Merge pull request #7885 from hugovk/update-release-notes

This commit is contained in:
Hugo van Kemenade 2024-03-17 19:22:13 +02:00 committed by GitHub
commit b3edfb08ce
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
34 changed files with 199 additions and 251 deletions

View File

@ -90,19 +90,3 @@ Release GIL when fetching WebP frames
Python's Global Interpreter Lock is now released when fetching WebP frames from
the libwebp decoder.
Added release notes for past releases
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Added release notes for past releases: ``2.6.0``, ``2.5.2``,
``2.3.2``, ``2.3.1``. With these additions we are able to
provide a comprehensive list of all Pillow CVE records from
1995 to 2024 across three noteworthy periods:
- 1995-2009: No known CVEs
- 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076`
- 2019-2024: :cve:`2019-16865`, :cve:`2019-19911`, :cve:`2020-10177`, :cve:`2020-15999`,
:cve:`2020-35653`, :cve:`2021-25289`, :cve:`2020-35654`, :cve:`2020-35654`,
:cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`, :cve:`2021-25287`,
:cve:`2021-25288`, :cve:`2021-34552`, :cve:`2021-23437`, :cve:`2022-22817`,
:cve:`2022-24303`, :cve:`2022-30595`, :cve:`2023-44271`, :cve:`2023-4863`

View File

@ -4,23 +4,23 @@
Security
========
These issues reported in
These issues were reported in
`Debian bug #737059 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059>`_.
:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function
in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4)
``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier
and Pillow before 2.3.1 do not properly create temporary files, which allow
The (1) ``load_djpeg`` function in ``JpegImagePlugin.py``, (2) Ghostscript function
in ``EpsImagePlugin.py``, (3) ``load`` function in ``IptcImagePlugin.py``, and (4)
``_copy`` function in ``Image.py`` in
Pillow before 2.3.1 do not properly create temporary files, which allow
local users to overwrite arbitrary files and obtain sensitive information via a
symlink attack on the temporary file.
:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in Python
Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of
The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in
Pillow before 2.3.1 uses the names of
temporary files on the command line, which makes it easier for local users to
conduct symlink attacks by listing the processes.

View File

@ -7,8 +7,8 @@ Security
:cve:`2014-3589`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
block size.
Found and reported by Andrew Drake of dropbox.com
Found and reported by Andrew Drake of `Dropbox <https://www.dropbox.com/>`__.

View File

@ -7,8 +7,8 @@ Security
:cve:`2014-3589`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
block size.
Found and reported by Andrew Drake of dropbox.com
Found and reported by Andrew Drake of `Dropbox <https://www.dropbox.com/>`__.

View File

@ -7,16 +7,8 @@ Security
:cve:`2014-3589`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
block size.
Found and reported by Andrew Drake of dropbox.com
Other Changes
=============
Relaxed precision of some tests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Relaxed imagedraw tests to allow slight errors for x86 vs x64.
Found and reported by Andrew Drake of `Dropbox <https://www.dropbox.com/>`__.

View File

@ -1,9 +1,6 @@
2.7.0
-----
Other Changes
=============
Sane Plugin
^^^^^^^^^^^
@ -105,6 +102,7 @@ other filters gave poor quality for reduction. Starting from Pillow 2.7.0,
uses supersampling internally, not convolutions.
Image transposition
+++++++++++++++++++
A new method ``TRANSPOSE`` has been added for the
:py:meth:`~PIL.Image.Image.transpose` operation in addition to

View File

@ -1,9 +1,6 @@
2.8.0
-----
Other Changes
=============
Open HTTP response objects with Image.open
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,22 +1,22 @@
3.0.0
-----
Deprecations
============
Backwards Incompatible Changes
==============================
Several methods that have been marked as deprecated for many releases
have been removed in this release::
have been removed in this release:
Image.tostring()
Image.fromstring()
Image.offset()
ImageDraw.setink()
ImageDraw.setfill()
The ImageFileIO module
The ImageFont.FreeTypeFont and ImageFont.truetype ``file`` keyword arg
The ImagePalette private _make functions
ImageWin.fromstring()
ImageWin.tostring()
* ``Image.tostring()``
* ``Image.fromstring()``
* ``Image.offset()``
* ``ImageDraw.setink()``
* ``ImageDraw.setfill()``
* The ``ImageFileIO`` module
* The ``ImageFont.FreeTypeFont`` and ``ImageFont.truetype`` ``file`` keyword arg
* The ``ImagePalette`` private ``_make`` functions
* ``ImageWin.fromstring()``
* ``ImageWin.tostring()``
Other Changes
=============

View File

@ -1,9 +1,6 @@
3.1.0
-----
Other Changes
=============
ImageDraw arc, chord and pieslice can now use floats
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -8,8 +8,7 @@ Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
may overflow a buffer when reading a specially crafted tiff file
(:cve:`2016-0740`).
may overflow a buffer when reading a specially crafted tiff file.
Specifically, libtiff >= 4.0.0 changed the return type of
``TIFFScanlineSize`` from ``int32`` to machine dependent
@ -63,8 +62,8 @@ assuming 4 bytes per pixel. This writes 768 bytes beyond the end of
the buffer into other Python object storage. In some cases, this
causes a segfault, in others an internal Python malloc error.
Integer overflow in Resample.c
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Integer overflow in ``Resample.c``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If a large value was passed into the new size for an image, it is
possible to overflow an ``int32`` value passed into malloc.

View File

@ -1,9 +1,6 @@
3.2.0
-----
Other Changes
=============
New DDS and FTEX Image Plugins
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,9 +1,6 @@
3.3.0
-----
Other Changes
=============
Libimagequant support
^^^^^^^^^^^^^^^^^^^^^
@ -19,13 +16,13 @@ New Setup.py options
There are two new options to control the ``build_ext`` task in ``setup.py``:
* ``--debug`` dumps all of the directories and files that are
checked when searching for libraries or headers when building the
extensions.
* ``--disable-platform-guessing`` removes many of the directories
that are checked for libraries and headers for build systems or
cross compilers that specify that information in via environment
variables.
* ``--debug`` dumps all of the directories and files that are
checked when searching for libraries or headers when building the
extensions.
* ``--disable-platform-guessing`` removes many of the directories
that are checked for libraries and headers for build systems or
cross compilers that specify that information in via environment
variables.
Resizing
^^^^^^^^
@ -51,4 +48,4 @@ Image Metadata
The return type for binary data in version 2 Exif and Tiff metadata
has been changed from a tuple of integers to bytes. This is a change
from the behavior since ``3.0.0``.
from the behavior since 3.0.0.

View File

@ -1,6 +1,16 @@
3.4.0
-----
Backwards Incompatible Changes
==============================
Image.core.open_ppm removed
^^^^^^^^^^^^^^^^^^^^^^^^^^^
The nominally private/debugging function ``Image.core.open_ppm`` has
been removed. If you were using this function, please use
``Image.open`` instead.
Deprecations
============
@ -12,14 +22,7 @@ silently drops the alpha channel. With this release Pillow will now
issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode
image as a JPEG. This will become an error in Pillow 4.2.
Image.core.open_ppm removed
^^^^^^^^^^^^^^^^^^^^^^^^^^^
The nominally private/debugging function ``Image.core.open_ppm`` has
been removed. If you were using this function, please use
``Image.open`` instead.
Other changes
API Additions
=============
New resizing filters

View File

@ -1,9 +1,6 @@
4.0.0
-----
Other Changes
=============
Python 2.6 and 3.2 Dropped
^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,9 +1,6 @@
4.1.1
-----
Other Changes
=============
Fix Regression with reading DPI from EXIF data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,8 +1,8 @@
4.2.0
-----
Deprecations
============
Backwards Incompatible Changes
==============================
Several deprecated items have been removed
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -3,9 +3,6 @@
There are no functional changes in this release.
Other Changes
=============
Fixed Windows PyPy Build
^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -12,21 +12,24 @@ and ``CMYK`` with up to 6 8-bit channels, discarding any extra
channels if the content is tagged as UNSPECIFIED. Pillow still does
not store more than 4 8-bit channels of image data.
API Additions
=============
Append to PDF Files
^^^^^^^^^^^^^^^^^^^
Images can now be appended to PDF files in place by passing in
``append=True`` when saving the image.
Other Changes
=============
New BLP File Format
^^^^^^^^^^^^^^^^^^^
Pillow now supports reading the BLP "Blizzard Mipmap" file format used
for tiles in Blizzard's engine.
Other Changes
=============
WebP memory leak
^^^^^^^^^^^^^^^^

View File

@ -3,9 +3,6 @@
This release fixes regressions in 5.4.0.
Other Changes
=============
Installation on Termux
^^^^^^^^^^^^^^^^^^^^^^

View File

@ -29,6 +29,25 @@ perform operations on it.
The CVE is regarding DOS problems, such as consuming large amounts of memory,
or taking a large amount of time to process an image.
API Changes
===========
Image.getexif
^^^^^^^^^^^^^
To allow for lazy loading of Exif data, ``Image.getexif()`` now returns a
shared instance of ``Image.Exif``.
Deprecations
^^^^^^^^^^^^
Image.frombuffer
~~~~~~~~~~~~~~~~
There has been a longstanding warning that the defaults of ``Image.frombuffer``
may change in the future for the "raw" decoder. The change will now take place
in Pillow 7.0.
API Additions
=============
@ -74,25 +93,6 @@ ImageGrab on multi-monitor Windows
An ``all_screens`` argument has been added to ``ImageGrab.grab``. If ``True``,
all monitors will be included in the created image.
API Changes
===========
Image.getexif
^^^^^^^^^^^^^
To allow for lazy loading of Exif data, ``Image.getexif()`` now returns a
shared instance of ``Image.Exif``.
Deprecations
^^^^^^^^^^^^
Image.frombuffer
~~~~~~~~~~~~~~~~
There has been a longstanding warning that the defaults of ``Image.frombuffer``
may change in the future for the "raw" decoder. The change will now take place
in Pillow 7.0.
Other Changes
=============

View File

@ -18,8 +18,6 @@ Pillow 7.0.0 will be released on 2020-01-01 and will drop support for Python
Other Changes
=============
Support added for Python 3.8
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -6,15 +6,15 @@ Security
This release fixes several buffer overflow issues and a DOS attack vulnerability.
:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Overflow checks have been added when calculating the size of a memory block to be reallocated
in the processing of TIFF, SGI, PCX and FLI images.
:cve:`2019-19911`: DOS attack vulnerability
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If an FPX image reports that it has a large number of bands, a large amount of
resources will be used when trying to process the image. This is fixed by
limiting the number of bands to those usable by Pillow.
:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Overflow checks have been added when calculating the size of a memory block to be reallocated
in the processing of TIFF, SGI, PCX and FLI images.

View File

@ -14,7 +14,9 @@ Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c
:cve:`2020-10378`: Bounds overflow in PCX decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur
when reading PCX files where ``state->shuffle`` is instructed to read beyond
``state->buffer``.
:cve:`2020-10379`: Two buffer overflows in TIFF decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -24,7 +26,8 @@ In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecod
:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple
out-of-bounds reads via a crafted JP2 file.
:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,9 +1,6 @@
7.1.1
-----
Other Changes
=============
Fix regression seeking PNG files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,9 +1,6 @@
7.1.2
-----
Other Changes
=============
Fix another regression seeking PNG files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -4,8 +4,8 @@
Security
========
:cve:`2021-25289`: Fix the fix for :cve:`2020-35654`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2021-25289`: Correct the fix for :cve:`2020-35654`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The previous fix for :cve:`2020-35654` was insufficient due to incorrect
error checking in ``TiffDecode.c``.

View File

@ -1,9 +1,6 @@
8.3.1
-----
Other Changes
=============
Fixed regression converting to NumPy arrays
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

View File

@ -1,14 +1,11 @@
8.4.0
-----
API Changes
===========
Deprecations
^^^^^^^^^^^^
============
ImagePalette size parameter
~~~~~~~~~~~~~~~~~~~~~~~~~~~
^^^^^^^^^^^^^^^^^^^^^^^^^^^
The ``size`` parameter will be removed in Pillow 10.0.0 (2023-07-01).

View File

@ -44,17 +44,18 @@ duplicate tiles that only differ by their offset, only load the last tile. Credi
Google's `OSS-Fuzz`_ project for finding this issue.
:cve:`2022-22817`: Restrict builtins available to ImageMath.eval
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.
:cve:`2022-22815`: ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:cve:`2022-22815`, :cve:`2022-22816`: ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.
:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when
initializing ``ImagePath.Path``.
.. _OSS-Fuzz: https://github.com/google/oss-fuzz

View File

@ -1,49 +1,6 @@
9.1.0
-----
API Changes
===========
Raise an error when performing a negative crop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Performing a negative crop on an image previously just returned a ``(0, 0)`` image. Now
it will raise a :py:exc:`ValueError`, to help reduce confusion if a user has unintentionally
provided the wrong arguments.
Added specific error if path coordinate type is incorrect
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Rather than returning a :py:exc:`SystemError`, passing the incorrect types of coordinates into
a path will now raise a more specific :py:exc:`ValueError`, with the message "incorrect
coordinate type".
Replace requirements.txt with extras
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Rather than installing all dependencies for docs and tests via ``requirements.txt``,
``extras_require`` is used instead. This installs only those needed and at the same
time as installing Pillow.
For example:
.. code-block:: bash
# Install with dependencies for tests:
python3 -m pip install .[tests]
# Or for building docs:
python3 -m pip install .[docs]
# Or for all:
python3 -m pip install .[docs,tests]
On macOS, the last argument may need to be wrapped in quotes, e.g.
``python3 -m pip install ".[tests]"``
Therefore ``requirements.txt`` has been removed along with the ``make install-req``
command for installing its contents.
Deprecations
============
@ -137,6 +94,49 @@ The stub image plugin ``FitsStubImagePlugin`` has been deprecated and will be re
Pillow 10.0.0 (2023-07-01). FITS images can be read without a handler through
:mod:`~PIL.FitsImagePlugin` instead.
API Changes
===========
Raise an error when performing a negative crop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Performing a negative crop on an image previously just returned a ``(0, 0)`` image. Now
it will raise a :py:exc:`ValueError`, to help reduce confusion if a user has unintentionally
provided the wrong arguments.
Added specific error if path coordinate type is incorrect
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Rather than returning a :py:exc:`SystemError`, passing the incorrect types of coordinates into
a path will now raise a more specific :py:exc:`ValueError`, with the message "incorrect
coordinate type".
Replace requirements.txt with extras
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Rather than installing all dependencies for docs and tests via ``requirements.txt``,
``extras_require`` is used instead. This installs only those needed and at the same
time as installing Pillow.
For example:
.. code-block:: bash
# Install with dependencies for tests:
python3 -m pip install .[tests]
# Or for building docs:
python3 -m pip install .[docs]
# Or for all:
python3 -m pip install .[docs,tests]
On macOS, the last argument may need to be wrapped in quotes, e.g.
``python3 -m pip install ".[tests]"``
Therefore ``requirements.txt`` has been removed along with the ``make install-req``
command for installing its contents.
API Additions
=============

View File

@ -14,6 +14,9 @@ Pillow reads the information past the end of the first line without deducting th
from the length of the remaining file data. This vulnerability was introduced in Pillow
9.1.0, and can cause a heap buffer overflow.
Decompression bomb check fix
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Opening an image with a zero or negative height has been found to bypass a
decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn
raising a ``PIL.UnidentifiedImageError``.

View File

@ -1,6 +1,11 @@
9.2.0
-----
Security
========
An additional decompression bomb check has been added for the GIF format.
Deprecations
============
@ -132,11 +137,6 @@ with "transparency" in ``im.info``, and apply the transparency to the palette in
The image's palette mode will become "RGBA", and "transparency" will be removed from
``im.info``.
Security
========
An additional decompression bomb check has been added for the GIF format.
Other Changes
=============

View File

@ -1,6 +1,33 @@
9.3.0
-----
Security
========
Initialize libtiff buffer when saving
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When saving a TIFF image to a file object using libtiff, the buffer was not
initialized. This behaviour introduced in Pillow 2.0.0, and has now been fixed.
Decode JPEG compressed BLP1 data in original mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Within the BLP image format, BLP1 data may use JPEG compression. Instead of
telling the JPEG library that this data is in BGRX mode, Pillow will now
decode the data in its natural CMYK mode, then convert it to RGB and rearrange
the channels afterwards. Trying to load the data in an incorrect mode could
result in a segmentation fault. This issue was introduced in Pillow 9.1.0.
Limit SAMPLESPERPIXEL to avoid runtime DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A large value in the ``SAMPLESPERPIXEL`` tag could lead to a memory and runtime DOS in
``TiffImagePlugin.py`` when setting up the context for image decoding.
This was introduced in Pillow 9.2.0, found with `OSS-Fuzz`_ and fixed by limiting
``SAMPLESPERPIXEL`` to the number of planes that we can decode.
API Additions
=============
@ -38,33 +65,6 @@ The data from :py:data:`~PIL.ExifTags.TAGS` and
:py:data:`~PIL.ExifTags.GPS`.
Security
========
Initialize libtiff buffer when saving
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When saving a TIFF image to a file object using libtiff, the buffer was not
initialized. This behaviour introduced in Pillow 2.0.0, and has now been fixed.
Decode JPEG compressed BLP1 data in original mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Within the BLP image format, BLP1 data may use JPEG compression. Instead of
telling the JPEG library that this data is in BGRX mode, Pillow will now
decode the data in its natural CMYK mode, then convert it to RGB and rearrange
the channels afterwards. Trying to load the data in an incorrect mode could
result in a segmentation fault. This issue was introduced in Pillow 9.1.0.
Limit SAMPLESPERPIXEL to avoid runtime DOS
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A large value in the ``SAMPLESPERPIXEL`` tag could lead to a memory and runtime DOS in
``TiffImagePlugin.py`` when setting up the context for image decoding.
This was introduced in Pillow 9.2.0, found with `OSS-Fuzz`_ and fixed by limiting
``SAMPLESPERPIXEL`` to the number of planes that we can decode.
Other Changes
=============

View File

@ -1,6 +1,31 @@
9.5.0
-----
Security
========
Clear PPM half token after use
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Image files that are small on disk are often prevented from expanding to be
big images consuming a large amount of resources simply because they lack the
data to populate those resources.
PpmImagePlugin might hold onto the last data read for a pixel value in case the
pixel value has not been finished yet. However, that data was not being cleared
afterwards, meaning that infinite data could be available to fill any image
size. This has been present since Pillow 9.2.0.
That data is now cleared after use.
Saving TIFF tag ImageSourceData
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If Pillow incorrectly saved the TIFF tag ImageSourceData as ASCII instead of
UNDEFINED, a segmentation fault was triggered.
The correct tag type will now be used by default instead.
Deprecations
============
@ -46,31 +71,6 @@ If OpenJPEG 2.4.0 or later is available and the ``plt`` keyword argument
is present and true when saving JPEG2000 images, tell the encoder to generate
PLT markers.
Security
========
Clear PPM half token after use
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Image files that are small on disk are often prevented from expanding to be
big images consuming a large amount of resources simply because they lack the
data to populate those resources.
PpmImagePlugin might hold onto the last data read for a pixel value in case the
pixel value has not been finished yet. However, that data was not being cleared
afterwards, meaning that infinite data could be available to fill any image
size. This has been present since Pillow 9.2.0.
That data is now cleared after use.
Saving TIFF tag ImageSourceData
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If Pillow incorrectly saved the TIFF tag ImageSourceData as ASCII instead of
UNDEFINED, a segmentation fault was triggered.
The correct tag type will now be used by default instead.
Other Changes
=============