Pillow/docs/releasenotes/7.1.0.rst
Alex Clark c69dcc1c29 Fix headers and retro-add notes for #7864
- Include CVE link in title (via @hugovk)
- Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
2024-03-15 10:01:42 -04:00


7.1.0
-----

Security
========

This release includes many security fixes.

:cve:`2020-10177`: Multiple out-of-bounds reads in FLI decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c``.

:cve:`2020-10378`: Bounds overflow in PCX decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur
when reading PCX files where ``state->shuffle`` is instructed to read beyond
``state->buffer``.

:cve:`2020-10379`: Two buffer overflows in TIFF decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecode.c``.

:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple
out-of-bounds reads via a crafted JP2 file.

:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds
reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
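
A dependency check for the fixes listed above, as an added example that is not part of
the Pillow release notes: it scans requirements-style lines and flags Pillow pins or
version floors below 7.1.0. The sample lines, verdict names and helper functions are
constructed for illustration.

```python
import re

# From the release notes above: all five CVEs are fixed in Pillow 7.1.0.
FIXED_IN = (7, 1, 0)
CVES = ("CVE-2020-10177", "CVE-2020-10378", "CVE-2020-10379",
        "CVE-2020-10994", "CVE-2020-11538")

NAME = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(.*)$")
SPEC = re.compile(r"^(==|>=|~=)\s*(\d+(?:\.\d+)*)\s*(?:;.*)?$")

def as_tuple(version):
    """'6.2' -> (6, 2, 0) so short versions compare correctly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(lines):
    """Return (line_number, verdict) for each Pillow requirement line."""
    results = []
    for number, raw in enumerate(lines, 1):
        head = NAME.match(raw.split("#", 1)[0].strip())
        # Exact name match, so other packages whose names start with
        # "pillow" are not mistaken for Pillow itself.
        if not head or head.group(1).lower() != "pillow":
            continue
        spec = SPEC.match(head.group(2))
        if not spec:
            verdict = "unresolved"     # unpinned, wildcard, or other operator
        elif as_tuple(spec.group(2)) >= FIXED_IN:
            verdict = "ok"
        elif spec.group(1) == "==":
            verdict = "vulnerable"     # pinned to a release before 7.1.0
        else:
            verdict = "floor-too-low"  # range still admits a release before 7.1.0
        results.append((number, verdict))
    return results

# Constructed sample input; the non-Pillow package names are hypothetical.
SAMPLE = [
    "# constructed requirements file",
    "Pillow==7.0.0",
    "pillow >= 6.2   # range with a low floor",
    "Pillow==7.1.0",
    "pillow-example-plugin==1.0",
    "Pillow",
    "some-other-package==1.0",
]

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE):
        flagged = verdict in ("vulnerable", "floor-too-low")
        print(f"line {number}: {verdict}" + (f" ({', '.join(CVES)})" if flagged else ""))
```

An ``unresolved`` verdict means the line alone does not determine the installed
version, so the lock file or the environment itself has to be checked.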

API Changes
===========

Allow saving of zero quality JPEG images
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If no quality was specified when saving a JPEG, Pillow internally used a value
of zero to indicate that the default quality should be used. However, this
removed the ability to actually save a JPEG with zero quality. This has now
been resolved. ::

    from PIL import Image
    im = Image.open("hopper.jpg")
    im.save("out.jpg", quality=0)

API Additions
=============

New channel operations
^^^^^^^^^^^^^^^^^^^^^^

Three new channel operations have been added: :py:meth:`~PIL.ImageChops.soft_light`,
:py:meth:`~PIL.ImageChops.hard_light` and :py:meth:`~PIL.ImageChops.overlay`.

PILLOW_VERSION constant
^^^^^^^^^^^^^^^^^^^^^^^

``PILLOW_VERSION`` has been re-added but is deprecated and will be removed in a future
release. Use ``__version__`` instead.

It was initially removed in Pillow 7.0.0, but brought back in 7.1.0 to give projects
more time to upgrade.

Reading JPEG comments
^^^^^^^^^^^^^^^^^^^^^

When opening a JPEG image, the comment may now be read into
:py:attr:`~PIL.Image.Image.info`.

Support for different charset encodings in PcfFontFile
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Previously ``PcfFontFile`` output only bitmap PIL fonts with ISO 8859-1 encoding, even
though the PCF format supports Unicode, making it hard to work with Pillow with bitmap
fonts in languages which use different character sets.

Now it's possible to set a different charset encoding in ``PcfFontFile``'s class
constructor. By default, it generates a PIL font file with ISO 8859-1 as before. The
generated PIL font file still contains up to 256 characters, but the character set is
different depending on the selected encoding.

To use such a font with ``ImageDraw.text``, call it with a bytes object with the same
encoding as the font file.

X11 ImageGrab.grab()
^^^^^^^^^^^^^^^^^^^^

Support has been added for ``ImageGrab.grab()`` on Linux using the X server
with the XCB library.

An optional ``xdisplay`` parameter has been added to select the X server,
with the default value of :data:`None` using the default X server.

Passing a different value on Windows or macOS will force taking a snapshot
using the selected X server; pass an empty string to use the default X server.
XCB support is not included in pre-compiled wheels for Windows and macOS.

Other Changes
=============

If present, only use alpha channel for bounding box
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When the :py:meth:`~PIL.Image.Image.getbbox` method calculates the bounding
box, for an RGB image it trims black pixels. Similarly, for an RGBA image it
would trim black transparent pixels. This is now changed so that if an image
has an alpha channel (RGBA, RGBa, PA, LA, La), any transparent pixels are
trimmed.

Improved APNG support
^^^^^^^^^^^^^^^^^^^^^

Added support for reading and writing Animated Portable Network Graphics (APNG) images.
The PNG plugin now supports using the :py:meth:`~PIL.Image.Image.seek` method and the
:py:class:`~PIL.ImageSequence.Iterator` class to read APNG frame sequences.
The PNG plugin also now supports using the ``append_images`` argument to write APNG frame
sequences. See :ref:`apng-sequences` for further details.