From b2c6db8d3b0bf759a8611300a55f3d509d7b23e6 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade Date: Fri, 7 Jan 2022 22:48:26 +0200 Subject: [PATCH] Add CVE IDs --- CHANGES.rst | 4 ++-- docs/releasenotes/9.0.0.rst | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index c2d4892cb..de3e9b9ca 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -5,13 +5,13 @@ Changelog (Pillow) 9.0.0 (2022-01-02) ------------------ -- Restrict builtins for ImageMath.eval(). CVE TBD #5923 +- Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923 [radarhere] - Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere] -- Fixed ImagePath.Path array handling. CVEs TBD #5920 +- Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920 [radarhere] - Remove consecutive duplicate tiles that only differ by their offset #5919 diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index f2be128bb..fbf2e7ce4 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst @@ -119,15 +119,16 @@ Google's `OSS-Fuzz`_ project for finding this issue. Restrict builtins available to ImageMath.eval ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the -builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems -arising if users evaluate arbitrary expressions, such as -``ImageMath.eval("exec(exit())")``. CVE TBD +:cve:`CVE-2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow +will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will +help prevent problems arising if users evaluate arbitrary expressions, such as +``ImageMath.eval("exec(exit())")``. Fixed ImagePath.Path array handling ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD +:cve:`CVE-2022-22815` (CWE-126) and :cve:`CVE-2022-22816` (CWE-665) were found when +initializing ``ImagePath.Path``. .. _OSS-Fuzz: https://github.com/google/oss-fuzz