From 2f38e20da832a5f336e1fb68ed02111e3a24a57f Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Thu, 14 Mar 2024 13:58:05 -0400 Subject: [PATCH] Fix headers and retro-add notes for #7864 - Include CVE link in title (via @hugovk) - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589 --- docs/releasenotes/10.0.0.rst | 9 +++----- docs/releasenotes/10.0.1.rst | 9 ++++---- docs/releasenotes/10.2.0.rst | 9 ++------ docs/releasenotes/2.3.1.rst | 14 +++++++----- docs/releasenotes/2.3.2.rst | 12 ++++++++++ docs/releasenotes/2.5.2.rst | 12 ++++++++++ docs/releasenotes/3.1.1.rst | 31 +++++++------------------- docs/releasenotes/3.1.2.rst | 9 ++------ docs/releasenotes/6.2.0.rst | 10 ++++----- docs/releasenotes/6.2.2.rst | 37 ++++++++++--------------------- docs/releasenotes/7.1.0.rst | 40 +++++++++++++--------------------- docs/releasenotes/8.0.1.rst | 9 ++------ docs/releasenotes/8.1.0.rst | 27 +++++------------------ docs/releasenotes/8.1.1.rst | 38 +++++++++----------------------- docs/releasenotes/8.1.2.rst | 18 +++++---------- docs/releasenotes/8.2.0.rst | 36 ++++++++++-------------------- docs/releasenotes/8.3.0.rst | 12 ++-------- docs/releasenotes/8.3.2.rst | 9 ++------ docs/releasenotes/9.0.0.rst | 6 ++--- docs/releasenotes/9.0.1.rst | 22 +++++-------------- docs/releasenotes/9.1.1.rst | 11 +++------- docs/releasenotes/index.rst | 2 ++ docs/releasenotes/template.rst | 9 ++------ 23 files changed, 137 insertions(+), 254 deletions(-) create mode 100644 docs/releasenotes/2.3.2.rst create mode 100644 docs/releasenotes/2.5.2.rst diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 993ec4d5d02..adada6e0151 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst 
@@ -14,13 +14,10 @@ now been fixed. This effectively dates to the PIL fork, since problem images would still have been processed before Pillow started checking for decompression bombs. -Fix CVE-2023-44271 -^^^^^^^^^^^^^^^^^^ +.. _Added ImageFont.MAX_STRING_LENGTH: -.. note:: More information about this vulnerability included in database record :cve:`2023-44271` - -Added ImageFont.MAX_STRING_LENGTH -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2023-44271`: Added ImageFont.MAX_STRING_LENGTH +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index ab0f98123da..a260fc3819a 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -4,13 +4,12 @@ Security ======== -Fix CVE-2023-4863 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2023-4863` +:cve:`2023-4863`: Updated install script and updated wheels +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This release provides an updated install script and updated wheels to -include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. +include libwebp 1.3.2, preventing a potential heap buffer overflow in +WebP. Updated tests to pass with latest zlib version ============================================== diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 63cbe8806cd..0ffad2e8a1c 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst 
@@ -25,13 +25,8 @@ To protect against potential DOS attacks when using PIL fonts, :py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that they do not extend beyond the bitmap image. -Fix CVE-2023-50447 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2023-50447` - -ImageMath.eval: Restricted environment keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2023-50447`: ImageMath.eval: Restricted environment keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute diff --git a/docs/releasenotes/2.3.1.rst b/docs/releasenotes/2.3.1.rst index cad00aa4103..2c7c8285a3e 100644 --- a/docs/releasenotes/2.3.1.rst +++ b/docs/releasenotes/2.3.1.rst 
@@ -4,10 +4,14 @@ Security ======== -Fix CVE-2014-1932, CVE-2014-1933 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +These issues reported in `Debian bug #737059 `_. -.. note:: More information about these vulnerabilities included in database records :cve:`2014-1932`, :cve:`2014-1933` +:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix insecure use of :py:func:`tempfile.mktemp` as reported in -`Debian bug #737059 `_. +The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. + +:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. diff --git a/docs/releasenotes/2.3.2.rst b/docs/releasenotes/2.3.2.rst new file mode 100644 index 00000000000..a8ed32718aa --- /dev/null +++ b/docs/releasenotes/2.3.2.rst @@ -0,0 +1,12 @@ +2.3.2 +----- + +Security +======== + +:cve:`2014-3589`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted +block size. diff --git a/docs/releasenotes/2.5.2.rst b/docs/releasenotes/2.5.2.rst new file mode 100644 index 00000000000..77365ef3e6e --- /dev/null +++ b/docs/releasenotes/2.5.2.rst 
@@ -0,0 +1,12 @@ +2.5.2 +----- + +Security +======== + +:cve:`2014-3589`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and +2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted +block size. diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 7f66ac344b9..6e03382b29f 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2016-0740 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-0740` - -Buffer overflow in TiffDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-0740`: Buffer overflow in TiffDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a @@ -27,16 +22,11 @@ image data over 64k is written over the heap, causing a segfault. This issue was found by security researcher FourOne. -Fix CVE-2016-0775 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-0775` +:cve:`2016-0775`: Buffer overflow in FliDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Buffer overflow in FliDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In all versions of Pillow, dating back at least to -the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. +In all versions of Pillow, dating back at least to the last PIL 1.1.7 +release, FliDecode.c has a buffer overflow error. Around line 192: 
@@ -61,13 +51,8 @@ off the end of the memory buffer, causing a segfault. This issue was found by Alyssa Besseling at Atlassian. -Fix CVE-2016-2533 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability available in :cve:`2016-2533` - -Buffer overflow in PcdDecode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-2533`: Buffer overflow in PcdDecode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 1a46d8e639b..a9615497795 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2016-3076 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2016-3076` - -Buffer overflow in Jpeg2KEncode.c -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2016-3076`: Buffer overflow in Jpeg2KEncode.c +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index ea1f310d7fd..9c504da0f41 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -23,13 +23,11 @@ Decompression bomb checks have been added to GIF and ICO formats. An error is now raised if a TIFF dimension is a string, rather than trying to perform operations on it. -Fix CVE-2019-16865 -^^^^^^^^^^^^^^^^^^ +:cve:`2019-16865`: Fix DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2019-16865` - -The CVE is regarding DOS problems, such as consuming large -amounts of memory, or taking a large amount of time to process an image. +The CVE is regarding DOS problems, such as consuming large amounts of memory, +or taking a large amount of time to process an image. API Additions ============= diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 648d1d66d74..a95ab1cce6e 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -4,45 +4,32 @@ Security ======== -This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313. +This release fixes several buffer overruns and DOS attacks. -Fix CVE-2019-19911 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2019-19911` - -DOS attack vulnerability -~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2019-19911`: DOS attack vulnerability +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. -Fix CVE-2020-5310 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5310` +:cve:`2020-5310`: Overflow checks added to TIFF image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image. -Fix CVE-2020-5311 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5311` +:cve:`2020-5311`: Overflow checks added to SGI image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. -Fix CVE-2020-5312 -^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-5312` - -Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this. +:cve:`2020-5312`: Overflow checks added to PCX image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2020-5313 -^^^^^^^^^^^^^^^^^ +Buffer overruns were found when processing a PCX image. 
Checks have been added to prevent this. -.. note:: More information about this vulnerability included in database record :cve:`2020-5313` +:cve:`2020-5313`: Overflow checks added to FLI image processing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Buffer overruns were found when processing an FLI image. Checks have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index da6595d5ba7..e5e8b6a5af6 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst 
@@ -6,40 +6,30 @@ Security This release includes many security fixes. -Fix CVE-2020-10177 -^^^^^^^^^^^^^^^^^^ +:cve:`2020-10177`: Multiple out-of-bounds reads in FLI decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2020-10177` +Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c``. -Multiple out-of-bounds reads in FLI decoding. +:cve:`2020-10378`: Bounds overflow in PCX decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2020-10378 -^^^^^^^^^^^^^^^^^^ +In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. -.. note:: More information about this vulnerability included in database record :cve:`2020-10378` +:cve:`2020-10379`: Two buffer overflows in TIFF decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Bounds overflow in PCX decoding. +In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecode.c``. -Fix CVE-2020-10379 -^^^^^^^^^^^^^^^^^^ +:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: More information about this vulnerability included in database record :cve:`2020-10379` +In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. -Two buffer overflows in TIFF decoding. - -Fix CVE-2020-10994 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-10994` - -Bounds overflow in JPEG 2000 decoding. - -Fix CVE-2020-11538 -^^^^^^^^^^^^^^^^^^ - -.. 
note:: More information about this vulnerability included in database record :cve:`2020-11538` +:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Buffer overflow in SGI-RLE decoding. +In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. API Changes =========== diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index a492241d7f9..29a28443f5e 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2020-15999 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-15999` - -Update FreeType in wheels to `2.10.4`_ -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-15999`: Update FreeType in wheels to `2.10.4`_ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 909954a37ee..5c399331846 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst 
@@ -9,25 +9,15 @@ This release includes security fixes. * An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF * An out-of-bounds read when saving a GIF of 1px width -Fix CVE-2020-35653 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35653` - -Buffer read overrun in PCX decoding -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35653`: Buffer read overrun in PCX decoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. -Fix CVE-2020-35654 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35654` - -TIFF out-of-bounds write error -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35654`: TIFF out-of-bounds write error +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). @@ -36,13 +26,8 @@ leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through `Tidelift`_. -Fix CVE-2020-35655 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2020-35655` - -SGI Decode buffer overrun -~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2020-35655`: SGI Decode buffer overrun +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 7b56b838ee7..84e9c8f86e0 100644 
--- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
@@ -4,40 +4,22 @@ Security ======== -Fix CVE-2021-25289 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25289` +:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. -Fix CVE-2021-25290 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25290` - -In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. - -Fix CVE-2021-25291 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25291` - -In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. - -Fix CVE-2021-25292 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-25292`: - -The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. +:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Fix CVE-2021-25293 -^^^^^^^^^^^^^^^^^^ +:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. 
note:: More information about this vulnerability included in database record :cve:`2021-25293` +:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. +:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Other Changes ============= diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index af60a862e93..7d4a6c0be04 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst 
@@ -4,27 +4,21 @@ Security ======== -Fix CVE-2021-27921 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27921` +:cve:`2021-27921`: There is an exhaustion of memory DOS in BLP images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. -Fix CVE-2021-27922 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27921` +:cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. -Fix CVE-2021-27923 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-27923` +:cve:`2021-27923`: There is an exhaustion of memory DOS in ICO images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported size of the contained image. These images could cause arbitrarily large memory allocations. diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index adbabce3a45..6e8fd5cdebe 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst 
@@ -4,25 +4,17 @@ Security ======== -These were all found with `OSS-Fuzz`_. +These issues were all found with `OSS-Fuzz`_. -Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about these vulnerabilities included in database records - :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` - -OOB read in Jpeg2KDecode -~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`: OOB read in Jpeg2KDecode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. * This dates to Pillow 2.4.0. -Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28675` +:cve:`2021-28675`: DOS attack in PsdImagePlugin +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input layers with regard to the size of the data block, this could lead to a 
@@ -30,19 +22,15 @@ Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin :py:meth:`~PIL.Image.Image.load`. * This dates to the PIL fork. -Fix CVE-2021-28676 -- FLI image DOS attack -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28676` +:cve:`2021-28676`: FLI image DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ``FliDecode.c`` did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. * This dates to the PIL fork. -Fix CVE-2021-28677 -- EPS DOS on _open -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28677` +:cve:`2021-28677`: EPS DOS on _open +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line endings. It accidentally used a quadratic method of accumulating lines while looking @@ -51,10 +39,8 @@ Fix CVE-2021-28677 -- EPS DOS on _open open phase, before an image was accepted for opening. * This dates to the PIL fork. -CVE-2021-28678 -- BLP DOS attack -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-28678` +:cve:`2021-28678`: BLP DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets returned data. This could lead to a denial-of-service where the decoder could be run a diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index 94ad37bb1b9..3ef9bb9b334 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst 
@@ -4,16 +4,8 @@ Security ======== -Buffer overflow -^^^^^^^^^^^^^^^ - -Fix CVE-2021-34552 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-34552` - -Buffer overflow -~~~~~~~~~~~~~~~ +:cve:`2021-34552`: Buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 6796365641c..34ba703f70a 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -4,13 +4,8 @@ Security ======== -Fix CVE-2021-23437 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2021-23437` - -Avoid potential ReDoS (regular expression denial of service) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2021-23437`: Avoid potential ReDoS (regular expression denial of service) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 534209117a5..b22912baf17 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -56,10 +56,8 @@ will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This help prevent problems arising if users evaluate arbitrary expressions, such as ``ImageMath.eval("exec(exit())")``. -Fix CVE-2022-22817 -- ImagePath.Path array handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-22815` +:cve:`2022-22815`: ImagePath.Path array handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``. diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index ab6c6cbdde3..a25e3f5ac66 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
@@ -6,30 +6,20 @@ Security This release addresses several security problems. -Fix CVE-2022-24303 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-24303` - -Temp image removal -~~~~~~~~~~~~~~~~~~ +:cve:`2022-24303`: Temp image removal +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This has been present since PIL. -Fix CVE-2022-24303 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-22817` - -Restrict lambda expressions -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +:cve:`2022-22817`: Restrict lambda expressions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While Pillow 9.0 restricted top-level builtins available to -:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda -expressions. These are now also restricted. +:py:meth:`PIL.ImageMath.eval`, it did not prevent builtins +available to lambda expressions. These are now also restricted. Other Changes ============= diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index f8f1a802ba0..d538e88c0f9 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -4,15 +4,10 @@ Security ======== -This release addresses several security problems. +This release addresses several security issues. -Fix CVE-2022-30595 -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`2022-30595` - -Heap buffer overflow -~~~~~~~~~~~~~~~~~~~~ +:cve:`2022-30595`: Heap buffer overflow +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that 
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index e1ebd650966..17a95c6f62a 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -69,5 +69,7 @@ expected to be backported to earlier versions. 3.0.0 2.8.0 2.7.0 + 2.5.2 + 2.3.2 2.3.1 versioning diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 65671808185..cfc7221a3cc 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -9,13 +9,8 @@ TODO TODO -Fix CVE-YYYY-XXXXX -^^^^^^^^^^^^^^^^^^ - -.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` - -TODO -~~~~ +:cve:`YYYY-XXXXX`: TODO +^^^^^^^^^^^^^^^^^^^^^^^ TODO
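Review bot: the explicit target `.. _Added ImageFont.MAX_STRING_LENGTH:` added in the 10.0.0.rst hunk preserves the old implicit section anchor after the heading text changed, but the same renaming of former `~~~` sub-headings happens in 10.2.0.rst ("ImageMath.eval: Restricted environment keys"), 8.1.0.rst ("Buffer read overrun in PCX decoding", "TIFF out-of-bounds write error"), 9.0.1.rst ("Temp image removal") and 9.1.1.rst ("Heap buffer overflow") without a matching label. If anything in the docs cross-references those headings by their implicit targets, the links now break; either add labels there as well or run the Sphinx build with `-W` to confirm there are no unresolved-reference warnings.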
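Review bot: the new intro line in the 2.3.1.rst hunk is missing its verb: "These issues reported in `Debian bug #737059`_." should read "These issues were reported in ...". In the :cve:`2014-1933` paragraph, "scripts ... uses the names of temporary files" should be "use" (plural subject). Both headings also carry the identical title "Fix insecure use of :py:func:`tempfile.mktemp`" although the second CVE is about temporary file names being exposed on the command line; a distinct title for the second section would let readers tell them apart.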
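Review bot: the new 2.3.2.rst and 2.5.2.rst files are identical apart from the version heading, which is fine for a retro-add, but the title "Fix DOS attack" says nothing about what was fixed while the body does (a crafted ICNS block size). A heading such as ":cve:`2014-3589`: Fix DOS via crafted ICNS block size" would read better in the index, and ``IcnsImagePlugin`` could follow the module-reference style used elsewhere in these notes rather than the bare ``PIL/IcnsImagePlugin.py`` path.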
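Review bot: in the 7.1.0.rst hunk, the :cve:`2020-11538` paragraph ends with "a different issue than CVE-2020-5311" as plain text while every other identifier in this patch uses the :cve: role; change it to :cve:`2020-5311` so it links. In the :cve:`2020-10378` paragraph, state->shuffle and state->buffer are code identifiers and should be in double backticks, as ``libImaging/PcxDecode.c`` already is on the same line.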
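Review bot: in the 8.1.1.rst hunk the descriptive sentence for :cve:`2021-25290` through :cve:`2021-25293` has been moved into the heading and each of those sections now has an empty body, while the :cve:`2021-25289` heading repeats its body sentence verbatim. Headings like "In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``" are unwieldy in the sidebar and index; prefer a short title with the original sentence kept as the paragraph below, e.g. ":cve:`2021-25291`: Out-of-bounds read in ``TIFFReadRGBATile``".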
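Review bot: the second heading in the 8.1.2.rst hunk carries the wrong identifier. The ICNS section was previously titled "Fix CVE-2021-27922" (its note already pointed at 27921 by mistake), and the new heading ":cve:`2021-27921`: There is an exhaustion of memory DOS in ICNS images" now lists 27921 twice in the file and 27922 not at all; it should be ":cve:`2021-27922`: ...". While here, the unchanged BLP paragraph "in BLP images. where Pillow did not" has a stray full stop before "where".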
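Review bot: :cve:`2021-28675` appears in two headings in the 8.2.0.rst hunk, once in the combined Jpeg2KDecode heading alongside 25287 and 25288 and again as the PsdImagePlugin DOS heading. The duplication was already present in the old "Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675" title, but since this patch rewrites the headings anyway it should confirm against the advisory which identifiers belong to the Jpeg2K section and drop the one that does not, so each CVE has exactly one section.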
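Review bot: the 9.0.0.rst hunk resolves the old heading/note mismatch (heading said CVE-2022-22817, note said 22815) in favour of :cve:`2022-22815`, which matches the body and leaves 22817 to the 9.0.1 lambda-restriction section. The body also covers :cve:`2022-22816` (:cwe:`665`), so with the combined-heading style this patch uses in 8.2.0.rst the title should name both: ":cve:`2022-22815`, :cve:`2022-22816`: ImagePath.Path array handling".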
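Review bot: the 9.1.1.rst hunk changes "This release addresses several security problems." to "... security issues." while the 9.0.1.rst hunk in the same patch leaves its identical sentence as "problems", and the lambda paragraph in 9.0.1.rst is reflowed without a content change. Neither is wrong, but the wording edit should be applied to both files or to neither, and the unrelated reflow would be cleaner in a separate commit.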