CVEs TBD

2024-12-26 18:06:18 +03:00 · 2022-01-02 18:09:45 +11:00 · 2022-01-02 18:09:45 +11:00 · ed4cf78137
commit ed4cf78137
parent d7f60d1d5a
2 changed files with 6 additions and 3 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -5,10 +5,13 @@ Changelog (Pillow)
 9.0.0 (unreleased)
 ------------------
 - Restrict builtins for ImageMath.eval(). CVE TBD #5923
  [radarhere]
 - Ensure JpegImagePlugin stops at the end of a truncated file #5921
  [radarhere]
- Fixed ImagePath.Path array handling #5920
+- Fixed ImagePath.Path array handling. CVEs TBD #5920
  [radarhere]
 - Remove consecutive duplicate tiles that only differ by their offset #5919
--- a/docs/releasenotes/9.0.0.rst
+++ b/docs/releasenotes/9.0.0.rst
@ -122,12 +122,12 @@ Restrict builtins available to ImageMath.eval
 To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
 builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
 arising if users evaluate arbitrary expressions, such as
-``ImageMath.eval("exec(exit())")``.
+``ImageMath.eval("exec(exit())")``. CVE TBD
 Fixed ImagePath.Path array handling
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``.
+CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD
 .. _OSS-Fuzz: https://github.com/google/oss-fuzz