mirror of
				https://github.com/python-pillow/Pillow.git
				synced 2025-10-22 11:44:32 +03:00 
			
		
		
		
	- Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
		
			
				
	
	
		
			98 lines
		
	
	
		
			3.0 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
			
		
		
	
	
			98 lines
		
	
	
		
			3.0 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
| 8.1.0
 | |
| -----
 | |
| 
 | |
| Security
 | |
| ========
 | |
| 
 | |
| This release includes security fixes.
 | |
| 
 | |
| * An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
 | |
| * An out-of-bounds read when saving a GIF of 1px width
 | |
| 
 | |
| :cve:`2020-35653`: Buffer read overrun in PCX decoding
 | |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| The PCX image decoder used the reported image stride to calculate
 | |
| the row buffer, rather than calculating it from the image size. This issue dates back
 | |
| to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.
 | |
| 
 | |
| :cve:`2020-35654`: TIFF out-of-bounds write error
 | |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
 | |
| files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
 | |
| In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
 | |
| leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow
 | |
| versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
 | |
| `Tidelift`_.
 | |
| 
 | |
| :cve:`2020-35655`: SGI Decode buffer overrun
 | |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
 | |
| checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
 | |
| `OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
 | |
| 
 | |
| .. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
 | |
| .. _OSS-Fuzz: https://github.com/google/oss-fuzz
 | |
| 
 | |
| Dependencies
 | |
| ^^^^^^^^^^^^
 | |
| 
 | |
| OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including
 | |
| security fixes.
 | |
| 
 | |
| LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including
 | |
| security fixes discovered by fuzzers.
 | |
| 
 | |
| Deprecations
 | |
| ============
 | |
| 
 | |
| FreeType 2.7
 | |
| ^^^^^^^^^^^^
 | |
| 
 | |
| Support for FreeType 2.7 is deprecated and will be removed in Pillow 9.0.0 (2022-01-02),
 | |
| when FreeType 2.8 will be the minimum supported.
 | |
| 
 | |
| We recommend upgrading to at least FreeType `2.10.4`_, which fixed a severe
 | |
| vulnerability introduced in FreeType 2.6 (:cve:`2020-15999`).
 | |
| 
 | |
| .. _2.10.4: https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/
 | |
| 
 | |
| Makefile
 | |
| ^^^^^^^^
 | |
| 
 | |
| The ``install-venv`` target has been deprecated.
 | |
| 
 | |
| API Additions
 | |
| =============
 | |
| 
 | |
| Append images to ICO
 | |
| ^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| When saving an ICO image, the file may contain versions of the image at different
 | |
| sizes. By default, Pillow will scale down the main image to create these copies.
 | |
| 
 | |
| With this release, a list of images can be provided to the ``append_images`` parameter
 | |
| when saving, to replace the scaled down versions. This is the same functionality that
 | |
| already exists for the ICNS format.
 | |
| 
 | |
| Other Changes
 | |
| =============
 | |
| 
 | |
| Makefile
 | |
| ^^^^^^^^
 | |
| 
 | |
| The ``co`` target has been removed.
 | |
| 
 | |
| PyPy wheels
 | |
| ^^^^^^^^^^^
 | |
| 
 | |
| Wheels have been added for PyPy 3.7.
 | |
| 
 | |
| PySide6
 | |
| ^^^^^^^
 | |
| 
 | |
| Support has been added for PySide6. If it is installed, it will be used instead of
 | |
| PyQt5 or PySide2, since it is based on a newer Qt.
 |