From 2568fd891f1f66b2120faad93d8eaa8beef49ca4 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Sat, 16 Mar 2024 20:29:48 +0200 Subject: [PATCH 01/15] Remove listing of newly-added release notes in 10.4 release notes --- docs/releasenotes/10.3.0.rst | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst index 079cc220ccf..b5dbf16d4cb 100644 --- a/docs/releasenotes/10.3.0.rst +++ b/docs/releasenotes/10.3.0.rst @@ -90,19 +90,3 @@ Release GIL when fetching WebP frames Python's Global Interpreter Lock is now released when fetching WebP frames from the libwebp decoder. - -Added release notes for past releases -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Added release notes for past releases: ``2.6.0``, ``2.5.2``, -``2.3.2``, ``2.3.1``. With these additions we are able to -provide a comprehensive list of all Pillow CVE records from -1995 to 2024 across three noteworthy periods: - -- 1995-2009: No known CVEs -- 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076` -- 2019-2024: :cve:`2019-16865`, :cve:`2019-19911`, :cve:`2020-10177`, :cve:`2020-15999`, - :cve:`2020-35653`, :cve:`2021-25289`, :cve:`2020-35654`, :cve:`2020-35654`, - :cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`, :cve:`2021-25287`, - :cve:`2021-25288`, :cve:`2021-34552`, :cve:`2021-23437`, :cve:`2022-22817`, - :cve:`2022-24303`, :cve:`2022-30595`, :cve:`2023-44271`, :cve:`2023-4863` From b25a0542415ed2e34f10aaa70dd84a6b6b789921 Mon Sep 17 00:00:00 2001 
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Sun, 17 Mar 2024 01:17:38 +0200 Subject: [PATCH 02/15] Update release notes --- docs/releasenotes/2.3.1.rst | 14 +++++++------- docs/releasenotes/2.3.2.rst | 4 ++-- docs/releasenotes/2.5.2.rst | 4 ++-- docs/releasenotes/2.6.0.rst | 12 ++---------- docs/releasenotes/2.7.0.rst | 3 --- docs/releasenotes/2.8.0.rst | 3 --- docs/releasenotes/3.0.0.rst | 28 ++++++++++++++-------------- docs/releasenotes/3.1.0.rst | 3 --- docs/releasenotes/3.2.0.rst | 3 --- docs/releasenotes/3.3.0.rst | 19 ++++++++----------- docs/releasenotes/3.4.0.rst | 19 +++++++++++-------- docs/releasenotes/4.0.0.rst | 3 --- docs/releasenotes/4.1.1.rst | 3 --- docs/releasenotes/4.2.0.rst | 4 ++-- docs/releasenotes/4.2.1.rst | 3 --- docs/releasenotes/5.1.0.rst | 6 +++--- docs/releasenotes/5.4.1.rst | 3 --- docs/releasenotes/7.1.1.rst | 3 --- docs/releasenotes/7.1.2.rst | 3 --- docs/releasenotes/8.3.1.rst | 3 --- 20 files changed, 51 insertions(+), 92 deletions(-) diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index d8c41d3ed36..e54065a0b6e 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -4,23 +4,23 @@ Security ======== -These issues reported in +These issues were reported in `Debian bug #737059 `_. :cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function -in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4) -``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier -and Pillow before 2.3.1 do not properly create temporary files, which allow +The (1) ``load_djpeg`` function in ``JpegImagePlugin.py``, (2) Ghostscript function +in ``EpsImagePlugin.py``, (3) ``load`` function in ``IptcImagePlugin.py``, and (4) +``_copy`` function in ``Image.py`` in +Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. :cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in Python -Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of +The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in +Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. diff --git a/docs/releasenotes/2.3.2.rst b/docs/releasenotes/2.3.2.rst index 56398a97414..c4504ee332c 100644 --- a/docs/releasenotes/2.3.2.rst +++ b/docs/releasenotes/2.3.2.rst 
@@ -7,8 +7,8 @@ Security :cve:`2014-3589`: Fix DOS attack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. -Found and reported by Andrew Drake of dropbox.com +Found and reported by Andrew Drake of `Dropbox `__. diff --git a/docs/releasenotes/2.5.2.rst b/docs/releasenotes/2.5.2.rst index 4884f8db8c4..a80b460a894 100644 --- a/docs/releasenotes/2.5.2.rst +++ b/docs/releasenotes/2.5.2.rst @@ -7,8 +7,8 @@ Security :cve:`2014-3589`: Fix DOS attack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. -Found and reported by Andrew Drake of dropbox.com +Found and reported by Andrew Drake of `Dropbox `__. diff --git a/docs/releasenotes/2.6.0.rst b/docs/releasenotes/2.6.0.rst index 22e8c737b07..84b0016d27d 100644 --- a/docs/releasenotes/2.6.0.rst +++ b/docs/releasenotes/2.6.0.rst @@ -7,16 +7,8 @@ Security :cve:`2014-3589`: Fix DOS attack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +``PIL/IcnsImagePlugin.py`` in Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. -Found and reported by Andrew Drake of dropbox.com - -Other Changes -============= - -Relaxed precision of some tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Relaxed imagedraw tests to allow slight errors for x86 vs x64. +Found and reported by Andrew Drake of `Dropbox `__. diff --git a/docs/releasenotes/2.7.0.rst b/docs/releasenotes/2.7.0.rst index 82b59a6d8f3..5d76830d24c 100644 --- a/docs/releasenotes/2.7.0.rst 
+++ b/docs/releasenotes/2.7.0.rst @@ -1,9 +1,6 @@ 2.7.0 ----- -Other Changes -============= - Sane Plugin ^^^^^^^^^^^ diff --git a/docs/releasenotes/2.8.0.rst b/docs/releasenotes/2.8.0.rst index 5af2d70bac2..2b9eed524d9 100644 --- a/docs/releasenotes/2.8.0.rst +++ b/docs/releasenotes/2.8.0.rst @@ -1,9 +1,6 @@ 2.8.0 ----- -Other Changes -============= - Open HTTP response objects with Image.open ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/3.0.0.rst b/docs/releasenotes/3.0.0.rst index 4ec71fa6785..8bc477f7020 100644 --- a/docs/releasenotes/3.0.0.rst +++ b/docs/releasenotes/3.0.0.rst @@ -1,22 +1,22 @@ 3.0.0 ----- -Deprecations -============ +Backwards Incompatible Changes +============================== Several methods that have been marked as deprecated for many releases -have been removed in this release:: - - Image.tostring() - Image.fromstring() - Image.offset() - ImageDraw.setink() - ImageDraw.setfill() - The ImageFileIO module - The ImageFont.FreeTypeFont and ImageFont.truetype ``file`` keyword arg - The ImagePalette private _make functions - ImageWin.fromstring() - ImageWin.tostring() +have been removed in this release: + +* ``Image.tostring()`` +* ``Image.fromstring()`` +* ``Image.offset()`` +* ``ImageDraw.setink()`` +* ``ImageDraw.setfill()`` +* The ``ImageFileIO`` module +* The ``ImageFont.FreeTypeFont`` and ``ImageFont.truetype`` ``file`` keyword arg +* The ``ImagePalette`` private ``_make`` functions +* ``ImageWin.fromstring()`` +* ``ImageWin.tostring()`` Other Changes ============= diff --git a/docs/releasenotes/3.1.0.rst b/docs/releasenotes/3.1.0.rst index 78531ca374f..951819f1956 100644 --- a/docs/releasenotes/3.1.0.rst +++ b/docs/releasenotes/3.1.0.rst @@ -1,9 +1,6 @@ 3.1.0 ----- -Other Changes -============= - ImageDraw arc, chord and pieslice can now use floats ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/3.2.0.rst b/docs/releasenotes/3.2.0.rst index b050e19426b..3ed8fae574b 100644 
--- a/docs/releasenotes/3.2.0.rst +++ b/docs/releasenotes/3.2.0.rst @@ -1,9 +1,6 @@ 3.2.0 ----- -Other Changes -============= - New DDS and FTEX Image Plugins ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/3.3.0.rst b/docs/releasenotes/3.3.0.rst index 35279d493f0..cd6f7e2f93c 100644 --- a/docs/releasenotes/3.3.0.rst +++ b/docs/releasenotes/3.3.0.rst @@ -1,9 +1,6 @@ 3.3.0 ----- -Other Changes -============= - Libimagequant support ^^^^^^^^^^^^^^^^^^^^^ @@ -19,13 +16,13 @@ New Setup.py options There are two new options to control the ``build_ext`` task in ``setup.py``: - * ``--debug`` dumps all of the directories and files that are - checked when searching for libraries or headers when building the - extensions. - * ``--disable-platform-guessing`` removes many of the directories - that are checked for libraries and headers for build systems or - cross compilers that specify that information in via environment - variables. +* ``--debug`` dumps all of the directories and files that are + checked when searching for libraries or headers when building the + extensions. +* ``--disable-platform-guessing`` removes many of the directories + that are checked for libraries and headers for build systems or + cross compilers that specify that information in via environment + variables. Resizing ^^^^^^^^ @@ -51,4 +48,4 @@ Image Metadata The return type for binary data in version 2 Exif and Tiff metadata has been changed from a tuple of integers to bytes. This is a change -from the behavior since ``3.0.0``. +from the behavior since 3.0.0. diff --git a/docs/releasenotes/3.4.0.rst b/docs/releasenotes/3.4.0.rst index 05fa7e5e2d8..8a5a7efe350 100644 --- a/docs/releasenotes/3.4.0.rst +++ b/docs/releasenotes/3.4.0.rst 
@@ -1,6 +1,16 @@ 3.4.0 ----- +Backwards Incompatible Changes +============================== + +Image.core.open_ppm removed +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The nominally private/debugging function ``Image.core.open_ppm`` has +been removed. If you were using this function, please use +``Image.open`` instead. + Deprecations ============ @@ -12,14 +22,7 @@ silently drops the alpha channel. With this release Pillow will now issue a :py:exc:`DeprecationWarning` when attempting to save a ``RGBA`` mode image as a JPEG. This will become an error in Pillow 4.2. -Image.core.open_ppm removed -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The nominally private/debugging function ``Image.core.open_ppm`` has -been removed. If you were using this function, please use -``Image.open`` instead. - -Other changes +API Additions ============= New resizing filters diff --git a/docs/releasenotes/4.0.0.rst b/docs/releasenotes/4.0.0.rst index 34a59ab6ac4..625f237e841 100644 --- a/docs/releasenotes/4.0.0.rst +++ b/docs/releasenotes/4.0.0.rst @@ -1,9 +1,6 @@ 4.0.0 ----- -Other Changes -============= - Python 2.6 and 3.2 Dropped ^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/4.1.1.rst b/docs/releasenotes/4.1.1.rst index 8c04387d4a1..8c8055bfad8 100644 --- a/docs/releasenotes/4.1.1.rst +++ b/docs/releasenotes/4.1.1.rst @@ -1,9 +1,6 @@ 4.1.1 ----- -Other Changes -============= - Fix Regression with reading DPI from EXIF data ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/4.2.0.rst b/docs/releasenotes/4.2.0.rst index 2590c2610f1..bc2a45f025f 100644 --- a/docs/releasenotes/4.2.0.rst +++ b/docs/releasenotes/4.2.0.rst @@ -1,8 +1,8 @@ 4.2.0 ----- -Deprecations -============ +Backwards Incompatible Changes +============================== Several deprecated items have been removed ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/4.2.1.rst b/docs/releasenotes/4.2.1.rst index 220cc79b6b4..2061f646746 100644 --- a/docs/releasenotes/4.2.1.rst 
+++ b/docs/releasenotes/4.2.1.rst @@ -3,9 +3,6 @@ There are no functional changes in this release. -Other Changes -============= - Fixed Windows PyPy Build ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/5.1.0.rst b/docs/releasenotes/5.1.0.rst index f965e74a14b..c49376dee93 100644 --- a/docs/releasenotes/5.1.0.rst +++ b/docs/releasenotes/5.1.0.rst @@ -18,15 +18,15 @@ Append to PDF Files Images can now be appended to PDF files in place by passing in ``append=True`` when saving the image. -Other Changes -============= - New BLP File Format ^^^^^^^^^^^^^^^^^^^ Pillow now supports reading the BLP "Blizzard Mipmap" file format used for tiles in Blizzard's engine. +Other Changes +============= + WebP memory leak ^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/5.4.1.rst b/docs/releasenotes/5.4.1.rst index e02ab9b31da..bbabd652090 100644 --- a/docs/releasenotes/5.4.1.rst +++ b/docs/releasenotes/5.4.1.rst @@ -3,9 +3,6 @@ This release fixes regressions in 5.4.0. -Other Changes -============= - Installation on Termux ^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/7.1.1.rst b/docs/releasenotes/7.1.1.rst index d0bf974ea64..4afdb664588 100644 --- a/docs/releasenotes/7.1.1.rst +++ b/docs/releasenotes/7.1.1.rst @@ -1,9 +1,6 @@ 7.1.1 ----- -Other Changes -============= - Fix regression seeking PNG files ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/7.1.2.rst b/docs/releasenotes/7.1.2.rst index 211d9dbc1f5..63a4b7aadbf 100644 --- a/docs/releasenotes/7.1.2.rst +++ b/docs/releasenotes/7.1.2.rst @@ -1,9 +1,6 @@ 7.1.2 ----- -Other Changes -============= - Fix another regression seeking PNG files ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/8.3.1.rst b/docs/releasenotes/8.3.1.rst index 5f5f9ff29df..edcda3d614f 100644 --- a/docs/releasenotes/8.3.1.rst +++ b/docs/releasenotes/8.3.1.rst @@ -1,9 +1,6 @@ 8.3.1 ----- -Other Changes -============= - Fixed regression converting to NumPy arrays ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
From c7e40144116428d4af16acab685965dcff90d979 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:02:39 +1100 Subject: [PATCH 03/15] Fixed heading --- docs/releasenotes/2.7.0.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/releasenotes/2.7.0.rst b/docs/releasenotes/2.7.0.rst index 5d76830d24c..e9b0995bb9f 100644 --- a/docs/releasenotes/2.7.0.rst +++ b/docs/releasenotes/2.7.0.rst @@ -102,6 +102,7 @@ other filters gave poor quality for reduction. Starting from Pillow 2.7.0, uses supersampling internally, not convolutions. Image transposition ++++++++++++++++++++ A new method ``TRANSPOSE`` has been added for the :py:meth:`~PIL.Image.Image.transpose` operation in addition to From 1528ac1a4562e8713c55180b771d9b173af07659 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:05:07 +1100 Subject: [PATCH 04/15] Consistently highlight filenames in headings --- docs/releasenotes/3.1.1.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index f5fbd871175..c81f9621254 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -63,8 +63,8 @@ assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error. -Integer overflow in Resample.c -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Integer overflow in ``Resample.c`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If a large value was passed into the new size for an image, it is possible to overflow an ``int32`` value passed into malloc. From 3b68a56c10ca0e4b346d8d03b75a5e1526009d24 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:10:39 +1100 Subject: [PATCH 05/15] Remove CVE already mentioned in heading --- docs/releasenotes/3.1.1.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index c81f9621254..4eabd194490 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -8,8 +8,7 @@ Security ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 -may overflow a buffer when reading a specially crafted tiff file -(:cve:`2016-0740`). +may overflow a buffer when reading a specially crafted tiff file. Specifically, libtiff >= 4.0.0 changed the return type of ``TIFFScanlineSize`` from ``int32`` to machine dependent From 5208712b497e702411170bbfa665651016a5f3b0 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:12:15 +1100 Subject: [PATCH 06/15] Added "API Additions" section --- docs/releasenotes/5.1.0.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/releasenotes/5.1.0.rst b/docs/releasenotes/5.1.0.rst index c49376dee93..4e3d10ac596 100644 --- a/docs/releasenotes/5.1.0.rst +++ b/docs/releasenotes/5.1.0.rst @@ -12,6 +12,9 @@ and ``CMYK`` with up to 6 8-bit channels, discarding any extra channels if the content is tagged as UNSPECIFIED. Pillow still does not store more than 4 8-bit channels of image data. +API Additions +============= + Append to PDF Files ^^^^^^^^^^^^^^^^^^^ From 5fd4ad4aa066edda0730e421f4463c8b07a4f505 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:16:52 +1100 Subject: [PATCH 07/15] Corrected CVEs being split into heading and text --- docs/releasenotes/9.0.0.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 1c940904f55..6fe6b499db4 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -51,10 +51,11 @@ will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This help prevent problems arising if users evaluate arbitrary expressions, such as ``ImageMath.eval("exec(exit())")``. -:cve:`2022-22815`: ImagePath.Path array handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2022-22815`, :cve:`2022-22816`: ImagePath.Path array handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``. +:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when +initializing ``ImagePath.Path``. .. _OSS-Fuzz: https://github.com/google/oss-fuzz From 9cf0ece464874b6f8c9ae7cf0421a04926e68050 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:18:04 +1100 Subject: [PATCH 08/15] Changed heading level to be consistent --- docs/releasenotes/9.0.0.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 6fe6b499db4..8d59aef3029 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst @@ -44,7 +44,7 @@ duplicate tiles that only differ by their offset, only load the last tile. Credi Google's `OSS-Fuzz`_ project for finding this issue. :cve:`2022-22817`: Restrict builtins available to ImageMath.eval -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will From fe06d419fc7071fd972e715df000a01231b7f660 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 18:30:56 +1100 Subject: [PATCH 09/15] Added heading --- docs/releasenotes/9.1.1.rst | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index d538e88c0f9..746bec4d4d6 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -14,6 +14,9 @@ Pillow reads the information past the end of the first line without deducting th from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. +Decompression bomb check fix +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn raising a ``PIL.UnidentifiedImageError``. From b3c19374564fdf7100532f7a3c88e8caaca18300 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 21:37:31 +1100 Subject: [PATCH 10/15] Changed wording --- docs/releasenotes/8.1.1.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 484b1de36cb..690421c2a56 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst @@ -4,8 +4,8 @@ Security ======== -:cve:`2021-25289`: Fix the fix for :cve:`2020-35654` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2021-25289`: Correct the fix for :cve:`2020-35654` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. From 4ef6e4ef9b3bbe9dedd0da6c384f109785007ede Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 21:41:55 +1100 Subject: [PATCH 11/15] Highlight code --- docs/releasenotes/7.1.0.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index 2a7d2f1d258..0dd8669a5b8 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst 
@@ -14,7 +14,9 @@ Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c :cve:`2020-10378`: Bounds overflow in PCX decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. +In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur +when reading PCX files where ``state->shuffle`` is instructed to read beyond +``state->buffer``. :cve:`2020-10379`: Two buffer overflows in TIFF decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -24,7 +26,8 @@ In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecod :cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. +In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple +out-of-bounds reads via a crafted JP2 file. :cve:`2020-11538`: Buffer overflow in SGI-RLE decoding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From d2dfb2f87fff0d85865f8943e9f42b5bed40dd9f Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 21:43:04 +1100 Subject: [PATCH 12/15] Swap order to match description --- docs/releasenotes/6.2.2.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index f223b8f5a08..85b0d0ba96a 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -6,15 +6,15 @@ Security This release fixes several buffer overflow issues and a DOS attack vulnerability. +:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Overflow checks have been added when calculating the size of a memory block to be reallocated +in the processing of TIFF, SGI, PCX and FLI images. + :cve:`2019-19911`: DOS attack vulnerability ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. - -:cve:`2020-5310`, :cve:`2020-5311`, :cve:`2020-5312`, :cve:`2020-5313`: Overflow checks added -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Overflow checks have been added when calculating the size of a memory block to be reallocated -in the processing of TIFF, SGI, PCX and FLI images. From 4f677f2183cad8f27702d7dc423c07e7a64e05ef Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 21:59:46 +1100 Subject: [PATCH 13/15] Reordered sections to match template --- docs/releasenotes/6.2.0.rst | 38 ++++++++-------- docs/releasenotes/9.1.0.rst | 86 ++++++++++++++++++------------------- docs/releasenotes/9.2.0.rst | 10 ++--- docs/releasenotes/9.3.0.rst | 54 +++++++++++------------ docs/releasenotes/9.5.0.rst | 50 ++++++++++----------- 5 files changed, 119 insertions(+), 119 deletions(-) diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index c241a3a3b83..b851c56fc0e 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -29,6 +29,25 @@ perform operations on it. The CVE is regarding DOS problems, such as consuming large amounts of memory, or taking a large amount of time to process an image. +API Changes +=========== + +Image.getexif +^^^^^^^^^^^^^ + +To allow for lazy loading of Exif data, ``Image.getexif()`` now returns a +shared instance of ``Image.Exif``. + +Deprecations +^^^^^^^^^^^^ + +Image.frombuffer +~~~~~~~~~~~~~~~~ + +There has been a longstanding warning that the defaults of ``Image.frombuffer`` +may change in the future for the "raw" decoder. The change will now take place +in Pillow 7.0. + API Additions ============= @@ -74,25 +93,6 @@ ImageGrab on multi-monitor Windows An ``all_screens`` argument has been added to ``ImageGrab.grab``. If ``True``, all monitors will be included in the created image. -API Changes -=========== - -Image.getexif -^^^^^^^^^^^^^ - -To allow for lazy loading of Exif data, ``Image.getexif()`` now returns a -shared instance of ``Image.Exif``. - -Deprecations -^^^^^^^^^^^^ - -Image.frombuffer -~~~~~~~~~~~~~~~~ - -There has been a longstanding warning that the defaults of ``Image.frombuffer`` -may change in the future for the "raw" decoder. The change will now take place -in Pillow 7.0. - Other Changes ============= diff --git a/docs/releasenotes/9.1.0.rst b/docs/releasenotes/9.1.0.rst index 6400218f467..5b83d1e9c56 100644 --- a/docs/releasenotes/9.1.0.rst +++ b/docs/releasenotes/9.1.0.rst 
@@ -1,49 +1,6 @@ 9.1.0 ----- -API Changes -=========== - -Raise an error when performing a negative crop -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Performing a negative crop on an image previously just returned a ``(0, 0)`` image. Now -it will raise a :py:exc:`ValueError`, to help reduce confusion if a user has unintentionally -provided the wrong arguments. - -Added specific error if path coordinate type is incorrect -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Rather than returning a :py:exc:`SystemError`, passing the incorrect types of coordinates into -a path will now raise a more specific :py:exc:`ValueError`, with the message "incorrect -coordinate type". - -Replace requirements.txt with extras -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Rather than installing all dependencies for docs and tests via ``requirements.txt``, -``extras_require`` is used instead. This installs only those needed and at the same -time as installing Pillow. - -For example: - -.. code-block:: bash - - # Install with dependencies for tests: - python3 -m pip install .[tests] - - # Or for building docs: - python3 -m pip install .[docs] - - # Or for all: - python3 -m pip install .[docs,tests] - -On macOS, the last argument may need to be wrapped in quotes, e.g. -``python3 -m pip install ".[tests]"`` - -Therefore ``requirements.txt`` has been removed along with the ``make install-req`` -command for installing its contents. - Deprecations ============ 
@@ -137,6 +94,49 @@ The stub image plugin ``FitsStubImagePlugin`` has been deprecated and will be re Pillow 10.0.0 (2023-07-01). FITS images can be read without a handler through :mod:`~PIL.FitsImagePlugin` instead. +API Changes +=========== + +Raise an error when performing a negative crop +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Performing a negative crop on an image previously just returned a ``(0, 0)`` image. Now +it will raise a :py:exc:`ValueError`, to help reduce confusion if a user has unintentionally +provided the wrong arguments. + +Added specific error if path coordinate type is incorrect +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Rather than returning a :py:exc:`SystemError`, passing the incorrect types of coordinates into +a path will now raise a more specific :py:exc:`ValueError`, with the message "incorrect +coordinate type". + +Replace requirements.txt with extras +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Rather than installing all dependencies for docs and tests via ``requirements.txt``, +``extras_require`` is used instead. This installs only those needed and at the same +time as installing Pillow. + +For example: + +.. code-block:: bash + + # Install with dependencies for tests: + python3 -m pip install .[tests] + + # Or for building docs: + python3 -m pip install .[docs] + + # Or for all: + python3 -m pip install .[docs,tests] + +On macOS, the last argument may need to be wrapped in quotes, e.g. +``python3 -m pip install ".[tests]"`` + +Therefore ``requirements.txt`` has been removed along with the ``make install-req`` +command for installing its contents. + API Additions ============= diff --git a/docs/releasenotes/9.2.0.rst b/docs/releasenotes/9.2.0.rst index 359a87e6fe8..fe29f2e4f05 100644 --- a/docs/releasenotes/9.2.0.rst +++ b/docs/releasenotes/9.2.0.rst @@ -1,6 +1,11 @@ 9.2.0 ----- +Security +======== + +An additional decompression bomb check has been added for the GIF format. + Deprecations ============ 
@@ -132,11 +137,6 @@ with "transparency" in ``im.info``, and apply the transparency to the palette in The image's palette mode will become "RGBA", and "transparency" will be removed from ``im.info``. -Security -======== - -An additional decompression bomb check has been added for the GIF format. - Other Changes ============= diff --git a/docs/releasenotes/9.3.0.rst b/docs/releasenotes/9.3.0.rst index 16075ce95ec..e5987ce086c 100644 --- a/docs/releasenotes/9.3.0.rst +++ b/docs/releasenotes/9.3.0.rst @@ -1,6 +1,33 @@ 9.3.0 ----- +Security +======== + +Initialize libtiff buffer when saving +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +When saving a TIFF image to a file object using libtiff, the buffer was not +initialized. This behaviour introduced in Pillow 2.0.0, and has now been fixed. + +Decode JPEG compressed BLP1 data in original mode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Within the BLP image format, BLP1 data may use JPEG compression. Instead of +telling the JPEG library that this data is in BGRX mode, Pillow will now +decode the data in its natural CMYK mode, then convert it to RGB and rearrange +the channels afterwards. Trying to load the data in an incorrect mode could +result in a segmentation fault. This issue was introduced in Pillow 9.1.0. + +Limit SAMPLESPERPIXEL to avoid runtime DOS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A large value in the ``SAMPLESPERPIXEL`` tag could lead to a memory and runtime DOS in +``TiffImagePlugin.py`` when setting up the context for image decoding. +This was introduced in Pillow 9.2.0, found with `OSS-Fuzz`_ and fixed by limiting +``SAMPLESPERPIXEL`` to the number of planes that we can decode. + + API Additions ============= 
@@ -38,33 +65,6 @@ The data from :py:data:`~PIL.ExifTags.TAGS` and :py:data:`~PIL.ExifTags.GPS`. -Security -======== - -Initialize libtiff buffer when saving -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -When saving a TIFF image to a file object using libtiff, the buffer was not -initialized. This behaviour introduced in Pillow 2.0.0, and has now been fixed. - -Decode JPEG compressed BLP1 data in original mode -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Within the BLP image format, BLP1 data may use JPEG compression. Instead of -telling the JPEG library that this data is in BGRX mode, Pillow will now -decode the data in its natural CMYK mode, then convert it to RGB and rearrange -the channels afterwards. Trying to load the data in an incorrect mode could -result in a segmentation fault. This issue was introduced in Pillow 9.1.0. - -Limit SAMPLESPERPIXEL to avoid runtime DOS -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -A large value in the ``SAMPLESPERPIXEL`` tag could lead to a memory and runtime DOS in -``TiffImagePlugin.py`` when setting up the context for image decoding. -This was introduced in Pillow 9.2.0, found with `OSS-Fuzz`_ and fixed by limiting -``SAMPLESPERPIXEL`` to the number of planes that we can decode. - - Other Changes ============= diff --git a/docs/releasenotes/9.5.0.rst b/docs/releasenotes/9.5.0.rst index b1e982fccff..08e9ec2a473 100644 --- a/docs/releasenotes/9.5.0.rst +++ b/docs/releasenotes/9.5.0.rst 
@@ -1,6 +1,31 @@ 9.5.0 ----- +Security +======== + +Clear PPM half token after use +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Image files that are small on disk are often prevented from expanding to be +big images consuming a large amount of resources simply because they lack the +data to populate those resources. + +PpmImagePlugin might hold onto the last data read for a pixel value in case the +pixel value has not been finished yet. However, that data was not being cleared +afterwards, meaning that infinite data could be available to fill any image +size. This has been present since Pillow 9.2.0. + +That data is now cleared after use. + +Saving TIFF tag ImageSourceData +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If Pillow incorrectly saved the TIFF tag ImageSourceData as ASCII instead of +UNDEFINED, a segmentation fault was triggered. + +The correct tag type will now be used by default instead. + Deprecations ============ @@ -46,31 +71,6 @@ If OpenJPEG 2.4.0 or later is available and the ``plt`` keyword argument is present and true when saving JPEG2000 images, tell the encoder to generate PLT markers. -Security -======== - -Clear PPM half token after use -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Image files that are small on disk are often prevented from expanding to be -big images consuming a large amount of resources simply because they lack the -data to populate those resources. - -PpmImagePlugin might hold onto the last data read for a pixel value in case the -pixel value has not been finished yet. However, that data was not being cleared -afterwards, meaning that infinite data could be available to fill any image -size. This has been present since Pillow 9.2.0. - -That data is now cleared after use. - -Saving TIFF tag ImageSourceData -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -If Pillow incorrectly saved the TIFF tag ImageSourceData as ASCII instead of -UNDEFINED, a segmentation fault was triggered. - -The correct tag type will now be used by default instead. - Other Changes ============= 
From 73bb28c8660035a9e6ffd1b09aca1a0be3d5a0f3 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 21:53:06 +1100 Subject: [PATCH 14/15] Removed blank lines --- docs/releasenotes/6.2.1.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/releasenotes/6.2.1.rst b/docs/releasenotes/6.2.1.rst index ca298fa702c..372298fbc2a 100644 --- a/docs/releasenotes/6.2.1.rst +++ b/docs/releasenotes/6.2.1.rst @@ -18,8 +18,6 @@ Pillow 7.0.0 will be released on 2020-01-01 and will drop support for Python Other Changes ============= - - Support added for Python 3.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From 0c436023a0154e343a639784e714fb3e643b9a5c Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 17 Mar 2024 22:06:56 +1100 Subject: [PATCH 15/15] Corrected heading --- docs/releasenotes/8.4.0.rst | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/releasenotes/8.4.0.rst b/docs/releasenotes/8.4.0.rst index e61471e726f..bdc8e802082 100644 --- a/docs/releasenotes/8.4.0.rst +++ b/docs/releasenotes/8.4.0.rst @@ -1,14 +1,11 @@ 8.4.0 ----- -API Changes -=========== - Deprecations -^^^^^^^^^^^^ +============ ImagePalette size parameter -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``size`` parameter will be removed in Pillow 10.0.0 (2023-07-01).
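Review bot: In the first hunk shown (the ``@@ -132,11 +137,6 @@`` hunk that deletes the "Security" section with "An additional decompression bomb check has been added for the GIF format."), only the removal is visible; the matching re-insertion is not in this hunk, although the +5 line shift in the new-file offset is consistent with it having been added earlier in the file. Please confirm the GIF decompression bomb note is moved rather than dropped, since it is the only security item in that release file.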
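Review bot: In the ``docs/releasenotes/9.3.0.rst`` hunk ``@@ -1,6 +1,33 @@``, the moved sentence "This behaviour introduced in Pillow 2.0.0, and has now been fixed." is missing its verb; since these lines are being rewritten anyway, change it to "This behaviour was introduced in Pillow 2.0.0 and has now been fixed." Two smaller points in the same hunk: "runtime DOS" in the heading and body reads as the operating system, and "DoS" is the usual spelling for denial of service; and the named reference `OSS-Fuzz`_ is now placed near the top of the file while its ``.. _OSS-Fuzz:`` target is not visible in the hunk, so please check the target is still defined in the file or Sphinx will report an unknown target.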
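Review bot: In the ``docs/releasenotes/9.3.0.rst`` hunk ``@@ -38,33 +65,6 @@``, the deleted block ends with two blank lines (``-`` ``-`` before "Other Changes"), and the corresponding ``+`` block earlier in the same file carries both blank lines over before "API Additions", while every other section boundary in these hunks uses a single blank line. Drop one of them in the moved block; PATCH 14/15 removes exactly this kind of double blank line in ``6.2.1.rst``, so the two files would otherwise end up inconsistent within the same series.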
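Review bot: In the ``docs/releasenotes/9.5.0.rst`` hunks ``@@ -1,6 +1,31 @@`` and ``@@ -46,31 +71,6 @@``, the move is text-identical, which is correct for a reorder, but the opening of "Clear PPM half token after use" is hard to parse: "Image files that are small on disk are often prevented from expanding to be big images consuming a large amount of resources simply because they lack the data to populate those resources." Consider "A file that is small on disk is normally prevented from expanding into a large image simply because it does not contain enough data to populate one." In the next paragraph "infinite data could be available" would be clearer as "an unbounded amount of data could be available", since the issue is that the retained token is reused without limit.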
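Review bot: In the ``docs/releasenotes/8.4.0.rst`` hunk ``@@ -1,14 +1,11 @@`` of PATCH 15/15, removing the "API Changes" top-level section and promoting "Deprecations" from ``^`` to ``=`` (and "ImagePalette size parameter" from ``~`` to ``^``) is only shown for the first subsection; any later headings in that file that were also nested under "API Changes" need the same promotion, otherwise the file will have ``~`` headings with no ``^`` parent. Please also check that each new underline is at least as long as its heading text, as Sphinx warns on short underlines.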