Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CVE-2023-44271 to release notes #7520

Merged
merged 1 commit into from
Nov 3, 2023

Conversation

hugovk
Copy link
Member

@hugovk hugovk commented Nov 3, 2023

Document that the security fix in 10.0.0 that added ImageFont.MAX_STRING_LENGTH was assigned CVE-2023-44271.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44271

https://devhub.checkmarx.com/cve-details/CVE-2023-44271/

@radarhere radarhere merged commit bee9c59 into python-pillow:main Nov 3, 2023
4 of 5 checks passed
@hugovk hugovk deleted the CVE-2023-44271 branch November 3, 2023 11:43
@jkylekelly
Copy link

jkylekelly commented Nov 8, 2023

Does this CVE only affect references via ImageDraw & ImageDraw2? For example:

    d = ImageDraw.Draw(image)
    d.text(_get_offset(image, font, text), text, font=font, fill="black")

Or would direct calls to the patched ImageFont functions also be vulnerable? I.e., text_bbox = font.getbbox(text) where font is of the class ImageFont.FreeTypeFont?

Thanks!

@radarhere
Copy link
Member

Yes, ImageFont is also relevant. You can see in #7244 that the code for getbbox() was also modified when implementing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants