
Commit

Clean up for #7864
Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template
aclark4life committed Mar 13, 2024
1 parent 9e3d1a7 commit c9c9a18
Showing 20 changed files with 571 additions and 307 deletions.
54 changes: 29 additions & 25 deletions docs/releasenotes/10.0.0.rst
@@ -1,6 +1,35 @@
10.0.0
------

Security
========

Limit size even if one dimension is zero
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When performing decompression bomb checks, Pillow did not reject images with
excessive width and zero height, or zero width and excessive height. That has
now been fixed.

This effectively dates to the PIL fork, since problem images would still have
been processed before Pillow started checking for decompression bombs.

Fix CVE-2023-44271
^^^^^^^^^^^^^^^^^^

Added ImageFont.MAX_STRING_LENGTH.

.. note:: More information about this vulnerability included in database record :cve:`2023-44271`

To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
passed into ImageFont methods is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.

This threshold can be changed by setting
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
``ImageFont.MAX_STRING_LENGTH = None``.

Backwards Incompatible Changes
==============================
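Review bot: the `.. note::` sentence introduced here, "More information about this vulnerability included in database record :cve:`2023-44271`", is missing its verb, and because this hunk is the template that every other release note in this commit copies, the typo is replicated into each of them. Fix it once at the source: `.. note:: More information about this vulnerability is included in database record :cve:`2023-44271``. The one-line summary under "Fix CVE-2023-44271" ("Added ImageFont.MAX_STRING_LENGTH.") describes the fix rather than the problem, unlike the summaries in the older notes ("Buffer overflow in TiffDecode.c."); stating the denial-of-service issue first and the new limit second would read more consistently.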

Expand Down Expand Up @@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()``
and the image has an alpha channel, trim transparent pixels. Otherwise, trim
pixels when all channels are zero.

Security
========

Limit size even if one dimension is zero
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When performing decompression bomb checks, Pillow did not reject images with
excessive width and zero height, or zero width and excessive height. That has
now been fixed.

This effectively dates to the PIL fork, since problem images would still have
been processed before Pillow started checking for decompression bombs.

Added ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
passed into ImageFont methods is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.

This threshold can be changed by setting
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
``ImageFont.MAX_STRING_LENGTH = None``.

Other Changes
=============
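Review bot: this hunk removes the heading "Added ImageFont.MAX_STRING_LENGTH" and its text reappears under "Fix CVE-2023-44271" at the top of the file. Sphinx derives section ids from heading text, so any existing link to the old anchor for this section stops resolving after the rename. Either keep the descriptive wording in the new heading (for example "Fix CVE-2023-44271: Added ImageFont.MAX_STRING_LENGTH") or add an explicit `.. _added-imagefont-max-string-length:` label above the new heading so that old links keep working. The rest of the hunk is a pure move of the "Limit size even if one dimension is zero" text, with no wording change.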

12 changes: 9 additions & 3 deletions docs/releasenotes/10.0.1.rst
Expand Up @@ -4,9 +4,15 @@
Security
========

This release addresses :cve:`2023-4863`, by providing an updated install script and
updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
in WebP.
Fix CVE-2023-4863
^^^^^^^^^^^^^^^^^

Updated install script and wheels with libwebp 1.3.2

.. note:: More information about this vulnerability included in database record :cve:`2023-4863`

This release provides an updated install script and updated wheels to
include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP.

Updated tests to pass with latest zlib version
==============================================
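Review bot: the heading "Fix CVE-2023-4863" overstates what this release does. The body says the fix lives in libwebp 1.3.2 and that Pillow ships an updated install script and wheels carrying that version, so the vulnerability and its patch belong to libwebp, not to Pillow's own code. "Address CVE-2023-4863", or a summary line that names libwebp as the vulnerable component, tells readers who link Pillow against a system libwebp that upgrading Pillow alone does not cover them. The summary line "Updated install script and wheels with libwebp 1.3.2" is also the only one in this commit without a trailing period, and the `.. note::` line carries the template's missing "is".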
68 changes: 36 additions & 32 deletions docs/releasenotes/10.2.0.rst
@@ -1,6 +1,42 @@
10.2.0
------

Security
========

ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To protect against potential DOS attacks when using arbitrary strings as text input,
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.

This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.

A decompression bomb check has also been added to
:py:meth:`PIL.ImageFont.ImageFont.getmask`.

ImageFont.getmask: Trim glyph size
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To protect against potential DOS attacks when using PIL fonts,
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
they do not extend beyond the bitmap image.

Fix CVE-2023-50447
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ImageMath.eval: Restricted environment keys.

.. note:: More information about this vulnerability included in database record :cve:`2023-50447`

If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
containing double underscores will now raise a :py:exc:`ValueError`.

Deprecations
============
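Review bot: the underline beneath "Fix CVE-2023-50447" is several times longer than its 18-character title. reStructuredText accepts an over-long underline, so the build will not fail, but every other heading added in this commit is sized to its title; trim it to `^^^^^^^^^^^^^^^^^^` so a later editor does not read the stray length as a different heading level. The `.. note::` line has the same missing verb as the template ("vulnerability is included in database record"). The move of the "ImageFont.getmask" subsections is otherwise a verbatim relocation.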

Expand Down Expand Up @@ -63,38 +99,6 @@ JPEG tables-only streamtype
When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
output only the quantization and Huffman tables for the image.

Security
========

ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To protect against potential DOS attacks when using arbitrary strings as text input,
Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.

This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.

A decompression bomb check has also been added to
:py:meth:`PIL.ImageFont.ImageFont.getmask`.

ImageFont.getmask: Trim glyph size
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To protect against potential DOS attacks when using PIL fonts,
:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
they do not extend beyond the bitmap image.

ImageMath.eval: Restricted environment keys
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

:cve:`2023-50447`: If an attacker has control over the keys passed to the
``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
arbitrary code. To prevent this, keys matching the names of builtins and keys
containing double underscores will now raise a :py:exc:`ValueError`.

Other Changes
=============

44 changes: 29 additions & 15 deletions docs/releasenotes/3.1.1.rst
@@ -1,12 +1,19 @@

3.1.1
=====
-----

Security
========

Fix CVE-2016-0740
^^^^^^^^^^^^^^^^^

Buffer overflow in TiffDecode.c.

CVE-2016-0740 -- Buffer overflow in TiffDecode.c
------------------------------------------------
.. note:: More information about this vulnerability included in database record :cve:`2016-0740`

Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).
Pillow 3.1.0 and earlier when linked against
libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
specially crafted tiff file.

Specifically, libtiff >= 4.0.0 changed the return type of
``TIFFScanlineSize`` from ``int32`` to machine dependent
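Review bot: the paragraph "Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64 may overflow a buffer when reading a specially crafted tiff file" is rewrapped onto narrower lines with no change in wording other than dropping the trailing "(:cve:`2016-0740`)". Rewrapping unchanged prose adds diff noise and hides the one real edit from blame; keep the original wrapping and delete only the parenthetical. The title underline change from `=====` to `-----` is correct, since the new "Security" heading needs `====` for the level below the title and 10.0.0.rst already uses `-----` for titles, but it looks accidental in the diff and deserves a sentence in the commit message.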
Expand All @@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.

Fix CVE-2016-0775
^^^^^^^^^^^^^^^^^

CVE-2016-0775 -- Buffer overflow in FliDecode.c
-----------------------------------------------
Buffer overflow in FliDecode.c.

In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).
.. note:: More information about this vulnerability included in database record :cve:`2016-0775`

In all versions of Pillow, dating back at least to
the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.

Around line 192:

Expand All @@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.

CVE-2016-2533 -- Buffer overflow in PcdDecode.c
-----------------------------------------------
Fix CVE-2016-2533
^^^^^^^^^^^^^^^^^

Buffer overflow in PcdDecode.c.

.. note:: More information about this vulnerability available in :cve:`2016-2533`

In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).
In all versions of Pillow, dating back at least to the
last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error.

The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
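Review bot: the note for this CVE reads "More information about this vulnerability available in :cve:`2016-2533`", while every other note in this commit uses the template wording "included in database record :cve:`...`". The commit message says all existing CVE notes were updated to match the template, so this one was missed; change it to "More information about this vulnerability is included in database record :cve:`2016-2533`" so the notes stay greppable by a single phrase.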
Expand All @@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this
causes a segfault, in others an internal Python malloc error.

Integer overflow in Resample.c
------------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If a large value was passed into the new size for an image, it is
possible to overflow an ``int32`` value passed into malloc.
20 changes: 13 additions & 7 deletions docs/releasenotes/3.1.2.rst
@@ -1,13 +1,19 @@

3.1.2
=====
-----

Security
========

Fix CVE-2016-3076
^^^^^^^^^^^^^^^^^

Buffer overflow in Jpeg2KEncode.c.

CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
--------------------------------------------------
.. note:: More information about this vulnerability included in database record :cve:`2016-3076`

Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
large Jpeg2000 files, allowing for code execution or other memory
corruption (:cve:`2016-3076`).
Pillow between 2.5.0 and 3.1.1 may overflow a buffer
when writing large Jpeg2000 files, allowing for code execution or other
memory corruption.

This occurs specifically in the function ``j2k_encode_entry``, at the line:

53 changes: 32 additions & 21 deletions docs/releasenotes/6.2.0.rst
@@ -1,6 +1,38 @@
6.2.0
-----

Security
========

This release catches several buffer overruns and fixes CVE-2019-16865.

Buffer overruns
^^^^^^^^^^^^^^^

In RawDecode.c, an error is now thrown if skip is calculated to be less than
zero. It is intended to skip padding between lines, not to go backwards.

In PsdImagePlugin, if the combined sizes of the individual parts is larger than
the declared size of the extra data field, then it looked for the next layer by
seeking backwards. This is now corrected by seeking to (the start of the layer
+ the size of the extra data field) instead of (the read parts of the layer +
the rest of the layer).

Decompression bomb checks have been added to GIF and ICO formats.

An error is now raised if a TIFF dimension is a string, rather than trying to
perform operations on it.

Fix CVE-2019-16865
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

DOS attack vulnerabilities.

.. note:: More information about this vulnerability included in database record :cve:`2019-16865`

The CVE is regarding DOS problems, such as consuming large
amounts of memory, or taking a large amount of time to process an image.

API Additions
=============
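Review bot: the new intro sentence "This release catches several buffer overruns and fixes CVE-2019-16865." writes the CVE as plain text, whereas the sentence it replaces used the `:cve:`2019-16865`` role, which renders a link to the database record. Keep the role here, or drop the CVE mention from the intro entirely since the "Fix CVE-2019-16865" subsection below already carries the note. That subsection's underline is also far longer than its 18-character title; size it to the title as the other headings in this commit are.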

Expand Down Expand Up @@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer``
may change in the future for the "raw" decoder. The change will now take place
in Pillow 7.0.

Security
========

This release catches several buffer overruns, as well as addressing
:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
amounts of memory, or taking a large amount of time to process an image.

In RawDecode.c, an error is now thrown if skip is calculated to be less than
zero. It is intended to skip padding between lines, not to go backwards.

In PsdImagePlugin, if the combined sizes of the individual parts is larger than
the declared size of the extra data field, then it looked for the next layer by
seeking backwards. This is now corrected by seeking to (the start of the layer
+ the size of the extra data field) instead of (the read parts of the layer +
the rest of the layer).

Decompression bomb checks have been added to GIF and ICO formats.

An error is now raised if a TIFF dimension is a string, rather than trying to
perform operations on it.

Other Changes
=============


0 comments on commit c9c9a18