mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-25 17:36:18 +03:00
Add CVE IDs
This commit is contained in:
parent
5908ccc5ae
commit
b2c6db8d3b
|
@ -5,13 +5,13 @@ Changelog (Pillow)
|
|||
9.0.0 (2022-01-02)
|
||||
------------------
|
||||
|
||||
- Restrict builtins for ImageMath.eval(). CVE TBD #5923
|
||||
- Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923
|
||||
[radarhere]
|
||||
|
||||
- Ensure JpegImagePlugin stops at the end of a truncated file #5921
|
||||
[radarhere]
|
||||
|
||||
- Fixed ImagePath.Path array handling. CVEs TBD #5920
|
||||
- Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920
|
||||
[radarhere]
|
||||
|
||||
- Remove consecutive duplicate tiles that only differ by their offset #5919
|
||||
|
|
|
@ -119,15 +119,16 @@ Google's `OSS-Fuzz`_ project for finding this issue.
|
|||
Restrict builtins available to ImageMath.eval
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
|
||||
builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
|
||||
arising if users evaluate arbitrary expressions, such as
|
||||
``ImageMath.eval("exec(exit())")``. CVE TBD
|
||||
:cve:`CVE-2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
|
||||
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
|
||||
help prevent problems arising if users evaluate arbitrary expressions, such as
|
||||
``ImageMath.eval("exec(exit())")``.
|
||||
|
||||
Fixed ImagePath.Path array handling
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD
|
||||
:cve:`CVE-2022-22815` (CWE-126) and :cve:`CVE-2022-22816` (CWE-665) were found when
|
||||
initializing ``ImagePath.Path``.
|
||||
|
||||
.. _OSS-Fuzz: https://github.com/google/oss-fuzz
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user