mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-12-26 18:06:18 +03:00
c69dcc1c29
- Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
30 lines
925 B
ReStructuredText
30 lines
925 B
ReStructuredText
9.0.1
|
|
-----
|
|
|
|
Security
|
|
========
|
|
|
|
This release addresses several security problems.
|
|
|
|
:cve:`2022-24303`: Temp image removal
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
If the path to the temporary directory on Linux or macOS
|
|
contained a space, this would break removal of the temporary image file after
|
|
``im.show()`` (and related actions), and potentially remove an unrelated file. This
|
|
has been present since PIL.
|
|
|
|
:cve:`2022-22817`: Restrict lambda expressions
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
While Pillow 9.0 restricted top-level builtins available to
|
|
:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins
|
|
available to lambda expressions. These are now also restricted.
|
|
|
|
Other Changes
|
|
=============
|
|
|
|
Pillow 9.0 added support for ``xdg-open`` as an image viewer, but there have been
|
|
reports that the temporary image file was removed too quickly to be loaded into the
|
|
final application. A delay has been added.
|