Backfill release notes with security fix details

[aclark4life]

In #1015 @homm wisely noted that CHANGES.rst is full of "one liners" and that sometimes more detail is needed, which led to the addition of release notes in #1032 corresponding with Pillow 2.7 which was the current release at the time. Thus formally implementing the procedure of adding release notes to every release since.

Fast forward to now and I've noticed that it's hard to find a comprehensive list of all security fixes with details including corresponding CVEs because prior to the release of Pillow 2.7 they are only listed in CHANGES.rst where very little detail is included.

So, I'm planning to back fill the release notes with the entire history of Pillow security fixes with details gathered from CHANGES.rst, git log and various CVE databases. This has to be done with some care so as to avoid providing confusing or even incorrect details about Pillow's security history.

For example, starting with Pillow 2.3.1 we have this commit:

commit 1e331e3e6a40141ca8eee4f5da9f74e895423b66
Author: wiredfool <[email protected]>
Date:   Fri Mar 14 15:56:41 2014 -0700
    
    Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059

And these details from NIST:

CVE-2014-1932

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVE-2014-1933

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

Accordingly, to begin, I'll create docs/releasenotes/2.3.1.rst and add this information to it. Then I'll repeat the process for all releases between 2.3 to present that contain security fixes. Some but not all security fixes from 2.7 to present are already listed in release notes, but I want to confirm that.

For example here's all the CVEs from CHANGES.rst:

• CVE-2007-4559 patch when building on Windows CVE-2007-4559 patch when building on Windows #6704
• When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595
• In show_file, use os.remove to remove temporary images. CVE-2022-24303 In show_file, use os.remove to remove temporary images #6010
• Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 Restrict builtins within lambdas for ImageMath.eval #6009
• Restrict builtins for ImageMath.eval(). CVE-2022-22817 CVE-2022-22817 Restrict builtins for ImageMath.eval() #5923
• Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 CVE-2022-22815, CVE-2022-22816: Fixed ImagePath.Path array handling #5920
• CVE-2021-23437 Raise ValueError if color specifier is too long
• Use snprintf instead of sprintf. CVE-2021-34552 Use snprintf instead of sprintf #5567
• Moved CVE image to pillow-depends Moved CVE image to pillow-depends #5561
• Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO (CVE-2021-27923) Image Plugins
• Use more specific regex chars to prevent ReDoS. CVE-2021-25292
• Fix OOB Read in TiffDecode.c, and check the tile validity before reading. CVE-2021-25291
• Fix negative size read in TiffDecode.c. CVE-2021-25290
• Fix OOB read in SgiRleDecode.c. CVE-2021-25293
• Incorrect error code checking in TiffDecode.c. CVE-2021-25289
• Fix TIFF OOB Write error. CVE-2020-35654 Fix TIFF OOB Write error #5175
• Fix for Read Overflow in PCX Decoding. CVE-2020-35653 Fix for Buffer Read Overrun in PCX Decoding #5174
• Fix for SGI Decode buffer overrun. CVE-2020-35655 Fix for SGI Decode buffer overrun #5173
• Moved string_dimension CVE image to pillow-depends Moved string_dimension CVE image to pillow-depends #4993
• Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.
• Moved CVE images to pillow-depends Moved CVE images to pillow-depends #4929
• Overflow checks for realloc for tiff decoding. CVE-2020-5310
• Catch SGI buffer overrun. CVE-2020-5311
• Catch PCX P mode buffer overrun. CVE-2020-5312
• Catch FLI buffer overrun. CVE-2020-5313
• Raise an error for an invalid number of bands in FPX image. CVE-2019-19911
• Fixed an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076
• Fixed a buffer overflow in PcdDecode.c causing a segfault when opening PhotoCD files. CVE-2016-2533
• Fixed a buffer overflow in FliDecode.c causing a segfault when opening FLI files. CVE-2016-0775
• Fixed a buffer overflow in TiffDecode.c causing an arbitrary amount of memory to be overwritten when opening a specially crafted invalid TIFF file. CVE-2016-0740
• Fix CVE-2014-9601, potential PNG decompression DOS Fix potential PNG decompression DOS #1060
• Fix CVE-2014-9601, potential PNG decompression DOS Fix potential PNG decompression DOS #1060
• Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin
• Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin
• Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin (backport)
• Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin (backport)
• Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin (backport)
• Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)

And here's all CVEs mentioned in the release notes:

• docs/releasenotes/10.0.0.rst::cve:2023-44271: To protect against potential DOS attacks when using arbitrary strings as text
• docs/releasenotes/10.0.1.rst:This release addresses :cve:2023-4863, by providing an updated install script and
• docs/releasenotes/10.2.0.rst::cve:2023-50447: If an attacker has control over the keys passed to the
• docs/releasenotes/3.1.1.rst:CVE-2016-0740 -- Buffer overflow in TiffDecode.c
• docs/releasenotes/3.1.1.rst:may overflow a buffer when reading a specially crafted tiff file (:cve:2016-0740).
• docs/releasenotes/3.1.1.rst:CVE-2016-0775 -- Buffer overflow in FliDecode.c
• docs/releasenotes/3.1.1.rst:release, FliDecode.c has a buffer overflow error (:cve:2016-0775).
• docs/releasenotes/3.1.1.rst:CVE-2016-2533 -- Buffer overflow in PcdDecode.c
• docs/releasenotes/3.1.1.rst:release, PcdDecode.c has a buffer overflow error (:cve:2016-2533).
• docs/releasenotes/3.1.2.rst:CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
• docs/releasenotes/3.1.2.rst:corruption (:cve:2016-3076).
• docs/releasenotes/6.2.0.rst::cve:2019-16865. The CVE is regarding DOS problems, such as consuming large
• docs/releasenotes/6.2.2.rst::cve:2019-19911 is regarding FPX images. If an image reports that it has a large
• docs/releasenotes/6.2.2.rst:Buffer overruns were found when processing an SGI (:cve:2020-5311),
• docs/releasenotes/6.2.2.rst:PCX (:cve:2020-5312) or FLI image (:cve:2020-5313). Checks have been added
• docs/releasenotes/6.2.2.rst::cve:2020-5310: Overflow checks have been added when calculating the size of a
• docs/releasenotes/7.1.0.rst:* :cve:2020-10177 Fix multiple out-of-bounds reads in FLI decoding
• docs/releasenotes/7.1.0.rst:* :cve:2020-10378 Fix bounds overflow in PCX decoding
• docs/releasenotes/7.1.0.rst:* :cve:2020-10379 Fix two buffer overflows in TIFF decoding
• docs/releasenotes/7.1.0.rst:* :cve:2020-10994 Fix bounds overflow in JPEG 2000 decoding
• docs/releasenotes/7.1.0.rst:* :cve:2020-11538 Fix buffer overflow in SGI-RLE decoding
• docs/releasenotes/8.0.1.rst:Update FreeType used in binary wheels to 2.10.4_ to fix :cve:2020-15999:
• docs/releasenotes/8.1.0.rst:vulnerability introduced in FreeType 2.6 (:cve:2020-15999).
• docs/releasenotes/8.1.0.rst:* :cve:2020-35653 Buffer read overrun in PCX decoding
• docs/releasenotes/8.1.0.rst:* :cve:2020-35654 Fix TIFF out-of-bounds write error
• docs/releasenotes/8.1.0.rst:* :cve:2020-35655 Fix for SGI Decode buffer overrun
• docs/releasenotes/8.1.1.rst::cve:2021-25289: The previous fix for :cve:2020-35654 was insufficient
• docs/releasenotes/8.1.1.rst::cve:2021-25290: In TiffDecode.c, there is a negative-offset memcpy
• docs/releasenotes/8.1.1.rst::cve:2021-25291: In TiffDecode.c, invalid tile boundaries could lead to
• docs/releasenotes/8.1.1.rst::cve:2021-25292: The PDF parser has a catastrophic backtracking regex
• docs/releasenotes/8.1.1.rst::cve:2021-25293: There is an out-of-bounds read in SgiRleDecode.c,
• docs/releasenotes/8.1.2.rst:There is an exhaustion of memory DOS in the BLP (:cve:2021-27921),
• docs/releasenotes/8.1.2.rst:ICNS (:cve:2021-27922) and ICO (:cve:2021-27923) container formats
• docs/releasenotes/8.2.0.rst::cve:2021-25287, :cve:2021-25288: Fix OOB read in Jpeg2KDecode
• docs/releasenotes/8.2.0.rst::cve:2021-28675: Fix DOS in PsdImagePlugin
• docs/releasenotes/8.2.0.rst::cve:2021-28676: Fix FLI DOS
• docs/releasenotes/8.2.0.rst::cve:2021-28677: Fix EPS DOS on _open
• docs/releasenotes/8.2.0.rst::cve:2021-28678: Fix BLP DOS
• docs/releasenotes/8.3.0.rst:This release addresses :cve:2021-34552. PIL since 1.1.4 and Pillow since 1.0
• docs/releasenotes/8.3.2.rst:* :cve:2021-23437: Avoid a potential ReDoS (regular expression denial of service)
• docs/releasenotes/9.0.0.rst:vulnerability introduced in FreeType 2.6 (:cve:2020-15999).
• docs/releasenotes/9.0.0.rst::cve:2022-22817: To limit :py:class:PIL.ImageMath to working with images, Pillow
• docs/releasenotes/9.0.0.rst::cve:2022-22815 (:cwe:126) and :cve:2022-22816 (:cwe:665) were
• docs/releasenotes/9.0.1.rst::cve:2022-24303: If the path to the temporary directory on Linux or macOS
• docs/releasenotes/9.0.1.rst::cve:2022-22817: While Pillow 9.0 restricted top-level builtins available to
• docs/releasenotes/9.1.1.rst::cve:2022-30595: When reading a TGA file with RLE packets that cross scan lines,

And here's all the CVEs mentioned in git log along with line numbers:

• 5: Combine CVEs
• 75: - Include CVE link in title (via @hugovk)
• 76: - Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
• 172: - Add suggested CVE format to template
• 175: - Update all existing CVE notes to match template
• 6216: Merge pull request Add CVE-2023-44271 to release notes #7520 from hugovk/CVE-2023-44271
• 6218: Add CVE-2023-44271 to release notes
• 6236: Add CVE-2023-44271 to ImageFont.MAX_STRING_LENGTH fix in release notes
• 17903: Merge pull request CVE-2007-4559 patch when building on Windows #6704 from nulano/cve-2007-4559
• 17905: CVE-2007-4559 patch in winbuild
• 29490: Merge pull request Add CVE IDs #5940 from hugovk/add-cves
• 29492: Add CVE IDs
• 29498: Add CVE IDs
• 29692: Merge pull request CVEs TBD #5924 from radarhere/cves
• 29694: CVEs TBD
• 29700: CVEs TBD
• 34352: Moved CVE image to pillow-depends
• 36703: Add test for CVE-2021-25292 ReDoS
• 36746: Add test for CVE-2021-25292 ReDoS
• 36948: Fix BLP DOS -- CVE-2021-28678
• 36959: Fix DOS in PSDImagePlugin -- CVE-2021-28675
• 36983: Fix FLI DOS -- CVE-2021-28676
• 36994: Fix EPS DOS on _open -- CVE-2021-28677
• 37007: Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288
• 38554: Added more CVE numbers to 8.1.1 release notes
• 38560: Added more CVE numbers [ci skip]
• 38775: * CVE-2021-25292
• 38781: Fix for CVE-2021-25291
• 38793: * CVE-2021-25290
• 38802: * CVE-2021-25293
• 38811: * CVE-2021-25289
• 39694: Merge pull request Corrected CVE number #5213 from radarhere/cve_number
• 39696: Corrected CVE number
• 39702: Corrected CVE number
• 40296: Document CVE fixes
• 40328: Document CVE fixes [ci skip]
• 40367: Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
• 40385: Fix CVE-2020-35654 - OOB Write in TiffDecode.c
• 40426: Fix for SGI Decode buffer overrun CVE-2020-35655
• 41754: Autolink CVEs with sphinx-issues
• 43998: Moved CVE images to pillow-depends
• 44004: Moved CVE images to pillow-depends
• 49550: Update 7.1.0 release notes with CVEs
• 49595: Update release notes with CVEs [CI skip]
• 52891: Merge pull request Add assigned CVE numbers #4332 from hugovk/add-cve-numbers
• 52893: Add assigned CVE numbers
• 52899: Add assigned CVE numbers
• 90226: Fixed j2k integer overflow error on encode - CVE-2016-3076
• 90863: Updated CVE id
• 90871: Added final CVE id
• 91104: Fix for buffer overflow in TiffDecode.c CVE-2016-0740
• 91110: FLI overflow error fix and testcase CVE-2016-0775
• 100454: Updated Changes.rst (cve number) [ci skip]
• 104720: J2k DOS fix -- CVE-2014-3598
• 104865: Merge pull request Icns DOS fix -- CVE-2014-3589 #845 from wiredfool/icns_cve
• 104867: Icns DOS fix -- CVE-2014-3589
• 104886: Icns DOS fix -- CVE-2014-3589
• 111730: Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059

If you have any comments/questions/concerns please add them here!