From 04f60eba9ce47d2fd6b695ca00e61c3b775a1aea Mon Sep 17 00:00:00 2001
From: Alex Clark
Date: Wed, 13 Mar 2024 14:15:16 -0400
Subject: [PATCH 01/33] Clean up for #7864

Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template
---
 docs/releasenotes/10.0.0.rst | 54 ++++++++-------
 docs/releasenotes/10.0.1.rst | 12 +++-
 docs/releasenotes/10.2.0.rst | 68 +++++++++---------
 docs/releasenotes/3.1.1.rst | 44 ++++++++----
 docs/releasenotes/3.1.2.rst | 20 ++++--
 docs/releasenotes/6.2.0.rst | 53 ++++++++------
 docs/releasenotes/6.2.2.rst | 57 ++++++++++++---
 docs/releasenotes/7.1.0.rst | 51 +++++++++++---
 docs/releasenotes/8.0.1.rst | 9 ++-
 docs/releasenotes/8.1.0.rst | 96 +++++++++++++++-----------
 docs/releasenotes/8.1.1.rst | 45 ++++++++++--
 docs/releasenotes/8.1.2.rst | 44 ++++++++++--
 docs/releasenotes/8.2.0.rst | 122 ++++++++++++++++++---------
 docs/releasenotes/8.3.0.rst | 50 ++++++++------
 docs/releasenotes/8.3.2.rst | 27 +++++---
 docs/releasenotes/9.0.0.rst | 75 ++++++++++----------
 docs/releasenotes/9.0.1.rst | 18 ++++-
 docs/releasenotes/9.1.1.rst | 9 ++-
 docs/releasenotes/index.rst | 1 +
 docs/releasenotes/template.rst | 23 ++++---
 20 files changed, 571 insertions(+), 307 deletions(-)

diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst
index 705ca04152f..4be590edf8c 100644
--- a/docs/releasenotes/10.0.0.rst
+++ b/docs/releasenotes/10.0.0.rst
@@ -1,6 +1,35 @@ 10.0.0 ------ +Security +======== + +Limit size even if one dimension is zero +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +When performing decompression bomb checks, Pillow did not reject images with +excessive width and zero height, or zero width and excessive height. That has +now been fixed. + +This effectively dates to the PIL fork, since problem images would still have +been processed before Pillow started checking for decompression bombs. + +Fix CVE-2023-44271 +^^^^^^^^^^^^^^^^^^ + +Added ImageFont.MAX_STRING_LENGTH. + +.. note:: More information about this vulnerability included in database record :cve:`2023-44271` + +To protect against potential DOS attacks when using arbitrary strings as text +input, Pillow will now raise a :py:exc:`ValueError` if the number of characters +passed into ImageFont methods is over a certain limit, +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. + +This threshold can be changed by setting +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting +``ImageFont.MAX_STRING_LENGTH = None``. + Backwards Incompatible Changes ============================== 
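Review bot: the `.. note::` line under `Fix CVE-2023-44271` is missing its verb (`More information about this vulnerability included in database record`), and the same sentence is copied verbatim into every other file touched by this patch. Suggest `More information about this vulnerability is included in database record :cve:`2023-44271`` here and in `template.rst`, so the later copies only need to follow the template.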
@@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()`` and the image has an alpha channel, trim transparent pixels. Otherwise, trim pixels when all channels are zero. -Security -======== - -Limit size even if one dimension is zero -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -When performing decompression bomb checks, Pillow did not reject images with -excessive width and zero height, or zero width and excessive height. That has -now been fixed. - -This effectively dates to the PIL fork, since problem images would still have -been processed before Pillow started checking for decompression bombs. - -Added ImageFont.MAX_STRING_LENGTH -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text -input, Pillow will now raise a :py:exc:`ValueError` if the number of characters -passed into ImageFont methods is over a certain limit, -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. - -This threshold can be changed by setting -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting -``ImageFont.MAX_STRING_LENGTH = None``. - Other Changes ============= diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index 6ac30e7fce1..0b75d2efaef 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -4,9 +4,15 @@ Security ======== -This release addresses :cve:`2023-4863`, by providing an updated install script and -updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow -in WebP. +Fix CVE-2023-4863 +^^^^^^^^^^^^^^^^^ + +Updated install script and wheels with libwebp 1.3.2 + +.. note:: More information about this vulnerability included in database record :cve:`2023-4863` + +This release provides an updated install script and updated wheels to +include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. Updated tests to pass with latest zlib version ============================================== 
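Review bot: in the 10.0.1 hunk, the summary line `Updated install script and wheels with libwebp 1.3.2` under `Fix CVE-2023-4863` has no trailing period, unlike the summaries elsewhere in this patch, and the paragraph right after it repeats the same statement almost word for word. Keep the summary, and trim the paragraph to what is new in it (the heap buffer overflow in WebP that the libwebp 1.3.2 update prevents).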
diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index c3947f64c2e..412995da5be 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst @@ -1,6 +1,42 @@ 10.2.0 ------ +Security +======== + +ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To protect against potential DOS attacks when using arbitrary strings as text input, +Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into +:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit, +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. + +This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It +can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``. + +A decompression bomb check has also been added to +:py:meth:`PIL.ImageFont.ImageFont.getmask`. + +ImageFont.getmask: Trim glyph size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To protect against potential DOS attacks when using PIL fonts, +:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that +they do not extend beyond the bitmap image. + +Fix CVE-2023-50447 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +ImageMath.eval: Restricted environment keys. + +.. note:: More information about this vulnerability included in database record :cve:`2023-50447` + +If an attacker has control over the keys passed to the +``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute +arbitrary code. To prevent this, keys matching the names of builtins and keys +containing double underscores will now raise a :py:exc:`ValueError`. + Deprecations ============ 
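Review bot: the underline under `Fix CVE-2023-50447` is roughly three times the length of the heading text, while every other `Fix CVE-…` heading in this hunk uses an underline that matches its title. Sphinx accepts an overlong underline, but trim it to 18 carets; the same overlong underlines appear later in this patch under `Fix CVE-2019-16865` (6.2.0) and `Fix CVE-2020-5312` / `Fix CVE-2020-5313` (6.2.2).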
@@ -63,38 +99,6 @@ JPEG tables-only streamtype When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will output only the quantization and Huffman tables for the image. -Security -======== - -ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To protect against potential DOS attacks when using arbitrary strings as text input, -Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into -:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit, -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. - -This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It -can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``. - -A decompression bomb check has also been added to -:py:meth:`PIL.ImageFont.ImageFont.getmask`. - -ImageFont.getmask: Trim glyph size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To protect against potential DOS attacks when using PIL fonts, -:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that -they do not extend beyond the bitmap image. - -ImageMath.eval: Restricted environment keys -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2023-50447`: If an attacker has control over the keys passed to the -``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute -arbitrary code. To prevent this, keys matching the names of builtins and keys -containing double underscores will now raise a :py:exc:`ValueError`. - Other Changes ============= diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 5d60e116cc1..7d0fcbdf211 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
@@ -1,12 +1,19 @@ - 3.1.1 -===== +----- + +Security +======== + +Fix CVE-2016-0740 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in TiffDecode.c. -CVE-2016-0740 -- Buffer overflow in TiffDecode.c ------------------------------------------------- +.. note:: More information about this vulnerability included in database record :cve:`2016-0740` -Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 -may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`). +Pillow 3.1.0 and earlier when linked against +libtiff >= 4.0.0 on x64 may overflow a buffer when reading a +specially crafted tiff file. Specifically, libtiff >= 4.0.0 changed the return type of ``TIFFScanlineSize`` from ``int32`` to machine dependent @@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault. This issue was found by security researcher FourOne. +Fix CVE-2016-0775 +^^^^^^^^^^^^^^^^^ -CVE-2016-0775 -- Buffer overflow in FliDecode.c ------------------------------------------------ +Buffer overflow in FliDecode.c. -In all versions of Pillow, dating back at least to the last PIL 1.1.7 -release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`). +.. note:: More information about this vulnerability included in database record :cve:`2016-0775` + +In all versions of Pillow, dating back at least to +the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. Around line 192: 
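Review bot: in both 3.1.1 hunks the only substantive text change is dropping the trailing `(:cve:`2016-0740`)` / `(:cve:`2016-0775`)` parenthetical, but the paragraphs `Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 ...` and `In all versions of Pillow, dating back at least to the last PIL 1.1.7 release ...` are also re-wrapped at a narrower width, which turns a one-token deletion into a full-paragraph rewrite in the diff. Keep the original wrap and remove only the parenthetical so the history stays readable.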
@@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault. This issue was found by Alyssa Besseling at Atlassian. -CVE-2016-2533 -- Buffer overflow in PcdDecode.c ------------------------------------------------ +Fix CVE-2016-2533 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in PcdDecode.c. + +.. note:: More information about this vulnerability available in :cve:`2016-2533` -In all versions of Pillow, dating back at least to the last PIL 1.1.7 -release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`). +In all versions of Pillow, dating back at least to the +last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer @@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error. Integer overflow in Resample.c ------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If a large value was passed into the new size for an image, it is possible to overflow an ``int32`` value passed into malloc. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 04325ad868f..c8e24c8c2b3 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst 
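Review bot: the note under `Fix CVE-2016-2533` reads `More information about this vulnerability available in :cve:`2016-2533``, which diverges from the `included in database record` wording used by every other note in this patch. Use the template sentence so all the notes render identically.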
@@ -1,13 +1,19 @@ - 3.1.2 -===== +----- + +Security +======== + +Fix CVE-2016-3076 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in Jpeg2KEncode.c. -CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c --------------------------------------------------- +.. note:: More information about this vulnerability included in database record :cve:`2016-3076` -Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing -large Jpeg2000 files, allowing for code execution or other memory -corruption (:cve:`2016-3076`). +Pillow between 2.5.0 and 3.1.1 may overflow a buffer +when writing large Jpeg2000 files, allowing for code execution or other +memory corruption. This occurs specifically in the function ``j2k_encode_entry``, at the line: diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index 7daac1b1902..cab01cfad54 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -1,6 +1,38 @@ 6.2.0 ----- +Security +======== + +This release catches several buffer overruns and fixes CVE-2019-16865. + +Buffer overruns +^^^^^^^^^^^^^^^ + +In RawDecode.c, an error is now thrown if skip is calculated to be less than +zero. It is intended to skip padding between lines, not to go backwards. + +In PsdImagePlugin, if the combined sizes of the individual parts is larger than +the declared size of the extra data field, then it looked for the next layer by +seeking backwards. This is now corrected by seeking to (the start of the layer ++ the size of the extra data field) instead of (the read parts of the layer + +the rest of the layer). + +Decompression bomb checks have been added to GIF and ICO formats. + +An error is now raised if a TIFF dimension is a string, rather than trying to +perform operations on it. + +Fix CVE-2019-16865 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +DOS attack vulnerabilities. + +.. note:: More information about this vulnerability included in database record :cve:`2019-16865` + +The CVE is regarding DOS problems, such as consuming large +amounts of memory, or taking a large amount of time to process an image. + API Additions ============= 
@@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer`` may change in the future for the "raw" decoder. The change will now take place in Pillow 7.0. -Security -======== - -This release catches several buffer overruns, as well as addressing -:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large -amounts of memory, or taking a large amount of time to process an image. - -In RawDecode.c, an error is now thrown if skip is calculated to be less than -zero. It is intended to skip padding between lines, not to go backwards. - -In PsdImagePlugin, if the combined sizes of the individual parts is larger than -the declared size of the extra data field, then it looked for the next layer by -seeking backwards. This is now corrected by seeking to (the start of the layer -+ the size of the extra data field) instead of (the read parts of the layer + -the rest of the layer). - -Decompression bomb checks have been added to GIF and ICO formats. - -An error is now raised if a TIFF dimension is a string, rather than trying to -perform operations on it. - Other Changes ============= diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 47692a3de6a..96bf0471244 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -4,15 +4,56 @@ Security ======== -This release addresses several security problems. +This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313. -:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large -number of bands, a large amount of resources will be used when trying to process the -image. This is fixed by limiting the number of bands to those usable by Pillow. +Fix CVE-2019-19911 +^^^^^^^^^^^^^^^^^^ -Buffer overruns were found when processing an SGI (:cve:`2020-5311`), -PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added -to prevent this. +DOS attack vulnerability. -:cve:`2020-5310`: Overflow checks have been added when calculating the size of a +.. note:: More information about this vulnerability included in database record :cve:`2019-19911` + +If an FPX image reports that it has a large number of bands, a large amount of +resources will be used when trying to process the image. This is fixed by +limiting the number of bands to those usable by Pillow. + + +Fix CVE-2020-5310 +^^^^^^^^^^^^^^^^^ + +Overflow checks added to TIFF image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5310` + +Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image. + +Fix CVE-2020-5311 +^^^^^^^^^^^^^^^^^ + +Overflow checks added to SGI image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5311` + +Buffer overruns were found when processing an SGI image. Checks +have been added to prevent this. + +Fix CVE-2020-5312 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Overflow checks added to PCX image processing. + +.. 
note:: More information about this vulnerability included in database record :cve:`2020-5312` + +Buffer overruns were found when processing an SGI PCX. Checks have +been added to prevent this. + +Fix CVE-2020-5313 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Overflow checks added to FLI image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5313` + +Buffer overruns were found when processing an FLI image. Checks +have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index 6e231464e93..ac9701cae2f 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -1,6 +1,46 @@ 7.1.0 ----- +Security +======== + +This release includes many security fixes. + +Fix CVE-2020-10177 +^^^^^^^^^^^^^^^^^^ + +Multiple out-of-bounds reads in FLI decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-10177` + +Fix CVE-2020-10378 +^^^^^^^^^^^^^^^^^^ + +Bounds overflow in PCX decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-10378` + +Fix CVE-2020-10379 +^^^^^^^^^^^^^^^^^^ + +Two buffer overflows in TIFF decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-10379` + +Fix CVE-2020-10994 +^^^^^^^^^^^^^^^^^^ + +Bounds overflow in JPEG 2000 decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-10994` + +Fix CVE-2020-11538 +^^^^^^^^^^^^^^^^^^ + +Buffer overflow in SGI-RLE decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-11538` + API Changes =========== 
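Review bot: in the 6.2.2 hunk, the sentence under `Fix CVE-2020-5312` reads `Buffer overruns were found when processing an SGI PCX.`, a copy-paste slip from the SGI entry above it; it should read `when processing a PCX image.` There is also a doubled blank line between the CVE-2019-19911 paragraph and `Fix CVE-2020-5310`.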
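Review bot: in the 7.1.0 hunk, the summaries under `Fix CVE-2020-10379`, `Fix CVE-2020-10994` and `Fix CVE-2020-11538` have no trailing period, while the two entries above them do; add the periods so the five entries match.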
@@ -67,17 +107,6 @@ Passing a different value on Windows or macOS will force taking a snapshot using the selected X server; pass an empty string to use the default X server. XCB support is not included in pre-compiled wheels for Windows and macOS. -Security -======== - -This release includes security fixes. - -* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding -* :cve:`2020-10378` Fix bounds overflow in PCX decoding -* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding -* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding -* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding - Other Changes ============= diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index f7a1cea65da..eb995ebe1ea 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -4,7 +4,14 @@ Security ======== -Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`: +Fix CVE-2020-15999 +^^^^^^^^^^^^^^^^^^ + +Update FreeType version in wheels. + +.. note:: More information about this vulnerability included in database record :cve:`2020-15999` + +Update FreeType used in binary wheels to `2.10.4`_. - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 69726e628b7..141489cb50f 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst 
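Review bot: in the 8.0.1 hunk, changing the colon to a period in `Update FreeType used in binary wheels to `2.10.4`_.` orphans the indented quotation that follows it (`A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6.`), which that colon introduced. Either keep the colon or add a short lead-in sentence before the quoted block.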
@@ -1,6 +1,62 @@ 8.1.0 ----- +Security +======== + +This release includes security fixes. + +* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF +* An out-of-bounds read when saving a GIF of 1px width + +Fix CVE-2020-35653 +^^^^^^^^^^^^^^^^^^ + +Buffer read overrun in PCX decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-35653` + +The PCX image decoder used the reported image stride to calculate +the row buffer, rather than calculating it from the image size. This issue dates back +to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. + +Fix CVE-2020-35654 +^^^^^^^^^^^^^^^^^^ + +TIFF out-of-bounds write error. + +.. note:: More information about this vulnerability included in database record :cve:`2020-35654` + +Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr +files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). +In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode, +leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow +versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through +`Tidelift`_. + +Fix CVE-2020-35655 +^^^^^^^^^^^^^^^^^^ + +SGI Decode buffer overrun + +.. note:: More information about this vulnerability included in database record :cve:`2020-35655` + +4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly +checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's +`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. + +.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs +.. _OSS-Fuzz: https://github.com/google/oss-fuzz + +Dependencies +^^^^^^^^^^^^ + +OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including +security fixes. 
+ +LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including +security fixes discovered by fuzzers. + Deprecations ============ 
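Review bot: the two bullet items without a CVE (`An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF` and `An out-of-bounds read when saving a GIF of 1px width`) now sit directly after `This release includes security fixes.` with no heading of their own, so they read as a preamble to `Fix CVE-2020-35653`; give them a `^^^` subheading of their own, matching the `Dependencies` subsection at the end of this hunk. The summary `SGI Decode buffer overrun` also lacks the trailing period the other two summaries have.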
@@ -33,46 +89,6 @@ With this release, a list of images can be provided to the ``append_images`` par when saving, to replace the scaled down versions. This is the same functionality that already exists for the ICNS format. -Security -======== - -This release includes security fixes. - -* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF -* An out-of-bounds read when saving a GIF of 1px width -* :cve:`2020-35653` Buffer read overrun in PCX decoding - -The PCX image decoder used the reported image stride to calculate the row buffer, -rather than calculating it from the image size. This issue dates back to the PIL fork. -Thanks to Google's `OSS-Fuzz`_ project for finding this. - -* :cve:`2020-35654` Fix TIFF out-of-bounds write error - -Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some -LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases -LibTIFF's interpretation of the file is different when reading in RGBA mode, leading to -an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow versions -from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through -`Tidelift`_. - -* :cve:`2020-35655` Fix for SGI Decode buffer overrun - -4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the -offsets and length tables. Independently reported through `Tidelift`_ and Google's -`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. - -.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs -.. _OSS-Fuzz: https://github.com/google/oss-fuzz - -Dependencies -^^^^^^^^^^^^ - -OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including -security fixes. - -LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including -security fixes discovered by fuzzers. - Other Changes ============= 
diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 18d0a33f1cd..3e084351998 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
@@ -4,20 +4,51 @@ Security ======== -:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient -due to incorrect error checking in ``TiffDecode.c``. +Fix CVE-2021-25289 +^^^^^^^^^^^^^^^^^^ -:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy`` +The previous fix for CVE-2020-35654 was insufficient. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25289` + +The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. + +Fix CVE-2021-25290 +^^^^^^^^^^^^^^^^^^ + +In ``TiffDecode.c`` there is a negative-offset. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25290` + +In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. -:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to +Fix CVE-2021-25291 +^^^^^^^^^^^^^^^^^^ + +``TiffDecode.c`` has invalid tile boundaries. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25291` + +In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. -:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex +Fix CVE-2021-25292 +^^^^^^^^^^^^^^^^^^ + +The PDF parser has a catastrophic backtracking regex. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25292`: + +The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. -:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``, -since Pillow 4.3.0. +Fix CVE-2021-25293 +^^^^^^^^^^^^^^^^^^ + +There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25293` Other Changes 
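Review bot: two slips in this hunk. The note under `Fix CVE-2021-25292` ends with a stray colon after `:cve:`2021-25292``, and the summary under `Fix CVE-2021-25290` is cut short (`In ``TiffDecode.c`` there is a negative-offset.`); the paragraph below it supplies the missing words, so make the summary `Negative-offset ``memcpy`` with an invalid size in ``TiffDecode.c``.` Under `Fix CVE-2021-25289`, the summary and the paragraph both say the previous fix was insufficient; the paragraph can be shortened to the reason (incorrect error checking in `TiffDecode.c`).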
diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index de50a3f1dad..6d4baa2b6f2 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst @@ -4,9 +4,41 @@ Security ======== -There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`), -ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats -where Pillow did not properly check the reported size of the contained image. -These images could cause arbitrarily large memory allocations. This was reported -by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of -`Arizona State University `_. +Fix CVE-2021-27921 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in BLP images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27921` + +There is an exhaustion of memory DOS in BLP +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +Fix CVE-2021-27922 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in ICNS images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27921` + +There is an exhaustion of memory DOS in the ICNS +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +Fix CVE-2021-27923 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in ICO images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27923` + +There is an exhaustion of memory DOS in ICO +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and +Akshay Ajayan of `Arizona State University `_. 
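Review bot: the note under `Fix CVE-2021-27922` points at the wrong record: it reads `:cve:`2021-27921`` (the BLP entry above it) and should be `:cve:`2021-27922``. The three description paragraphs are otherwise identical apart from the format name, so the shared wording about unchecked reported sizes and arbitrarily large allocations could stay as one sentence after the three headings, alongside the reporter credit that is already shared.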
diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index 452077f1a64..7e647841e1d 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst 
@@ -1,6 +1,73 @@ 8.2.0 ----- +Security +======== + +These were all found with `OSS-Fuzz`_. + +Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +OOB read in Jpeg2KDecode + +.. note:: More information about these vulnerabilities included in database records + :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` + +* For J2k images with multiple bands, it's legal to have different widths for each band, + e.g. 1 byte for ``L``, 4 bytes for ``A``. +* This dates to Pillow 2.4.0. + +Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28675` + +* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input + layers with regard to the size of the data block, this could lead to a + denial-of-service on :py:meth:`~PIL.Image.open` prior to + :py:meth:`~PIL.Image.Image.load`. +* This dates to the PIL fork. + +Fix CVE-2021-28676 -- FLI image DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28676` + +* ``FliDecode.c`` did not properly check that the block advance was non-zero, + potentially leading to an infinite loop on load. +* This dates to the PIL fork. + +Fix CVE-2021-28677 -- EPS DOS on _open +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28677` + +* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line + endings. It accidentally used a quadratic method of accumulating lines while looking + for a line ending. +* A malicious EPS file could use this to perform a denial-of-service of Pillow in the + open phase, before an image was accepted for opening. +* This dates to the PIL fork. 
+ +CVE-2021-28678 -- BLP DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28678` + +* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets + returned data. This could lead to a denial-of-service where the decoder could be run a + large number of times on empty data. +* This dates to Pillow 5.1.0. + +Fix memory DOS in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* A corrupt or specially crafted TTF font could have font metrics that lead to + unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check + the image size before allocating memory for it. +* This dates to the PIL fork. + Deprecations ============ 
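Review bot: `Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675` (and the note beneath it) wrongly attaches CVE-2021-28675 to the Jpeg2KDecode OOB read; the removed text lists only 25287 and 25288 there, and 28675 is the PsdImagePlugin denial-of-service that gets its own `Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin` heading a few lines later. Drop 28675 from the first heading and note. Two consistency points: the BLP entry is titled `CVE-2021-28678 -- BLP DOS attack` without the `Fix` prefix its siblings use, and this file keeps a ` -- description` suffix in the headings instead of the `Fix CVE-…` heading plus one-line summary form the rest of the patch adopts.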
@@ -123,61 +190,6 @@ be specified through a keyword argument:: im.save("out.tif", icc_profile=...) - -Security -======== - -These were all found with `OSS-Fuzz`_. - -:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* For J2k images with multiple bands, it's legal to have different widths for each band, - e.g. 1 byte for ``L``, 4 bytes for ``A``. -* This dates to Pillow 2.4.0. - -:cve:`2021-28675`: Fix DOS in PsdImagePlugin -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input - layers with regard to the size of the data block, this could lead to a - denial-of-service on :py:meth:`~PIL.Image.open` prior to - :py:meth:`~PIL.Image.Image.load`. -* This dates to the PIL fork. - -:cve:`2021-28676`: Fix FLI DOS -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``FliDecode.c`` did not properly check that the block advance was non-zero, - potentially leading to an infinite loop on load. -* This dates to the PIL fork. - -:cve:`2021-28677`: Fix EPS DOS on _open -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line - endings. It accidentally used a quadratic method of accumulating lines while looking - for a line ending. -* A malicious EPS file could use this to perform a denial-of-service of Pillow in the - open phase, before an image was accepted for opening. -* This dates to the PIL fork. - -:cve:`2021-28678`: Fix BLP DOS -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets - returned data. This could lead to a denial-of-service where the decoder could be run a - large number of times on empty data. -* This dates to Pillow 5.1.0. 
- -Fix memory DOS in ImageFont -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* A corrupt or specially crafted TTF font could have font metrics that lead to - unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check - the image size before allocating memory for it. -* This dates to the PIL fork. - Other Changes ============= diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index e74880f6f40..b0b016a08f1 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst @@ -1,6 +1,34 @@ 8.3.0 ----- +Security +======== + +Buffer overflow +^^^^^^^^^^^^^^^ + +Fix CVE-2021-34552 +^^^^^^^^^^^^^^^^^^ + +Buffer overflow + +.. note:: More information about this vulnerability included in database record :cve:`2021-34552` + +PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger +buffer overflow in Convert.c. + +Parsing XML +^^^^^^^^^^^ + +Pillow previously parsed XMP data using Python's ``xml`` module. However, this module +is not secure. + +- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve + orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead. +- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It + will now use ``defusedxml`` instead. If the dependency is not present, an empty + dictionary will be returned and a warning raised. + Deprecations ============ 
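Review bot: the standalone "Buffer overflow" heading added directly above "Fix CVE-2021-34552" in 8.3.0.rst has no body of its own; it is followed immediately by the CVE heading whose summary line is the same two words. Drop the empty heading and its caret underline so the section goes straight from "Security" to "Fix CVE-2021-34552"; as written it renders as an empty subsection and shows up as a separate TOC entry.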
@@ -79,28 +107,6 @@ format, through the new ``bitmap_format`` argument:: im.save("out.ico", bitmap_format="bmp") -Security -======== - -Buffer overflow -^^^^^^^^^^^^^^^ - -This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0 -allowed parameters passed into a convert function to trigger buffer overflow in -Convert.c. - -Parsing XML -^^^^^^^^^^^ - -Pillow previously parsed XMP data using Python's ``xml`` module. However, this module -is not secure. - -- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve - orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead. -- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It - will now use ``defusedxml`` instead. If the dependency is not present, an empty - dictionary will be returned and a warning raised. - Other Changes ============= diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 3333d63a1e8..7e2007649f3 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst 
@@ -4,14 +4,25 @@ Security ======== -* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service) - in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising - :py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0. - -* Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` - incorrectly calculated the required read buffer size when copying a chunk, potentially - reading six extra bytes off the end of the allocated buffer from the heap. Present - since Pillow 7.1.0. This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs. +Fix CVE-2021-23437 +^^^^^^^^^^^^^^^^^^ + +Avoid potential ReDoS (regular expression denial of service) + +.. note:: More information about this vulnerability included in database record :cve:`2021-23437` + +Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s +:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is +too long. Present since Pillow 5.2.0. + +Fix 6-byte out-of-bounds (OOB) read +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly +calculated the required read buffer size when copying a chunk, potentially reading six extra +bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0. + +This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs. Other Changes ============= diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 090ec802467..b46932b2423 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
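Review bot: both new entries in the 8.3.2.rst hunk repeat themselves. Under "Fix CVE-2021-23437" the summary line "Avoid potential ReDoS (regular expression denial of service)" is followed, after the note, by a paragraph that opens with the same sentence, and under "Fix 6-byte out-of-bounds (OOB) read" the first body line repeats the heading verbatim. Keep either the summary line or the opening sentence, not both; for the second entry the body can start at "The previous bounds check in ``FliDecode.c`` incorrectly calculated ...".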
@@ -24,6 +24,46 @@ success of Python. Thank you, Fredrik. +Security +======== + +Ensure JpegImagePlugin stops at the end of a truncated file +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that +the last segment of the data will still be processed by the decoder. + +If the EOF marker is not detected as such however, this could lead to an infinite +loop where ``JpegImagePlugin`` keeps trying to end the file. + +Remove consecutive duplicate tiles that only differ by their offset +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To prevent attempts to slow down loading times for images, if an image has consecutive +duplicate tiles that only differ by their offset, only load the last tile. Credit to +Google's `OSS-Fuzz`_ project for finding this issue. + +Fix CVE-2022-22817 +^^^^^^^^^^^^^^^^^^ + +Restrict builtins available to ImageMath.eval + +.. note:: More information about this vulnerability included in database record :cve:`2022-22817` + +To limit :py:class:`PIL.ImageMath` to working with images, Pillow +will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will +help prevent problems arising if users evaluate arbitrary expressions, such as +``ImageMath.eval("exec(exit())")``. + +Fix CVE-2022-22817 -- ImagePath.Path array handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2022-22815` + +(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``. + +.. _OSS-Fuzz: https://github.com/google/oss-fuzz + Backwards Incompatible Changes ============================== 
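Review bot: wrong CVE in the new heading "Fix CVE-2022-22817 -- ImagePath.Path array handling" in 9.0.0.rst. The note beneath it points at :cve:`2022-22815`, the body names :cve:`2022-22816`, and CVE-2022-22817 is already the ImageMath.eval entry directly above, so the file now has two "Fix CVE-2022-22817" headings. Suggest "Fix CVE-2022-22815, CVE-2022-22816" (the comma-separated form used for multi-CVE entries elsewhere in this series) with a note that lists both records, and restore the body sentence, which now begins with the fragment "(:cwe:`126`) and ...", to ":cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``." as in the removed text.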
@@ -97,41 +137,6 @@ Support has been added for the "title" argument in argument will also now be supported, e.g. ``im.show(title="My Image")`` and ``ImageShow.show(im, title="My Image")``. -Security -======== - -Ensure JpegImagePlugin stops at the end of a truncated file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that -the last segment of the data will still be processed by the decoder. - -If the EOF marker is not detected as such however, this could lead to an infinite -loop where ``JpegImagePlugin`` keeps trying to end the file. - -Remove consecutive duplicate tiles that only differ by their offset -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To prevent attempts to slow down loading times for images, if an image has consecutive -duplicate tiles that only differ by their offset, only load the last tile. Credit to -Google's `OSS-Fuzz`_ project for finding this issue. - -Restrict builtins available to ImageMath.eval -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow -will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will -help prevent problems arising if users evaluate arbitrary expressions, such as -``ImageMath.eval("exec(exit())")``. - -Fixed ImagePath.Path array handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were -found when initializing ``ImagePath.Path``. - -.. _OSS-Fuzz: https://github.com/google/oss-fuzz - Other Changes ============= diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index acb92dc4151..b8003e88642 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
@@ -6,12 +6,26 @@ Security This release addresses several security problems. -:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS +Fix CVE-2022-24303 +^^^^^^^^^^^^^^^^^^ + +Temp image removal + +.. note:: More information about this vulnerability included in database record :cve:`2022-24303` + +If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This has been present since PIL. -:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to +Fix CVE-2022-24303 +^^^^^^^^^^^^^^^^^^ + +Restrict lambda expressions + +.. note:: More information about this vulnerability included in database record :cve:`2022-22817` + +While Pillow 9.0 restricted top-level builtins available to :py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda expressions. These are now also restricted. diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index bab70f8f984..4ae596f3e28 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -6,7 +6,14 @@ Security This release addresses several security problems. -:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines, +Fix CVE-2022-30595 +^^^^^^^^^^^^^^^^^^ + +Heap buffer overflow + +.. note:: More information about this vulnerability included in database record :cve:`2022-30595` + +When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index e86f8082b48..e1ebd650966 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst 
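Review bot: duplicated heading in the 9.0.1.rst hunk. The second entry is also titled "Fix CVE-2022-24303", but its note cites :cve:`2022-22817` and its body is the ImageMath.eval lambda-builtins restriction, so it should read "Fix CVE-2022-22817". With two identical titles the file's TOC cannot distinguish the entries, and a reader looking for the ImageMath follow-up fix will not find it under the temp-file CVE.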
@@ -69,4 +69,5 @@ expected to be backported to earlier versions. 3.0.0 2.8.0 2.7.0 + 2.3.1 versioning diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 440d04b1cc4..08dbead7f7a 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -1,6 +1,21 @@ xx.y.z ------ +Security +======== + +TODO +^^^^ + +TODO + +Fix CVE-YYYY-XXXXX -- TODO +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` + +TODO + Backwards Incompatible Changes ============================== @@ -31,14 +46,6 @@ TODO TODO -Security -======== - -TODO -^^^^ - -TODO - Other Changes ============= From 231e7384d00be2f39d6d9671685ced68277ef4d0 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 14:40:00 -0400 Subject: [PATCH 02/33] Clean up for #7864 --- docs/releasenotes/10.0.0.rst | 4 ++-- docs/releasenotes/10.0.1.rst | 2 -- docs/releasenotes/10.2.0.rst | 4 ++-- docs/releasenotes/3.1.1.rst | 12 ++++++------ docs/releasenotes/3.1.2.rst | 4 ++-- docs/releasenotes/6.2.0.rst | 2 -- docs/releasenotes/6.2.2.rst | 26 +++++++------------------- docs/releasenotes/7.1.0.rst | 20 ++++++++++---------- docs/releasenotes/8.0.1.rst | 4 +--- docs/releasenotes/8.1.0.rst | 12 ++++++------ docs/releasenotes/8.1.1.rst | 20 ++++---------------- docs/releasenotes/8.1.2.rst | 23 ++++++----------------- docs/releasenotes/8.2.0.rst | 4 ++-- docs/releasenotes/8.3.0.rst | 4 ++-- docs/releasenotes/8.3.2.rst | 4 ++-- docs/releasenotes/9.0.0.rst | 4 ++-- docs/releasenotes/9.0.1.rst | 4 ++-- docs/releasenotes/9.1.1.rst | 4 ++-- docs/releasenotes/template.rst | 4 ++-- 19 files changed, 60 insertions(+), 101 deletions(-) diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 4be590edf8c..25e73bff627 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst 
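Review bot: the new "2.3.1" toctree entry in index.rst has no matching docs/releasenotes/2.3.1.rst in this patch's file list. Unless that file already exists in the tree, Sphinx will warn that the toctree references a nonexisting document and omit the entry from the rendered index. Either add the file in this patch or leave the entry to the commit that introduces it.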
@@ -17,10 +17,10 @@ been processed before Pillow started checking for decompression bombs. Fix CVE-2023-44271 ^^^^^^^^^^^^^^^^^^ -Added ImageFont.MAX_STRING_LENGTH. - .. note:: More information about this vulnerability included in database record :cve:`2023-44271` +Added ImageFont.MAX_STRING_LENGTH. + To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into ImageFont methods is over a certain limit, diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index 0b75d2efaef..ab0f98123da 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -7,8 +7,6 @@ Security Fix CVE-2023-4863 ^^^^^^^^^^^^^^^^^ -Updated install script and wheels with libwebp 1.3.2 - .. note:: More information about this vulnerability included in database record :cve:`2023-4863` This release provides an updated install script and updated wheels to diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 412995da5be..38a31ebf4a1 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst @@ -28,10 +28,10 @@ they do not extend beyond the bitmap image. Fix CVE-2023-50447 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -ImageMath.eval: Restricted environment keys. - .. note:: More information about this vulnerability included in database record :cve:`2023-50447` +ImageMath.eval: Restricted environment keys. + If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute arbitrary code. To prevent this, keys matching the names of builtins and keys diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 7d0fcbdf211..153c12ab030 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
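Review bot: the 10.2.0.rst hunk leaves "Fix CVE-2023-50447" with a 65-caret underline under an 18-character title. docutils accepts an overlong underline, but every other entry in this series matches the underline to the title; since the hunk is already editing the lines directly below, trim it here. Separately, the 10.0.1.rst hunk deletes its summary line ("Updated install script and wheels with libwebp 1.3.2") outright while the 10.0.0 and 10.2.0 hunks move theirs below the note; pick one rule for summaries and apply it across the series.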
@@ -7,10 +7,10 @@ Security Fix CVE-2016-0740 ^^^^^^^^^^^^^^^^^ -Buffer overflow in TiffDecode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-0740` +Buffer overflow in TiffDecode.c. + Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file. @@ -29,10 +29,10 @@ This issue was found by security researcher FourOne. Fix CVE-2016-0775 ^^^^^^^^^^^^^^^^^ -Buffer overflow in FliDecode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-0775` +Buffer overflow in FliDecode.c. + In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. @@ -62,10 +62,10 @@ This issue was found by Alyssa Besseling at Atlassian. Fix CVE-2016-2533 ^^^^^^^^^^^^^^^^^ -Buffer overflow in PcdDecode.c. - .. note:: More information about this vulnerability available in :cve:`2016-2533` +Buffer overflow in PcdDecode.c. + In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index c8e24c8c2b3..fff93b8e4eb 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst @@ -7,10 +7,10 @@ Security Fix CVE-2016-3076 ^^^^^^^^^^^^^^^^^ -Buffer overflow in Jpeg2KEncode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-3076` +Buffer overflow in Jpeg2KEncode.c. + Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other memory corruption. diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index cab01cfad54..6dd65be9d11 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -26,8 +26,6 @@ perform operations on it. Fix CVE-2019-16865 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -DOS attack vulnerabilities. - .. note:: More information about this vulnerability included in database record :cve:`2019-16865` The CVE is regarding DOS problems, such as consuming large diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 96bf0471244..704ea6876be 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
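Review bot: the 6.2.0.rst hunk deletes the "DOS attack vulnerabilities." summary instead of moving it below the note, as the 3.1.1, 3.1.2 and 10.x hunks in this same patch do. Deleting is defensible here because the next sentence ("The CVE is regarding DOS problems ...") already says it, but the 6.2.2 hunk that follows drops four of its five summaries and keeps one, so the result is inconsistent. While touching this entry, also shorten the 52-caret underline under the 18-character "Fix CVE-2019-16865" title.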
@@ -9,51 +9,39 @@ This release fixes several buffer overruns and DOS attacks reported in CVE-2019- Fix CVE-2019-19911 ^^^^^^^^^^^^^^^^^^ -DOS attack vulnerability. - .. note:: More information about this vulnerability included in database record :cve:`2019-19911` +DOS attack vulnerability. + If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. - Fix CVE-2020-5310 ^^^^^^^^^^^^^^^^^ -Overflow checks added to TIFF image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5310` -Overflow checks have been added when calculating the size of a -memory block to be reallocated in the processing of a TIFF image. +Overflow checks have been added when calculating the size of a memory block to be reallocated +in the processing of a TIFF image. Fix CVE-2020-5311 ^^^^^^^^^^^^^^^^^ -Overflow checks added to SGI image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5311` -Buffer overruns were found when processing an SGI image. Checks -have been added to prevent this. +Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. Fix CVE-2020-5312 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Overflow checks added to PCX image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5312` -Buffer overruns were found when processing an SGI PCX. Checks have -been added to prevent this. +Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this. Fix CVE-2020-5313 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Overflow checks added to FLI image processing. - .. 
note:: More information about this vulnerability included in database record :cve:`2020-5313` -Buffer overruns were found when processing an FLI image. Checks -have been added to prevent this. +Buffer overruns were found when processing an FLI image. Checks have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index ac9701cae2f..da6595d5ba7 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -9,38 +9,38 @@ This release includes many security fixes. Fix CVE-2020-10177 ^^^^^^^^^^^^^^^^^^ -Multiple out-of-bounds reads in FLI decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-10177` +Multiple out-of-bounds reads in FLI decoding. + Fix CVE-2020-10378 ^^^^^^^^^^^^^^^^^^ -Bounds overflow in PCX decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-10378` +Bounds overflow in PCX decoding. + Fix CVE-2020-10379 ^^^^^^^^^^^^^^^^^^ -Two buffer overflows in TIFF decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-10379` +Two buffer overflows in TIFF decoding. + Fix CVE-2020-10994 ^^^^^^^^^^^^^^^^^^ -Bounds overflow in JPEG 2000 decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-10994` +Bounds overflow in JPEG 2000 decoding. + Fix CVE-2020-11538 ^^^^^^^^^^^^^^^^^^ -Buffer overflow in SGI-RLE decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-11538` +Buffer overflow in SGI-RLE decoding. + API Changes =========== diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index eb995ebe1ea..54ce4085384 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst 
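Review bot: the reflowed line "Buffer overruns were found when processing an SGI PCX." under "Fix CVE-2020-5312" in 6.2.2.rst keeps a pre-existing slip: that entry is about PCX, and "an SGI PCX" should read "a PCX image", mirroring the SGI and FLI sentences beside it. Since the hunk rewrites the line anyway, fix it in the same change. The reflow also pushes these sentences to roughly 95 columns while the rest of the file wraps at 80; the original two-line wrapping was fine.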
@@ -7,11 +7,9 @@ Security Fix CVE-2020-15999 ^^^^^^^^^^^^^^^^^^ -Update FreeType version in wheels. - .. note:: More information about this vulnerability included in database record :cve:`2020-15999` -Update FreeType used in binary wheels to `2.10.4`_. +Update FreeType in wheels to `2.10.4`_. - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 141489cb50f..0fbf6ffe3cf 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst @@ -12,10 +12,10 @@ This release includes security fixes. Fix CVE-2020-35653 ^^^^^^^^^^^^^^^^^^ -Buffer read overrun in PCX decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-35653` +Buffer read overrun in PCX decoding. + The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. @@ -23,10 +23,10 @@ to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. Fix CVE-2020-35654 ^^^^^^^^^^^^^^^^^^ -TIFF out-of-bounds write error. - .. note:: More information about this vulnerability included in database record :cve:`2020-35654` +TIFF out-of-bounds write error. + Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode, 
@@ -37,10 +37,10 @@ versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was repo Fix CVE-2020-35655 ^^^^^^^^^^^^^^^^^^ -SGI Decode buffer overrun - .. note:: More information about this vulnerability included in database record :cve:`2020-35655` +SGI Decode buffer overrun. + 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's `OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 3e084351998..7f871bac1c1 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst @@ -7,8 +7,6 @@ Security Fix CVE-2021-25289 ^^^^^^^^^^^^^^^^^^ -The previous fix for CVE-2020-35654 was insufficient. - .. note:: More information about this vulnerability included in database record :cve:`2021-25289` The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. 
@@ -16,40 +14,30 @@ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error c Fix CVE-2021-25290 ^^^^^^^^^^^^^^^^^^ -In ``TiffDecode.c`` there is a negative-offset. - .. note:: More information about this vulnerability included in database record :cve:`2021-25290` -In ``TiffDecode.c``, there is a negative-offset ``memcpy`` -with an invalid size. +In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. Fix CVE-2021-25291 ^^^^^^^^^^^^^^^^^^ -``TiffDecode.c`` has invalid tile boundaries. - .. note:: More information about this vulnerability included in database record :cve:`2021-25291` -In ``TiffDecode.c``, invalid tile boundaries could lead to -an out-of-bounds read in ``TIFFReadRGBATile``. +In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. Fix CVE-2021-25292 ^^^^^^^^^^^^^^^^^^ -The PDF parser has a catastrophic backtracking regex. - .. note:: More information about this vulnerability included in database record :cve:`2021-25292`: -The PDF parser has a catastrophic backtracking regex -that could be used as a DOS attack. +The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. Fix CVE-2021-25293 ^^^^^^^^^^^^^^^^^^ -There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. - .. note:: More information about this vulnerability included in database record :cve:`2021-25293` +There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. Other Changes ============= diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index 6d4baa2b6f2..af60a862e93 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst 
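Review bot: the note under "Fix CVE-2021-25292" in 8.1.1.rst ends with a stray colon after the role (":cve:`2021-25292`:"). It is a context line here, but the hunk rewrites the sentence right beneath it, so drop the colon in the same change. The reflowed lines in this hunk (the ``TIFFReadRGBATile`` sentence runs past 100 columns) also exceed the 80-column wrapping the file uses elsewhere.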
@@ -7,38 +7,27 @@ Security Fix CVE-2021-27921 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in BLP images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27921` -There is an exhaustion of memory DOS in BLP -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory +There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the +reported size of the contained image. These images could cause arbitrarily large memory allocations. Fix CVE-2021-27922 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in ICNS images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27921` -There is an exhaustion of memory DOS in the ICNS -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory -allocations. +There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the +reported size of the contained image. These images could cause arbitrarily large memory allocations. Fix CVE-2021-27923 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in ICO images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27923` -There is an exhaustion of memory DOS in ICO -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory -allocations. +There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported +size of the contained image. These images could cause arbitrarily large memory allocations. These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and Akshay Ajayan of `Arizona State University `_. diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index 7e647841e1d..ea2d7b857cc 100644 
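Review bot: the reflowed CVE-2021-27921 paragraph in 8.1.2.rst introduces a stray period: "There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check" should read "... in BLP images where Pillow did not properly check ...", as the ICNS and ICO paragraphs in the same hunk do. Also, the note under "Fix CVE-2021-27922" still cites :cve:`2021-27921`; it should cite :cve:`2021-27922`.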
--- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst @@ -9,11 +9,11 @@ These were all found with `OSS-Fuzz`_. Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -OOB read in Jpeg2KDecode - .. note:: More information about these vulnerabilities included in database records :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` +OOB read in Jpeg2KDecode + * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. * This dates to Pillow 2.4.0. diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index b0b016a08f1..e5f8e7996cf 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst @@ -10,10 +10,10 @@ Buffer overflow Fix CVE-2021-34552 ^^^^^^^^^^^^^^^^^^ -Buffer overflow - .. note:: More information about this vulnerability included in database record :cve:`2021-34552` +Buffer overflow + PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 7e2007649f3..3a2295e6a85 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -7,10 +7,10 @@ Security Fix CVE-2021-23437 ^^^^^^^^^^^^^^^^^^ -Avoid potential ReDoS (regular expression denial of service) - .. note:: More information about this vulnerability included in database record :cve:`2021-23437` +Avoid potential ReDoS (regular expression denial of service) + Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0. diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index b46932b2423..2f74f3d7038 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
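Review bot: CVE-2021-28675 is misfiled in 8.2.0.rst. The heading "Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675", the note that lists all three records and the "OOB read in Jpeg2KDecode" line put it under the Jpeg2K out-of-bounds read, but the text this series removed from the same file described :cve:`2021-28675` as the PsdImagePlugin denial-of-service (layer count not sanity-checked against the data block size), a different bug with a different "dates to" line. Give it back its own "Fix CVE-2021-28675" entry with the PSD description and keep only 25287 and 25288 on the Jpeg2K entry.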
@@ -46,10 +46,10 @@ Google's `OSS-Fuzz`_ project for finding this issue. Fix CVE-2022-22817 ^^^^^^^^^^^^^^^^^^ -Restrict builtins available to ImageMath.eval - .. note:: More information about this vulnerability included in database record :cve:`2022-22817` +Restrict builtins available to ImageMath.eval. + To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems arising if users evaluate arbitrary expressions, such as diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index b8003e88642..392cf68af84 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst @@ -9,10 +9,10 @@ This release addresses several security problems. Fix CVE-2022-24303 ^^^^^^^^^^^^^^^^^^ -Temp image removal - .. note:: More information about this vulnerability included in database record :cve:`2022-24303` +Temp image removal. + If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index 4ae596f3e28..85a1653cccf 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -9,10 +9,10 @@ This release addresses several security problems. Fix CVE-2022-30595 ^^^^^^^^^^^^^^^^^^ -Heap buffer overflow - .. note:: More information about this vulnerability included in database record :cve:`2022-30595` +Heap buffer overflow. + When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 08dbead7f7a..3a89ca55e6c 100644 --- a/docs/releasenotes/template.rst 
+++ b/docs/releasenotes/template.rst @@ -9,8 +9,8 @@ TODO TODO -Fix CVE-YYYY-XXXXX -- TODO -^^^^^^^^^^^^^^^^^^^^^^^^^^ +Fix CVE-YYYY-XXXXX +^^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` From 95b31380241412166ee7668268f5944f69edd7d8 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 14:52:53 -0400 Subject: [PATCH 03/33] Clean up for #7864 --- docs/releasenotes/10.0.0.rst | 3 ++- docs/releasenotes/10.2.0.rst | 3 ++- docs/releasenotes/3.1.1.rst | 9 ++++++--- docs/releasenotes/3.1.2.rst | 3 ++- docs/releasenotes/6.2.2.rst | 3 ++- docs/releasenotes/8.0.1.rst | 9 +++++---- docs/releasenotes/8.1.0.rst | 9 ++++++--- docs/releasenotes/8.2.0.rst | 1 + docs/releasenotes/8.3.0.rst | 1 + docs/releasenotes/8.3.2.rst | 1 + docs/releasenotes/9.0.0.rst | 3 ++- docs/releasenotes/9.0.1.rst | 8 +++++--- docs/releasenotes/9.1.1.rst | 3 ++- docs/releasenotes/template.rst | 3 +++ 14 files changed, 40 insertions(+), 19 deletions(-) diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 25e73bff627..7d7a22afaa7 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst @@ -19,7 +19,8 @@ Fix CVE-2023-44271 .. note:: More information about this vulnerability included in database record :cve:`2023-44271` -Added ImageFont.MAX_STRING_LENGTH. +Added ImageFont.MAX_STRING_LENGTH ++++++++++++++++++++++++++++++++++ To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 38a31ebf4a1..5432343c772 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst 
@@ -30,7 +30,8 @@ Fix CVE-2023-50447 .. note:: More information about this vulnerability included in database record :cve:`2023-50447` -ImageMath.eval: Restricted environment keys. +ImageMath.eval: Restricted environment keys ++++++++++++++++++++++++++++++++++++++++++++ If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 153c12ab030..49427609e5c 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -9,7 +9,8 @@ Fix CVE-2016-0740 .. note:: More information about this vulnerability included in database record :cve:`2016-0740` -Buffer overflow in TiffDecode.c. +Buffer overflow in TiffDecode.c ++++++++++++++++++++++++++++++++ Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a @@ -31,7 +32,8 @@ Fix CVE-2016-0775 .. note:: More information about this vulnerability included in database record :cve:`2016-0775` -Buffer overflow in FliDecode.c. +Buffer overflow in FliDecode.c +++++++++++++++++++++++++++++++ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. @@ -64,7 +66,8 @@ Fix CVE-2016-2533 .. note:: More information about this vulnerability available in :cve:`2016-2533` -Buffer overflow in PcdDecode.c. +Buffer overflow in PcdDecode.c +++++++++++++++++++++++++++++++ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index fff93b8e4eb..5bf66650c4a 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst 
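Review bot: the note under "Fix CVE-2016-2533" in 3.1.1.rst still reads "More information about this vulnerability available in :cve:`2016-2533`", while every other note in this series, including the two entries above it in the same file, reads "included in database record". The hunk is touching the lines directly beneath it, so align the wording here.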
@@ -9,7 +9,8 @@ Fix CVE-2016-3076 .. note:: More information about this vulnerability included in database record :cve:`2016-3076` -Buffer overflow in Jpeg2KEncode.c. +Buffer overflow in Jpeg2KEncode.c ++++++++++++++++++++++++++++++++++ Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 704ea6876be..6f0d468db7d 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst @@ -11,7 +11,8 @@ Fix CVE-2019-19911 .. note:: More information about this vulnerability included in database record :cve:`2019-19911` -DOS attack vulnerability. +DOS attack vulnerability +++++++++++++++++++++++++ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index 54ce4085384..263917922c4 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -9,12 +9,13 @@ Fix CVE-2020-15999 .. note:: More information about this vulnerability included in database record :cve:`2020-15999` -Update FreeType in wheels to `2.10.4`_. +Update FreeType in wheels to `2.10.4`_ +++++++++++++++++++++++++++++++++++++++ - - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, - introduced in FreeType version 2.6. +* A heap buffer overflow has been found in the handling of embedded PNG bitmaps, + introduced in FreeType version 2.6. - If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately. +* If you use option ``FT_CONFIG_OPTION_USE_PNG`` you should upgrade immediately. We strongly recommend updating to Pillow 8.0.1 if you are using Pillow 8.0.0, which improved support for bitmap fonts. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 0fbf6ffe3cf..b5425946778 100644 
--- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst @@ -14,7 +14,8 @@ Fix CVE-2020-35653 .. note:: More information about this vulnerability included in database record :cve:`2020-35653` -Buffer read overrun in PCX decoding. +Buffer read overrun in PCX decoding ++++++++++++++++++++++++++++++++++++ The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back @@ -25,7 +26,8 @@ Fix CVE-2020-35654 .. note:: More information about this vulnerability included in database record :cve:`2020-35654` -TIFF out-of-bounds write error. +TIFF out-of-bounds write error +++++++++++++++++++++++++++++++ Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). @@ -39,7 +41,8 @@ Fix CVE-2020-35655 .. note:: More information about this vulnerability included in database record :cve:`2020-35655` -SGI Decode buffer overrun. +SGI Decode buffer overrun ++++++++++++++++++++++++++ 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index ea2d7b857cc..d60be7c018a 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst @@ -13,6 +13,7 @@ Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` OOB read in Jpeg2KDecode +++++++++++++++++++++++++ * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index e5f8e7996cf..e18dc48b23c 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst 
@@ -13,6 +13,7 @@ Fix CVE-2021-34552 .. note:: More information about this vulnerability included in database record :cve:`2021-34552` Buffer overflow ++++++++++++++++ PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 3a2295e6a85..6e393b94d99 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -10,6 +10,7 @@ Fix CVE-2021-23437 .. note:: More information about this vulnerability included in database record :cve:`2021-23437` Avoid potential ReDoS (regular expression denial of service) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 2f74f3d7038..130db9ebf66 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst @@ -48,7 +48,8 @@ Fix CVE-2022-22817 .. note:: More information about this vulnerability included in database record :cve:`2022-22817` -Restrict builtins available to ImageMath.eval. +Restrict builtins available to ImageMath.eval ++++++++++++++++++++++++++++++++++++++++++++++ To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index 392cf68af84..9501e1eabf0 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
@@ -11,7 +11,8 @@ Fix CVE-2022-24303 .. note:: More information about this vulnerability included in database record :cve:`2022-24303` -Temp image removal. +Temp image removal +++++++++++++++++++ If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after @@ -21,10 +22,11 @@ has been present since PIL. Fix CVE-2022-24303 ^^^^^^^^^^^^^^^^^^ -Restrict lambda expressions - .. note:: More information about this vulnerability included in database record :cve:`2022-22817` +Restrict lambda expressions ++++++++++++++++++++++++++++ + While Pillow 9.0 restricted top-level builtins available to :py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda expressions. These are now also restricted. diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index 85a1653cccf..3dd070d904a 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -11,7 +11,8 @@ Fix CVE-2022-30595 .. note:: More information about this vulnerability included in database record :cve:`2022-30595` -Heap buffer overflow. +Heap buffer overflow +++++++++++++++++++++ When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 3a89ca55e6c..a602f3bbf42 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -14,6 +14,9 @@ Fix CVE-YYYY-XXXXX .. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` +TODO +++++ + TODO Backwards Incompatible Changes From 2b8dfaac7c28d0a15b840807e603b316e88ebed9 Mon Sep 17 00:00:00 2001 
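Review bot: the second hunk in 9.0.1.rst (@@ -21,10 +22,11 @@) leaves a heading/identifier mismatch: the heading reads "Fix CVE-2022-24303" while the note directly beneath it cites :cve:`2022-22817`, and the file already carries a "Fix CVE-2022-24303" heading for the temp-image removal above. The "Restrict lambda expressions" section continues the 9.0.0 work on builtins available to ImageMath.eval, which the 9.0.0.rst hunk files under CVE-2022-22817, so this heading should read "Fix CVE-2022-22817" rather than duplicating the one above; the same mismatch is still visible in the 9.0.1.rst hunk of patch 13.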
From: Alex Clark Date: Wed, 13 Mar 2024 15:11:23 -0400 Subject: [PATCH 04/33] Retro-add release notes for 2.3.1 for #7864 --- docs/releasenotes/2.3.1.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 docs/releasenotes/2.3.1.rst diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst new file mode 100644 index 00000000000..ab5a05d5d92 --- /dev/null +++ b/docs/releasenotes/2.3.1.rst @@ -0,0 +1,12 @@ +2.3.1 +----- + +Security +======== + +Fix CVE-2014-1932, CVE-2014-1933 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about these vulnerabilities included in database records :cve:`CVE-2014-1932`, :cve:`CVE-2014-1933` + +Fix insecure use of tempfile.mktemp as reported in `Debian bug #737059 `_. From 20d451b35965b4b27154920dd9a62187547cf93f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 19:14:02 +0000 Subject: [PATCH 05/33] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/releasenotes/3.1.1.rst | 6 +++--- docs/releasenotes/3.1.2.rst | 2 +- docs/releasenotes/8.0.1.rst | 2 +- docs/releasenotes/8.1.1.rst | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 49427609e5c..d02f68aa350 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -14,7 +14,7 @@ Buffer overflow in TiffDecode.c Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a -specially crafted tiff file. +specially crafted tiff file. Specifically, libtiff >= 4.0.0 changed the return type of ``TIFFScanlineSize`` from ``int32`` to machine dependent 
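Review bot: the note line in the new 2.3.1.rst passes :cve:`CVE-2014-1932` and :cve:`CVE-2014-1933` to the role, while every other release note and the template use the bare year-number form (:cve:`2016-0740`, :cve:`YYYY-XXXXX`); keeping the "CVE-" prefix inside the role is inconsistent and will most likely double the prefix in the rendered link text. Use ":cve:`2014-1932`, :cve:`2014-1933`" and, for consistency with the other notes, mark the function as :py:func:`tempfile.mktemp`.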
@@ -36,7 +36,7 @@ Buffer overflow in FliDecode.c ++++++++++++++++++++++++++++++ In all versions of Pillow, dating back at least to -the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. +the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. Around line 192: @@ -70,7 +70,7 @@ Buffer overflow in PcdDecode.c ++++++++++++++++++++++++++++++ In all versions of Pillow, dating back at least to the -last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. +last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 5bf66650c4a..289430a714d 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst @@ -14,7 +14,7 @@ Buffer overflow in Jpeg2KEncode.c Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other -memory corruption. +memory corruption. This occurs specifically in the function ``j2k_encode_entry``, at the line: diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index 263917922c4..c3909ac863f 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -9,7 +9,7 @@ Fix CVE-2020-15999 .. note:: More information about this vulnerability included in database record :cve:`2020-15999` -Update FreeType in wheels to `2.10.4`_ +Update FreeType in wheels to `2.10.4`_ ++++++++++++++++++++++++++++++++++++++ * A heap buffer overflow has been found in the handling of embedded PNG bitmaps, diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 7f871bac1c1..7b56b838ee7 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
@@ -4,7 +4,7 @@ Security ======== -Fix CVE-2021-25289 +Fix CVE-2021-25289 ^^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`2021-25289` From a200d716e8425fb1b5a609e9fa194d37d0695261 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:33:53 -0400 Subject: [PATCH 06/33] Update docs/releasenotes/2.3.1.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/2.3.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index ab5a05d5d92..6bf65f5c7b3 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst @@ -7,6 +7,6 @@ Security Fix CVE-2014-1932, CVE-2014-1933 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about these vulnerabilities included in database records :cve:`CVE-2014-1932`, :cve:`CVE-2014-1933` +.. note:: More information about these vulnerabilities included in database records :cve:`2014-1932`, :cve:`2014-1933` Fix insecure use of tempfile.mktemp as reported in `Debian bug #737059 `_. From 914db6c230541e672ebbfd938d231cfa2ab21226 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:34:04 -0400 Subject: [PATCH 07/33] Update docs/releasenotes/2.3.1.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/2.3.1.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index 6bf65f5c7b3..cad00aa4103 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -9,4 +9,5 @@ Fix CVE-2014-1932, CVE-2014-1933 .. note:: More information about these vulnerabilities included in database records :cve:`2014-1932`, :cve:`2014-1933` -Fix insecure use of tempfile.mktemp as reported in `Debian bug #737059 `_. +Fix insecure use of :py:func:`tempfile.mktemp` as reported in +`Debian bug #737059 `_. From a78fbfed37d5ede66c5b09d7b845a47768153314 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:34:19 -0400 Subject: [PATCH 08/33] Update docs/releasenotes/6.2.2.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/6.2.2.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 6f0d468db7d..34d8d97bacb 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst @@ -34,14 +34,14 @@ Fix CVE-2020-5311 Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. Fix CVE-2020-5312 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`2020-5312` Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this. Fix CVE-2020-5313 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`2020-5313` From deca2dd5fc08bd65d8e6396874ce185d10f592a9 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:34:29 -0400 Subject: [PATCH 09/33] Update docs/releasenotes/6.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/6.2.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index 6dd65be9d11..ea1f310d7fd 100644 
--- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst @@ -24,7 +24,7 @@ An error is now raised if a TIFF dimension is a string, rather than trying to perform operations on it. Fix CVE-2019-16865 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`2019-16865` From 1f117339bd44626eba2faa409fca34dc4c43d50f Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:34:36 -0400 Subject: [PATCH 10/33] Update docs/releasenotes/10.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/10.2.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 5432343c772..bec558ec9a1 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst @@ -26,7 +26,7 @@ To protect against potential DOS attacks when using PIL fonts, they do not extend beyond the bitmap image. Fix CVE-2023-50447 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`2023-50447` From f77273db8fb0a1dc4b44cf9c188ff8e6f0552c7b Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark (Alex)" Date: Wed, 13 Mar 2024 15:44:15 -0400 Subject: [PATCH 11/33] Update docs/releasenotes/10.0.0.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ondrej Baranovič --- docs/releasenotes/10.0.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 7d7a22afaa7..993ec4d5d02 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst 
@@ -20,7 +20,7 @@ Fix CVE-2023-44271 .. note:: More information about this vulnerability included in database record :cve:`2023-44271` Added ImageFont.MAX_STRING_LENGTH -+++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters From 92f088919f447913484f6c2b57acbd0ce8e668dc Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 15:45:19 -0400 Subject: [PATCH 12/33] Fix template based on 29a361d60ead196695523212dbb08a3ec4ca4b0d --- docs/releasenotes/template.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index a602f3bbf42..65671808185 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -15,7 +15,7 @@ Fix CVE-YYYY-XXXXX .. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` TODO -++++ +~~~~ TODO From f61e184ab059a87109eec9d0455ec83af3497d7c Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 15:50:58 -0400 Subject: [PATCH 13/33] Fix based on 29a361d60ead196695523212dbb08a3ec4ca4b0d --- docs/releasenotes/10.2.0.rst | 2 +- docs/releasenotes/3.1.1.rst | 6 +++--- docs/releasenotes/3.1.2.rst | 2 +- docs/releasenotes/6.2.2.rst | 2 +- docs/releasenotes/8.0.1.rst | 2 +- docs/releasenotes/8.1.0.rst | 6 +++--- docs/releasenotes/8.2.0.rst | 2 +- docs/releasenotes/8.3.0.rst | 2 +- docs/releasenotes/8.3.2.rst | 2 +- docs/releasenotes/9.0.0.rst | 2 +- docs/releasenotes/9.0.1.rst | 4 ++-- docs/releasenotes/9.1.1.rst | 2 +- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index bec558ec9a1..63cbe8806cd 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst 
@@ -31,7 +31,7 @@ Fix CVE-2023-50447 .. note:: More information about this vulnerability included in database record :cve:`2023-50447` ImageMath.eval: Restricted environment keys -+++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index d02f68aa350..7f66ac344b9 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -10,7 +10,7 @@ Fix CVE-2016-0740 .. note:: More information about this vulnerability included in database record :cve:`2016-0740` Buffer overflow in TiffDecode.c -+++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a @@ -33,7 +33,7 @@ Fix CVE-2016-0775 .. note:: More information about this vulnerability included in database record :cve:`2016-0775` Buffer overflow in FliDecode.c -++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. @@ -67,7 +67,7 @@ Fix CVE-2016-2533 .. note:: More information about this vulnerability available in :cve:`2016-2533` Buffer overflow in PcdDecode.c -++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 289430a714d..1a46d8e639b 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst 
@@ -10,7 +10,7 @@ Fix CVE-2016-3076 .. note:: More information about this vulnerability included in database record :cve:`2016-3076` Buffer overflow in Jpeg2KEncode.c -+++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 34d8d97bacb..648d1d66d74 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst @@ -12,7 +12,7 @@ Fix CVE-2019-19911 .. note:: More information about this vulnerability included in database record :cve:`2019-19911` DOS attack vulnerability -++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index c3909ac863f..a492241d7f9 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -10,7 +10,7 @@ Fix CVE-2020-15999 .. note:: More information about this vulnerability included in database record :cve:`2020-15999` Update FreeType in wheels to `2.10.4`_ -++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index b5425946778..909954a37ee 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst 
@@ -15,7 +15,7 @@ Fix CVE-2020-35653 .. note:: More information about this vulnerability included in database record :cve:`2020-35653` Buffer read overrun in PCX decoding -+++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back @@ -27,7 +27,7 @@ Fix CVE-2020-35654 .. note:: More information about this vulnerability included in database record :cve:`2020-35654` TIFF out-of-bounds write error -++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). @@ -42,7 +42,7 @@ Fix CVE-2020-35655 .. note:: More information about this vulnerability included in database record :cve:`2020-35655` SGI Decode buffer overrun -+++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~ 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index d60be7c018a..adbabce3a45 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst @@ -13,7 +13,7 @@ Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` OOB read in Jpeg2KDecode -++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~ * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index e18dc48b23c..94ad37bb1b9 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst 
@@ -13,7 +13,7 @@ Fix CVE-2021-34552 .. note:: More information about this vulnerability included in database record :cve:`2021-34552` Buffer overflow -+++++++++++++++ +~~~~~~~~~~~~~~~ PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 6e393b94d99..6796365641c 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -10,7 +10,7 @@ Fix CVE-2021-23437 .. note:: More information about this vulnerability included in database record :cve:`2021-23437` Avoid potential ReDoS (regular expression denial of service) -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 130db9ebf66..534209117a5 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst @@ -49,7 +49,7 @@ Fix CVE-2022-22817 .. note:: More information about this vulnerability included in database record :cve:`2022-22817` Restrict builtins available to ImageMath.eval -+++++++++++++++++++++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index 9501e1eabf0..ab6c6cbdde3 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
@@ -12,7 +12,7 @@ Fix CVE-2022-24303 .. note:: More information about this vulnerability included in database record :cve:`2022-24303` Temp image removal -++++++++++++++++++ +~~~~~~~~~~~~~~~~~~ If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after @@ -25,7 +25,7 @@ Fix CVE-2022-24303 .. note:: More information about this vulnerability included in database record :cve:`2022-22817` Restrict lambda expressions -+++++++++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ While Pillow 9.0 restricted top-level builtins available to :py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index 3dd070d904a..f8f1a802ba0 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -12,7 +12,7 @@ Fix CVE-2022-30595 .. note:: More information about this vulnerability included in database record :cve:`2022-30595` Heap buffer overflow -++++++++++++++++++++ +~~~~~~~~~~~~~~~~~~~~ When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that From c69dcc1c2969406155788d4c3f4e8fb496490f5d Mon Sep 17 00:00:00 2001 
From: Alex Clark Date: Thu, 14 Mar 2024 13:58:05 -0400 Subject: [PATCH 14/33] Fix headers and retro-add notes for #7864 - Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589 --- docs/releasenotes/10.0.0.rst | 9 +++----- docs/releasenotes/10.0.1.rst | 9 ++++---- docs/releasenotes/10.2.0.rst | 9 ++------ docs/releasenotes/2.3.1.rst | 14 +++++++----- docs/releasenotes/2.3.2.rst | 12 ++++++++++ docs/releasenotes/2.5.2.rst | 12 ++++++++++ docs/releasenotes/3.1.1.rst | 31 +++++++------------------- docs/releasenotes/3.1.2.rst | 9 ++------ docs/releasenotes/6.2.0.rst | 10 ++++----- docs/releasenotes/6.2.2.rst | 37 ++++++++++--------------------- docs/releasenotes/7.1.0.rst | 40 +++++++++++++--------------------- docs/releasenotes/8.0.1.rst | 9 ++------ docs/releasenotes/8.1.0.rst | 27 +++++------------------ docs/releasenotes/8.1.1.rst | 38 +++++++++----------------------- docs/releasenotes/8.1.2.rst | 18 +++++---------- docs/releasenotes/8.2.0.rst | 36 ++++++++++-------------------- docs/releasenotes/8.3.0.rst | 12 ++-------- docs/releasenotes/8.3.2.rst | 9 ++------ docs/releasenotes/9.0.0.rst | 6 ++--- docs/releasenotes/9.0.1.rst | 22 +++++-------------- docs/releasenotes/9.1.1.rst | 11 +++------- docs/releasenotes/index.rst | 2 ++ docs/releasenotes/template.rst | 9 ++------ 23 files changed, 137 insertions(+), 254 deletions(-) create mode 100644 docs/releasenotes/2.3.2.rst create mode 100644 docs/releasenotes/2.5.2.rst diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 993ec4d5d02..adada6e0151 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst 
@@ -14,13 +14,10 @@ now been fixed. This effectively dates to the PIL fork, since problem images would still have been processed before Pillow started checking for decompression bombs. -Fix CVE-2023-44271 -^^^^^^^^^^^^^^^^^^ +.. _Added ImageFont.MAX_STRING_LENGTH: -.. note:: More information about this vulnerability included in database record :cve:`2023-44271` - -Added ImageFont.MAX_STRING_LENGTH -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2023-44271`: Added ImageFont.MAX_STRING_LENGTH +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index ab0f98123da..a260fc3819a 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -4,13 +4,12 @@ Security ======== -Fix CVE-2023-4863 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2023-4863` +:cve:`2023-4863`: Updated install script and updated wheels +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This release provides an updated install script and updated wheels to -include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. +include libwebp 1.3.2, preventing a potential heap buffer overflow in +WebP. Updated tests to pass with latest zlib version ============================================== diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 63cbe8806cd..0ffad2e8a1c 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst 
@@ -25,13 +25,8 @@ To protect against potential DOS attacks when using PIL fonts, :py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that they do not extend beyond the bitmap image. -Fix CVE-2023-50447 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2023-50447` - -ImageMath.eval: Restricted environment keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2023-50447`: ImageMath.eval: Restricted environment keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index cad00aa4103..2c7c8285a3e 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -4,10 +4,14 @@ Security ======== -Fix CVE-2014-1932, CVE-2014-1933 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +These issues reported in `Debian bug #737059 `_. -.. note:: More information about these vulnerabilities included in database records :cve:`2014-1932`, :cve:`2014-1933` +:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix insecure use of :py:func:`tempfile.mktemp` as reported in -`Debian bug #737059 `_. +The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. + +:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. diff --git a/docs/releasenotes/2.3.2.rst b/docs/releasenotes/2.3.2.rst new file mode 100644 index 00000000000..a8ed32718aa --- /dev/null +++ b/docs/releasenotes/2.3.2.rst @@ -0,0 +1,12 @@ +2.3.2 +----- + +Security +======== + +:cve:`2014-3589`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted +block size. diff --git a/docs/releasenotes/2.5.2.rst b/docs/releasenotes/2.5.2.rst new file mode 100644 index 00000000000..77365ef3e6e --- /dev/null +++ b/docs/releasenotes/2.5.2.rst 
@@ -0,0 +1,12 @@ +2.5.2 +----- + +Security +======== + +:cve:`2014-3589`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted +block size. diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 7f66ac344b9..6e03382b29f 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2016-0740 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-0740` - -Buffer overflow in TiffDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-0740`: Buffer overflow in TiffDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a @@ -27,16 +22,11 @@ image data over 64k is written over the heap, causing a segfault. This issue was found by security researcher FourOne. -Fix CVE-2016-0775 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-0775` +:cve:`2016-0775`: Buffer overflow in FliDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Buffer overflow in FliDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In all versions of Pillow, dating back at least to -the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. +In all versions of Pillow, dating back at least to the last PIL 1.1.7 +release, FliDecode.c has a buffer overflow error. Around line 192: 
@@ -61,13 +51,8 @@ off the end of the memory buffer, causing a segfault. This issue was found by Alyssa Besseling at Atlassian. -Fix CVE-2016-2533 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability available in :cve:`2016-2533` - -Buffer overflow in PcdDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-2533`: Buffer overflow in PcdDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 1a46d8e639b..a9615497795 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2016-3076 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-3076` - -Buffer overflow in Jpeg2KEncode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-3076`: Buffer overflow in Jpeg2KEncode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index ea1f310d7fd..9c504da0f41 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -23,13 +23,11 @@ Decompression bomb checks have been added to GIF and ICO formats. An error is now raised if a TIFF dimension is a string, rather than trying to perform operations on it. -Fix CVE-2019-16865 -^^^^^^^^^^^^^^^^^^ +:cve:`2019-16865`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2019-16865` - -The CVE is regarding DOS problems, such as consuming large -amounts of memory, or taking a large amount of time to process an image. +The CVE is regarding DOS problems, such as consuming large amounts of memory, +or taking a large amount of time to process an image. API Additions ============= diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 648d1d66d74..a95ab1cce6e 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -4,45 +4,32 @@ Security ======== -This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313. +This release fixes several buffer overruns and DOS attacks. -Fix CVE-2019-19911 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2019-19911` - -DOS attack vulnerability -~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2019-19911`: DOS attack vulnerability +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. -Fix CVE-2020-5310 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5310` +:cve:`2020-5310`: Overflow checks added to TIFF image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image. -Fix CVE-2020-5311 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5311` +:cve:`2020-5311`: Overflow checks added to SGI image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. -Fix CVE-2020-5312 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5312` - -Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this. +:cve:`2020-5312`: Overflow checks added to PCX image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2020-5313 -^^^^^^^^^^^^^^^^^ +Buffer overruns were found when processing a PCX image. 
Checks have been added to prevent this. -.. note:: More information about this vulnerability included in database record :cve:`2020-5313` +:cve:`2020-5313`: Overflow checks added to FLI image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Buffer overruns were found when processing an FLI image. Checks have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index da6595d5ba7..e5e8b6a5af6 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst 
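Review bot: The 6.2.2.rst hunk adds trailing whitespace on two of its new lines, `+This release fixes several buffer overruns and DOS attacks. ` and `+Buffer overruns were found when processing a PCX image. `; strip it before this lands rather than relying on a follow-up whitespace commit.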
@@ -6,40 +6,30 @@ Security This release includes many security fixes. -Fix CVE-2020-10177 -^^^^^^^^^^^^^^^^^^ +:cve:`2020-10177`: Multiple out-of-bounds reads in FLI decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2020-10177` +Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c``. -Multiple out-of-bounds reads in FLI decoding. +:cve:`2020-10378`: Bounds overflow in PCX decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2020-10378 -^^^^^^^^^^^^^^^^^^ +In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. -.. note:: More information about this vulnerability included in database record :cve:`2020-10378` +:cve:`2020-10379`: Two buffer overflows in TIFF decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Bounds overflow in PCX decoding. +In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecode.c``. -Fix CVE-2020-10379 -^^^^^^^^^^^^^^^^^^ +:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2020-10379` +In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. -Two buffer overflows in TIFF decoding. - -Fix CVE-2020-10994 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-10994` - -Bounds overflow in JPEG 2000 decoding. - -Fix CVE-2020-11538 -^^^^^^^^^^^^^^^^^^ - -.. 
note:: More information about this vulnerability included in database record :cve:`2020-11538` +:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Buffer overflow in SGI-RLE decoding. +In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. API Changes =========== diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index a492241d7f9..29a28443f5e 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2020-15999 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-15999` - -Update FreeType in wheels to `2.10.4`_ -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-15999`: Update FreeType in wheels to `2.10.4`_ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 909954a37ee..5c399331846 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst 
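Review bot: In the 7.1.0.rst hunk the :cve:`2020-10378` body leaves the C identifiers `state->shuffle` and `state->buffer` unquoted while the same line wraps the file name in double backticks; mark them up as ```state->shuffle``` and ```state->buffer``` for consistency. The new lines for :cve:`2020-10378`, :cve:`2020-10994` and :cve:`2020-11538` also carry trailing whitespace.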
@@ -9,25 +9,15 @@ This release includes security fixes. * An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF * An out-of-bounds read when saving a GIF of 1px width -Fix CVE-2020-35653 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35653` - -Buffer read overrun in PCX decoding -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35653`: Buffer read overrun in PCX decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. -Fix CVE-2020-35654 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35654` - -TIFF out-of-bounds write error -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35654`: TIFF out-of-bounds write error +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). @@ -36,13 +26,8 @@ leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through `Tidelift`_. -Fix CVE-2020-35655 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35655` - -SGI Decode buffer overrun -~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35655`: SGI Decode buffer overrun +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 7b56b838ee7..84e9c8f86e0 100644 
--- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
@@ -4,40 +4,22 @@ Security ======== -Fix CVE-2021-25289 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25289` +:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. -Fix CVE-2021-25290 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25290` - -In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. - -Fix CVE-2021-25291 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25291` - -In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. - -Fix CVE-2021-25292 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25292`: - -The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. +:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2021-25293 -^^^^^^^^^^^^^^^^^^ +:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. 
note:: More information about this vulnerability included in database record :cve:`2021-25293` +:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. +:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Other Changes ============= diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index af60a862e93..7d4a6c0be04 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst 
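Review bot: In the 8.1.1.rst hunk the full descriptions for :cve:`2021-25290` through :cve:`2021-25293` have been moved into the heading lines, so each of those sections now has no body and a heading of up to 120 characters. Keep a short title in the heading and the description as body text, e.g. `:cve:`2021-25290`: Negative-offset memcpy in TiffDecode.c` followed by the original sentence; likewise the first heading, `The previous fix for :cve:`2020-35654` was insufficient`, repeats the sentence that follows it word for word.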
@@ -4,27 +4,21 @@ Security ======== -Fix CVE-2021-27921 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27921` +:cve:`2021-27921`: There is an exhaustion of memory DOS in BLP images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. -Fix CVE-2021-27922 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27921` +:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. -Fix CVE-2021-27923 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27923` +:cve:`2021-27923`: There is an exhaustion of memory DOS in ICO images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index adbabce3a45..6e8fd5cdebe 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst 
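Review bot: The ICNS heading in the 8.1.2.rst hunk uses the wrong identifier: the removed heading was `-Fix CVE-2021-27922`, but the replacement reads `+:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images`, which duplicates the BLP section's CVE. It should be :cve:`2021-27922`. While here, the context line `There is an exhaustion of memory DOS in BLP images. where Pillow did not properly` has a stray period before `where`, and all three new headings repeat their first body sentence verbatim; shorter titles such as `Memory exhaustion DOS in BLP images` would read better.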
@@ -4,25 +4,17 @@ Security ======== -These were all found with `OSS-Fuzz`_. +These issues were all found with `OSS-Fuzz`_. -Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about these vulnerabilities included in database records - :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` - -OOB read in Jpeg2KDecode -~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`: OOB read in Jpeg2KDecode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. * This dates to Pillow 2.4.0. -Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28675` +:cve:`2021-28675`: DOS attack in PsdImagePlugin +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input layers with regard to the size of the data block, this could lead to a 
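Review bot: In the first 8.2.0.rst hunk :cve:`2021-28675` appears in both new headings, `:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`: OOB read in Jpeg2KDecode` and `:cve:`2021-28675`: DOS attack in PsdImagePlugin`. The removed heading carried the same duplication, but since the PSD section describes 28675, drop it from the Jpeg2KDecode heading rather than carrying the error forward.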
@@ -30,19 +22,15 @@ Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin :py:meth:`~PIL.Image.Image.load`. * This dates to the PIL fork. -Fix CVE-2021-28676 -- FLI image DOS attack -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28676` +:cve:`2021-28676`: FLI image DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ``FliDecode.c`` did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. * This dates to the PIL fork. -Fix CVE-2021-28677 -- EPS DOS on _open -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28677` +:cve:`2021-28677`: EPS DOS on _open +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line endings. It accidentally used a quadratic method of accumulating lines while looking @@ -51,10 +39,8 @@ Fix CVE-2021-28677 -- EPS DOS on _open open phase, before an image was accepted for opening. * This dates to the PIL fork. -CVE-2021-28678 -- BLP DOS attack -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28678` +:cve:`2021-28678`: BLP DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index 94ad37bb1b9..3ef9bb9b334 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst 
@@ -4,16 +4,8 @@ Security ======== -Buffer overflow -^^^^^^^^^^^^^^^ - -Fix CVE-2021-34552 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-34552` - -Buffer overflow -~~~~~~~~~~~~~~~ +:cve:`2021-34552`: Buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 6796365641c..34ba703f70a 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2021-23437 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-23437` - -Avoid potential ReDoS (regular expression denial of service) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2021-23437`: Avoid potential ReDoS (regular expression denial of service) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 534209117a5..b22912baf17 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -56,10 +56,8 @@ will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This help prevent problems arising if users evaluate arbitrary expressions, such as ``ImageMath.eval("exec(exit())")``. -Fix CVE-2022-22817 -- ImagePath.Path array handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-22815` +:cve:`2022-22815`: ImagePath.Path array handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``. diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index ab6c6cbdde3..a25e3f5ac66 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
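Review bot: The 9.0.0.rst hunk leaves the section body as a fragment: removing the note line that ended with `:cve:`2022-22815`` means the following context line now starts `(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing` with no subject. Restore the body as `:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``.`, and since the section covers both CVEs consider naming both in the heading. Correcting the heading from the old `CVE-2022-22817` (the ImageMath issue) to 22815 is the right call.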
@@ -6,30 +6,20 @@ Security This release addresses several security problems. -Fix CVE-2022-24303 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-24303` - -Temp image removal -~~~~~~~~~~~~~~~~~~ +:cve:`2022-24303`: Temp image removal +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This has been present since PIL. -Fix CVE-2022-24303 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-22817` - -Restrict lambda expressions -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2022-22817`: Restrict lambda expressions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While Pillow 9.0 restricted top-level builtins available to -:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda -expressions. These are now also restricted. +:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins +available to lambda expressions. These are now also restricted. Other Changes ============= diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index f8f1a802ba0..d538e88c0f9 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -4,15 +4,10 @@ Security ======== -This release addresses several security problems. +This release addresses several security issues. -Fix CVE-2022-30595 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-30595` - -Heap buffer overflow -~~~~~~~~~~~~~~~~~~~~ +:cve:`2022-30595`: Heap buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that 
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index e1ebd650966..17a95c6f62a 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -69,5 +69,7 @@ expected to be backported to earlier versions. 3.0.0 2.8.0 2.7.0 + 2.5.2 + 2.3.2 2.3.1 versioning diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 65671808185..cfc7221a3cc 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -9,13 +9,8 @@ TODO TODO -Fix CVE-YYYY-XXXXX -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` - -TODO -~~~~ +:cve:`YYYY-XXXXX`: TODO +^^^^^^^^^^^^^^^^^^^^^^^ TODO From 3aefe92bdf58b93a8a45adc7b9d58fb4712adb1a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 18:01:09 +0000 Subject: [PATCH 15/33] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/releasenotes/2.3.1.rst | 2 +- docs/releasenotes/2.3.2.rst | 2 +- docs/releasenotes/2.5.2.rst | 2 +- docs/releasenotes/6.2.2.rst | 2 +- docs/releasenotes/7.1.0.rst | 6 +++--- docs/releasenotes/8.1.2.rst | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index 2c7c8285a3e..4b58d037036 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -14,4 +14,4 @@ The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in E :cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. +The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. diff --git a/docs/releasenotes/2.3.2.rst b/docs/releasenotes/2.3.2.rst index a8ed32718aa..646f7d43b03 100644 --- a/docs/releasenotes/2.3.2.rst +++ b/docs/releasenotes/2.3.2.rst @@ -9,4 +9,4 @@ Security ``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted -block size. +block size. diff --git a/docs/releasenotes/2.5.2.rst b/docs/releasenotes/2.5.2.rst index 77365ef3e6e..7b360051e1b 100644 --- a/docs/releasenotes/2.5.2.rst +++ b/docs/releasenotes/2.5.2.rst @@ -9,4 +9,4 @@ Security ``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted -block size. +block size. diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index a95ab1cce6e..941bda3a84f 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
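Review bot: The 2.3.1.rst hunk here is a whitespace-only change (the `-` and `+` lines differ only in trailing whitespace), as are the 2.3.2.rst, 2.5.2.rst, 6.2.2.rst and 7.1.0.rst hunks in this auto-fix commit; squash them into the commit that introduced the whitespace so the series does not carry a separate fix-up for lines it just added.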
@@ -4,7 +4,7 @@ Security ======== -This release fixes several buffer overruns and DOS attacks. +This release fixes several buffer overruns and DOS attacks. :cve:`2019-19911`: DOS attack vulnerability ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index e5e8b6a5af6..4c1f41a693a 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -14,7 +14,7 @@ Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c :cve:`2020-10378`: Bounds overflow in PCX decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. +In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. :cve:`2020-10379`: Two buffer overflows in TIFF decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -24,12 +24,12 @@ In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecod :cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. +In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. :cve:`2020-11538`: Buffer overflow in SGI-RLE decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. +In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. API Changes =========== diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index 7d4a6c0be04..986015e3edd 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst 
@@ -11,13 +11,13 @@ There is an exhaustion of memory DOS in BLP images. where Pillow did not properl reported size of the contained image. These images could cause arbitrarily large memory allocations. -:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images +:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. -:cve:`2021-27923`: There is an exhaustion of memory DOS in ICO images +:cve:`2021-27923`: There is an exhaustion of memory DOS in ICO images ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported From 7b1c39cebe9700f92622438f1d834eeed69d9d68 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:44:00 -0400 Subject: [PATCH 16/33] Update docs/releasenotes/9.0.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/9.0.0.rst | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index b22912baf17..1c940904f55 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -43,13 +43,8 @@ To prevent attempts to slow down loading times for images, if an image has conse duplicate tiles that only differ by their offset, only load the last tile. Credit to Google's `OSS-Fuzz`_ project for finding this issue. -Fix CVE-2022-22817 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-22817` - -Restrict builtins available to ImageMath.eval -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2022-22817`: Restrict builtins available to ImageMath.eval +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will From 4d81ec804a8c95b7fdc01ac62dda8febb5101d56 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:44:11 -0400 Subject: [PATCH 17/33] Update docs/releasenotes/8.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/8.2.0.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index 6e8fd5cdebe..50fe9aa1988 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst @@ -6,8 +6,8 @@ Security These issues were all found with `OSS-Fuzz`_. -:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`: OOB read in Jpeg2KDecode -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-25287`, :cve:`2021-25288`: OOB read in Jpeg2KDecode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. From bae0c988e6a7efd6417af41ad9eff04d66e1a5d4 Mon Sep 17 00:00:00 2001 
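Review bot: The 9.0.0.rst hunk keeps the `~~~~` underline under the new `:cve:`2022-22817`: Restrict builtins available to ImageMath.eval` heading, while every other heading converted in this series, including the ImagePath.Path section in the same file, uses `^^^^`; change the underline to `^` so the two CVE sections in 9.0.0.rst sit at the same level.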
From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:44:23 -0400 Subject: [PATCH 18/33] Update docs/releasenotes/8.1.2.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/8.1.2.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index 986015e3edd..e043bc191d2 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst @@ -11,7 +11,7 @@ There is an exhaustion of memory DOS in BLP images. where Pillow did not properl reported size of the contained image. These images could cause arbitrarily large memory allocations. -:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images +:cve:`2021-27922`: There is an exhaustion of memory DOS in ICNS images ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the From e97722b7ce30c72c7c26f20d914919aebd218f8f Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:46:04 -0400 Subject: [PATCH 19/33] Update docs/releasenotes/6.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/6.2.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index 9c504da0f41..fe0148060a6 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst @@ -4,7 +4,7 @@ Security ======== -This release catches several buffer overruns and fixes CVE-2019-16865. +This release catches several buffer overruns and fixes :cve:`2019-16865`. Buffer overruns ^^^^^^^^^^^^^^^ From 7b485c769c82a639b5ea22ead0778515d7734532 Mon Sep 17 00:00:00 2001 
From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:46:15 -0400 Subject: [PATCH 20/33] Update docs/releasenotes/6.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/6.2.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index fe0148060a6..c34ba802d3b 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst @@ -9,7 +9,7 @@ This release catches several buffer overruns and fixes :cve:`2019-16865`. Buffer overruns ^^^^^^^^^^^^^^^ -In RawDecode.c, an error is now thrown if skip is calculated to be less than +In ``RawDecode.c``, an error is now thrown if skip is calculated to be less than zero. It is intended to skip padding between lines, not to go backwards. In PsdImagePlugin, if the combined sizes of the individual parts is larger than From 69a4e0d4c914da09c9a9137ea0a27d606bf13658 Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark" Date: Thu, 14 Mar 2024 16:49:42 -0400 Subject: [PATCH 21/33] Update docs/releasenotes/6.2.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/6.2.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index c34ba802d3b..c241a3a3b83 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
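Review bot: Patch 20 ticks `RawDecode.c` while the very next sentence in the context (`In PsdImagePlugin, if the combined sizes ...`) is left bare, and patch 21 then ticks that one in a separate one-line commit; both are suggestion-style edits to the same "Buffer overruns" paragraph of 6.2.0.rst and would read better squashed into a single commit so the file history does not carry two near-identical formatting fixes.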
@@ -12,7 +12,7 @@ Buffer overruns In ``RawDecode.c``, an error is now thrown if skip is calculated to be less than zero. It is intended to skip padding between lines, not to go backwards. -In PsdImagePlugin, if the combined sizes of the individual parts is larger than +In ``PsdImagePlugin``, if the combined sizes of the individual parts is larger than the declared size of the extra data field, then it looked for the next layer by seeking backwards. This is now corrected by seeking to (the start of the layer + the size of the extra data field) instead of (the read parts of the layer + From 15deb71c3a983e8e43476a543ce55ff3c4ff10ac Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 17:03:09 -0400 Subject: [PATCH 22/33] 80 char wrap + file name tick for #7864 --- docs/releasenotes/2.3.1.rst | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index 4b58d037036..6446ebccbff 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
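Review bot: The changed line in the 6.2.0.rst hunk (patch 21), `In \`\`PsdImagePlugin\`\`, if the combined sizes of the individual parts is larger than`, has a subject-verb disagreement (`sizes ... is`); since the line is being rewritten anyway, change `is larger` to `are larger`. The backtick change itself is fine and matches the `RawDecode.c` treatment in the previous patch.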
@@ -4,14 +4,23 @@ Security ======== -These issues reported in `Debian bug #737059 `_. +These issues reported in +`Debian bug #737059 `_. :cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. +The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function +in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4) _copy +function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and +Pillow before 2.3.1 do not properly create temporary files, which allow local +users to overwrite arbitrary files and obtain sensitive information via a +symlink attack on the temporary file. :cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. +The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in Python +Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of +temporary files on the command line, which makes it easier for local users to +conduct symlink attacks by listing the processes. From ad134c63fa7afff28b0e0e55f291919c02a34b28 Mon Sep 17 00:00:00 2001 
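Review bot: The 2.3.1.rst hunk applies inline literals inconsistently within the same sentence: in the CVE-2014-1932 paragraph `JpegImagePlugin.py` and `IptcImagePlugin.py` are ticked but `EpsImagePlugin.py` and `Image.py` are not, and the function names `load_djpeg`, `Ghostscript`, `load` and `_copy` are all bare; either tick every file and function name or none. Two grammar points on lines this hunk touches: `These issues reported in` needs `were` (`These issues were reported in`), and in the CVE-2014-1933 paragraph the subject is plural, so `scripts ... uses the names` should be `use the names`. The 80-column re-wrap itself is correct.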
From: Alex Clark Date: Thu, 14 Mar 2024 17:37:01 -0400 Subject: [PATCH 23/33] Combine CVEs --- docs/releasenotes/8.1.2.rst | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index e043bc191d2..de6ba605e6b 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst @@ -4,24 +4,12 @@ Security ======== -:cve:`2021-27921`: There is an exhaustion of memory DOS in BLP images -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`: Fix DOS attacks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the -reported size of the contained image. These images could cause arbitrarily large memory -allocations. +There is an exhaustion of memory DOS attack in BLP, ICNS, ICO images +where Pillow did not properly check the reported size of the contained image. +These images could cause arbitrarily large memory allocations. -:cve:`2021-27922`: There is an exhaustion of memory DOS in ICNS images -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the -reported size of the contained image. These images could cause arbitrarily large memory allocations. - -:cve:`2021-27923`: There is an exhaustion of memory DOS in ICO images -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported -size of the contained image. These images could cause arbitrarily large memory allocations. - -These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and +These issues were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and Akshay Ajayan of `Arizona State University `_. 
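Review bot: In the 8.1.2.rst hunk (patch 23) the merged body text `There is an exhaustion of memory DOS attack in BLP, ICNS, ICO images` is missing a conjunction (`BLP, ICNS and ICO images`), and the new heading `Fix DOS attacks` is much less specific than the three headings it replaces, which each named the affected format; consider a heading such as `:cve:\`2021-27921\`, :cve:\`2021-27922\`, :cve:\`2021-27923\`: Fix memory exhaustion DOS in BLP, ICNS and ICO images` (adjusting the `^` underline to the new length), so readers scanning the page can still see what was affected. Merging the three identical descriptions into one paragraph is otherwise a good simplification, and the credit paragraph is preserved.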
From ae5f1de624a38894eeb703e37b5800ce8327d3a9 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 19:04:26 -0400 Subject: [PATCH 24/33] Back fill release notes for #7864 - Back fill release notes for 3.1.1 - Add credits to 2.3.2, 2.5.2 --- docs/releasenotes/2.3.2.rst | 2 + docs/releasenotes/2.5.2.rst | 2 + docs/releasenotes/3.1.1.rst | 82 +++---------------------------------- 3 files changed, 9 insertions(+), 77 deletions(-) diff --git a/docs/releasenotes/2.3.2.rst b/docs/releasenotes/2.3.2.rst index 646f7d43b03..56398a97414 100644 --- a/docs/releasenotes/2.3.2.rst +++ b/docs/releasenotes/2.3.2.rst @@ -10,3 +10,5 @@ Security ``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. + +Found and reported by Andrew Drake of dropbox.com diff --git a/docs/releasenotes/2.5.2.rst b/docs/releasenotes/2.5.2.rst index 7b360051e1b..4884f8db8c4 100644 --- a/docs/releasenotes/2.5.2.rst +++ b/docs/releasenotes/2.5.2.rst @@ -10,3 +10,5 @@ Security ``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. + +Found and reported by Andrew Drake of dropbox.com diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 6e03382b29f..8b7780e7e35 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
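Review bot: The two credit lines added to 2.3.2.rst and 2.5.2.rst, `Found and reported by Andrew Drake of dropbox.com`, lack a terminating period, unlike the other credit sentences in this series (for example `This issue was found by security researcher FourOne.`); add the period. Duplicating the credit in both files is reasonable here because both pages describe the same IcnsImagePlugin denial-of-service issue.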
@@ -4,81 +4,9 @@ Security ======== -:cve:`2016-0740`: Buffer overflow in TiffDecode.c -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2016-0775`: Fix buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Pillow 3.1.0 and earlier when linked against -libtiff >= 4.0.0 on x64 may overflow a buffer when reading a -specially crafted tiff file. - -Specifically, libtiff >= 4.0.0 changed the return type of -``TIFFScanlineSize`` from ``int32`` to machine dependent -``int32|64``. If the scanline is sized so that it overflows an -``int32``, it may be interpreted as a negative number, which will then -pass the size check in ``TiffDecode.c`` line 236. To do this, the -logical scanline size has to be > 2gb, and for the test file, the -allocated buffer size is 64k against a roughly 4gb scan line size. Any -image data over 64k is written over the heap, causing a segfault. - -This issue was found by security researcher FourOne. - -:cve:`2016-0775`: Buffer overflow in FliDecode.c -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -In all versions of Pillow, dating back at least to the last PIL 1.1.7 -release, FliDecode.c has a buffer overflow error. - -Around line 192: - -.. code-block:: c - - case 16: - /* COPY chunk */ - for (y = 0; y < state->ysize; y++) { - UINT8* buf = (UINT8*) im->image[y]; - memcpy(buf+x, data, state->xsize); - data += state->xsize; - } - break; - - -The memcpy has error where ``x`` is added to the target buffer -address. ``X`` is used in several internal temporary variable roles, -but can take a value up to the width of the image. ``Im->image[y]`` -is a set of row pointers to segments of memory that are the size of -the row. At the max ``y``, this will write the contents of the line -off the end of the memory buffer, causing a segfault. - -This issue was found by Alyssa Besseling at Atlassian. 
- -:cve:`2016-2533`: Buffer overflow in PcdDecode.c -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -In all versions of Pillow, dating back at least to the -last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. - -The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3 -bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer -assuming 4 bytes per pixel. This writes 768 bytes beyond the end of -the buffer into other Python object storage. In some cases, this -causes a segfault, in others an internal Python malloc error. - -Integer overflow in Resample.c -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -If a large value was passed into the new size for an image, it is -possible to overflow an ``int32`` value passed into malloc. - -.. code-block:: c - - kk = malloc(xsize * kmax * sizeof(float)); - ... - xbounds = malloc(xsize * 2 * sizeof(int)); - -``xsize`` is trusted user input. These multiplications can overflow, -leading the ``malloc``'d buffer to be undersized. These allocations are -followed by a loop that writes out of bounds. This can lead to -corruption on the heap of the Python process with attacker controlled -float data. - -This issue was found by Ned Williamson. +Buffer overflow in the ImagingFliDecode function in ``libImaging/FliDecode.c`` +in Pillow before 3.1.1 allows remote attackers to cause a denial of service +(crash) via a crafted FLI file. From 0ea144b0875794085a66894b4422aa406c6ef813 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 19:36:19 -0400 Subject: [PATCH 25/33] Update 3.1.1, 8.1.1 release notes for #7864 --- docs/releasenotes/3.1.1.rst | 11 +++++++++-- docs/releasenotes/8.1.1.rst | 33 ++++++++++++++++++++++----------- 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 8b7780e7e35..fc9029ce41d 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
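Review bot: The 3.1.1.rst hunk in patch 24 deletes the existing entries for CVE-2016-0740 (TiffDecode.c), CVE-2016-2533 (PcdDecode.c) and the uncredited Resample.c integer overflow, together with the three researcher credits, and replaces the whole Security section with a single three-line paragraph for CVE-2016-0775; the diffstat (`82 +++---...`, 77 deletions) contradicts the commit message's description of this as a back fill. The removed text is also far more useful than the replacement, which is NVD-style summary wording (`allows remote attackers to cause a denial of service (crash) via a crafted FLI file`) and drops the explanation of the `TIFFScanlineSize` return-type change and the `memcpy(buf+x, ...)` analysis. This looks like an accidental overwrite rather than an intended rewrite and should be restored (patch 26 in this series does exactly that, so these two commits would be better squashed so the deletion never lands in history).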
@@ -4,8 +4,15 @@ Security ======== -:cve:`2016-0775`: Fix buffer overflow -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2016-0740`: Fix buffer overflow in ``libImaging/TiffDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Buffer overflow in the ImagingLibTiffDecode function in +``libImaging/TiffDecode.c`` in Pillow before 3.1.1 allows remote attackers to +overwrite memory via a crafted TIFF file. + +:cve:`2016-0775`: Fix buffer overflow in ``libImaging/FliDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Buffer overflow in the ImagingFliDecode function in ``libImaging/FliDecode.c`` in Pillow before 3.1.1 allows remote attackers to cause a denial of service diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 84e9c8f86e0..484b1de36cb 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
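Review bot: The 3.1.1.rst hunk in patch 25 adds back a CVE-2016-0740 heading and an NVD-style paragraph, but after this patch the page still lacks the CVE-2016-2533 (`PcdDecode.c`) entry and the `Integer overflow in Resample.c` entry that patch 24 removed, along with the FourOne, Alyssa Besseling and Ned Williamson credits; the heading format here (`Fix buffer overflow in \`\`libImaging/TiffDecode.c\`\``) is also what patch 26 then changes again to `Buffer overflow in \`\`TiffDecode.c\`\``, so the three patches churn the same headings. Restoring the original content in one commit and then reformatting the headings once would leave a cleaner history.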
@@ -4,22 +4,33 @@ Security ======== -:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-25289`: Fix the fix for :cve:`2020-35654` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. +The previous fix for :cve:`2020-35654` was insufficient due to incorrect +error checking in ``TiffDecode.c``. -:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-25290`: Fix buffer overflow in ``TiffDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. -:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-25291`: Fix buffer overflow in ``TIFFReadRGBATile`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds +read in ``TIFFReadRGBATile``. + +:cve:`2021-25292`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The PDF parser has a catastrophic backtracking regex that could be used as a +DOS attack. 
+ +:cve:`2021-25293`: Fix buffer overflow in ``SgiRleDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. Other Changes ============= From f316fd9c7aa312452550efab4eec2d9ce1ebcf13 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 19:45:05 -0400 Subject: [PATCH 26/33] Restore and update 3.1.1 release notes for #7864 - Restore accidentally overwritten contents - Update to match updated template --- docs/releasenotes/3.1.1.rst | 85 ++++++++++++++++++++++++++++++++----- 1 file changed, 75 insertions(+), 10 deletions(-) diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index fc9029ce41d..f5fbd871175 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
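Review bot: Several new headings in the 8.1.1.rst hunk no longer match the body text beneath them: `:cve:\`2021-25291\`: Fix buffer overflow in \`\`TIFFReadRGBATile\`\`` and `:cve:\`2021-25293\`: Fix buffer overflow in \`\`SgiRleDecode.c\`\`` both describe what the bodies call an out-of-bounds read, so `Fix out-of-bounds read in ...` would be accurate; `:cve:\`2021-25292\`: Fix DOS attack` says nothing about the cause, whereas the old heading named the catastrophic-backtracking regex in the PDF parser; and `Fix the fix for :cve:\`2020-35654\`` reads as informal compared with the rest of the series (`Fix insufficient fix for :cve:\`2020-35654\`` or the previous wording would be clearer). Moving the long descriptions out of the headings into body paragraphs is the right direction; the headings just need to keep the key noun.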
@@ -4,16 +4,81 @@ Security ======== -:cve:`2016-0740`: Fix buffer overflow in ``libImaging/TiffDecode.c`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2016-0740`: Buffer overflow in ``TiffDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Buffer overflow in the ImagingLibTiffDecode function in -``libImaging/TiffDecode.c`` in Pillow before 3.1.1 allows remote attackers to -overwrite memory via a crafted TIFF file. +Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 +may overflow a buffer when reading a specially crafted tiff file +(:cve:`2016-0740`). -:cve:`2016-0775`: Fix buffer overflow in ``libImaging/FliDecode.c`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specifically, libtiff >= 4.0.0 changed the return type of +``TIFFScanlineSize`` from ``int32`` to machine dependent +``int32|64``. If the scanline is sized so that it overflows an +``int32``, it may be interpreted as a negative number, which will then +pass the size check in ``TiffDecode.c`` line 236. To do this, the +logical scanline size has to be > 2gb, and for the test file, the +allocated buffer size is 64k against a roughly 4gb scan line size. Any +image data over 64k is written over the heap, causing a segfault. -Buffer overflow in the ImagingFliDecode function in ``libImaging/FliDecode.c`` -in Pillow before 3.1.1 allows remote attackers to cause a denial of service -(crash) via a crafted FLI file. +This issue was found by security researcher FourOne. + +:cve:`2016-0775`: Buffer overflow in ``FliDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In all versions of Pillow, dating back at least to the last PIL 1.1.7 +release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`). + +Around line 192: + +.. 
code-block:: c + + case 16: + /* COPY chunk */ + for (y = 0; y < state->ysize; y++) { + UINT8* buf = (UINT8*) im->image[y]; + memcpy(buf+x, data, state->xsize); + data += state->xsize; + } + break; + + +The memcpy has error where ``x`` is added to the target buffer +address. ``X`` is used in several internal temporary variable roles, +but can take a value up to the width of the image. ``Im->image[y]`` +is a set of row pointers to segments of memory that are the size of +the row. At the max ``y``, this will write the contents of the line +off the end of the memory buffer, causing a segfault. + +This issue was found by Alyssa Besseling at Atlassian. + +:cve:`2016-2533`: Buffer overflow in ``PcdDecode.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In all versions of Pillow, dating back at least to the last PIL 1.1.7 +release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`). + +The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3 +bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer +assuming 4 bytes per pixel. This writes 768 bytes beyond the end of +the buffer into other Python object storage. In some cases, this +causes a segfault, in others an internal Python malloc error. + +Integer overflow in Resample.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If a large value was passed into the new size for an image, it is +possible to overflow an ``int32`` value passed into malloc. + +.. code-block:: c + + kk = malloc(xsize * kmax * sizeof(float)); + ... + xbounds = malloc(xsize * 2 * sizeof(int)); + +``xsize`` is trusted user input. These multiplications can overflow, +leading the ``malloc``'d buffer to be undersized. These allocations are +followed by a loop that writes out of bounds. This can lead to +corruption on the heap of the Python process with attacker controlled +float data. + +This issue was found by Ned Williamson. From 180f37b18e673cdf996fa629596980c332067d2c Mon Sep 17 00:00:00 2001 
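Review bot: In the restored 3.1.1.rst text, each CVE identifier is now repeated in both the heading and a body parenthetical (`(:cve:\`2016-0740\`)`, `(:cve:\`2016-0775\`)`, `(:cve:\`2016-2533\`)`); with the CVE already in the heading per the new template, the parentheticals are redundant and can be dropped. Inline-literal use is also inconsistent on the restored lines: the headings tick `\`\`FliDecode.c\`\`` and `\`\`TiffDecode.c\`\``, but the body says `FliDecode.c has a buffer overflow error` bare, and the `Integer overflow in Resample.c` heading is left unticked while the others are ticked. Minor wording on lines this hunk adds: `The memcpy has error where` should be `The memcpy has an error where`, and `tiff file`, `2gb` and `4gb` would read better as `TIFF file`, `2 GB` and `4 GB`.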
From: Alex Clark Date: Thu, 14 Mar 2024 20:21:00 -0400 Subject: [PATCH 27/33] Update release notes to match template for #7864 - Categorized previously uncategorized notes under ``Other Changes`` - TODO: Fix categorization of notes in ``Other Changes`` that belong in other categories --- docs/releasenotes/10.3.0.rst | 21 ++++++++++------ docs/releasenotes/2.7.0.rst | 36 ++++++++++++++------------- docs/releasenotes/2.8.0.rst | 7 ++++-- docs/releasenotes/3.0.0.rst | 48 +++++++++++++++++++----------------- docs/releasenotes/3.1.0.rst | 18 ++++++++------ docs/releasenotes/3.2.0.rst | 8 +++--- docs/releasenotes/3.3.0.rst | 16 ++++++------ docs/releasenotes/3.3.2.rst | 10 +++++--- docs/releasenotes/3.4.0.rst | 45 ++++++++++++++++++--------------- docs/releasenotes/4.0.0.rst | 3 +++ docs/releasenotes/4.1.0.rst | 12 +++++---- docs/releasenotes/4.1.1.rst | 8 +++--- docs/releasenotes/4.2.0.rst | 18 ++++++++------ docs/releasenotes/4.2.1.rst | 5 +++- docs/releasenotes/5.1.0.rst | 20 +++++++-------- docs/releasenotes/5.4.1.rst | 3 +++ docs/releasenotes/7.1.1.rst | 5 +++- docs/releasenotes/7.1.2.rst | 5 +++- docs/releasenotes/8.3.1.rst | 7 ++++-- 19 files changed, 172 insertions(+), 123 deletions(-) diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index af31cdb74fa..b5dbf16d4cb 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -1,6 +1,19 @@ 10.3.0 ------ +Security +======== + +TODO +^^^^ + +TODO + +:cve:`YYYY-XXXXX`: TODO +^^^^^^^^^^^^^^^^^^^^^^^ + +TODO + Backwards Incompatible Changes ============================== @@ -63,14 +76,6 @@ Added PerspectiveTransform that all of the :py:data:`~PIL.Image.Transform` values now have a corresponding subclass of :py:class:`~PIL.ImageTransform.Transform`. -Security -======== - -TODO -^^^^ - -TODO - Other Changes ============= diff --git a/docs/releasenotes/2.7.0.rst b/docs/releasenotes/2.7.0.rst index 0b3eeeb49d5..3b4d6e65dee 100644 --- a/docs/releasenotes/2.7.0.rst 
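Review bot: The 10.3.0.rst hunk adds a placeholder heading `:cve:\`YYYY-XXXXX\`: TODO` into a page that will be built and published; the `:cve:` role will emit a link to a non-existent database record, and the three literal `TODO` paragraphs will appear in rendered docs for an unreleased version. Since `template.rst` already carries the suggested CVE format (per the series description), the placeholder belongs there rather than in 10.3.0.rst; if the intent is to remind maintainers, a reST comment (`.. TODO`) would keep it out of the build. Moving the existing `Security` section to the top of the file is consistent with the rest of the series.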
+++ b/docs/releasenotes/2.7.0.rst @@ -1,15 +1,17 @@ 2.7.0 -===== +----- + +Other Changes +============= Sane Plugin ------------ +^^^^^^^^^^^ The Sane plugin has now been split into its own repo: https://github.com/python-pillow/Sane . - Png text chunk size limits --------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^ To prevent potential denial of service attacks using compressed text chunks, there are now limits to the decompressed size of text chunks @@ -24,7 +26,7 @@ default. The total decompressed size of all text chunks is limited to know that there are large text blocks that are desired. Image resizing filters ----------------------- +^^^^^^^^^^^^^^^^^^^^^^ Image resizing methods :py:meth:`~PIL.Image.Image.resize` and :py:meth:`~PIL.Image.Image.thumbnail` take a ``resample`` argument, which tells @@ -33,7 +35,7 @@ which filter should be used for resampling. Possible values are: were changed in this version. Bicubic and bilinear downscaling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +-------------------------------- From the beginning ``BILINEAR`` and ``BICUBIC`` filters were based on affine transformations and used a fixed number of pixels from the source image for @@ -50,7 +52,7 @@ If you have previously used any tricks to maintain quality when downscaling with steps), they are unnecessary now. Antialias renamed to Lanczos -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +---------------------------- A new ``LANCZOS`` constant was added instead of ``ANTIALIAS``. 
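Review bot: The 2.7.0.rst hunks demote the `Image resizing filters` subsections (`Bicubic and bilinear downscaling`, `Antialias renamed to Lanczos`, and the `Lanczos upscaling quality` through `Blur quality` headings that follow in this same patch) from `^^^^` to `----`, but the same hunk changes the page title `2.7.0` from `=====` to `-----`; reST assigns heading levels by the order in which underline styles first appear in a file, so `-` is now the title level here and those headings become top-level sections alongside `2.7.0` instead of fourth-level headings under `Other Changes`. Use an underline style not yet used in the file for the fourth level (for example `~~~~`, which the template already uses for sub-entries elsewhere in this series) rather than `----`.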
@@ -64,19 +66,19 @@ The ``ANTIALIAS`` constant is left for backward compatibility and is an alias for ``LANCZOS``. Lanczos upscaling quality -^^^^^^^^^^^^^^^^^^^^^^^^^ +------------------------- The image upscaling quality with ``LANCZOS`` filter was almost the same as ``BILINEAR`` due to a bug. This has been fixed. Bicubic upscaling quality -^^^^^^^^^^^^^^^^^^^^^^^^^ +------------------------- The ``BICUBIC`` filter for affine transformations produced sharp, slightly pixelated image for upscaling. Bicubic for convolutions is more soft. Resize performance -^^^^^^^^^^^^^^^^^^ +------------------ In most cases, convolution is more a expensive algorithm for downscaling because it takes into account all the pixels of source image. Therefore @@ -93,7 +95,7 @@ The upscaling performance of the ``LANCZOS`` filter has remained the same. For times. Default filter for thumbnails -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +----------------------------- In Pillow 2.5 the default filter for :py:meth:`~PIL.Image.Image.thumbnail` was changed from ``NEAREST`` to ``ANTIALIAS``. Antialias was chosen because all the @@ -103,7 +105,7 @@ other filters gave poor quality for reduction. Starting from Pillow 2.7.0, uses supersampling internally, not convolutions. Image transposition -------------------- +^^^^^^^^^^^^^^^^^^^ A new method ``TRANSPOSE`` has been added for the :py:meth:`~PIL.Image.Image.transpose` operation in addition to @@ -115,7 +117,7 @@ The speed of ``ROTATE_90``, ``ROTATE_270`` and ``TRANSPOSE`` has been significan improved for large images which don't fit in the processor cache. Gaussian blur and unsharp mask ------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The :py:meth:`~PIL.ImageFilter.GaussianBlur` implementation has been replaced with a sequential application of box filters. The new implementation is based on 
@@ -125,7 +127,7 @@ implementations use Gaussian blur internally, all changes from this chapter are also applicable to it. Blur radius -^^^^^^^^^^^ +----------- There was an error in the previous version of Pillow, where blur radius (the standard deviation of Gaussian) actually meant blur diameter. For example, to @@ -136,7 +138,7 @@ If you used a Gaussian blur with some radius value, you need to divide this value by two. Blur performance -^^^^^^^^^^^^^^^^ +---------------- Box filter computation time is constant relative to the radius and depends on source image size only. Because the new Gaussian blur implementation @@ -148,7 +150,7 @@ second for radius 1, 3.6 seconds for radius 10 and 17 seconds for 50, now blur with any radius on same image is executed for 0.2 seconds. Blur quality -^^^^^^^^^^^^ +------------ The previous implementation takes into account only source pixels within 2 * standard deviation radius for every destination pixel. This was not enough, @@ -157,7 +159,7 @@ so the quality was worse compared to other Gaussian blur software. The new implementation does not have this drawback. TIFF Parameter Changes ----------------------- +^^^^^^^^^^^^^^^^^^^^^^ Several kwarg parameters for saving TIFF images were previously specified as strings with included spaces (e.g. 'x resolution'). This diff --git a/docs/releasenotes/2.8.0.rst b/docs/releasenotes/2.8.0.rst index 4dbbc0bdd29..5af2d70bac2 100644 --- a/docs/releasenotes/2.8.0.rst +++ b/docs/releasenotes/2.8.0.rst @@ -1,8 +1,11 @@ 2.8.0 -===== +----- + +Other Changes +============= Open HTTP response objects with Image.open ------------------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HTTP response objects returned from ``urllib2.urlopen(url)`` or ``requests.get(url, stream=True).raw`` are 'file-like' but do not support ``.seek()`` diff --git a/docs/releasenotes/3.0.0.rst b/docs/releasenotes/3.0.0.rst index e8eada73c54..4ec71fa6785 100644 --- a/docs/releasenotes/3.0.0.rst 
+++ b/docs/releasenotes/3.0.0.rst @@ -1,9 +1,28 @@ - 3.0.0 -===== +----- + +Deprecations +============ + +Several methods that have been marked as deprecated for many releases +have been removed in this release:: + + Image.tostring() + Image.fromstring() + Image.offset() + ImageDraw.setink() + ImageDraw.setfill() + The ImageFileIO module + The ImageFont.FreeTypeFont and ImageFont.truetype ``file`` keyword arg + The ImagePalette private _make functions + ImageWin.fromstring() + ImageWin.tostring() + +Other Changes +============= Saving Multipage Images ------------------------ +^^^^^^^^^^^^^^^^^^^^^^^ There is now support for saving multipage images in the ``GIF`` and ``PDF`` formats. To enable this functionality, pass in ``save_all=True`` @@ -12,7 +31,7 @@ as a keyword argument to the save:: im.save('test.pdf', save_all=True) Tiff ImageFileDirectory Rewrite -------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The Tiff ImageFileDirectory metadata code has been rewritten. Where previously it returned a somewhat arbitrary set of values and tuples, 
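Review bot: In the 3.0.0.rst hunk the block moved to the top is retitled `Deprecations`, but its text says the listed APIs `have been removed in this release`; that is a removal rather than a deprecation, so either keep a `Removals`-style heading if the template provides one, or make the first sentence explicit that these previously deprecated APIs are now removed so the category is not misleading. Dropping the stray leading blank line before the title is fine.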
@@ -25,25 +44,8 @@ structures will be deprecated at some point in the future. When saving Tiff metadata, new code should use the TiffImagePlugin.ImageFileDirectory_v2 class. -Deprecated Methods ------------------- - -Several methods that have been marked as deprecated for many releases -have been removed in this release:: - - Image.tostring() - Image.fromstring() - Image.offset() - ImageDraw.setink() - ImageDraw.setfill() - The ImageFileIO module - The ImageFont.FreeTypeFont and ImageFont.truetype ``file`` keyword arg - The ImagePalette private _make functions - ImageWin.fromstring() - ImageWin.tostring() - -LibJpeg and Zlib are Required by Default ----------------------------------------- +LibJpeg and Zlib are required by default +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The external dependencies on libjpeg and zlib are now required by default. If the headers or libraries are not found, then installation will abort diff --git a/docs/releasenotes/3.1.0.rst b/docs/releasenotes/3.1.0.rst index 3cdb6939d49..a233b2b8f27 100644 --- a/docs/releasenotes/3.1.0.rst +++ b/docs/releasenotes/3.1.0.rst @@ -1,9 +1,11 @@ - 3.1.0 -===== +----- + +Other Changes +============= ImageDraw arc, chord and pieslice can now use floats ----------------------------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is no longer a need to ensure that the start and end arguments for ``arc``, ``chord`` and ``pieslice`` are integers. @@ -12,7 +14,7 @@ Note that these numbers are not simply rounded internally, but are actually utilised in the drawing process. Consistent multiline text spacing ---------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When using the ``ImageDraw`` multiline methods, the spacing between lines was inconsistent, based on the combination on ascenders and 
@@ -24,7 +26,7 @@ not the absolute height of each line. There is also now a default spacing of 4px between lines. Exif, Jpeg and Tiff Metadata ----------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There were major changes in the TIFF ImageFileDirectory support in Pillow 3.0 that led to a number of regressions. Some of them have been @@ -32,7 +34,7 @@ fixed in Pillow 3.1, and some of them have been extended to have different behavior. TiffImagePlugin.IFDRational -+++++++++++++++++++++++++++ +--------------------------- Pillow 3.0 changed rational metadata to use a float. In Pillow 3.1, this has changed to allow the expression of 0/0 as a valid piece of @@ -50,7 +52,7 @@ This class should be used when adding a rational value to an ImageFileDirectory for saving to image metadata. JpegImagePlugin._getexif -++++++++++++++++++++++++ +------------------------ In Pillow 3.0, the dictionary returned from the private, experimental, but generally widely used ``_getexif`` function changed to reflect the @@ -65,7 +67,7 @@ The format returned by Pillow 3.0 has been abandoned. A more fully featured interface for EXIF is anticipated in a future release. Out of Spec Metadata -++++++++++++++++++++ +-------------------- In Pillow 3.0 and 3.1, images that contain metadata that is internally consistent, but not in agreement with the TIFF spec, may cause an diff --git a/docs/releasenotes/3.2.0.rst b/docs/releasenotes/3.2.0.rst index c6177428814..26a91db7950 100644 --- a/docs/releasenotes/3.2.0.rst +++ b/docs/releasenotes/3.2.0.rst @@ -1,9 +1,11 @@ - 3.2.0 ----- +Other Changes +============= + New DDS and FTEX Image Plugins -============================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``DdsImagePlugin`` reading DXT1 and DXT5 encoded ``.dds`` images was added. DXT3 images are not currently supported. 
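Review bot: The 3.1.0.rst hunk has the same level problem as 2.7.0: `TiffImagePlugin.IFDRational`, `JpegImagePlugin._getexif` and `Out of Spec Metadata` are changed from `++++` to `----`, but the same patch changes the `3.1.0` title underline to `-----`, so these three headings resolve to title level instead of nesting under `Exif, Jpeg and Tiff Metadata`. Leaving them as `++++` (a style not used elsewhere in the file) or using `~~~~` would preserve the intended fourth level.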
@@ -14,7 +16,7 @@ per file, in the ``.ftc`` (compressed) and ``.ftu`` (uncompressed) formats. Updates to the GbrImagePlugin -============================= +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``GbrImagePlugin`` (GIMP brush format) has been updated to fix support for version 1 files and add support for version 2 files. diff --git a/docs/releasenotes/3.3.0.rst b/docs/releasenotes/3.3.0.rst index 39ffdbb2ef0..35279d493f0 100644 --- a/docs/releasenotes/3.3.0.rst +++ b/docs/releasenotes/3.3.0.rst @@ -1,8 +1,11 @@ 3.3.0 ----- +Other Changes +============= + Libimagequant support -===================== +^^^^^^^^^^^^^^^^^^^^^ There is now support for using libimagequant as a higher quality quantization option in ``Image.quantize()`` on Unix-like @@ -12,7 +15,7 @@ differences. New Setup.py options -==================== +^^^^^^^^^^^^^^^^^^^^ There are two new options to control the ``build_ext`` task in ``setup.py``: @@ -24,9 +27,8 @@ There are two new options to control the ``build_ext`` task in ``setup.py``: cross compilers that specify that information in via environment variables. - Resizing -======== +^^^^^^^^ Image resampling for 8-bit per channel images was rewritten using only integer computings. This is faster on most platforms and doesn't introduce precision @@ -36,18 +38,16 @@ makes resampling 60% faster on average. Color calculation for images in the ``LA`` mode on semitransparent pixels was fixed. - Rotation -======== +^^^^^^^^ Rotation for angles divisible by 90 degrees now always uses transposition. This greatly improves both quality and performance in this case. Also, the bug with wrong image size calculation when rotating by 90 degrees was fixed. - Image Metadata -============== +^^^^^^^^^^^^^^ The return type for binary data in version 2 Exif and Tiff metadata has been changed from a tuple of integers to bytes. This is a change diff --git a/docs/releasenotes/3.3.2.rst b/docs/releasenotes/3.3.2.rst index 8845b976a8b..73156a65dbb 100644 
--- a/docs/releasenotes/3.3.2.rst +++ b/docs/releasenotes/3.3.2.rst @@ -1,9 +1,11 @@ - 3.3.2 -===== +----- + +Security +======== Integer overflow in Map.c -------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory @@ -26,7 +28,7 @@ memory without duplicating the image first. This issue was found by Cris Neckar at Divergent Security. Sign Extension in Storage.c ---------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative diff --git a/docs/releasenotes/3.4.0.rst b/docs/releasenotes/3.4.0.rst index 2bbafe741d2..05fa7e5e2d8 100644 --- a/docs/releasenotes/3.4.0.rst +++ b/docs/releasenotes/3.4.0.rst @@ -1,9 +1,29 @@ - 3.4.0 ----- +Deprecations +============ + +Deprecation Warning when Saving JPEGs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +JPEG images cannot contain an alpha channel. Pillow prior to 3.4.0 +silently drops the alpha channel. With this release Pillow will now +issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode +image as a JPEG. This will become an error in Pillow 4.2. + +Image.core.open_ppm removed +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The nominally private/debugging function ``Image.core.open_ppm`` has +been removed. If you were using this function, please use +``Image.open`` instead. + +Other changes +============= + New resizing filters -==================== +^^^^^^^^^^^^^^^^^^^^ Two new filters available for ``Image.resize()`` and ``Image.thumbnail()`` functions: ``BOX`` and ``HAMMING``. ``BOX`` is the high-performance filter with 
@@ -14,23 +34,15 @@ two times shorter window than ``BILINEAR``. It can be used for image reduction providing the image downscaling quality comparable to ``BICUBIC``. Both new filters don't show good quality for the image upscaling. -Deprecation Warning when Saving JPEGs -===================================== - -JPEG images cannot contain an alpha channel. Pillow prior to 3.4.0 -silently drops the alpha channel. With this release Pillow will now -issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode -image as a JPEG. This will become an error in Pillow 4.2. - New DDS Decoders -================ +^^^^^^^^^^^^^^^^ Pillow can now decode DXT3 images, as well as the previously supported DXT1 and DXT5 formats. All three formats are now decoded in C code for better performance. Append images to GIF -==================== +^^^^^^^^^^^^^^^^^^^^ Additional frames can now be appended when saving a GIF file, through the ``append_images`` argument. The new frames are passed in as a list of images, @@ -42,16 +54,9 @@ in effect, e.g.:: im.save(out, save_all=True, append_images=[im1, im2, ...]) Save multiple frame TIFF -======================== +^^^^^^^^^^^^^^^^^^^^^^^^ Multiple frames can now be saved in a TIFF file by using the ``save_all`` option. e.g.:: im.save("filename.tiff", format="TIFF", save_all=True) - -Image.core.open_ppm removed -=========================== - -The nominally private/debugging function ``Image.core.open_ppm`` has -been removed. If you were using this function, please use -``Image.open`` instead. diff --git a/docs/releasenotes/4.0.0.rst b/docs/releasenotes/4.0.0.rst index 5778de26a82..8b4b403a7aa 100644 --- a/docs/releasenotes/4.0.0.rst +++ b/docs/releasenotes/4.0.0.rst @@ -1,6 +1,9 @@ 4.0.0 ----- +Other Changes +============= + Python 2.6 and 3.2 Dropped ========================== diff --git a/docs/releasenotes/4.1.0.rst b/docs/releasenotes/4.1.0.rst index 4d6598d8efa..c57b1212f17 100644 --- a/docs/releasenotes/4.1.0.rst 
+++ b/docs/releasenotes/4.1.0.rst @@ -1,8 +1,8 @@ 4.1.0 ----- -Removed Deprecated Items -======================== +Deprecations +============ Several deprecated items have been removed. @@ -15,8 +15,11 @@ Several deprecated items have been removed. ``PIL.ImageDraw.ImageDraw.setfont`` have been removed. +Other Changes +============= + Closing Files When Opening Images -================================= +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The file handling when opening images has been overhauled. Previously, Pillow would attempt to close some, but not all image formats @@ -38,9 +41,8 @@ is specified: the underlying file until we are done with the image. The mapping will be closed in the ``close`` or ``__del__`` method. - Changes to GIF Handling When Saving -=================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The :py:class:`PIL.GifImagePlugin` code has been refactored to fix the flow when saving images. There are two external changes that arise from this: diff --git a/docs/releasenotes/4.1.1.rst b/docs/releasenotes/4.1.1.rst index 1b5757015f8..8c04387d4a1 100644 --- a/docs/releasenotes/4.1.1.rst +++ b/docs/releasenotes/4.1.1.rst @@ -1,8 +1,11 @@ 4.1.1 ----- +Other Changes +============= + Fix Regression with reading DPI from EXIF data -============================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Some JPEG images don't contain DPI information in the image metadata, but do contain it in the EXIF data. A patch was added in 4.1.0 to read @@ -10,9 +13,8 @@ from the EXIF data, but it did not accept all possible types that could be included there. This fix adds the ability to read ints as well as rational values. - Incompatibility between 3.6.0 and 3.6.1 -======================================= +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ CPython 3.6.1 added a new symbol, PySlice_GetIndicesEx, which was not present in 3.6.0. This had the effect of causing binaries compiled on 
diff --git a/docs/releasenotes/4.2.0.rst b/docs/releasenotes/4.2.0.rst index 1e9637f1e32..aade307d355 100644 --- a/docs/releasenotes/4.2.0.rst +++ b/docs/releasenotes/4.2.0.rst @@ -1,8 +1,11 @@ 4.2.0 ----- +Other Changes +============= + Added Complex Text Rendering -============================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow now supports complex text rendering for scripts requiring glyph composition and bidirectional flow. This optional feature adds three @@ -11,7 +14,7 @@ dependencies: harfbuzz, fribidi, and raqm. See the :doc:`install documentation Unix and Mac, but has not yet been built on Windows platforms. New Optional Parameters -======================= +^^^^^^^^^^^^^^^^^^^^^^^ * :py:meth:`PIL.ImageDraw.floodfill` has a new optional parameter: threshold. This specifies a tolerance for the color to replace with @@ -22,16 +25,17 @@ New Optional Parameters multipage outputs. New DecompressionBomb Warning -============================= +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ :py:meth:`PIL.Image.Image.crop` now may raise a DecompressionBomb warning if the crop region enlarges the image over the threshold specified by :py:data:`PIL.Image.MAX_IMAGE_PIXELS`. -Removed Deprecated Items -======================== +Deprections +=========== -Several deprecated items have been removed. +Several deprecated items have been removed +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * The methods ``PIL.ImageWin.Dib.fromstring``, ``PIL.ImageWin.Dib.tostring`` and @@ -44,7 +48,7 @@ Several deprecated items have been removed. an :py:exc:`IOError` is raised. Removed Core Image Function -=========================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^ The unused function ``Image.core.new_array`` was removed. This is an internal function that should not have been used by user code, but it diff --git a/docs/releasenotes/4.2.1.rst b/docs/releasenotes/4.2.1.rst index 0730936feb0..220cc79b6b4 100644 --- a/docs/releasenotes/4.2.1.rst +++ b/docs/releasenotes/4.2.1.rst 
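Review bot: the new section heading in `4.2.0.rst` is misspelled `Deprections`; it should read `Deprecations` to match `3.4.0.rst` and `4.1.0.rst` in this same patch, with the `===` underline lengthened accordingly. The template ordering used in those files also places `Deprecations` before `Other Changes`, whereas here it is appended after `Other Changes`.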
@@ -3,8 +3,11 @@ There are no functional changes in this release. +Other Changes +============= + Fixed Windows PyPy Build -======================== +^^^^^^^^^^^^^^^^^^^^^^^^ A change in the 4.2.0 cycle broke the Windows PyPy build. This has been fixed, and PyPy is now part of the Windows CI matrix. diff --git a/docs/releasenotes/5.1.0.rst b/docs/releasenotes/5.1.0.rst index 2a4c64ac52e..96d84f68117 100644 --- a/docs/releasenotes/5.1.0.rst +++ b/docs/releasenotes/5.1.0.rst @@ -1,15 +1,23 @@ 5.1.0 ----- +Other Changes +============= + New File Format -=============== +^^^^^^^^^^^^^^^ BLP File Format -^^^^^^^^^^^^^^^ +--------------- Pillow now supports reading the BLP "Blizzard Mipmap" file format used for tiles in Blizzard's engine. +WebP memory leak +^^^^^^^^^^^^^^^^ + +A memory leak when opening ``WebP`` files has been fixed. + API Changes =========== @@ -26,11 +34,3 @@ Append to PDF Files Images can now be appended to PDF files in place by passing in ``append=True`` when saving the image. - -Other Changes -============= - -WebP memory leak -^^^^^^^^^^^^^^^^ - -A memory leak when opening ``WebP`` files has been fixed. diff --git a/docs/releasenotes/5.4.1.rst b/docs/releasenotes/5.4.1.rst index bbabd652090..e02ab9b31da 100644 --- a/docs/releasenotes/5.4.1.rst +++ b/docs/releasenotes/5.4.1.rst @@ -3,6 +3,9 @@ This release fixes regressions in 5.4.0. +Other Changes +============= + Installation on Termux ^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/7.1.1.rst b/docs/releasenotes/7.1.1.rst index 2169e6a05b8..d0bf974ea64 100644 --- a/docs/releasenotes/7.1.1.rst +++ b/docs/releasenotes/7.1.1.rst @@ -1,8 +1,11 @@ 7.1.1 ----- +Other Changes +============= + Fix regression seeking PNG files -================================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This fixes a regression introduced in 7.1.0 when adding support for APNG files when calling ``seek`` and ``tell``: 
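Review bot: in `5.1.0.rst` the `BLP File Format` underline is changed from `^^^` to `---`, which puts a `-` underline beneath a `^^^` heading while the file title `5.1.0` already uses `-----`; docutils treats that as an inconsistent title level. Either fold it into the parent as a single `^^^` heading (the "New File Format" section has only this one entry) or use `+++` for the extra level.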
diff --git a/docs/releasenotes/7.1.2.rst b/docs/releasenotes/7.1.2.rst index ec0063e7953..211d9dbc1f5 100644 --- a/docs/releasenotes/7.1.2.rst +++ b/docs/releasenotes/7.1.2.rst @@ -1,8 +1,11 @@ 7.1.2 ----- +Other Changes +============= + Fix another regression seeking PNG files -======================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This fixes a regression introduced in 7.1.0 when adding support for APNG files. diff --git a/docs/releasenotes/8.3.1.rst b/docs/releasenotes/8.3.1.rst index 6af2b37bfe1..c36aa09fbad 100644 --- a/docs/releasenotes/8.3.1.rst +++ b/docs/releasenotes/8.3.1.rst @@ -1,8 +1,11 @@ 8.3.1 ----- +Other Changes +============= + Fixed regression converting to NumPy arrays -=========================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This fixes a regression introduced in 8.3.0 when converting an image to a NumPy array with a ``dtype`` argument. @@ -28,7 +31,7 @@ access. The :py:exc:`OSError` is now silently caught. Fixed removing orientation in ImageOps.exif_transpose -===================================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In 8.3.0, :py:meth:`~PIL.ImageOps.exif_transpose` was changed to ensure that the original image EXIF data was not modified, and the orientation was only removed from From b5f77799caf1a46cc196344e71b168087229e3a7 Mon Sep 17 00:00:00 2001 
From: Alex Clark Date: Thu, 14 Mar 2024 20:50:17 -0400 Subject: [PATCH 28/33] Update release notes to match template for #7864 --- docs/releasenotes/10.0.1.rst | 5 ++++- docs/releasenotes/10.3.0.rst | 5 +++++ docs/releasenotes/2.7.0.rst | 19 +++++++++--------- docs/releasenotes/3.1.0.rst | 6 +++--- docs/releasenotes/3.2.0.rst | 4 ++-- docs/releasenotes/4.0.0.rst | 14 ++++++------- docs/releasenotes/4.1.0.rst | 6 +++--- docs/releasenotes/5.1.0.rst | 31 +++++++++++++---------------- docs/releasenotes/6.2.2.rst | 21 +++----------------- docs/releasenotes/8.3.1.rst | 2 +- docs/releasenotes/9.4.0.rst | 38 ++++++++++++++++++------------------ 11 files changed, 70 insertions(+), 81 deletions(-) diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index a260fc3819a..02189d51405 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -11,7 +11,10 @@ This release provides an updated install script and updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. +Other Changes +============= + Updated tests to pass with latest zlib version -============================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail. diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index b5dbf16d4cb..110126dc1e5 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -90,3 +90,8 @@ Release GIL when fetching WebP frames Python's Global Interpreter Lock is now released when fetching WebP frames from the libwebp decoder. + +Add release notes for 2.3.1, 2.3.2, 2.5.2 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +TODO diff --git a/docs/releasenotes/2.7.0.rst b/docs/releasenotes/2.7.0.rst index 3b4d6e65dee..82b59a6d8f3 100644 --- a/docs/releasenotes/2.7.0.rst +++ b/docs/releasenotes/2.7.0.rst 
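Review bot: the new `Add release notes for 2.3.1, 2.3.2, 2.5.2` subsection in `10.3.0.rst` has a body consisting only of `TODO`; a placeholder should not land in published release notes. Either write the entry now or leave the subsection out of this commit until the text is ready.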
@@ -35,7 +35,7 @@ which filter should be used for resampling. Possible values are: were changed in this version. Bicubic and bilinear downscaling --------------------------------- +++++++++++++++++++++++++++++++++ From the beginning ``BILINEAR`` and ``BICUBIC`` filters were based on affine transformations and used a fixed number of pixels from the source image for @@ -52,7 +52,7 @@ If you have previously used any tricks to maintain quality when downscaling with steps), they are unnecessary now. Antialias renamed to Lanczos ----------------------------- +++++++++++++++++++++++++++++ A new ``LANCZOS`` constant was added instead of ``ANTIALIAS``. @@ -66,19 +66,19 @@ The ``ANTIALIAS`` constant is left for backward compatibility and is an alias for ``LANCZOS``. Lanczos upscaling quality -------------------------- ++++++++++++++++++++++++++ The image upscaling quality with ``LANCZOS`` filter was almost the same as ``BILINEAR`` due to a bug. This has been fixed. Bicubic upscaling quality -------------------------- ++++++++++++++++++++++++++ The ``BICUBIC`` filter for affine transformations produced sharp, slightly pixelated image for upscaling. Bicubic for convolutions is more soft. Resize performance ------------------- +++++++++++++++++++ In most cases, convolution is more a expensive algorithm for downscaling because it takes into account all the pixels of source image. Therefore @@ -95,7 +95,7 @@ The upscaling performance of the ``LANCZOS`` filter has remained the same. For times. Default filter for thumbnails ------------------------------ ++++++++++++++++++++++++++++++ In Pillow 2.5 the default filter for :py:meth:`~PIL.Image.Image.thumbnail` was changed from ``NEAREST`` to ``ANTIALIAS``. Antialias was chosen because all the 
@@ -105,7 +105,6 @@ other filters gave poor quality for reduction. Starting from Pillow 2.7.0, uses supersampling internally, not convolutions. Image transposition -^^^^^^^^^^^^^^^^^^^ A new method ``TRANSPOSE`` has been added for the :py:meth:`~PIL.Image.Image.transpose` operation in addition to @@ -127,7 +126,7 @@ implementations use Gaussian blur internally, all changes from this chapter are also applicable to it. Blur radius ------------ ++++++++++++ There was an error in the previous version of Pillow, where blur radius (the standard deviation of Gaussian) actually meant blur diameter. For example, to @@ -138,7 +137,7 @@ If you used a Gaussian blur with some radius value, you need to divide this value by two. Blur performance ----------------- +++++++++++++++++ Box filter computation time is constant relative to the radius and depends on source image size only. Because the new Gaussian blur implementation @@ -150,7 +149,7 @@ second for radius 1, 3.6 seconds for radius 10 and 17 seconds for 50, now blur with any radius on same image is executed for 0.2 seconds. Blur quality ------------- +++++++++++++ The previous implementation takes into account only source pixels within 2 * standard deviation radius for every destination pixel. This was not enough, diff --git a/docs/releasenotes/3.1.0.rst b/docs/releasenotes/3.1.0.rst index a233b2b8f27..78531ca374f 100644 --- a/docs/releasenotes/3.1.0.rst +++ b/docs/releasenotes/3.1.0.rst @@ -34,7 +34,7 @@ fixed in Pillow 3.1, and some of them have been extended to have different behavior. TiffImagePlugin.IFDRational ---------------------------- ++++++++++++++++++++++++++++ Pillow 3.0 changed rational metadata to use a float. In Pillow 3.1, this has changed to allow the expression of 0/0 as a valid piece of 
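Review bot: in `2.7.0.rst`, the hunk at `@@ -105,7 +105,6 @@` deletes the `^^^^^^^^^^^^^^^^^^^` underline beneath `Image transposition` without adding a replacement, so `Image transposition` stops being a heading and renders as a stray one-line paragraph before its body text. Restore an underline at the intended level (`+++++++++++++++++++` if it is meant to sit with the other sub-subsections this hunk series converts, or `^^^` if it is a subsection).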
@@ -52,7 +52,7 @@ This class should be used when adding a rational value to an ImageFileDirectory for saving to image metadata. JpegImagePlugin._getexif ------------------------- +++++++++++++++++++++++++ In Pillow 3.0, the dictionary returned from the private, experimental, but generally widely used ``_getexif`` function changed to reflect the @@ -67,7 +67,7 @@ The format returned by Pillow 3.0 has been abandoned. A more fully featured interface for EXIF is anticipated in a future release. Out of Spec Metadata --------------------- +++++++++++++++++++++ In Pillow 3.0 and 3.1, images that contain metadata that is internally consistent, but not in agreement with the TIFF spec, may cause an diff --git a/docs/releasenotes/3.2.0.rst b/docs/releasenotes/3.2.0.rst index 26a91db7950..b050e19426b 100644 --- a/docs/releasenotes/3.2.0.rst +++ b/docs/releasenotes/3.2.0.rst @@ -22,7 +22,7 @@ The ``GbrImagePlugin`` (GIMP brush format) has been updated to fix support for version 1 files and add support for version 2 files. Passthrough Parameters for ImageDraw.text -========================================= +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ``ImageDraw.multiline_text`` and ``ImageDraw.multiline_size`` take extra spacing parameters above what are used in ``ImageDraw.text`` and @@ -31,7 +31,7 @@ spacing parameters above what are used in ``ImageDraw.text`` and to the corresponding multiline functions. ImageSequence.Iterator changes -============================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ``ImageSequence.Iterator`` is now an actual iterator implementing the Iterator protocol. It is also now possible to seek to the first image diff --git a/docs/releasenotes/4.0.0.rst b/docs/releasenotes/4.0.0.rst index 8b4b403a7aa..34a59ab6ac4 100644 --- a/docs/releasenotes/4.0.0.rst +++ b/docs/releasenotes/4.0.0.rst 
@@ -5,7 +5,7 @@ Other Changes ============= Python 2.6 and 3.2 Dropped -========================== +^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow 4.0 no longer supports Python 2.6 and 3.2. We will not be creating binaries, testing, or retaining compatibility with these @@ -13,12 +13,12 @@ releases. This release removes some workarounds for those Python releases, so the final working version of Pillow on 2.6 or 3.2 is 3.4.2. Support added for Python 3.6 -============================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow 4.0 supports Python 3.6. OleFileIO.py -============ +^^^^^^^^^^^^ ``OleFileIO.py`` has been removed as a vendored file and is now installed from the upstream :pypi:`olefile` PyPI package. All internal dependencies are @@ -27,19 +27,19 @@ redirected to the olefile package. Direct accesses to upstream olefile into ``sys.modules`` in its place. SGI image save -============== +^^^^^^^^^^^^^^ It is now possible to save images in modes ``L``, ``RGB``, and ``RGBA`` to the uncompressed SGI image format. Zero sized images -================= +^^^^^^^^^^^^^^^^^ Pillow 3.4.0 removed support for creating images with (0,0) size. This has been reenabled, restoring pre 3.4 behavior. Internal handles_eof flag -========================= +^^^^^^^^^^^^^^^^^^^^^^^^^ The ``handles_eof flag`` for decoding images has been removed, as there were no internal users of the flag. Anyone maintaining image decoders @@ -47,7 +47,7 @@ outside of the Pillow source tree should consider using the cleanup function pointers instead. Image.core.stretch removed -========================== +^^^^^^^^^^^^^^^^^^^^^^^^^^ The stretch function on the core image object has been removed. This used to be for enlarging the image, but has been aliased to resize diff --git a/docs/releasenotes/4.1.0.rst b/docs/releasenotes/4.1.0.rst index c57b1212f17..80ad9b9fb63 100644 --- a/docs/releasenotes/4.1.0.rst +++ b/docs/releasenotes/4.1.0.rst 
@@ -58,14 +58,14 @@ This refactor fixed some bugs with palette handling when saving multiple frame GIFs. New Method: Image.remap_palette -=============================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The method :py:meth:`PIL.Image.Image.remap_palette()` has been added. This method was hoisted from the GifImagePlugin code used to optimize the palette. Added Decoder Registry and Support for Python Based Decoders -============================================================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is now a decoder registry similar to the image plugin registries. Image plugins can register a decoder, and it will be @@ -75,7 +75,7 @@ their C based counterparts, they may be easier and quicker to develop or safer to run. Tests -===== +^^^^^ Many tests have been added, including correctness tests for image formats that have been previously untested. diff --git a/docs/releasenotes/5.1.0.rst b/docs/releasenotes/5.1.0.rst index 96d84f68117..f965e74a14b 100644 --- a/docs/releasenotes/5.1.0.rst +++ b/docs/releasenotes/5.1.0.rst @@ -1,23 +1,6 @@ 5.1.0 ----- -Other Changes -============= - -New File Format -^^^^^^^^^^^^^^^ - -BLP File Format ---------------- - -Pillow now supports reading the BLP "Blizzard Mipmap" file format used -for tiles in Blizzard's engine. - -WebP memory leak -^^^^^^^^^^^^^^^^ - -A memory leak when opening ``WebP`` files has been fixed. - API Changes =========== @@ -34,3 +17,17 @@ Append to PDF Files Images can now be appended to PDF files in place by passing in ``append=True`` when saving the image. + +Other Changes +============= + +New BLP File Format +^^^^^^^^^^^^^^^^^^^ + +Pillow now supports reading the BLP "Blizzard Mipmap" file format used +for tiles in Blizzard's engine. + +WebP memory leak +^^^^^^^^^^^^^^^^ + +A memory leak when opening ``WebP`` files has been fixed. diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 941bda3a84f..44bb0ffe34d 100644 
--- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst @@ -13,23 +13,8 @@ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. -:cve:`2020-5310`: Overflow checks added to TIFF image processing -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Overflow checks have been added when calculating the size of a memory block to be reallocated -in the processing of a TIFF image. - -:cve:`2020-5311`: Overflow checks added to SGI image processing -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. - -:cve:`2020-5312`: Overflow checks added to PCX image processing -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Buffer overruns were found when processing a PCX image. Checks have been added to prevent this. - -:cve:`2020-5313`: Overflow checks added to FLI image processing -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Buffer overruns were found when processing an FLI image. Checks have been added to prevent this. +in the processing of TIFF, SGI, PCX and FLI images. diff --git a/docs/releasenotes/8.3.1.rst b/docs/releasenotes/8.3.1.rst index c36aa09fbad..5f5f9ff29df 100644 --- a/docs/releasenotes/8.3.1.rst +++ b/docs/releasenotes/8.3.1.rst 
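Review bot: merging the four CVE subsections in `6.2.2.rst` into one heading also collapses their descriptions, and the replacement sentence only says overflow checks were added to the size calculation of a memory block to be reallocated for TIFF, SGI, PCX and FLI; the removed text describes the SGI, PCX and FLI fixes as checks against buffer overruns during image processing, a different defect from the TIFF realloc-size overflow. Keep the per-format detail in the merged body, for example one sentence for the TIFF realloc check and one for the three buffer overrun checks, so the combined entry still matches what each CVE record describes.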
@@ -22,7 +22,7 @@ with a ``dtype`` argument. >>> Catch OSError when checking if destination is sys.stdout -======================================================== +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In 8.3.0, a check to see if the destination was ``sys.stdout`` when saving an image was updated. This lead to an :py:exc:`OSError` being raised if the environment restricted diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst index 0af5bc8ca11..37f26a22c05 100644 --- a/docs/releasenotes/9.4.0.rst +++ b/docs/releasenotes/9.4.0.rst @@ -1,6 +1,25 @@ 9.4.0 ----- +Security +======== + +Fix memory DOS in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A corrupt or specially crafted TTF font could have font metrics that lead to +unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not +check the image size before allocating memory for it. This dates to the PIL +fork. Pillow 8.2.0 added a check for large sizes, but did not consider the +case where one dimension is zero. + +Null pointer dereference crash in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a +crash. An error is now raised instead. This has been present since +Pillow 8.0.0. + API Additions ============= 
@@ -69,25 +88,6 @@ When saving a JPEG image, a comment can now be written from im.save(out, comment="Test comment") -Security -======== - -Fix memory DOS in ImageFont -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -A corrupt or specially crafted TTF font could have font metrics that lead to -unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not -check the image size before allocating memory for it. This dates to the PIL -fork. Pillow 8.2.0 added a check for large sizes, but did not consider the -case where one dimension is zero. - -Null pointer dereference crash in ImageFont -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a -crash. An error is now raised instead. This has been present since -Pillow 8.0.0. - Other Changes ============= From 45975e482d3590edae92a35032add0a6e847f1e8 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 21:04:08 -0400 Subject: [PATCH 29/33] Update release notes to match template for #7864 --- docs/releasenotes/2.3.1.rst | 8 +++---- docs/releasenotes/4.2.0.rst | 46 ++++++++++++++++++------------------- docs/releasenotes/6.2.2.rst | 2 +- docs/releasenotes/8.3.0.rst | 8 +++---- 4 files changed, 32 insertions(+), 32 deletions(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index 6446ebccbff..d8c41d3ed36 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -11,10 +11,10 @@ These issues reported in ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function -in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4) _copy -function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and -Pillow before 2.3.1 do not properly create temporary files, which allow local -users to overwrite arbitrary files and obtain sensitive information via a +in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4) +``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier +and Pillow before 2.3.1 do not properly create temporary files, which allow +local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. :cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` diff --git a/docs/releasenotes/4.2.0.rst b/docs/releasenotes/4.2.0.rst index aade307d355..2590c2610f1 100644 --- a/docs/releasenotes/4.2.0.rst +++ b/docs/releasenotes/4.2.0.rst @@ -1,6 +1,29 @@ 4.2.0 ----- +Deprecations +============ + +Several deprecated items have been removed +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The methods ``PIL.ImageWin.Dib.fromstring``, + ``PIL.ImageWin.Dib.tostring`` and + ``PIL.TiffImagePlugin.ImageFileDirectory_v2.as_dict`` have + been removed. + +* Before Pillow 4.2.0, attempting to save an RGBA image as JPEG would + discard the alpha channel. From Pillow 3.4.0, a deprecation warning + was shown. From Pillow 4.2.0, the deprecation warning is removed and + an :py:exc:`IOError` is raised. + +Removed Core Image Function +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The unused function ``Image.core.new_array`` was removed. This is an +internal function that should not have been used by user code, but it +was accessible from the python layer. + Other Changes ============= 
@@ -30,26 +53,3 @@ New DecompressionBomb Warning :py:meth:`PIL.Image.Image.crop` now may raise a DecompressionBomb warning if the crop region enlarges the image over the threshold specified by :py:data:`PIL.Image.MAX_IMAGE_PIXELS`. - -Deprections -=========== - -Several deprecated items have been removed -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* The methods ``PIL.ImageWin.Dib.fromstring``, - ``PIL.ImageWin.Dib.tostring`` and - ``PIL.TiffImagePlugin.ImageFileDirectory_v2.as_dict`` have - been removed. - -* Before Pillow 4.2.0, attempting to save an RGBA image as JPEG would - discard the alpha channel. From Pillow 3.4.0, a deprecation warning - was shown. From Pillow 4.2.0, the deprecation warning is removed and - an :py:exc:`IOError` is raised. - -Removed Core Image Function -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The unused function ``Image.core.new_array`` was removed. This is an -internal function that should not have been used by user code, but it -was accessible from the python layer. diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 44bb0ffe34d..f223b8f5a08 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst @@ -4,7 +4,7 @@ Security ======== -This release fixes several buffer overruns and DOS attacks. +This release fixes several buffer overflow issues and a DOS attack vulnerability. :cve:`2019-19911`: DOS attack vulnerability ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index 3ef9bb9b334..9f46cc1e9e9 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst 
@@ -4,11 +4,11 @@ Security ======== -:cve:`2021-34552`: Buffer overflow -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-34552`: Fix buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger -buffer overflow in Convert.c. +PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert +function to trigger buffer overflow in ``Convert.c``. Parsing XML ^^^^^^^^^^^ From 4438305a959873107c4165515a5e26b5c5bafc7b Mon Sep 17 00:00:00 2001 From: "Jeffrey A. Clark" Date: Fri, 15 Mar 2024 10:03:19 -0400 Subject: [PATCH 30/33] Update docs/releasenotes/7.1.0.rst Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/7.1.0.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index 4c1f41a693a..2a7d2f1d258 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -29,7 +29,8 @@ In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out- :cve:`2020-11538`: Buffer overflow in SGI-RLE decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. +In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds +reads exist in the parsing of SGI image files, a different issue than :cve:`2020-5311`. API Changes =========== From 5b3dabb3a0b902513fd558525bbc15f83c73b471 Mon Sep 17 00:00:00 2001 
From: Alex Clark Date: Fri, 15 Mar 2024 10:27:29 -0400 Subject: [PATCH 31/33] Add release notes for 2.6.0 for #7864 --- docs/releasenotes/10.3.0.rst | 12 +++++++++--- docs/releasenotes/2.6.0.rst | 22 ++++++++++++++++++++++ docs/releasenotes/index.rst | 1 + 3 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 docs/releasenotes/2.6.0.rst diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index 110126dc1e5..d16d45504ea 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -91,7 +91,13 @@ Release GIL when fetching WebP frames Python's Global Interpreter Lock is now released when fetching WebP frames from the libwebp decoder. -Add release notes for 2.3.1, 2.3.2, 2.5.2 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Added release notes for past releases +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +Added release notes for past releases: ``2.6.0``, ``2.5.2``, +``2.3.2``, ``2.3.1``. This effort is intended to provide a comprehensive +look at CVE data from 1995 to 2024 across three noteworthy periods: + +- 1995-2010: No CVEs +- 2010-2019: A few CVEs +- 2019-2024: Many CVEs diff --git a/docs/releasenotes/2.6.0.rst b/docs/releasenotes/2.6.0.rst new file mode 100644 index 00000000000..22e8c737b07 --- /dev/null +++ b/docs/releasenotes/2.6.0.rst @@ -0,0 +1,22 @@ +2.6.0 +----- + +Security +======== + +:cve:`2014-3589`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted +block size. + +Found and reported by Andrew Drake of dropbox.com + +Other Changes +============= + +Relaxed precision of some tests +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Relaxed imagedraw tests to allow slight errors for x86 vs x64. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index 17a95c6f62a..089d44b9075 100644 --- a/docs/releasenotes/index.rst 
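Review bot: the period list added to `10.3.0.rst` has overlapping ranges (`1995-2010`, `2010-2019`, `2019-2024`), so 2010 and 2019 each fall into two buckets; make the boundaries exclusive (for example `1995-2009`, `2010-2018`, `2019-2024`). In the new `2.6.0.rst`, the `:cve:`2014-3589`` text says the affected versions are before `2.3.2` and `2.5.x` before `2.5.2`, so a short note on why the entry is also listed under 2.6.0 would help readers, and the credit line `Found and reported by Andrew Drake of dropbox.com` is missing its terminating period.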
+++ b/docs/releasenotes/index.rst @@ -69,6 +69,7 @@ expected to be backported to earlier versions. 3.0.0 2.8.0 2.7.0 + 2.6.0 2.5.2 2.3.2 2.3.1 From 115179e5a63597387f118c87a3f34cf0c7d47ee9 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Fri, 15 Mar 2024 14:08:48 -0400 Subject: [PATCH 32/33] Update release notes for #7864 --- docs/releasenotes/10.3.0.rst | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index d16d45504ea..9b1ca123379 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -95,9 +95,14 @@ Added release notes for past releases ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Added release notes for past releases: ``2.6.0``, ``2.5.2``, -``2.3.2``, ``2.3.1``. This effort is intended to provide a comprehensive -look at CVE data from 1995 to 2024 across three noteworthy periods: - -- 1995-2010: No CVEs -- 2010-2019: A few CVEs -- 2019-2024: Many CVEs +``2.3.2``, ``2.3.1``. With these additions we are now able to +provide a comprehensive view of all CVE data from 1995 to 2024 +across three noteworthy periods: + +- 1995-2009: No known CVEs +- 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076` +- 2019-2024: :cve:`2019-16865`, :cve:`2019-19911`, :cve:`2020-10177`, :cve:`2020-15999`, + :cve:`2020-35653`, :cve:`2021-25289`, :cve:`2020-35654`, :cve:`2020-35654`, + :cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`, :cve:`2021-25287`, + :cve:`2021-25288`, :cve:`2021-34552`, :cve:`2021-23437`, :cve:`2022-22817`, + :cve:`2022-24303`, :cve:`2022-30595`, :cve:`2023-44271`, :cve:`2023-4863` From e7d8774d701a5a647e2b2ae9cbbae711063042db Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Fri, 15 Mar 2024 14:20:12 -0400 Subject: [PATCH 33/33] Wording --- docs/releasenotes/10.3.0.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
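Review bot: The 2019-2024 list in the PATCH 32 hunk for 10.3.0.rst contains :cve:`2020-35654` twice (":cve:`2020-35654`, :cve:`2020-35654`,"), so either one is a duplicate or one of them is a typo for a different identifier; please check against the per-release notes and fix. The list is also not in a consistent order (:cve:`2021-25289` appears before the 2020 entries, :cve:`2021-25287` and :cve:`2021-25288` after the 2021-2792x entries), which makes gaps and duplicates like this one hard to spot; sorting by identifier would make the "comprehensive" claim verifiable at a glance.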
diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index 9b1ca123379..079cc220ccf 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -95,9 +95,9 @@ Added release notes for past releases ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Added release notes for past releases: ``2.6.0``, ``2.5.2``, -``2.3.2``, ``2.3.1``. With these additions we are now able to -provide a comprehensive view of all CVE data from 1995 to 2024 -across three noteworthy periods: +``2.3.2``, ``2.3.1``. With these additions we are able to +provide a comprehensive list of all Pillow CVE records from +1995 to 2024 across three noteworthy periods: - 1995-2009: No known CVEs - 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076`
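Review bot: "comprehensive list of all Pillow CVE records from 1995 to 2024" is slightly inaccurate, because the earlier periods cover PIL as well as Pillow; the 2.6.0 note added in this same series describes :cve:`2014-3589` as affecting "Python Imaging Library (PIL) and Pillow". Consider "PIL and Pillow CVE records" here so the wording matches the range of years it claims.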
