Update dependency pillow to v9 [SECURITY] #342
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==8.3.1->==9.0.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-22815
Pillow is the friendly PIL (Python Imaging Library) fork.
path_getbboxinpath.cin Pillow before 9.0.0 improperly initializesImagePath.Path.CVE-2022-22816
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
CVE-2022-24303
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
CVE-2022-22817
PIL.ImageMath.evalin Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec methodImageMath.eval("exec(exit())").While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1.
GHSA-4fx9-vc88-q2xc
JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.
If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.
Release Notes
python-pillow/Pillow (pillow)
v9.0.1Compare Source
In show_file, use os.remove to remove temporary images. CVE-2022-24303 #6010
[radarhere, hugovk]
Restrict builtins within lambdas for ImageMath.eval. CVE-2022-22817 #6009
[radarhere]
v9.0.0Compare Source
Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923
[radarhere]
Ensure JpegImagePlugin stops at the end of a truncated file #5921
[radarhere]
Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920
[radarhere]
Remove consecutive duplicate tiles that only differ by their offset #5919
[radarhere]
Improved I;16 operations on big endian #5901
[radarhere]
Limit quantized palette to number of colors #5879
[radarhere]
Fixed palette index for zeroed color in FASTOCTREE quantize #5869
[radarhere]
When saving RGBA to GIF, make use of first transparent palette entry #5859
[radarhere]
Pass SAMPLEFORMAT to libtiff #5848
[radarhere]
Added rounding when converting P and PA #5824
[radarhere]
Improved putdata() documentation and data handling #5910
[radarhere]
Exclude carriage return in PDF regex to help prevent ReDoS #5912
[hugovk]
Fixed freeing pointer in ImageDraw.Outline.transform #5909
[radarhere]
Added ImageShow support for xdg-open #5897
[m-shinder, radarhere]
Support 16-bit grayscale ImageQt conversion #5856
[cmbruns, radarhere]
Convert subsequent GIF frames to RGB or RGBA #5857
[radarhere]
Do not prematurely return in ImageFile when saving to stdout #5665
[infmagic2047, radarhere]
Added support for top right and bottom right TGA orientations #5829
[radarhere]
Corrected ICNS file length in header #5845
[radarhere]
Block tile TIFF tags when saving #5839
[radarhere]
Added line width argument to polygon #5694
[radarhere]
Do not redeclare class each time when converting to NumPy #5844
[radarhere]
Only prevent repeated polygon pixels when drawing with transparency #5835
[radarhere]
Add support for pickling TrueType fonts #5826
[hugovk, radarhere]
Only prefer command line tools SDK on macOS over default MacOSX SDK #5828
[radarhere]
Drop support for soon-EOL Python 3.6 #5768
[hugovk, nulano, radarhere]
Fix compilation on 64-bit Termux #5793
[landfillbaby]
Use title for display in ImageShow #5788
[radarhere]
Remove support for FreeType 2.7 and older #5777
[hugovk, radarhere]
Fix for PyQt6 #5775
[hugovk, radarhere]
Removed deprecated PILLOW_VERSION, Image.show command parameter, Image._showxv and ImageFile.raise_ioerror #5776
[radarhere]
v8.4.0Compare Source
Prefer global transparency in GIF when replacing with background color #5756
[radarhere]
Added "exif" keyword argument to TIFF saving #5575
[radarhere]
Copy Python palette to new image in quantize() #5696
[radarhere]
Read ICO AND mask from end #5667
[radarhere]
Actually check the framesize in FliDecode.c #5659
[wiredfool]
Determine JPEG2000 mode purely from ihdr header box #5654
[radarhere]
Fixed using info dictionary when writing multiple APNG frames #5611
[radarhere]
Allow saving 1 and L mode TIFF with PhotometricInterpretation 0 #5655
[radarhere]
For GIF save_all with palette, do not include palette with each frame #5603
[radarhere]
Keep transparency when converting from P to LA or PA #5606
[radarhere]
Copy palette to new image in transform() #5647
[radarhere]
Added "transparency" argument to EpsImagePlugin load() #5620
[radarhere]
Corrected pathlib.Path detection when saving #5633
[radarhere]
Added WalImageFile class #5618
[radarhere]
Consider I;16 pixel size when drawing text #5598
[radarhere]
If default conversion from P is RGB with transparency, convert to RGBA #5594
[radarhere]
Speed up rotating square images by 90 or 270 degrees #5646
[radarhere]
Add support for reading DPI information from JPEG2000 images
[rogermb, radarhere]
Catch TypeError from corrupted DPI value in EXIF #5639
[homm, radarhere]
Do not close file pointer when saving SGI images #5645
[farizrahman4u, radarhere]
Deprecate ImagePalette size parameter #5641
[radarhere, hugovk]
Prefer command line tools SDK on macOS #5624
[radarhere]
Added tags when saving YCbCr TIFF #5597
[radarhere]
PSD layer count may be negative #5613
[radarhere]
Fixed ImageOps expand with tuple border on P image #5615
[radarhere]
Fixed error saving APNG with duplicate frames and different duration times #5609
[thak1411, radarhere]
v8.3.2Compare Source
CVE-2021-23437 Raise ValueError if color specifier is too long
[hugovk, radarhere]
Fix 6-byte OOB read in FliDecode
[wiredfool]
Add support for Python 3.10 #5569, #5570
[hugovk, radarhere]
Ensure TIFF
RowsPerStripis multiple of 8 for JPEG compression #5588[kmilos, radarhere]
Updates for
ImagePalettechannel order #5599[radarhere]
Hide FriBiDi shim symbols to avoid conflict with real FriBiDi library #5651
[nulano]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.