Replace dependency sphinx-issues with builtin sphinx.ext.extlinks

2024-11-10 19:56:47 +03:00 · 2023-03-08 18:07:14 +02:00 · 2023-03-08 18:07:14 +02:00 · b168ec2606
commit b168ec2606
parent 2d5f451f58
19 changed files with 58 additions and 50 deletions
--- a/docs/Makefile
+++ b/docs/Makefile
@ -45,7 +45,7 @@ clean:
 	-rm -rf $(BUILDDIR)/*

 install-sphinx:
-	$(PYTHON) -m pip install --quiet furo olefile sphinx sphinx-copybutton sphinx-inline-tabs sphinx-issues sphinx-removed-in sphinxext-opengraph
+	$(PYTHON) -m pip install --quiet furo olefile sphinx sphinx-copybutton sphinx-inline-tabs sphinx-removed-in sphinxext-opengraph

 .PHONY: html
 html:
--- a/docs/conf.py
+++ b/docs/conf.py
@ -29,10 +29,10 @@ needs_sphinx = "2.4"
 extensions = [
    "sphinx.ext.autodoc",
    "sphinx.ext.intersphinx",
+    "sphinx.ext.extlinks",
    "sphinx.ext.viewcode",
    "sphinx_copybutton",
    "sphinx_inline_tabs",
-    "sphinx_issues",
    "sphinx_removed_in",
    "sphinxext.opengraph",
 ]
@ -317,8 +317,17 @@ def setup(app):
    app.add_css_file("css/dark.css")


-# GitHub repo for sphinx-issues
-issues_github_path = "python-pillow/Pillow"
+# sphinx.ext.extlinks
+# This config is a dictionary of external sites,
+# mapping unique short aliases to a base URL and a prefix.
+# https://www.sphinx-doc.org/en/master/usage/extensions/extlinks.html
+_repo = "https://github.com/python-pillow/Pillow/"
+extlinks = {
+    "cve": ("https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s", "CVE-%s"),
+    "cwe": ("https://cwe.mitre.org/data/definitions/%s.html", "CWE-%s"),
+    "issue": (_repo + "issues/%s", "#%s"),
+    "pr": (_repo + "pull/%s", "#%s"),
+}

 # sphinxext.opengraph
 ogp_image = (
--- a/docs/deprecations.rst
+++ b/docs/deprecations.rst
@ -261,7 +261,7 @@ FreeType 2.7
 Support for FreeType 2.7 has been removed.

 We recommend upgrading to at least `FreeType`_ 2.10.4, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).

 .. _FreeType: https://freetype.org/

--- a/docs/releasenotes/3.1.1.rst
+++ b/docs/releasenotes/3.1.1.rst
@ -6,7 +6,7 @@ CVE-2016-0740 -- Buffer overflow in TiffDecode.c
 ------------------------------------------------

 Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
-may overflow a buffer when reading a specially crafted tiff file (:cve:`CVE-2016-0740`).
+may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).

 Specifically, libtiff >= 4.0.0 changed the return type of
 ``TIFFScanlineSize`` from ``int32`` to machine dependent
@ -24,7 +24,7 @@ CVE-2016-0775 -- Buffer overflow in FliDecode.c
 -----------------------------------------------

 In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, FliDecode.c has a buffer overflow error (:cve:`CVE-2016-0775`).
+release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).

 Around line 192:

@ -53,7 +53,7 @@ CVE-2016-2533 -- Buffer overflow in PcdDecode.c
 -----------------------------------------------

 In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, ``PcdDecode.c`` has a buffer overflow error (:cve:`CVE-2016-2533`).
+release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).

 The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
--- a/docs/releasenotes/3.1.2.rst
+++ b/docs/releasenotes/3.1.2.rst
@ -7,7 +7,7 @@ CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c

 Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
 large Jpeg2000 files, allowing for code execution or other memory
-corruption (:cve:`CVE-2016-3076`).
+corruption (:cve:`2016-3076`).

 This occurs specifically in the function ``j2k_encode_entry``, at the line:

--- a/docs/releasenotes/6.2.0.rst
+++ b/docs/releasenotes/6.2.0.rst
@ -69,7 +69,7 @@ Security
 ========

 This release catches several buffer overruns, as well as addressing
-:cve:`CVE-2019-16865`. The CVE is regarding DOS problems, such as consuming large
+:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
 amounts of memory, or taking a large amount of time to process an image.

 In RawDecode.c, an error is now thrown if skip is calculated to be less than
--- a/docs/releasenotes/6.2.2.rst
+++ b/docs/releasenotes/6.2.2.rst
@ -6,13 +6,13 @@ Security

 This release addresses several security problems.

-:cve:`CVE-2019-19911` is regarding FPX images. If an image reports that it has a large
+:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large
 number of bands, a large amount of resources will be used when trying to process the
 image. This is fixed by limiting the number of bands to those usable by Pillow.

-Buffer overruns were found when processing an SGI (:cve:`CVE-2020-5311`),
-PCX (:cve:`CVE-2020-5312`) or FLI image (:cve:`CVE-2020-5313`). Checks have been added
+Buffer overruns were found when processing an SGI (:cve:`2020-5311`),
+PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added
 to prevent this.

-:cve:`CVE-2020-5310`: Overflow checks have been added when calculating the size of a
+:cve:`2020-5310`: Overflow checks have been added when calculating the size of a
 memory block to be reallocated in the processing of a TIFF image.
--- a/docs/releasenotes/7.1.0.rst
+++ b/docs/releasenotes/7.1.0.rst
@ -72,11 +72,11 @@ Security

 This release includes security fixes.

-* :cve:`CVE-2020-10177` Fix multiple out-of-bounds reads in FLI decoding
-* :cve:`CVE-2020-10378` Fix bounds overflow in PCX decoding
-* :cve:`CVE-2020-10379` Fix two buffer overflows in TIFF decoding
-* :cve:`CVE-2020-10994` Fix bounds overflow in JPEG 2000 decoding
-* :cve:`CVE-2020-11538` Fix buffer overflow in SGI-RLE decoding
+* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding
+* :cve:`2020-10378` Fix bounds overflow in PCX decoding
+* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding
+* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding
+* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding

 Other Changes
 =============
--- a/docs/releasenotes/8.0.1.rst
+++ b/docs/releasenotes/8.0.1.rst
@ -4,7 +4,7 @@
 Security
 ========

-Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`CVE-2020-15999`:
+Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`:

  - A heap buffer overflow has been found  in the handling of embedded PNG bitmaps,
    introduced in FreeType version 2.6.
--- a/docs/releasenotes/8.1.0.rst
+++ b/docs/releasenotes/8.1.0.rst
@ -11,7 +11,7 @@ Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022
 when FreeType 2.8 will be the minimum supported.

 We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).

 .. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/

@ -40,13 +40,13 @@ This release includes security fixes.

 * An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
 * An out-of-bounds read when saving a GIF of 1px width
-* :cve:`CVE-2020-35653` Buffer read overrun in PCX decoding
+* :cve:`2020-35653` Buffer read overrun in PCX decoding

 The PCX image decoder used the reported image stride to calculate the row buffer,
 rather than calculating it from the image size. This issue dates back to the PIL fork.
 Thanks to Google's `OSS-Fuzz`_ project for finding this.

-* :cve:`CVE-2020-35654` Fix TIFF out-of-bounds write error
+* :cve:`2020-35654` Fix TIFF out-of-bounds write error

 Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some
 LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases
@ -55,7 +55,7 @@ an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow vers
 from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
 `Tidelift`_.

-* :cve:`CVE-2020-35655` Fix for SGI Decode buffer overrun
+* :cve:`2020-35655` Fix for SGI Decode buffer overrun

 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the
 offsets and length tables. Independently reported through `Tidelift`_ and Google's
--- a/docs/releasenotes/8.1.1.rst
+++ b/docs/releasenotes/8.1.1.rst
@ -4,19 +4,19 @@
 Security
 ========

-:cve:`CVE-2021-25289`: The previous fix for :cve:`CVE-2020-35654` was insufficient
+:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient
 due to incorrect error checking in ``TiffDecode.c``.

-:cve:`CVE-2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy``
+:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy``
 with an invalid size.

-:cve:`CVE-2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to
+:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to
 an out-of-bounds read in ``TIFFReadRGBATile``.

-:cve:`CVE-2021-25292`: The PDF parser has a catastrophic backtracking regex
+:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex
 that could be used as a DOS attack.

-:cve:`CVE-2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
+:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
 since Pillow 4.3.0.


--- a/docs/releasenotes/8.1.2.rst
+++ b/docs/releasenotes/8.1.2.rst
@ -4,8 +4,8 @@
 Security
 ========

-There is an exhaustion of memory DOS in the BLP (:cve:`CVE-2021-27921`),
-ICNS (:cve:`CVE-2021-27922`) and ICO (:cve:`CVE-2021-27923`) container formats
+There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`),
+ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats
 where Pillow did not properly check the reported size of the contained image.
 These images could cause arbitrarily large memory allocations. This was reported
 by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of
--- a/docs/releasenotes/8.2.0.rst
+++ b/docs/releasenotes/8.2.0.rst
@ -129,15 +129,15 @@ Security

 These were all found with `OSS-Fuzz`_.

-:cve:`CVE-2021-25287`, :cve:`CVE-2021-25288`: Fix OOB read in Jpeg2KDecode
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * For J2k images with multiple bands, it's legal to have different widths for each band,
  e.g. 1 byte for ``L``, 4 bytes for ``A``.
 * This dates to Pillow 2.4.0.

-:cve:`CVE-2021-28675`: Fix DOS in PsdImagePlugin
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:cve:`2021-28675`: Fix DOS in PsdImagePlugin
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
  layers with regard to the size of the data block, this could lead to a
@ -145,15 +145,15 @@ These were all found with `OSS-Fuzz`_.
  :py:meth:`~PIL.Image.Image.load`.
 * This dates to the PIL fork.

-:cve:`CVE-2021-28676`: Fix FLI DOS
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:cve:`2021-28676`: Fix FLI DOS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``FliDecode.c`` did not properly check that the block advance was non-zero,
  potentially leading to an infinite loop on load.
 * This dates to the PIL fork.

-:cve:`CVE-2021-28677`: Fix EPS DOS on _open
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:cve:`2021-28677`: Fix EPS DOS on _open
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line
  endings. It accidentally used a quadratic method of accumulating lines while looking
@ -162,8 +162,8 @@ These were all found with `OSS-Fuzz`_.
  open phase, before an image was accepted for opening.
 * This dates to the PIL fork.

-:cve:`CVE-2021-28678`: Fix BLP DOS
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:cve:`2021-28678`: Fix BLP DOS
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets
  returned data. This could lead to a denial-of-service where the decoder could be run a
--- a/docs/releasenotes/8.3.0.rst
+++ b/docs/releasenotes/8.3.0.rst
@ -85,7 +85,7 @@ Security
 Buffer overflow
 ^^^^^^^^^^^^^^^

-This release addresses :cve:`CVE-2021-34552`. PIL since 1.1.4 and Pillow since 1.0
+This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0
 allowed parameters passed into a convert function to trigger buffer overflow in
 Convert.c.

--- a/docs/releasenotes/8.3.2.rst
+++ b/docs/releasenotes/8.3.2.rst
@ -4,7 +4,7 @@
 Security
 ========

-* :cve:`CVE-2021-23437`: Avoid a potential ReDoS (regular expression denial of service)
+* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service)
  in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising
  :py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0.

--- a/docs/releasenotes/9.0.0.rst
+++ b/docs/releasenotes/9.0.0.rst
@ -43,7 +43,7 @@ FreeType 2.7
 Support for FreeType 2.7 has been removed; FreeType 2.8 is the minimum supported.

 We recommend upgrading to at least `FreeType`_ 2.10.4, which fixed a severe
-vulnerability introduced in FreeType 2.6 (:cve:`CVE-2020-15999`).
+vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).

 .. _FreeType: https://freetype.org/

@ -119,7 +119,7 @@ Google's `OSS-Fuzz`_ project for finding this issue.
 Restrict builtins available to ImageMath.eval
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-:cve:`CVE-2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
+:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
 will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
 help prevent problems arising if users evaluate arbitrary expressions, such as
 ``ImageMath.eval("exec(exit())")``.
@ -127,7 +127,7 @@ help prevent problems arising if users evaluate arbitrary expressions, such as
 Fixed ImagePath.Path array handling
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-:cve:`CVE-2022-22815` (:cwe:`CWE-126`) and :cve:`CVE-2022-22816` (:cwe:`CWE-665`) were
+:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were
 found when initializing ``ImagePath.Path``.

 .. _OSS-Fuzz: https://github.com/google/oss-fuzz
--- a/docs/releasenotes/9.0.1.rst
+++ b/docs/releasenotes/9.0.1.rst
@ -6,12 +6,12 @@ Security

 This release addresses several security problems.

-:cve:`CVE-2022-24303`: If the path to the temporary directory on Linux or macOS
+:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS
 contained a space, this would break removal of the temporary image file after
 ``im.show()`` (and related actions), and potentially remove an unrelated file. This
 has been present since PIL.

-:cve:`CVE-2022-22817`: While Pillow 9.0 restricted top-level builtins available to
+:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to
 :py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda
 expressions. These are now also restricted.

--- a/docs/releasenotes/9.1.1.rst
+++ b/docs/releasenotes/9.1.1.rst
@ -6,7 +6,7 @@ Security

 This release addresses several security problems.

-:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
+:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
 Pillow reads the information past the end of the first line without deducting that
 from the length of the remaining file data. This vulnerability was introduced in Pillow
 9.1.0, and can cause a heap buffer overflow.
--- a/setup.cfg
+++ b/setup.cfg
@ -48,7 +48,6 @@ docs =
    sphinx>=2.4
    sphinx-copybutton
    sphinx-inline-tabs
-    sphinx-issues>=3.0.1
    sphinx-removed-in
    sphinxext-opengraph
 tests =