From 669ba7fe2ac9163dc96322ede5b67f950b013c18 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 14:40:00 -0400 Subject: [PATCH] Clean up for #7864 --- docs/releasenotes/10.0.0.rst | 4 ++-- docs/releasenotes/10.0.1.rst | 2 -- docs/releasenotes/10.2.0.rst | 4 ++-- docs/releasenotes/3.1.1.rst | 12 ++++++------ docs/releasenotes/3.1.2.rst | 4 ++-- docs/releasenotes/6.2.0.rst | 2 -- docs/releasenotes/6.2.2.rst | 26 +++++++------------------- docs/releasenotes/7.1.0.rst | 20 ++++++++++---------- docs/releasenotes/8.0.1.rst | 4 +--- docs/releasenotes/8.1.0.rst | 12 ++++++------ docs/releasenotes/8.1.1.rst | 20 ++++---------------- docs/releasenotes/8.1.2.rst | 23 ++++++----------------- docs/releasenotes/8.2.0.rst | 4 ++-- docs/releasenotes/8.3.0.rst | 4 ++-- docs/releasenotes/8.3.2.rst | 4 ++-- docs/releasenotes/9.0.0.rst | 4 ++-- docs/releasenotes/9.0.1.rst | 4 ++-- docs/releasenotes/9.1.1.rst | 4 ++-- docs/releasenotes/template.rst | 4 ++-- 19 files changed, 60 insertions(+), 101 deletions(-) diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 4be590edf8c..25e73bff627 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst @@ -17,10 +17,10 @@ been processed before Pillow started checking for decompression bombs. Fix CVE-2023-44271 ^^^^^^^^^^^^^^^^^^ -Added ImageFont.MAX_STRING_LENGTH. - .. note:: More information about this vulnerability included in database record :cve:`2023-44271` +Added ImageFont.MAX_STRING_LENGTH. + To protect against potential DOS attacks when using arbitrary strings as text input, Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into ImageFont methods is over a certain limit, diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index 0b75d2efaef..ab0f98123da 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst 
@@ -7,8 +7,6 @@ Security Fix CVE-2023-4863 ^^^^^^^^^^^^^^^^^ -Updated install script and wheels with libwebp 1.3.2 - .. note:: More information about this vulnerability included in database record :cve:`2023-4863` This release provides an updated install script and updated wheels to diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index 412995da5be..38a31ebf4a1 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst @@ -28,10 +28,10 @@ they do not extend beyond the bitmap image. Fix CVE-2023-50447 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -ImageMath.eval: Restricted environment keys. - .. note:: More information about this vulnerability included in database record :cve:`2023-50447` +ImageMath.eval: Restricted environment keys. + If an attacker has control over the keys passed to the ``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute arbitrary code. To prevent this, keys matching the names of builtins and keys diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 7d0fcbdf211..153c12ab030 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst @@ -7,10 +7,10 @@ Security Fix CVE-2016-0740 ^^^^^^^^^^^^^^^^^ -Buffer overflow in TiffDecode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-0740` +Buffer overflow in TiffDecode.c. + Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file. @@ -29,10 +29,10 @@ This issue was found by security researcher FourOne. Fix CVE-2016-0775 ^^^^^^^^^^^^^^^^^ -Buffer overflow in FliDecode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-0775` +Buffer overflow in FliDecode.c. + In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. 
@@ -62,10 +62,10 @@ This issue was found by Alyssa Besseling at Atlassian. Fix CVE-2016-2533 ^^^^^^^^^^^^^^^^^ -Buffer overflow in PcdDecode.c. - .. note:: More information about this vulnerability available in :cve:`2016-2533` +Buffer overflow in PcdDecode.c. + In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index c8e24c8c2b3..fff93b8e4eb 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst @@ -7,10 +7,10 @@ Security Fix CVE-2016-3076 ^^^^^^^^^^^^^^^^^ -Buffer overflow in Jpeg2KEncode.c. - .. note:: More information about this vulnerability included in database record :cve:`2016-3076` +Buffer overflow in Jpeg2KEncode.c. + Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other memory corruption. diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index cab01cfad54..6dd65be9d11 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst @@ -26,8 +26,6 @@ perform operations on it. Fix CVE-2019-16865 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -DOS attack vulnerabilities. - .. note:: More information about this vulnerability included in database record :cve:`2019-16865` The CVE is regarding DOS problems, such as consuming large diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 96bf0471244..704ea6876be 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -9,51 +9,39 @@ This release fixes several buffer overruns and DOS attacks reported in CVE-2019- Fix CVE-2019-19911 ^^^^^^^^^^^^^^^^^^ -DOS attack vulnerability. - .. note:: More information about this vulnerability included in database record :cve:`2019-19911` +DOS attack vulnerability. + If an FPX image reports that it has a large number of bands, a large amount of resources will be used when trying to process the image. This is fixed by limiting the number of bands to those usable by Pillow. - Fix CVE-2020-5310 ^^^^^^^^^^^^^^^^^ -Overflow checks added to TIFF image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5310` -Overflow checks have been added when calculating the size of a -memory block to be reallocated in the processing of a TIFF image. +Overflow checks have been added when calculating the size of a memory block to be reallocated +in the processing of a TIFF image. Fix CVE-2020-5311 ^^^^^^^^^^^^^^^^^ -Overflow checks added to SGI image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5311` -Buffer overruns were found when processing an SGI image. Checks -have been added to prevent this. +Buffer overruns were found when processing an SGI image. Checks have been added to prevent this. Fix CVE-2020-5312 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Overflow checks added to PCX image processing. - .. note:: More information about this vulnerability included in database record :cve:`2020-5312` -Buffer overruns were found when processing an SGI PCX. Checks have -been added to prevent this. +Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this. Fix CVE-2020-5313 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Overflow checks added to FLI image processing. - .. 
note:: More information about this vulnerability included in database record :cve:`2020-5313` -Buffer overruns were found when processing an FLI image. Checks -have been added to prevent this. +Buffer overruns were found when processing an FLI image. Checks have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index ac9701cae2f..da6595d5ba7 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -9,38 +9,38 @@ This release includes many security fixes. Fix CVE-2020-10177 ^^^^^^^^^^^^^^^^^^ -Multiple out-of-bounds reads in FLI decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-10177` +Multiple out-of-bounds reads in FLI decoding. + Fix CVE-2020-10378 ^^^^^^^^^^^^^^^^^^ -Bounds overflow in PCX decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-10378` +Bounds overflow in PCX decoding. + Fix CVE-2020-10379 ^^^^^^^^^^^^^^^^^^ -Two buffer overflows in TIFF decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-10379` +Two buffer overflows in TIFF decoding. + Fix CVE-2020-10994 ^^^^^^^^^^^^^^^^^^ -Bounds overflow in JPEG 2000 decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-10994` +Bounds overflow in JPEG 2000 decoding. + Fix CVE-2020-11538 ^^^^^^^^^^^^^^^^^^ -Buffer overflow in SGI-RLE decoding - .. note:: More information about this vulnerability included in database record :cve:`2020-11538` +Buffer overflow in SGI-RLE decoding. + API Changes =========== diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index eb995ebe1ea..54ce4085384 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst 
@@ -7,11 +7,9 @@ Security Fix CVE-2020-15999 ^^^^^^^^^^^^^^^^^^ -Update FreeType version in wheels. - .. note:: More information about this vulnerability included in database record :cve:`2020-15999` -Update FreeType used in binary wheels to `2.10.4`_. +Update FreeType in wheels to `2.10.4`_. - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 141489cb50f..0fbf6ffe3cf 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst @@ -12,10 +12,10 @@ This release includes security fixes. Fix CVE-2020-35653 ^^^^^^^^^^^^^^^^^^ -Buffer read overrun in PCX decoding. - .. note:: More information about this vulnerability included in database record :cve:`2020-35653` +Buffer read overrun in PCX decoding. + The PCX image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. @@ -23,10 +23,10 @@ to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. Fix CVE-2020-35654 ^^^^^^^^^^^^^^^^^^ -TIFF out-of-bounds write error. - .. note:: More information about this vulnerability included in database record :cve:`2020-35654` +TIFF out-of-bounds write error. + Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode, 
@@ -37,10 +37,10 @@ versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was repo Fix CVE-2020-35655 ^^^^^^^^^^^^^^^^^^ -SGI Decode buffer overrun - .. note:: More information about this vulnerability included in database record :cve:`2020-35655` +SGI Decode buffer overrun. + 4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's `OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 3e084351998..7f871bac1c1 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst @@ -7,8 +7,6 @@ Security Fix CVE-2021-25289 ^^^^^^^^^^^^^^^^^^ -The previous fix for CVE-2020-35654 was insufficient. - .. note:: More information about this vulnerability included in database record :cve:`2021-25289` The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. 
@@ -16,40 +14,30 @@ The previous fix for :cve:`2020-35654` was insufficient due to incorrect error c Fix CVE-2021-25290 ^^^^^^^^^^^^^^^^^^ -In ``TiffDecode.c`` there is a negative-offset. - .. note:: More information about this vulnerability included in database record :cve:`2021-25290` -In ``TiffDecode.c``, there is a negative-offset ``memcpy`` -with an invalid size. +In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. Fix CVE-2021-25291 ^^^^^^^^^^^^^^^^^^ -``TiffDecode.c`` has invalid tile boundaries. - .. note:: More information about this vulnerability included in database record :cve:`2021-25291` -In ``TiffDecode.c``, invalid tile boundaries could lead to -an out-of-bounds read in ``TIFFReadRGBATile``. +In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. Fix CVE-2021-25292 ^^^^^^^^^^^^^^^^^^ -The PDF parser has a catastrophic backtracking regex. - .. note:: More information about this vulnerability included in database record :cve:`2021-25292`: -The PDF parser has a catastrophic backtracking regex -that could be used as a DOS attack. +The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. Fix CVE-2021-25293 ^^^^^^^^^^^^^^^^^^ -There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. - .. note:: More information about this vulnerability included in database record :cve:`2021-25293` +There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. Other Changes ============= diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index 6d4baa2b6f2..af60a862e93 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst 
@@ -7,38 +7,27 @@ Security Fix CVE-2021-27921 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in BLP images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27921` -There is an exhaustion of memory DOS in BLP -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory +There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the +reported size of the contained image. These images could cause arbitrarily large memory allocations. Fix CVE-2021-27922 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in ICNS images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27921` -There is an exhaustion of memory DOS in the ICNS -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory -allocations. +There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the +reported size of the contained image. These images could cause arbitrarily large memory allocations. Fix CVE-2021-27923 ^^^^^^^^^^^^^^^^^^ -There is an exhaustion of memory DOS in ICO images. - .. note:: More information about this vulnerability included in database record :cve:`2021-27923` -There is an exhaustion of memory DOS in ICO -images where Pillow did not properly check the reported size of the -contained image. These images could cause arbitrarily large memory -allocations. +There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported +size of the contained image. These images could cause arbitrarily large memory allocations. These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and Akshay Ajayan of `Arizona State University `_. diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index 7e647841e1d..ea2d7b857cc 100644 
--- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst @@ -9,11 +9,11 @@ These were all found with `OSS-Fuzz`_. Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -OOB read in Jpeg2KDecode - .. note:: More information about these vulnerabilities included in database records :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` +OOB read in Jpeg2KDecode + * For J2k images with multiple bands, it's legal to have different widths for each band, e.g. 1 byte for ``L``, 4 bytes for ``A``. * This dates to Pillow 2.4.0. diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index b0b016a08f1..e5f8e7996cf 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst @@ -10,10 +10,10 @@ Buffer overflow Fix CVE-2021-34552 ^^^^^^^^^^^^^^^^^^ -Buffer overflow - .. note:: More information about this vulnerability included in database record :cve:`2021-34552` +Buffer overflow + PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 7e2007649f3..3a2295e6a85 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst @@ -7,10 +7,10 @@ Security Fix CVE-2021-23437 ^^^^^^^^^^^^^^^^^^ -Avoid potential ReDoS (regular expression denial of service) - .. note:: More information about this vulnerability included in database record :cve:`2021-23437` +Avoid potential ReDoS (regular expression denial of service) + Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0. diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index b46932b2423..2f74f3d7038 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -46,10 +46,10 @@ Google's `OSS-Fuzz`_ project for finding this issue. Fix CVE-2022-22817 ^^^^^^^^^^^^^^^^^^ -Restrict builtins available to ImageMath.eval - .. note:: More information about this vulnerability included in database record :cve:`2022-22817` +Restrict builtins available to ImageMath.eval. + To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems arising if users evaluate arbitrary expressions, such as diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index b8003e88642..392cf68af84 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst @@ -9,10 +9,10 @@ This release addresses several security problems. Fix CVE-2022-24303 ^^^^^^^^^^^^^^^^^^ -Temp image removal - .. note:: More information about this vulnerability included in database record :cve:`2022-24303` +Temp image removal. + If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index 4ae596f3e28..85a1653cccf 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -9,10 +9,10 @@ This release addresses several security problems. Fix CVE-2022-30595 ^^^^^^^^^^^^^^^^^^ -Heap buffer overflow - .. note:: More information about this vulnerability included in database record :cve:`2022-30595` +Heap buffer overflow. + When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 08dbead7f7a..3a89ca55e6c 100644 --- a/docs/releasenotes/template.rst 
+++ b/docs/releasenotes/template.rst @@ -9,8 +9,8 @@ TODO TODO -Fix CVE-YYYY-XXXXX -- TODO -^^^^^^^^^^^^^^^^^^^^^^^^^^ +Fix CVE-YYYY-XXXXX +^^^^^^^^^^^^^^^^^^ .. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX`
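Review bot: In the 10.2.0 hunk the `^` underline under `Fix CVE-2023-50447` is several times longer than the title, while the template hunk in this same patch trims its underline to the title width; since this section is being touched, trim it to match (the `Fix CVE-2019-16865`, `Fix CVE-2020-5312` and `Fix CVE-2020-5313` headings in the 6.2.0 and 6.2.2 hunks have the same over-long underline).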
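Review bot: In the third section of the 3.1.1 hunk the note still reads "More information about this vulnerability available in :cve:`2016-2533`" while every other note in the patch reads "included in database record"; a cleanup that reorders these notes is the place to harmonise that wording.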
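Review bot: The 6.2.0 hunk deletes the summary line `DOS attack vulnerabilities.` outright, whereas the 6.2.2 hunk keeps the near-identical `DOS attack vulnerability.` and moves it below the note; the deletion is only justified where the summary repeats the body's first sentence (as in the 10.0.1 and 8.1.1 hunks), so either restore this one below the note or state the rule in the commit message.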
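Review bot: The rewrapped `CVE-2020-5312` line in the 6.2.2 hunk carries over "Buffer overruns were found when processing an SGI PCX." under a PCX heading; the wording looks like a copy of the SGI entry above it and should read "a PCX image". The same hunk also reflows these paragraphs to roughly 100 columns while the rest of the release notes stay at about 80, which makes the files inconsistent with each other.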
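Review bot: In the 8.0.1 hunk the `-` removal directly before "A heap buffer overflow has been found" takes out a blank line; confirm that another blank line still separates `Update FreeType in wheels to `2.10.4`_.` from that paragraph, otherwise the two render as a single paragraph.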
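Review bot: In the 8.1.1 hunk the note under `Fix CVE-2021-25292` still ends with a stray colon (`:cve:`2021-25292`:`) and is left as context rather than fixed. In the `Fix CVE-2021-25293` section the summary is moved below the note without an added blank line before the `Other Changes` heading, whereas the equivalent moves in the 7.1.0 hunk add a `+` blank line before `API Changes`; a section title not preceded by a blank line is a docutils error, so add one unless a blank context line is already there.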
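Review bot: The 8.1.2 hunk introduces a typo in the rewrapped BLP paragraph, "There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check" (stray period mid-sentence), and leaves the note under `Fix CVE-2021-27922` pointing at `:cve:`2021-27921``; both should be corrected while this section is being rewritten.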
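Review bot: The moved summary in the 8.2.0 hunk, `+OOB read in Jpeg2KDecode`, has no terminating period, while the 7.1.0, 9.0.0, 9.0.1 and 9.1.1 hunks in this same patch add one to each summary; the 8.3.0 (`+Buffer overflow`) and 8.3.2 (`+Avoid potential ReDoS ...`) hunks have the same omission. Pick one convention and apply it across the patch.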
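Review bot: The template hunk drops the `-- TODO` marker from the heading but adds nothing to mark where the summary sentence now goes; since every other hunk places a one-line summary below the `.. note::`, add a `TODO` summary line there so the template reflects the new layout.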