python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2024-12-26 01:46:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

CVEs TBD

Browse Source
This commit is contained in:
Andrew Murray 2022-01-02 18:09:45 +11:00
parent d7f60d1d5a
commit ed4cf78137
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES.rst
View File

@ -5,10 +5,13 @@ Changelog (Pillow)
9.0.0 (unreleased)
------------------
- Restrict builtins for ImageMath.eval(). CVE TBD #5923
[radarhere]
- Ensure JpegImagePlugin stops at the end of a truncated file #5921
[radarhere]
- Fixed ImagePath.Path array handling #5920
- Fixed ImagePath.Path array handling. CVEs TBD #5920
[radarhere]
- Remove consecutive duplicate tiles that only differ by their offset #5919

4
docs/releasenotes/9.0.0.rst
View File

@ -122,12 +122,12 @@ Restrict builtins available to ImageMath.eval
To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.
``ImageMath.eval("exec(exit())")``. CVE TBD
Fixed ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``.
CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD
.. _OSS-Fuzz: https://github.com/google/oss-fuzz