Merge branch 'master' into travis_arch

.travis.yml

@@ -40,45 +40,21 @@ matrix:
       env: PYTHONOPTIMIZE=2
       services: xvfb
 
-    - env: DOCKER="alpine" DOCKER_TAG="master"
-    - env: DOCKER="arch" DOCKER_TAG="master" # contains PyQt5
-    - env: DOCKER="ubuntu-16.04-xenial-amd64" DOCKER_TAG="master"
-    - env: DOCKER="ubuntu-18.04-bionic-amd64" DOCKER_TAG="master"
-    - env: DOCKER="debian-9-stretch-x86" DOCKER_TAG="master"
-    - env: DOCKER="debian-10-buster-x86" DOCKER_TAG="master"
-    - env: DOCKER="centos-6-amd64" DOCKER_TAG="master"
-    - env: DOCKER="centos-7-amd64" DOCKER_TAG="master"
-    - env: DOCKER="centos-8-amd64" DOCKER_TAG="master"
-    - env: DOCKER="amazon-1-amd64" DOCKER_TAG="master"
-    - env: DOCKER="amazon-2-amd64" DOCKER_TAG="master"
-    - env: DOCKER="fedora-30-amd64" DOCKER_TAG="master"
-    - env: DOCKER="fedora-31-amd64" DOCKER_TAG="master"
-
-services:
-  - docker
-
-before_install:
-  - if [ "$DOCKER" ]; then travis_retry docker pull pythonpillow/$DOCKER:$DOCKER_TAG; fi
-
 install:
   - |
     if [ "$LINT" == "true" ]; then
       pip install tox
-    elif [ "$DOCKER" == "" ]; then
+    else
       .travis/install.sh;
     fi
 
 script:
 - |
   if [ "$LINT" == "true" ]; then
     tox -e lint
-  elif [ "$DOCKER" == "" ]; then
+  else
     .travis/build.sh
     .travis/test.sh
-  elif [ "$DOCKER" ]; then
-    # the Pillow user in the docker container is UID 1000
-    sudo chown -R 1000 $TRAVIS_BUILD_DIR
-    docker run -v $TRAVIS_BUILD_DIR:/Pillow pythonpillow/$DOCKER:$DOCKER_TAG
   fi
 
 after_success:

.travis/after_success.sh

@@ -23,7 +23,7 @@ if [[ $TRAVIS ]]; then
     codecov
 fi
 
-if [ "$TRAVIS_PYTHON_VERSION" == "3.7" ] && [ "$DOCKER" == "" ]; then
+if [ "$TRAVIS_PYTHON_VERSION" == "3.7" ]; then
     # Coverage and quality reports on just the latest diff.
     depends/diffcover-install.sh
     depends/diffcover-run.sh

.travis/install.sh

@@ -21,6 +21,7 @@ if [[ $TRAVIS_PYTHON_VERSION == 3.* ]]; then
   if [[ $TRAVIS_CPU_ARCH == "amd64" ]]; then
     sudo apt-get -qq install pyqt5-dev-tools
     pip install pyqt5
+    pip install pyqt5!=5.14.1
   fi
 fi
 

CHANGES.rst

@@ -97,16 +97,16 @@ Changelog (Pillow)
 
 - This is the last Pillow release to support Python 2.7 #3642
 
-- Overflow checks for realloc for tiff decoding. CVE TBD
+- Overflow checks for realloc for tiff decoding. CVE-2020-5310
   [wiredfool, radarhere]
 
-- Catch SGI buffer overrun. CVE TBD
+- Catch SGI buffer overrun. CVE-2020-5311
   [radarhere]
 
-- Catch PCX P mode buffer overrun. CVE TBD
+- Catch PCX P mode buffer overrun. CVE-2020-5312
   [radarhere]
 
-- Catch FLI buffer overrun. CVE TBD
+- Catch FLI buffer overrun. CVE-2020-5313
   [radarhere]
 
 - Raise an error for an invalid number of bands in FPX image. CVE-2019-19911

LICENSE

@@ -9,8 +9,22 @@ Pillow is the friendly PIL fork. It is
 
 Like PIL, Pillow is licensed under the open source PIL Software License:
 
-By obtaining, using, and/or copying this software and/or its associated documentation, you agree that you have read, understood, and will comply with the following terms and conditions:
+By obtaining, using, and/or copying this software and/or its associated
+documentation, you agree that you have read, understood, and will comply
+with the following terms and conditions:
 
-Permission to use, copy, modify, and distribute this software and its associated documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies, and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Secret Labs AB or the author not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
+Permission to use, copy, modify, and distribute this software and its
+associated documentation for any purpose and without fee is hereby granted,
+provided that the above copyright notice appears in all copies, and that
+both that copyright notice and this permission notice appear in supporting
+documentation, and that the name of Secret Labs AB or the author not be
+used in advertising or publicity pertaining to distribution of the software
+without specific, written prior permission.
 
-SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL SECRET LABS AB OR THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
+SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
+IN NO EVENT SHALL SECRET LABS AB OR THE AUTHOR BE LIABLE FOR ANY SPECIAL,
+INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.

docs/releasenotes/6.2.2.rst

@@ -4,15 +4,14 @@
 Security
 ========
 
-This release addresses several security problems (CVEs TBD), as well as addressing
-CVE-2019-19911.
+This release addresses several security problems.
 
 CVE-2019-19911 is regarding FPX images. If an image reports that it has a large number
 of bands, a large amount of resources will be used when trying to process the
 image. This is fixed by limiting the number of bands to those usable by Pillow.
 
-Buffer overruns were found when processing an SGI, PCX or FLI image. Checks
-have been added to prevent this.
+Buffer overruns were found when processing an SGI (CVE-2020-5311), PCX (CVE-2020-5312)
+or FLI image (CVE-2020-5313). Checks have been added to prevent this.
 
-Overflow checks have been added when calculating the size of a memory block to
-be reallocated in the processing of a TIFF image.
+CVE-2020-5310: Overflow checks have been added when calculating the size of a memory
+block to be reallocated in the processing of a TIFF image.