From ddfbcdb2b6c8e965ec9c6f89503c0ee2e24d9549 Mon Sep 17 00:00:00 2001 From: Alex Clark Date: Wed, 13 Mar 2024 14:15:16 -0400 Subject: [PATCH] Clean up for #7864 Before back fill, clean up. - Add suggested CVE format to template - Move Security to the top of release notes - Fix headings - Update all existing CVE notes to match template --- docs/releasenotes/10.0.0.rst | 54 ++++++++------- docs/releasenotes/10.0.1.rst | 12 +++- docs/releasenotes/10.2.0.rst | 68 +++++++++--------- docs/releasenotes/3.1.1.rst | 44 ++++++++---- docs/releasenotes/3.1.2.rst | 20 ++++-- docs/releasenotes/6.2.0.rst | 53 ++++++++------ docs/releasenotes/6.2.2.rst | 57 ++++++++++++--- docs/releasenotes/7.1.0.rst | 51 +++++++++++--- docs/releasenotes/8.0.1.rst | 9 ++- docs/releasenotes/8.1.0.rst | 96 +++++++++++++++----------- docs/releasenotes/8.1.1.rst | 45 ++++++++++-- docs/releasenotes/8.1.2.rst | 44 ++++++++++-- docs/releasenotes/8.2.0.rst | 122 ++++++++++++++++++--------------- docs/releasenotes/8.3.0.rst | 50 ++++++++------ docs/releasenotes/8.3.2.rst | 27 +++++--- docs/releasenotes/9.0.0.rst | 75 ++++++++++---------- docs/releasenotes/9.0.1.rst | 18 ++++- docs/releasenotes/9.1.1.rst | 9 ++- docs/releasenotes/index.rst | 1 + docs/releasenotes/template.rst | 23 ++++--- 20 files changed, 571 insertions(+), 307 deletions(-) diff --git a/docs/releasenotes/10.0.0.rst b/docs/releasenotes/10.0.0.rst index 705ca04152f..4be590edf8c 100644 --- a/docs/releasenotes/10.0.0.rst +++ b/docs/releasenotes/10.0.0.rst 
@@ -1,6 +1,35 @@ 10.0.0 ------ +Security +======== + +Limit size even if one dimension is zero +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +When performing decompression bomb checks, Pillow did not reject images with +excessive width and zero height, or zero width and excessive height. That has +now been fixed. + +This effectively dates to the PIL fork, since problem images would still have +been processed before Pillow started checking for decompression bombs. + +Fix CVE-2023-44271 +^^^^^^^^^^^^^^^^^^ + +Added ImageFont.MAX_STRING_LENGTH. + +.. note:: More information about this vulnerability included in database record :cve:`2023-44271` + +To protect against potential DOS attacks when using arbitrary strings as text +input, Pillow will now raise a :py:exc:`ValueError` if the number of characters +passed into ImageFont methods is over a certain limit, +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. + +This threshold can be changed by setting +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting +``ImageFont.MAX_STRING_LENGTH = None``. + Backwards Incompatible Changes ============================== 
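Review bot: the new ``.. note::`` lines in this hunk read "More information about this vulnerability included in database record :cve:`2023-44271`", which has no verb. The wording comes from the template and is repeated in every converted file, so fix it once in template.rst before the backfill copies it further, e.g. "More information about this vulnerability is included in database record :cve:`2023-44271`" or simply "See :cve:`2023-44271`".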
@@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()`` and the image has an alpha channel, trim transparent pixels. Otherwise, trim pixels when all channels are zero. -Security -======== - -Limit size even if one dimension is zero -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -When performing decompression bomb checks, Pillow did not reject images with -excessive width and zero height, or zero width and excessive height. That has -now been fixed. - -This effectively dates to the PIL fork, since problem images would still have -been processed before Pillow started checking for decompression bombs. - -Added ImageFont.MAX_STRING_LENGTH -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text -input, Pillow will now raise a :py:exc:`ValueError` if the number of characters -passed into ImageFont methods is over a certain limit, -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. - -This threshold can be changed by setting -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting -``ImageFont.MAX_STRING_LENGTH = None``. - Other Changes ============= diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index 6ac30e7fce1..0b75d2efaef 100644 --- a/docs/releasenotes/10.0.1.rst +++ b/docs/releasenotes/10.0.1.rst @@ -4,9 +4,15 @@ Security ======== -This release addresses :cve:`2023-4863`, by providing an updated install script and -updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow -in WebP. +Fix CVE-2023-4863 +^^^^^^^^^^^^^^^^^ + +Updated install script and wheels with libwebp 1.3.2 + +.. note:: More information about this vulnerability included in database record :cve:`2023-4863` + +This release provides an updated install script and updated wheels to +include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. Updated tests to pass with latest zlib version ============================================== 
diff --git a/docs/releasenotes/10.2.0.rst b/docs/releasenotes/10.2.0.rst index c3947f64c2e..412995da5be 100644 --- a/docs/releasenotes/10.2.0.rst +++ b/docs/releasenotes/10.2.0.rst @@ -1,6 +1,42 @@ 10.2.0 ------ +Security +======== + +ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To protect against potential DOS attacks when using arbitrary strings as text input, +Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into +:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit, +:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. + +This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It +can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``. + +A decompression bomb check has also been added to +:py:meth:`PIL.ImageFont.ImageFont.getmask`. + +ImageFont.getmask: Trim glyph size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To protect against potential DOS attacks when using PIL fonts, +:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that +they do not extend beyond the bitmap image. + +Fix CVE-2023-50447 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +ImageMath.eval: Restricted environment keys. + +.. note:: More information about this vulnerability included in database record :cve:`2023-50447` + +If an attacker has control over the keys passed to the +``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute +arbitrary code. To prevent this, keys matching the names of builtins and keys +containing double underscores will now raise a :py:exc:`ValueError`. + Deprecations ============ 
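Review bot: the underline for ``Fix CVE-2023-50447`` is roughly three times the heading's width, while the other two new headings in this hunk are underlined to exact width. docutils tolerates an over-long underline, but trim it to 18 carets so the file matches the template and the rest of the patch.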
@@ -63,38 +99,6 @@ JPEG tables-only streamtype When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will output only the quantization and Huffman tables for the image. -Security -======== - -ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To protect against potential DOS attacks when using arbitrary strings as text input, -Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into -:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit, -:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. - -This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It -can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``. - -A decompression bomb check has also been added to -:py:meth:`PIL.ImageFont.ImageFont.getmask`. - -ImageFont.getmask: Trim glyph size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To protect against potential DOS attacks when using PIL fonts, -:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that -they do not extend beyond the bitmap image. - -ImageMath.eval: Restricted environment keys -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2023-50447`: If an attacker has control over the keys passed to the -``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute -arbitrary code. To prevent this, keys matching the names of builtins and keys -containing double underscores will now raise a :py:exc:`ValueError`. - Other Changes ============= diff --git a/docs/releasenotes/3.1.1.rst b/docs/releasenotes/3.1.1.rst index 5d60e116cc1..7d0fcbdf211 100644 --- a/docs/releasenotes/3.1.1.rst +++ b/docs/releasenotes/3.1.1.rst 
@@ -1,12 +1,19 @@ - 3.1.1 -===== +----- + +Security +======== + +Fix CVE-2016-0740 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in TiffDecode.c. -CVE-2016-0740 -- Buffer overflow in TiffDecode.c ------------------------------------------------- +.. note:: More information about this vulnerability included in database record :cve:`2016-0740` -Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 -may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`). +Pillow 3.1.0 and earlier when linked against +libtiff >= 4.0.0 on x64 may overflow a buffer when reading a +specially crafted tiff file. Specifically, libtiff >= 4.0.0 changed the return type of ``TIFFScanlineSize`` from ``int32`` to machine dependent @@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault. This issue was found by security researcher FourOne. +Fix CVE-2016-0775 +^^^^^^^^^^^^^^^^^ -CVE-2016-0775 -- Buffer overflow in FliDecode.c ------------------------------------------------ +Buffer overflow in FliDecode.c. -In all versions of Pillow, dating back at least to the last PIL 1.1.7 -release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`). +.. note:: More information about this vulnerability included in database record :cve:`2016-0775` + +In all versions of Pillow, dating back at least to +the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. Around line 192: 
@@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault. This issue was found by Alyssa Besseling at Atlassian. -CVE-2016-2533 -- Buffer overflow in PcdDecode.c ------------------------------------------------ +Fix CVE-2016-2533 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in PcdDecode.c. + +.. note:: More information about this vulnerability available in :cve:`2016-2533` -In all versions of Pillow, dating back at least to the last PIL 1.1.7 -release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`). +In all versions of Pillow, dating back at least to the +last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer @@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error. Integer overflow in Resample.c ------------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If a large value was passed into the new size for an image, it is possible to overflow an ``int32`` value passed into malloc. diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst index 04325ad868f..c8e24c8c2b3 100644 --- a/docs/releasenotes/3.1.2.rst +++ b/docs/releasenotes/3.1.2.rst 
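Review bot: the CVE-2016-2533 note in this hunk says "More information about this vulnerability available in :cve:`2016-2533`", whereas the two notes above it and every other converted file use "included in database record". Align it with the template wording so all notes render identically.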
@@ -1,13 +1,19 @@ - 3.1.2 -===== +----- + +Security +======== + +Fix CVE-2016-3076 +^^^^^^^^^^^^^^^^^ + +Buffer overflow in Jpeg2KEncode.c. -CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c --------------------------------------------------- +.. note:: More information about this vulnerability included in database record :cve:`2016-3076` -Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing -large Jpeg2000 files, allowing for code execution or other memory -corruption (:cve:`2016-3076`). +Pillow between 2.5.0 and 3.1.1 may overflow a buffer +when writing large Jpeg2000 files, allowing for code execution or other +memory corruption. This occurs specifically in the function ``j2k_encode_entry``, at the line: diff --git a/docs/releasenotes/6.2.0.rst b/docs/releasenotes/6.2.0.rst index 7daac1b1902..cab01cfad54 100644 --- a/docs/releasenotes/6.2.0.rst +++ b/docs/releasenotes/6.2.0.rst 
@@ -1,6 +1,38 @@ 6.2.0 ----- +Security +======== + +This release catches several buffer overruns and fixes CVE-2019-16865. + +Buffer overruns +^^^^^^^^^^^^^^^ + +In RawDecode.c, an error is now thrown if skip is calculated to be less than +zero. It is intended to skip padding between lines, not to go backwards. + +In PsdImagePlugin, if the combined sizes of the individual parts is larger than +the declared size of the extra data field, then it looked for the next layer by +seeking backwards. This is now corrected by seeking to (the start of the layer ++ the size of the extra data field) instead of (the read parts of the layer + +the rest of the layer). + +Decompression bomb checks have been added to GIF and ICO formats. + +An error is now raised if a TIFF dimension is a string, rather than trying to +perform operations on it. + +Fix CVE-2019-16865 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +DOS attack vulnerabilities. + +.. note:: More information about this vulnerability included in database record :cve:`2019-16865` + +The CVE is regarding DOS problems, such as consuming large +amounts of memory, or taking a large amount of time to process an image. + API Additions ============= 
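Review bot: same underline problem as in 10.2.0: ``Fix CVE-2019-16865`` has an underline far longer than the heading text; trim it to 18 carets to match ``Buffer overruns`` directly above it.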
@@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer`` may change in the future for the "raw" decoder. The change will now take place in Pillow 7.0. -Security -======== - -This release catches several buffer overruns, as well as addressing -:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large -amounts of memory, or taking a large amount of time to process an image. - -In RawDecode.c, an error is now thrown if skip is calculated to be less than -zero. It is intended to skip padding between lines, not to go backwards. - -In PsdImagePlugin, if the combined sizes of the individual parts is larger than -the declared size of the extra data field, then it looked for the next layer by -seeking backwards. This is now corrected by seeking to (the start of the layer -+ the size of the extra data field) instead of (the read parts of the layer + -the rest of the layer). - -Decompression bomb checks have been added to GIF and ICO formats. - -An error is now raised if a TIFF dimension is a string, rather than trying to -perform operations on it. - Other Changes ============= diff --git a/docs/releasenotes/6.2.2.rst b/docs/releasenotes/6.2.2.rst index 47692a3de6a..96bf0471244 100644 --- a/docs/releasenotes/6.2.2.rst +++ b/docs/releasenotes/6.2.2.rst 
@@ -4,15 +4,56 @@ Security ======== -This release addresses several security problems. +This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313. -:cve:`2019-19911` is regarding FPX images. If an image reports that it has a large -number of bands, a large amount of resources will be used when trying to process the -image. This is fixed by limiting the number of bands to those usable by Pillow. +Fix CVE-2019-19911 +^^^^^^^^^^^^^^^^^^ -Buffer overruns were found when processing an SGI (:cve:`2020-5311`), -PCX (:cve:`2020-5312`) or FLI image (:cve:`2020-5313`). Checks have been added -to prevent this. +DOS attack vulnerability. -:cve:`2020-5310`: Overflow checks have been added when calculating the size of a +.. note:: More information about this vulnerability included in database record :cve:`2019-19911` + +If an FPX image reports that it has a large number of bands, a large amount of +resources will be used when trying to process the image. This is fixed by +limiting the number of bands to those usable by Pillow. + + +Fix CVE-2020-5310 +^^^^^^^^^^^^^^^^^ + +Overflow checks added to TIFF image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5310` + +Overflow checks have been added when calculating the size of a memory block to be reallocated in the processing of a TIFF image. + +Fix CVE-2020-5311 +^^^^^^^^^^^^^^^^^ + +Overflow checks added to SGI image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5311` + +Buffer overruns were found when processing an SGI image. Checks +have been added to prevent this. + +Fix CVE-2020-5312 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Overflow checks added to PCX image processing. + +.. 
note:: More information about this vulnerability included in database record :cve:`2020-5312` + +Buffer overruns were found when processing an SGI PCX. Checks have +been added to prevent this. + +Fix CVE-2020-5313 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Overflow checks added to FLI image processing. + +.. note:: More information about this vulnerability included in database record :cve:`2020-5313` + +Buffer overruns were found when processing an FLI image. Checks +have been added to prevent this. diff --git a/docs/releasenotes/7.1.0.rst b/docs/releasenotes/7.1.0.rst index 6e231464e93..ac9701cae2f 100644 --- a/docs/releasenotes/7.1.0.rst +++ b/docs/releasenotes/7.1.0.rst @@ -1,6 +1,46 @@ 7.1.0 ----- +Security +======== + +This release includes many security fixes. + +Fix CVE-2020-10177 +^^^^^^^^^^^^^^^^^^ + +Multiple out-of-bounds reads in FLI decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-10177` + +Fix CVE-2020-10378 +^^^^^^^^^^^^^^^^^^ + +Bounds overflow in PCX decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-10378` + +Fix CVE-2020-10379 +^^^^^^^^^^^^^^^^^^ + +Two buffer overflows in TIFF decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-10379` + +Fix CVE-2020-10994 +^^^^^^^^^^^^^^^^^^ + +Bounds overflow in JPEG 2000 decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-10994` + +Fix CVE-2020-11538 +^^^^^^^^^^^^^^^^^^ + +Buffer overflow in SGI-RLE decoding + +.. note:: More information about this vulnerability included in database record :cve:`2020-11538` + API Changes =========== 
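Review bot: under ``Fix CVE-2020-5312`` the body says "Buffer overruns were found when processing an SGI PCX." This is a copy of the SGI paragraph; CVE-2020-5312 is the PCX issue, so it should read "when processing a PCX image." The underlines for ``Fix CVE-2020-5312`` and ``Fix CVE-2020-5313`` are also much longer than the headings, unlike the three headings above them; trim both to 17 carets.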
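Review bot: in the 7.1.0 hunk the summary lines "Two buffer overflows in TIFF decoding", "Bounds overflow in JPEG 2000 decoding" and "Buffer overflow in SGI-RLE decoding" lack the trailing period that the first two entries ("Multiple out-of-bounds reads in FLI decoding.", "Bounds overflow in PCX decoding.") have; make all five consistent.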
@@ -67,17 +107,6 @@ Passing a different value on Windows or macOS will force taking a snapshot using the selected X server; pass an empty string to use the default X server. XCB support is not included in pre-compiled wheels for Windows and macOS. -Security -======== - -This release includes security fixes. - -* :cve:`2020-10177` Fix multiple out-of-bounds reads in FLI decoding -* :cve:`2020-10378` Fix bounds overflow in PCX decoding -* :cve:`2020-10379` Fix two buffer overflows in TIFF decoding -* :cve:`2020-10994` Fix bounds overflow in JPEG 2000 decoding -* :cve:`2020-11538` Fix buffer overflow in SGI-RLE decoding - Other Changes ============= diff --git a/docs/releasenotes/8.0.1.rst b/docs/releasenotes/8.0.1.rst index f7a1cea65da..eb995ebe1ea 100644 --- a/docs/releasenotes/8.0.1.rst +++ b/docs/releasenotes/8.0.1.rst @@ -4,7 +4,14 @@ Security ======== -Update FreeType used in binary wheels to `2.10.4`_ to fix :cve:`2020-15999`: +Fix CVE-2020-15999 +^^^^^^^^^^^^^^^^^^ + +Update FreeType version in wheels. + +.. note:: More information about this vulnerability included in database record :cve:`2020-15999` + +Update FreeType used in binary wheels to `2.10.4`_. - A heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6. diff --git a/docs/releasenotes/8.1.0.rst b/docs/releasenotes/8.1.0.rst index 69726e628b7..141489cb50f 100644 --- a/docs/releasenotes/8.1.0.rst +++ b/docs/releasenotes/8.1.0.rst 
@@ -1,6 +1,62 @@ 8.1.0 ----- +Security +======== + +This release includes security fixes. + +* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF +* An out-of-bounds read when saving a GIF of 1px width + +Fix CVE-2020-35653 +^^^^^^^^^^^^^^^^^^ + +Buffer read overrun in PCX decoding. + +.. note:: More information about this vulnerability included in database record :cve:`2020-35653` + +The PCX image decoder used the reported image stride to calculate +the row buffer, rather than calculating it from the image size. This issue dates back +to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this. + +Fix CVE-2020-35654 +^^^^^^^^^^^^^^^^^^ + +TIFF out-of-bounds write error. + +.. note:: More information about this vulnerability included in database record :cve:`2020-35654` + +Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr +files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). +In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode, +leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow +versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through +`Tidelift`_. + +Fix CVE-2020-35655 +^^^^^^^^^^^^^^^^^^ + +SGI Decode buffer overrun + +.. note:: More information about this vulnerability included in database record :cve:`2020-35655` + +4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly +checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's +`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. + +.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs +.. _OSS-Fuzz: https://github.com/google/oss-fuzz + +Dependencies +^^^^^^^^^^^^ + +OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including +security fixes. 
+ +LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including +security fixes discovered by fuzzers. + Deprecations ============ 
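Review bot: the summary line "SGI Decode buffer overrun" under ``Fix CVE-2020-35655`` is missing its trailing period, unlike the other two summaries in this hunk. The two bulleted non-CVE fixes (TIFF custom metadata, 1px GIF) are also left directly under the "This release includes security fixes." intro with no heading, whereas 6.2.0 gives equivalent items a ``Buffer overruns`` subsection; a matching subsection here would keep the structure uniform across releases.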
@@ -33,46 +89,6 @@ With this release, a list of images can be provided to the ``append_images`` par when saving, to replace the scaled down versions. This is the same functionality that already exists for the ICNS format. -Security -======== - -This release includes security fixes. - -* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF -* An out-of-bounds read when saving a GIF of 1px width -* :cve:`2020-35653` Buffer read overrun in PCX decoding - -The PCX image decoder used the reported image stride to calculate the row buffer, -rather than calculating it from the image size. This issue dates back to the PIL fork. -Thanks to Google's `OSS-Fuzz`_ project for finding this. - -* :cve:`2020-35654` Fix TIFF out-of-bounds write error - -Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr files in some -LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases -LibTIFF's interpretation of the file is different when reading in RGBA mode, leading to -an out-of-bounds write in ``TiffDecode.c``. This potentially affects Pillow versions -from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through -`Tidelift`_. - -* :cve:`2020-35655` Fix for SGI Decode buffer overrun - -4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly checking the -offsets and length tables. Independently reported through `Tidelift`_ and Google's -`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1. - -.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs -.. _OSS-Fuzz: https://github.com/google/oss-fuzz - -Dependencies -^^^^^^^^^^^^ - -OpenJPEG in the macOS and Linux wheels has been updated from 2.3.1 to 2.4.0, including -security fixes. - -LibTIFF in the macOS and Linux wheels has been updated from 4.1.0 to 4.2.0, including -security fixes discovered by fuzzers. - Other Changes ============= 
diff --git a/docs/releasenotes/8.1.1.rst b/docs/releasenotes/8.1.1.rst index 18d0a33f1cd..3e084351998 100644 --- a/docs/releasenotes/8.1.1.rst +++ b/docs/releasenotes/8.1.1.rst 
@@ -4,20 +4,51 @@ Security ======== -:cve:`2021-25289`: The previous fix for :cve:`2020-35654` was insufficient -due to incorrect error checking in ``TiffDecode.c``. +Fix CVE-2021-25289 +^^^^^^^^^^^^^^^^^^ -:cve:`2021-25290`: In ``TiffDecode.c``, there is a negative-offset ``memcpy`` +The previous fix for CVE-2020-35654 was insufficient. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25289` + +The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``. + +Fix CVE-2021-25290 +^^^^^^^^^^^^^^^^^^ + +In ``TiffDecode.c`` there is a negative-offset. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25290` + +In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size. -:cve:`2021-25291`: In ``TiffDecode.c``, invalid tile boundaries could lead to +Fix CVE-2021-25291 +^^^^^^^^^^^^^^^^^^ + +``TiffDecode.c`` has invalid tile boundaries. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25291` + +In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``. -:cve:`2021-25292`: The PDF parser has a catastrophic backtracking regex +Fix CVE-2021-25292 +^^^^^^^^^^^^^^^^^^ + +The PDF parser has a catastrophic backtracking regex. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25292`: + +The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack. -:cve:`2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``, -since Pillow 4.3.0. +Fix CVE-2021-25293 +^^^^^^^^^^^^^^^^^^ + +There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0. + +.. note:: More information about this vulnerability included in database record :cve:`2021-25293` Other Changes 
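Review bot: three of the new summary lines in this hunk truncate or misstate the sentences they summarise. "In ``TiffDecode.c`` there is a negative-offset." is a fragment (the original is "a negative-offset ``memcpy`` with an invalid size"); "``TiffDecode.c`` has invalid tile boundaries." attributes the invalid boundaries to the decoder rather than to the crafted file (original: "invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``"); and the CVE-2021-25292 note ends with a stray colon after ``:cve:`2021-25292``` that will render as literal text.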
diff --git a/docs/releasenotes/8.1.2.rst b/docs/releasenotes/8.1.2.rst index de50a3f1dad..6d4baa2b6f2 100644 --- a/docs/releasenotes/8.1.2.rst +++ b/docs/releasenotes/8.1.2.rst @@ -4,9 +4,41 @@ Security ======== -There is an exhaustion of memory DOS in the BLP (:cve:`2021-27921`), -ICNS (:cve:`2021-27922`) and ICO (:cve:`2021-27923`) container formats -where Pillow did not properly check the reported size of the contained image. -These images could cause arbitrarily large memory allocations. This was reported -by Jiayi Lin, Luke Shaffer, Xinran Xie, and Akshay Ajayan of -`Arizona State University `_. +Fix CVE-2021-27921 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in BLP images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27921` + +There is an exhaustion of memory DOS in BLP +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +Fix CVE-2021-27922 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in ICNS images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27921` + +There is an exhaustion of memory DOS in the ICNS +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +Fix CVE-2021-27923 +^^^^^^^^^^^^^^^^^^ + +There is an exhaustion of memory DOS in ICO images. + +.. note:: More information about this vulnerability included in database record :cve:`2021-27923` + +There is an exhaustion of memory DOS in ICO +images where Pillow did not properly check the reported size of the +contained image. These images could cause arbitrarily large memory +allocations. + +These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and +Akshay Ajayan of `Arizona State University `_. 
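Review bot: the note under ``Fix CVE-2021-27922`` points at the wrong record: it reads ``:cve:`2021-27921``` (the BLP issue) and must be ``:cve:`2021-27922```. Minor: "in the ICNS images" should be "in ICNS images" to match the BLP and ICO paragraphs, which are otherwise identical apart from the format name.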
diff --git a/docs/releasenotes/8.2.0.rst b/docs/releasenotes/8.2.0.rst index 452077f1a64..7e647841e1d 100644 --- a/docs/releasenotes/8.2.0.rst +++ b/docs/releasenotes/8.2.0.rst 
@@ -1,6 +1,73 @@ 8.2.0 ----- +Security +======== + +These were all found with `OSS-Fuzz`_. + +Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +OOB read in Jpeg2KDecode + +.. note:: More information about these vulnerabilities included in database records + :cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675` + +* For J2k images with multiple bands, it's legal to have different widths for each band, + e.g. 1 byte for ``L``, 4 bytes for ``A``. +* This dates to Pillow 2.4.0. + +Fix CVE-2021-28675 -- DOS attack in PsdImagePlugin +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28675` + +* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input + layers with regard to the size of the data block, this could lead to a + denial-of-service on :py:meth:`~PIL.Image.open` prior to + :py:meth:`~PIL.Image.Image.load`. +* This dates to the PIL fork. + +Fix CVE-2021-28676 -- FLI image DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28676` + +* ``FliDecode.c`` did not properly check that the block advance was non-zero, + potentially leading to an infinite loop on load. +* This dates to the PIL fork. + +Fix CVE-2021-28677 -- EPS DOS on _open +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28677` + +* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line + endings. It accidentally used a quadratic method of accumulating lines while looking + for a line ending. +* A malicious EPS file could use this to perform a denial-of-service of Pillow in the + open phase, before an image was accepted for opening. +* This dates to the PIL fork. 
+ +CVE-2021-28678 -- BLP DOS attack +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2021-28678` + +* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets + returned data. This could lead to a denial-of-service where the decoder could be run a + large number of times on empty data. +* This dates to Pillow 5.1.0. + +Fix memory DOS in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* A corrupt or specially crafted TTF font could have font metrics that lead to + unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check + the image size before allocating memory for it. +* This dates to the PIL fork. + Deprecations ============ 
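Review bot: CVE-2021-28675 is listed twice, once wrongly. The heading ``Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675`` and its note attach CVE-2021-28675 to the Jpeg2KDecode OOB read, but the original heading was only ``:cve:`2021-25287`, :cve:`2021-25288``` and CVE-2021-28675 is the PsdImagePlugin DoS that gets its own heading immediately below; drop it from the Jpeg2K heading and note. The headings in this file also keep a "-- description" suffix (and ``CVE-2021-28678 -- BLP DOS attack`` lacks the "Fix" prefix) instead of the "Fix CVE-…" heading plus separate summary line used everywhere else in the patch.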
@@ -123,61 +190,6 @@ be specified through a keyword argument:: im.save("out.tif", icc_profile=...) - -Security -======== - -These were all found with `OSS-Fuzz`_. - -:cve:`2021-25287`, :cve:`2021-25288`: Fix OOB read in Jpeg2KDecode -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* For J2k images with multiple bands, it's legal to have different widths for each band, - e.g. 1 byte for ``L``, 4 bytes for ``A``. -* This dates to Pillow 2.4.0. - -:cve:`2021-28675`: Fix DOS in PsdImagePlugin -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input - layers with regard to the size of the data block, this could lead to a - denial-of-service on :py:meth:`~PIL.Image.open` prior to - :py:meth:`~PIL.Image.Image.load`. -* This dates to the PIL fork. - -:cve:`2021-28676`: Fix FLI DOS -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``FliDecode.c`` did not properly check that the block advance was non-zero, - potentially leading to an infinite loop on load. -* This dates to the PIL fork. - -:cve:`2021-28677`: Fix EPS DOS on _open -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* The readline used in EPS has to deal with any combination of ``\r`` and ``\n`` as line - endings. It accidentally used a quadratic method of accumulating lines while looking - for a line ending. -* A malicious EPS file could use this to perform a denial-of-service of Pillow in the - open phase, before an image was accepted for opening. -* This dates to the PIL fork. - -:cve:`2021-28678`: Fix BLP DOS -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* ``BlpImagePlugin`` did not properly check that reads after jumping to file offsets - returned data. This could lead to a denial-of-service where the decoder could be run a - large number of times on empty data. -* This dates to Pillow 5.1.0. 
- -Fix memory DOS in ImageFont -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* A corrupt or specially crafted TTF font could have font metrics that lead to - unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check - the image size before allocating memory for it. -* This dates to the PIL fork. - Other Changes ============= diff --git a/docs/releasenotes/8.3.0.rst b/docs/releasenotes/8.3.0.rst index e74880f6f40..b0b016a08f1 100644 --- a/docs/releasenotes/8.3.0.rst +++ b/docs/releasenotes/8.3.0.rst @@ -1,6 +1,34 @@ 8.3.0 ----- +Security +======== + +Buffer overflow +^^^^^^^^^^^^^^^ + +Fix CVE-2021-34552 +^^^^^^^^^^^^^^^^^^ + +Buffer overflow + +.. note:: More information about this vulnerability included in database record :cve:`2021-34552` + +PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger +buffer overflow in Convert.c. + +Parsing XML +^^^^^^^^^^^ + +Pillow previously parsed XMP data using Python's ``xml`` module. However, this module +is not secure. + +- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve + orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead. +- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It + will now use ``defusedxml`` instead. If the dependency is not present, an empty + dictionary will be returned and a warning raised. + Deprecations ============ 
@@ -79,28 +107,6 @@ format, through the new ``bitmap_format`` argument:: im.save("out.ico", bitmap_format="bmp") -Security -======== - -Buffer overflow -^^^^^^^^^^^^^^^ - -This release addresses :cve:`2021-34552`. PIL since 1.1.4 and Pillow since 1.0 -allowed parameters passed into a convert function to trigger buffer overflow in -Convert.c. - -Parsing XML -^^^^^^^^^^^ - -Pillow previously parsed XMP data using Python's ``xml`` module. However, this module -is not secure. - -- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve - orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead. -- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added in Pillow 8.2.0. It - will now use ``defusedxml`` instead. If the dependency is not present, an empty - dictionary will be returned and a warning raised. - Other Changes ============= diff --git a/docs/releasenotes/8.3.2.rst b/docs/releasenotes/8.3.2.rst index 3333d63a1e8..7e2007649f3 100644 --- a/docs/releasenotes/8.3.2.rst +++ b/docs/releasenotes/8.3.2.rst 
@@ -4,14 +4,25 @@ Security ======== -* :cve:`2021-23437`: Avoid a potential ReDoS (regular expression denial of service) - in :py:class:`~PIL.ImageColor`'s :py:meth:`~PIL.ImageColor.getrgb` by raising - :py:exc:`ValueError` if the color specifier is too long. Present since Pillow 5.2.0. - -* Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` - incorrectly calculated the required read buffer size when copying a chunk, potentially - reading six extra bytes off the end of the allocated buffer from the heap. Present - since Pillow 7.1.0. This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs. +Fix CVE-2021-23437 +^^^^^^^^^^^^^^^^^^ + +Avoid potential ReDoS (regular expression denial of service) + +.. note:: More information about this vulnerability included in database record :cve:`2021-23437` + +Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s +:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is +too long. Present since Pillow 5.2.0. + +Fix 6-byte out-of-bounds (OOB) read +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Fix 6-byte out-of-bounds (OOB) read. The previous bounds check in ``FliDecode.c`` incorrectly +calculated the required read buffer size when copying a chunk, potentially reading six extra +bytes off the end of the allocated buffer from the heap. Present since Pillow 7.1.0. + +This bug was found by Google's `OSS-Fuzz`_ `CIFuzz`_ runs. Other Changes ============= diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index 090ec802467..b46932b2423 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst 
@@ -24,6 +24,46 @@ success of Python. Thank you, Fredrik. +Security +======== + +Ensure JpegImagePlugin stops at the end of a truncated file +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that +the last segment of the data will still be processed by the decoder. + +If the EOF marker is not detected as such however, this could lead to an infinite +loop where ``JpegImagePlugin`` keeps trying to end the file. + +Remove consecutive duplicate tiles that only differ by their offset +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To prevent attempts to slow down loading times for images, if an image has consecutive +duplicate tiles that only differ by their offset, only load the last tile. Credit to +Google's `OSS-Fuzz`_ project for finding this issue. + +Fix CVE-2022-22817 +^^^^^^^^^^^^^^^^^^ + +Restrict builtins available to ImageMath.eval + +.. note:: More information about this vulnerability included in database record :cve:`2022-22817` + +To limit :py:class:`PIL.ImageMath` to working with images, Pillow +will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will +help prevent problems arising if users evaluate arbitrary expressions, such as +``ImageMath.eval("exec(exit())")``. + +Fix CVE-2022-22817 -- ImagePath.Path array handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`2022-22815` + +(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``. + +.. _OSS-Fuzz: https://github.com/google/oss-fuzz + Backwards Incompatible Changes ============================== 
@@ -97,41 +137,6 @@ Support has been added for the "title" argument in argument will also now be supported, e.g. ``im.show(title="My Image")`` and ``ImageShow.show(im, title="My Image")``. -Security -======== - -Ensure JpegImagePlugin stops at the end of a truncated file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -``JpegImagePlugin`` may append an EOF marker to the end of a truncated file, so that -the last segment of the data will still be processed by the decoder. - -If the EOF marker is not detected as such however, this could lead to an infinite -loop where ``JpegImagePlugin`` keeps trying to end the file. - -Remove consecutive duplicate tiles that only differ by their offset -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To prevent attempts to slow down loading times for images, if an image has consecutive -duplicate tiles that only differ by their offset, only load the last tile. Credit to -Google's `OSS-Fuzz`_ project for finding this issue. - -Restrict builtins available to ImageMath.eval -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow -will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will -help prevent problems arising if users evaluate arbitrary expressions, such as -``ImageMath.eval("exec(exit())")``. - -Fixed ImagePath.Path array handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -:cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were -found when initializing ``ImagePath.Path``. - -.. _OSS-Fuzz: https://github.com/google/oss-fuzz - Other Changes ============= diff --git a/docs/releasenotes/9.0.1.rst b/docs/releasenotes/9.0.1.rst index acb92dc4151..b8003e88642 100644 --- a/docs/releasenotes/9.0.1.rst +++ b/docs/releasenotes/9.0.1.rst 
@@ -6,12 +6,26 @@ Security This release addresses several security problems. -:cve:`2022-24303`: If the path to the temporary directory on Linux or macOS +Fix CVE-2022-24303 +^^^^^^^^^^^^^^^^^^ + +Temp image removal + +.. note:: More information about this vulnerability included in database record :cve:`2022-24303` + +If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after ``im.show()`` (and related actions), and potentially remove an unrelated file. This has been present since PIL. -:cve:`2022-22817`: While Pillow 9.0 restricted top-level builtins available to +Fix CVE-2022-24303 +^^^^^^^^^^^^^^^^^^ + +Restrict lambda expressions + +.. note:: More information about this vulnerability included in database record :cve:`2022-22817` + +While Pillow 9.0 restricted top-level builtins available to :py:meth:`PIL.ImageMath.eval`, it did not prevent builtins available to lambda expressions. These are now also restricted. diff --git a/docs/releasenotes/9.1.1.rst b/docs/releasenotes/9.1.1.rst index bab70f8f984..4ae596f3e28 100644 --- a/docs/releasenotes/9.1.1.rst +++ b/docs/releasenotes/9.1.1.rst @@ -6,7 +6,14 @@ Security This release addresses several security problems. -:cve:`2022-30595`: When reading a TGA file with RLE packets that cross scan lines, +Fix CVE-2022-30595 +^^^^^^^^^^^^^^^^^^ + +Heap buffer overflow + +.. note:: More information about this vulnerability included in database record :cve:`2022-30595` + +When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index e86f8082b48..e1ebd650966 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst 
@@ -69,4 +69,5 @@ expected to be backported to earlier versions. 3.0.0 2.8.0 2.7.0 + 2.3.1 versioning diff --git a/docs/releasenotes/template.rst b/docs/releasenotes/template.rst index 440d04b1cc4..08dbead7f7a 100644 --- a/docs/releasenotes/template.rst +++ b/docs/releasenotes/template.rst @@ -1,6 +1,21 @@ xx.y.z ------ +Security +======== + +TODO +^^^^ + +TODO + +Fix CVE-YYYY-XXXXX -- TODO +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: More information about this vulnerability included in database record :cve:`YYYY-XXXXX` + +TODO + Backwards Incompatible Changes ============================== @@ -31,14 +46,6 @@ TODO TODO -Security -======== - -TODO -^^^^ - -TODO - Other Changes =============
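Review bot: In the docs/releasenotes/8.2.0.rst hunk at ``@@ -1,6 +1,35 @@``, the heading ``CVE-2021-28678 -- BLP DOS attack`` is the only converted entry without the ``Fix `` prefix that the template's ``Fix CVE-YYYY-XXXXX -- TODO`` form and the other new headings use; rename it to ``Fix CVE-2021-28678 -- BLP DOS attack`` so the back fill has one consistent pattern to copy.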
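Review bot: In the docs/releasenotes/8.2.0.rst hunk at ``@@ -123,61 +190,6 @@``, the removed block carries the attribution sentence "These were all found with `OSS-Fuzz`_." and it does not appear in the visible tail of the new Security section at the top of the file; confirm it (and the ``.. _OSS-Fuzz:`` target it needs) was carried over rather than dropped, since the credit is part of the record of how these five CVEs were found.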
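Review bot: In the docs/releasenotes/8.3.0.rst hunk at ``@@ -1,6 +1,34 @@``, the new ``Buffer overflow`` heading is an empty section, immediately followed by the same-level heading ``Fix CVE-2021-34552``, and then "Buffer overflow" is repeated as the first paragraph of that section; this looks like the template's leading ``TODO`` block left in place. Collapse the three into the template's own form, ``Fix CVE-2021-34552 -- Buffer overflow``, followed directly by the note and the explanatory paragraph.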
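Review bot: In the docs/releasenotes/8.3.2.rst hunk at ``@@ -4,14 +4,25 @@``, the one-line summary under each new heading duplicates the sentence that follows it: "Avoid potential ReDoS (regular expression denial of service)" is followed by a paragraph starting "Avoid a potential ReDoS ...", and the heading ``Fix 6-byte out-of-bounds (OOB) read`` is followed by a paragraph starting with exactly those words. Either drop the summary lines or fold the summary into the heading (for example ``Fix CVE-2021-23437 -- ReDoS in ImageColor.getrgb``) and let the paragraph carry the detail once.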
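Review bot: In the docs/releasenotes/9.0.0.rst hunk at ``@@ -24,6 +24,46 @@``, the heading ``Fix CVE-2022-22817 -- ImagePath.Path array handling`` names the wrong CVE: the note beneath it cites :cve:`2022-22815`, the body cites :cve:`2022-22816`, and 2022-22817 is already the ImageMath.eval entry directly above. The body sentence is also left without its subject, now reading "(:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``." because the leading ":cve:`2022-22815`" was moved into the note. Suggest a heading naming both identifiers, e.g. ``Fix CVE-2022-22815 and CVE-2022-22816 -- ImagePath.Path array handling``, and restore the original sentence ":cve:`2022-22815` (:cwe:`126`) and :cve:`2022-22816` (:cwe:`665`) were found when initializing ``ImagePath.Path``." in the body.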
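Review bot: In the docs/releasenotes/9.0.1.rst hunk at ``@@ -6,12 +6,26 @@``, the second heading repeats ``Fix CVE-2022-24303`` although its note cites :cve:`2022-22817` and the text below is the ImageMath.eval lambda restriction; it should read ``Fix CVE-2022-22817``. As written, the two identical headings also produce a duplicate implicit target in Sphinx. Minor: removing the ":cve:`...`: " prefixes leaves the first line of each paragraph short ("If the path to the temporary directory on Linux or macOS"); rewrap while touching these lines.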
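Review bot: In the docs/releasenotes/index.rst hunk at ``@@ -69,4 +69,5 @@``, the toctree gains a ``2.3.1`` entry, but no hunk in this patch adds or modifies a docs/releasenotes/2.3.1.rst and the commit message does not mention it; confirm that file already exists in the tree, otherwise Sphinx will warn about a toctree reference to a nonexisting document, and consider noting the addition in the commit message.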
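Review bot: In the docs/releasenotes/template.rst hunk at ``@@ -1,6 +1,21 @@``, the note text "More information about this vulnerability included in database record :cve:`YYYY-XXXXX`" is missing its verb, and this exact wording has been copied verbatim into every converted release note in this patch. Fix it in the template first, e.g. "More information about this vulnerability is included in database record :cve:`YYYY-XXXXX`", so the back fill copies a grammatical sentence, and apply the same wording to the already converted entries. It would also help to mark which of the two ``TODO`` blocks is intended for security fixes without a CVE, since the 8.3.0 conversion shows how the leading block gets left in place by mistake.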