Document CVE fixes #5176

Merged
merged 4 commits into from Jan 2, 2021
9 changes: 9 additions & 0 deletions CHANGES.rst
Expand Up @@ -5,6 +5,15 @@ Changelog (Pillow)
8.1.0 (unreleased)
------------------

- Fix TIFF OOB Write error. CVE-2020-35654 #5175
[wiredfool]

- Fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174
[wiredfool, radarhere]

- Fix for SGI Decode buffer overrun. CVE-2020-35655 #5173
[wiredfool, radarhere]

- Fix OOB Read when saving GIF of xsize=1 #5149
[wiredfool]

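Review bot: the three new entries describe the same kind of item in three different forms ("Fix TIFF OOB Write error.", "Fix for Read Overflow in PCX Decoding.", "Fix for SGI Decode buffer overrun."), which makes the changelog harder to scan for people grepping for security fixes; a uniform pattern such as "Fix out-of-bounds write in TIFF decoding. CVE-2020-35654 #5175" for all three would read better. Also double-check that the CVE ids and PR numbers here match the ones used in docs/releasenotes/8.1.0.rst in this same PR, since the two files are the only places a downstream packager will look.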
36 changes: 26 additions & 10 deletions docs/releasenotes/8.1.0.rst
Expand Up @@ -20,14 +20,6 @@ Makefile

The 'install-venv' target has been deprecated.

API Changes
===========

TODO
^^^^

TODO

API Additions
=============

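Review bot: dropping the "API Changes" heading together with its TODO placeholders leaves the 8.1.0 notes with no section for behavioural changes; that is correct only if the release has none, so confirm it against CHANGES.rst rather than inferring it from the placeholder never having been filled, because a reader scanning for breaking changes will read the missing heading as "nothing changed".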
Expand All @@ -44,8 +36,32 @@ already exists for the ICNS format.
Security
========

An out-of-bounds read when saving TIFFs with custom metadata through libtiff has been
fixed, as well as when saving a GIF of 1px width.
This release includes security fixes.

* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
* An out-of-bounds read when saving a GIF of 1px width
* :cve:`CVE-2020-35653` Buffer read overrun in PCX decoding

The PCX image decoder used the reported image stride to calculate the row buffer,
rather than calculating it from the image size. This issue dates back to the PIL fork.
Thanks to Google's `OSS-Fuzz`_ project for finding this.

* :cve:`CVE-2020-35654` Fix TIFF OOB Write error

OOB Write in TiffDecode.c when reading corrupt YCbCr files in some LibTIFF versions
(4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases LibTIFF's
interpretation of the file is different when reading in RGBA mode, leading to an Out of
bounds write in TiffDecode.c. This potentially affects Pillow versions from 6.0.0 to
8.0.1, depending on the version of LibTIFF. This was reported through `Tidelift`_.

* :cve:`CVE-2020-35655` Fix for SGI Decode buffer overrun

4 byte read overflow in SGIRleDecode.c, where the code was not correctly checking the
offsets and length tables. Independently reported through `Tidelift`_ and Google's
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.

.. _Tidelift: https://tidelift.com/subscription/pkg/pypi-pillow?utm_source=pillow&utm_medium=referral&utm_campaign=docs
.. _OSS-Fuzz: https://github.com/google/oss-fuzz

Dependencies
^^^^^^^^^^^^