Security fixes for 8.2.0 #5377

Merged
merged 10 commits into from Apr 1, 2021

Commits on Apr 1, 2021

  1. Add security release notes

    hugovk committed Apr 1, 2021
    8ec0278
  2. Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288

    * For J2k images with multiple bands, it's legal to have different
      widths for each band, e.g. 1 byte for L, 4 bytes for A
    * This dates to Pillow 2.4.0
    wiredfool authored and hugovk committed Apr 1, 2021
    3bf5edd
  3. Fix EPS DOS on _open -- CVE-2021-28677

    * The readline used in EPS has to deal with any combination of \r and
      \n as line endings. It used an accidentally quadratic method of
      accumulating lines while looking for a line ending.
    * A malicious EPS file could use this to perform a DOS of Pillow in
      the open phase, before an image was accepted for opening.
    * This dates to the PIL Fork
    wiredfool authored and hugovk committed Apr 1, 2021
    5a5e6db
  4. Fix FLI DOS -- CVE-2021-28676

    * FliDecode did not properly check that the block advance was
      non-zero, potentially leading to an infinite loop on load.
    * This dates to the PIL Fork
    * Found with oss-fuzz
    wiredfool authored and hugovk committed Apr 1, 2021
    bb6c11f
  5. Fix Memory DOS in ImageFont

    * A corrupt or specially crafted TTF font could have font metrics that
      lead to unreasonably large sizes when rendering text in
      font. ImageFont.py did not check the image size before allocating
      memory for it.
    * Found with oss-fuzz
    * This dates from the PIL fork
    wiredfool authored and hugovk committed Apr 1, 2021
    ba65f0b
  6. Fix DOS in PSDImagePlugin -- CVE-2021-28675

    * PSDImagePlugin did not sanity check the number of input layers
      vs the size of the data block; this could lead to a DOS on
      Image.open prior to Image.load.
    * This issue dates to the PIL fork
    wiredfool authored and hugovk committed Apr 1, 2021
    22e9bee
  7. Fix BLP DOS -- CVE-2021-28678

    * BlpImagePlugin did not properly check that reads after jumping to
      file offsets returned data. This could lead to a DOS where the
      decoder could be run a large number of times on empty data
    * This dates to Pillow 5.1.0
    wiredfool authored and hugovk committed Apr 1, 2021
    496245a
  8. Reorder, roughly alphabetic

    hugovk committed Apr 1, 2021
    fea4196
  9. Review, typos and lint

    hugovk committed Apr 1, 2021
    8febdad
  10. Fix typo [ci skip]

    Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
    hugovk and radarhere committed Apr 1, 2021
    694c84f
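
Commit 3 above (CVE-2021-28677) describes a readline that accumulates a line quadratically while looking for any combination of \r and \n. The following Python code is an added example, not Pillow's code: it contrasts per-byte concatenation with list-and-join accumulation and counts the bytes each one copies. The function names, the sample bytes and the rule that a line ending is one \r or \n optionally followed by the other are assumptions made for illustration.

```python
import io

EOL = b"\r\n"

def _consume_eol(fp, first):
    """After one EOL byte, swallow its partner so \\r\\n and \\n\\r count once."""
    nxt = fp.read(1)
    if nxt and not (nxt in EOL and nxt != first):
        fp.seek(-1, io.SEEK_CUR)  # not a partner byte: put it back

def readline_quadratic(fp):
    """Rebuilds the line on every byte; returns (line, bytes_copied)."""
    line, copied = b"", 0
    c = fp.read(1)
    while c and c not in EOL:     # "c and" also stops the loop at EOF
        line = line + c           # new bytes object: copies the whole line so far
        copied += len(line)
        c = fp.read(1)
    if c:
        _consume_eol(fp, c)
    return line, copied

def readline_linear(fp):
    """Collects bytes in a list and joins once; returns (line, bytes_copied)."""
    parts = []
    c = fp.read(1)
    while c and c not in EOL:
        parts.append(c)           # amortised O(1), earlier bytes are not copied
        c = fp.read(1)
    if c:
        _consume_eol(fp, c)
    line = b"".join(parts)        # single copy of the finished line
    return line, len(line)

def read_all(reader, data):
    """Read every line from data; return (lines, total bytes copied)."""
    fp, lines, total = io.BytesIO(data), [], 0
    while fp.tell() < len(data):
        line, copied = reader(fp)
        lines.append(line)
        total += copied
    return lines, total

# Constructed sample: mixed line endings, then one long line with no ending.
SAMPLE = b"%!PS-Adobe-3.0\r\n%%BoundingBox: 0 0 1 1\n\r%%EndComments\r" + b"A" * 2000
```

Both readers return the same lines; only the copy count differs, growing as n(n+1)/2 for a line of n bytes in the concatenating version and as n in the joining one.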