Skip to content

Commit

Permalink
Fix headers and retro-add notes for #7864
Browse files Browse the repository at this point in the history
- Include CVE link in title (via @hugovk)
- Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
  • Loading branch information
aclark4life committed Mar 15, 2024
1 parent f61e184 commit c69dcc1
Show file tree
Hide file tree
Showing 23 changed files with 137 additions and 254 deletions.
9 changes: 3 additions & 6 deletions docs/releasenotes/10.0.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,10 @@ now been fixed.
This effectively dates to the PIL fork, since problem images would still have
been processed before Pillow started checking for decompression bombs.

Fix CVE-2023-44271
^^^^^^^^^^^^^^^^^^
.. _Added ImageFont.MAX_STRING_LENGTH:

.. note:: More information about this vulnerability included in database record :cve:`2023-44271`

Added ImageFont.MAX_STRING_LENGTH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2023-44271`: Added ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
Expand Down
9 changes: 4 additions & 5 deletions docs/releasenotes/10.0.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,12 @@
Security
========

Fix CVE-2023-4863
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2023-4863`
:cve:`2023-4863`: Updated install script and updated wheels
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This release provides an updated install script and updated wheels to
include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP.
include libwebp 1.3.2, preventing a potential heap buffer overflow in
WebP.

Updated tests to pass with latest zlib version
==============================================
Expand Down
9 changes: 2 additions & 7 deletions docs/releasenotes/10.2.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,8 @@ To protect against potential DOS attacks when using PIL fonts,
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
they do not extend beyond the bitmap image.

Fix CVE-2023-50447
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2023-50447`

ImageMath.eval: Restricted environment keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2023-50447`: ImageMath.eval: Restricted environment keys
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
Expand Down
14 changes: 9 additions & 5 deletions docs/releasenotes/2.3.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,14 @@
Security
========

Fix CVE-2014-1932, CVE-2014-1933
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These issues reported in `Debian bug #737059 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059>`_.

.. note:: More information about these vulnerabilities included in database records :cve:`2014-1932`, :cve:`2014-1933`
:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fix insecure use of :py:func:`tempfile.mktemp` as reported in
`Debian bug #737059 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059>`_.
The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp`
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
12 changes: 12 additions & 0 deletions docs/releasenotes/2.3.2.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
2.3.2
-----

Security
========

:cve:`2014-3589`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
block size.
12 changes: 12 additions & 0 deletions docs/releasenotes/2.5.2.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
2.5.2
-----

Security
========

:cve:`2014-3589`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
block size.
31 changes: 8 additions & 23 deletions docs/releasenotes/3.1.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,8 @@
Security
========

Fix CVE-2016-0740
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2016-0740`

Buffer overflow in TiffDecode.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2016-0740`: Buffer overflow in TiffDecode.c
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Pillow 3.1.0 and earlier when linked against
libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
Expand All @@ -27,16 +22,11 @@ image data over 64k is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.

Fix CVE-2016-0775
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2016-0775`
:cve:`2016-0775`: Buffer overflow in FliDecode.c
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Buffer overflow in FliDecode.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In all versions of Pillow, dating back at least to
the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.
In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, FliDecode.c has a buffer overflow error.

Around line 192:

Expand All @@ -61,13 +51,8 @@ off the end of the memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.

Fix CVE-2016-2533
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability available in :cve:`2016-2533`

Buffer overflow in PcdDecode.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2016-2533`: Buffer overflow in PcdDecode.c
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In all versions of Pillow, dating back at least to the
last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error.
Expand Down
9 changes: 2 additions & 7 deletions docs/releasenotes/3.1.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,8 @@
Security
========

Fix CVE-2016-3076
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2016-3076`

Buffer overflow in Jpeg2KEncode.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2016-3076`: Buffer overflow in Jpeg2KEncode.c
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Pillow between 2.5.0 and 3.1.1 may overflow a buffer
when writing large Jpeg2000 files, allowing for code execution or other
Expand Down
10 changes: 4 additions & 6 deletions docs/releasenotes/6.2.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,11 @@ Decompression bomb checks have been added to GIF and ICO formats.
An error is now raised if a TIFF dimension is a string, rather than trying to
perform operations on it.

Fix CVE-2019-16865
^^^^^^^^^^^^^^^^^^
:cve:`2019-16865`: Fix DOS attack
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2019-16865`

The CVE is regarding DOS problems, such as consuming large
amounts of memory, or taking a large amount of time to process an image.
The CVE is regarding DOS problems, such as consuming large amounts of memory,
or taking a large amount of time to process an image.

API Additions
=============
Expand Down
37 changes: 12 additions & 25 deletions docs/releasenotes/6.2.2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,45 +4,32 @@
Security
========

This release fixes several buffer overruns and DOS attacks reported in CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312 and CVE-2020-5313.
This release fixes several buffer overruns and DOS attacks.

Fix CVE-2019-19911
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2019-19911`

DOS attack vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2019-19911`: DOS attack vulnerability
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If an FPX image reports that it has a large number of bands, a large amount of
resources will be used when trying to process the image. This is fixed by
limiting the number of bands to those usable by Pillow.

Fix CVE-2020-5310
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-5310`
:cve:`2020-5310`: Overflow checks added to TIFF image processing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Overflow checks have been added when calculating the size of a memory block to be reallocated
in the processing of a TIFF image.

Fix CVE-2020-5311
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-5311`
:cve:`2020-5311`: Overflow checks added to SGI image processing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Buffer overruns were found when processing an SGI image. Checks have been added to prevent this.

Fix CVE-2020-5312
^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-5312`

Buffer overruns were found when processing an SGI PCX. Checks have been added to prevent this.
:cve:`2020-5312`: Overflow checks added to PCX image processing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fix CVE-2020-5313
^^^^^^^^^^^^^^^^^
Buffer overruns were found when processing a PCX image. Checks have been added to prevent this.

.. note:: More information about this vulnerability included in database record :cve:`2020-5313`
:cve:`2020-5313`: Overflow checks added to FLI image processing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Buffer overruns were found when processing an FLI image. Checks have been added to prevent this.
40 changes: 15 additions & 25 deletions docs/releasenotes/7.1.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -6,40 +6,30 @@ Security

This release includes many security fixes.

Fix CVE-2020-10177
^^^^^^^^^^^^^^^^^^
:cve:`2020-10177`: Multiple out-of-bounds reads in FLI decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-10177`
Pillow before 7.1.0 has multiple out-of-bounds reads in ``libImaging/FliDecode.c``.

Multiple out-of-bounds reads in FLI decoding.
:cve:`2020-10378`: Bounds overflow in PCX decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fix CVE-2020-10378
^^^^^^^^^^^^^^^^^^
In ``libImaging/PcxDecode.c`` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.

.. note:: More information about this vulnerability included in database record :cve:`2020-10378`
:cve:`2020-10379`: Two buffer overflows in TIFF decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bounds overflow in PCX decoding.
In Pillow before 7.1.0, there are two buffer overflows in ``libImaging/TiffDecode.c``.

Fix CVE-2020-10379
^^^^^^^^^^^^^^^^^^
:cve:`2020-10994`: Bounds overflow in JPEG 2000 decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-10379`
In ``libImaging/Jpeg2KDecode.c`` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Two buffer overflows in TIFF decoding.

Fix CVE-2020-10994
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-10994`

Bounds overflow in JPEG 2000 decoding.

Fix CVE-2020-11538
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-11538`
:cve:`2020-11538`: Buffer overflow in SGI-RLE decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Buffer overflow in SGI-RLE decoding.
In ``libImaging/SgiRleDecode.c`` in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

API Changes
===========
Expand Down
9 changes: 2 additions & 7 deletions docs/releasenotes/8.0.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,8 @@
Security
========

Fix CVE-2020-15999
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-15999`

Update FreeType in wheels to `2.10.4`_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2020-15999`: Update FreeType in wheels to `2.10.4`_
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A heap buffer overflow has been found in the handling of embedded PNG bitmaps,
introduced in FreeType version 2.6.
Expand Down
27 changes: 6 additions & 21 deletions docs/releasenotes/8.1.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -9,25 +9,15 @@ This release includes security fixes.
* An out-of-bounds read when saving TIFFs with custom metadata through LibTIFF
* An out-of-bounds read when saving a GIF of 1px width

Fix CVE-2020-35653
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-35653`

Buffer read overrun in PCX decoding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2020-35653`: Buffer read overrun in PCX decoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The PCX image decoder used the reported image stride to calculate
the row buffer, rather than calculating it from the image size. This issue dates back
to the PIL fork. Thanks to Google's `OSS-Fuzz`_ project for finding this.

Fix CVE-2020-35654
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-35654`

TIFF out-of-bounds write error
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2020-35654`: TIFF out-of-bounds write error
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Out-of-bounds write in ``TiffDecode.c`` when reading corrupt YCbCr
files in some LibTIFF versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04).
Expand All @@ -36,13 +26,8 @@ leading to an out-of-bounds write in ``TiffDecode.c``. This potentially affects
versions from 6.0.0 to 8.0.1, depending on the version of LibTIFF. This was reported through
`Tidelift`_.

Fix CVE-2020-35655
^^^^^^^^^^^^^^^^^^

.. note:: More information about this vulnerability included in database record :cve:`2020-35655`

SGI Decode buffer overrun
~~~~~~~~~~~~~~~~~~~~~~~~~
:cve:`2020-35655`: SGI Decode buffer overrun
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4 byte read overflow in ``SgiRleDecode.c``, where the code was not correctly
checking the offsets and length tables. Independently reported through `Tidelift`_ and Google's
Expand Down
Loading

0 comments on commit c69dcc1

Please sign in to comment.