Skip to content

Commit

Permalink
Clean up for #7864
Browse files Browse the repository at this point in the history
  • Loading branch information
aclark4life committed Mar 13, 2024
1 parent c9c9a18 commit 669ba7f
Show file tree
Hide file tree
Showing 19 changed files with 60 additions and 101 deletions.
4 changes: 2 additions & 2 deletions docs/releasenotes/10.0.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,10 @@ been processed before Pillow started checking for decompression bombs.
Fix CVE-2023-44271
^^^^^^^^^^^^^^^^^^

Added ImageFont.MAX_STRING_LENGTH.

.. note:: More information about this vulnerability included in database record :cve:`2023-44271`

Added ImageFont.MAX_STRING_LENGTH.

To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
passed into ImageFont methods is over a certain limit,
Expand Down
2 changes: 0 additions & 2 deletions docs/releasenotes/10.0.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@ Security
Fix CVE-2023-4863
^^^^^^^^^^^^^^^^^

Updated install script and wheels with libwebp 1.3.2

.. note:: More information about this vulnerability included in database record :cve:`2023-4863`

This release provides an updated install script and updated wheels to
Expand Down
4 changes: 2 additions & 2 deletions docs/releasenotes/10.2.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,10 @@ they do not extend beyond the bitmap image.
Fix CVE-2023-50447
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ImageMath.eval: Restricted environment keys.

.. note:: More information about this vulnerability included in database record :cve:`2023-50447`

ImageMath.eval: Restricted environment keys.

If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
Expand Down
12 changes: 6 additions & 6 deletions docs/releasenotes/3.1.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ Security
Fix CVE-2016-0740
^^^^^^^^^^^^^^^^^

Buffer overflow in TiffDecode.c.

.. note:: More information about this vulnerability included in database record :cve:`2016-0740`

Buffer overflow in TiffDecode.c.

Pillow 3.1.0 and earlier when linked against
libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
specially crafted tiff file.
Expand All @@ -29,10 +29,10 @@ This issue was found by security researcher FourOne.
Fix CVE-2016-0775
^^^^^^^^^^^^^^^^^

Buffer overflow in FliDecode.c.

.. note:: More information about this vulnerability included in database record :cve:`2016-0775`

Buffer overflow in FliDecode.c.

In all versions of Pillow, dating back at least to
the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.

Expand Down Expand Up @@ -62,10 +62,10 @@ This issue was found by Alyssa Besseling at Atlassian.
Fix CVE-2016-2533
^^^^^^^^^^^^^^^^^

Buffer overflow in PcdDecode.c.

.. note:: More information about this vulnerability available in :cve:`2016-2533`

Buffer overflow in PcdDecode.c.

In all versions of Pillow, dating back at least to the
last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error.

Expand Down
4 changes: 2 additions & 2 deletions docs/releasenotes/3.1.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ Security
Fix CVE-2016-3076
^^^^^^^^^^^^^^^^^

Buffer overflow in Jpeg2KEncode.c.

.. note:: More information about this vulnerability included in database record :cve:`2016-3076`

Buffer overflow in Jpeg2KEncode.c.

Pillow between 2.5.0 and 3.1.1 may overflow a buffer
when writing large Jpeg2000 files, allowing for code execution or other
memory corruption.
Expand Down
2 changes: 0 additions & 2 deletions docs/releasenotes/6.2.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ perform operations on it.
Fix CVE-2019-16865
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

DOS attack vulnerabilities.

.. note:: More information about this vulnerability included in database record :cve:`2019-16865`

The CVE is regarding DOS problems, such as consuming large
Expand Down
26 changes: 7 additions & 19 deletions docs/releasenotes/6.2.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -9,51 +9,39 @@ This release fixes several buffer overruns and DOS attacks reported in CVE-2019-
Fix CVE-2019-19911
^^^^^^^^^^^^^^^^^^

DOS attack vulnerability.

.. note:: More information about this vulnerability included in database record :cve:`2019-19911`

DOS attack vulnerability.

If an FPX image reports that it has a large number of bands, a large amount of
resources will be used when trying to process the image. This is fixed by
limiting the number of bands to those usable by Pillow.


Fix CVE-2020-5310
^^^^^^^^^^^^^^^^^

Overflow checks added to TIFF image processing.

.. note:: More information about this vulnerability included in database record :cve:`2020-5310`

Overflow checks have been added when calculating the size of a
memory block to be reallocated in the processing of a TIFF image.
Overflow checks have been added when calculating the size of a memory block to be reallocated
in the processing of a TIFF image.

Fix CVE-2020-5311
^^^^^^^^^^^^^^^^^

Overflow checks added to SGI image processing.

.. note:: More information about this vulnerability included in database record :cve:`2020-5311`

Buffer overruns were found when processing an SGI image. Checks
have been added to prevent this.
Buffer overruns were found when processing an SGI image. Checks have been added to prevent this.

Fix CVE-2020-5312
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Overflow checks added to PCX image processing.

.. note:: More information about this vulnerability included in database record :cve:`2020-5312`

Buffer overruns were found when processing an SGI PCX. Checks have
been added to prevent this.
Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this.

Fix CVE-2020-5313
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Overflow checks added to FLI image processing.

.. note:: More information about this vulnerability included in database record :cve:`2020-5313`

Buffer overruns were found when processing an FLI image. Checks
have been added to prevent this.
Buffer overruns were found when processing an FLI image. Checks have been added to prevent this.
20 changes: 10 additions & 10 deletions docs/releasenotes/7.1.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -9,38 +9,38 @@ This release includes many security fixes.
Fix CVE-2020-10177
^^^^^^^^^^^^^^^^^^

Multiple out-of-bounds reads in FLI decoding.

.. note:: More information about this vulnerability included in database record :cve:`2020-10177`

Multiple out-of-bounds reads in FLI decoding.

Fix CVE-2020-10378
^^^^^^^^^^^^^^^^^^

Bounds overflow in PCX decoding.

.. note:: More information about this vulnerability included in database record :cve:`2020-10378`

Bounds overflow in PCX decoding.

Fix CVE-2020-10379
^^^^^^^^^^^^^^^^^^

Two buffer overflows in TIFF decoding

.. note:: More information about this vulnerability included in database record :cve:`2020-10379`

Two buffer overflows in TIFF decoding.

Fix CVE-2020-10994
^^^^^^^^^^^^^^^^^^

Bounds overflow in JPEG 2000 decoding

.. note:: More information about this vulnerability included in database record :cve:`2020-10994`

Bounds overflow in JPEG 2000 decoding.

Fix CVE-2020-11538
^^^^^^^^^^^^^^^^^^

Buffer overflow in SGI-RLE decoding

.. note:: More information about this vulnerability included in database record :cve:`2020-11538`

Buffer overflow in SGI-RLE decoding.

API Changes
===========

Expand Down
4 changes: 1 addition & 3 deletions docs/releasenotes/8.0.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,9 @@ Security
Fix CVE-2020-15999
^^^^^^^^^^^^^^^^^^

Update FreeType version in wheels.

.. note:: More information about this vulnerability included in database record :cve:`2020-15999`

Update FreeType used in binary wheels to `2.10.4`_.
Update FreeType in wheels to `2.10.4`_.

- A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
introduced in FreeType version 2.6.
Expand Down
12 changes: 6 additions & 6 deletions docs/releasenotes/8.1.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -12,21 +12,21 @@ This release includes security fixes.
Fix CVE-2020-35653
^^^^^^^^^^^^^^^^^^

Buffer read overrun in PCX decoding.

.. note:: More information about this vulnerability included in database record :cve:`2020-35653`

Buffer read overrun in PCX decoding.

The PCX image decoder used the reported image stride to calculate
the row buffer, rather than calculating it from the image size. This issue dates back
to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.

Fix CVE-2020-35654
^^^^^^^^^^^^^^^^^^

TIFF out-of-bounds write error.

.. note:: More information about this vulnerability included in database record :cve:`2020-35654`

TIFF out-of-bounds write error.

Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
In some cases LibTIFF's interpretation of the file is different when reading in RGBA mode,
Expand All @@ -37,10 +37,10 @@ versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was repo
Fix CVE-2020-35655
^^^^^^^^^^^^^^^^^^

SGI Decode buffer overrun

.. note:: More information about this vulnerability included in database record :cve:`2020-35655`

SGI Decode buffer overrun.

4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
`OSS-Fuzz`_. This vulnerability covers Pillow versions 4.3.0->8.0.1.
Expand Down
20 changes: 4 additions & 16 deletions docs/releasenotes/8.1.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,49 +7,37 @@ Security
Fix CVE-2021-25289
^^^^^^^^^^^^^^^^^^

The previous fix for CVE-2020-35654 was insufficient.

.. note:: More information about this vulnerability included in database record :cve:`2021-25289`

The previous fix for :cve:`2020-35654` was insufficient due to incorrect error checking in ``TiffDecode.c``.

Fix CVE-2021-25290
^^^^^^^^^^^^^^^^^^

In ``TiffDecode.c`` there is a negative-offset.

.. note:: More information about this vulnerability included in database record :cve:`2021-25290`

In ``TiffDecode.c``, there is a negative-offset ``memcpy``
with an invalid size.
In ``TiffDecode.c``, there is a negative-offset ``memcpy`` with an invalid size.

Fix CVE-2021-25291
^^^^^^^^^^^^^^^^^^

``TiffDecode.c`` has invalid tile boundaries.

.. note:: More information about this vulnerability included in database record :cve:`2021-25291`

In ``TiffDecode.c``, invalid tile boundaries could lead to
an out-of-bounds read in ``TIFFReadRGBATile``.
In ``TiffDecode.c``, invalid tile boundaries could lead to an out-of-bounds read in ``TIFFReadRGBATile``.

Fix CVE-2021-25292
^^^^^^^^^^^^^^^^^^

The PDF parser has a catastrophic backtracking regex.

.. note:: More information about this vulnerability included in database record :cve:`2021-25292`:

The PDF parser has a catastrophic backtracking regex
that could be used as a DOS attack.
The PDF parser has a catastrophic backtracking regex that could be used as a DOS attack.

Fix CVE-2021-25293
^^^^^^^^^^^^^^^^^^

There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.

.. note:: More information about this vulnerability included in database record :cve:`2021-25293`

There is an out-of-bounds read in ``SgiRleDecode.c`` since Pillow 4.3.0.

Other Changes
=============
Expand Down
23 changes: 6 additions & 17 deletions docs/releasenotes/8.1.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,38 +7,27 @@ Security
Fix CVE-2021-27921
^^^^^^^^^^^^^^^^^^

There is an exhaustion of memory DOS in BLP images.

.. note:: More information about this vulnerability included in database record :cve:`2021-27921`

There is an exhaustion of memory DOS in BLP
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
There is an exhaustion of memory DOS in BLP images. where Pillow did not properly check the
reported size of the contained image. These images could cause arbitrarily large memory
allocations.

Fix CVE-2021-27922
^^^^^^^^^^^^^^^^^^

There is an exhaustion of memory DOS in ICNS images.

.. note:: More information about this vulnerability included in database record :cve:`2021-27921`

There is an exhaustion of memory DOS in the ICNS
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations.
There is an exhaustion of memory DOS in ICNS images where Pillow did not properly check the
reported size of the contained image. These images could cause arbitrarily large memory allocations.

Fix CVE-2021-27923
^^^^^^^^^^^^^^^^^^

There is an exhaustion of memory DOS in ICO images.

.. note:: More information about this vulnerability included in database record :cve:`2021-27923`

There is an exhaustion of memory DOS in ICO
images where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations.
There is an exhaustion of memory DOS in ICO images where Pillow did not properly check the reported
size of the contained image. These images could cause arbitrarily large memory allocations.

These were reported by Jiayi Lin, Luke Shaffer, Xinran Xie and
Akshay Ajayan of `Arizona State University <https://www.asu.edu/>`_.
4 changes: 2 additions & 2 deletions docs/releasenotes/8.2.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ These were all found with `OSS-Fuzz`_.
Fix CVE-2021-25287, CVE-2021-25288, CVE-2021-28675
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

OOB read in Jpeg2KDecode

.. note:: More information about these vulnerabilities included in database records
:cve:`2021-25287`, :cve:`2021-25288`, :cve:`2021-28675`

OOB read in Jpeg2KDecode

* For J2k images with multiple bands, it's legal to have different widths for each band,
e.g. 1 byte for ``L``, 4 bytes for ``A``.
* This dates to Pillow 2.4.0.
Expand Down
4 changes: 2 additions & 2 deletions docs/releasenotes/8.3.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,10 @@ Buffer overflow
Fix CVE-2021-34552
^^^^^^^^^^^^^^^^^^

Buffer overflow

.. note:: More information about this vulnerability included in database record :cve:`2021-34552`

Buffer overflow

PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger
buffer overflow in Convert.c.

Expand Down
4 changes: 2 additions & 2 deletions docs/releasenotes/8.3.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ Security
Fix CVE-2021-23437
^^^^^^^^^^^^^^^^^^

Avoid potential ReDoS (regular expression denial of service)

.. note:: More information about this vulnerability included in database record :cve:`2021-23437`

Avoid potential ReDoS (regular expression denial of service)

Avoid a potential ReDoS (regular expression denial of service) in :py:class:`~PIL.ImageColor`'s
:py:meth:`~PIL.ImageColor.getrgb` by raising :py:exc:`ValueError` if the color specifier is
too long. Present since Pillow 5.2.0.
Expand Down
Loading

0 comments on commit 669ba7f

Please sign in to comment.