Update dependency pillow to v10 [SECURITY] #62
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-pillow-vulnerability
branch
from
d7ca45a
to
b3e407e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==9.5.0->==10.3.0GitHub Vulnerability Alerts
CVE-2023-4863
Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.
GHSA-56pw-mpj4-fxww
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
CVE-2023-44271
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
CVE-2023-50447
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
CVE-2024-28219
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
Release Notes
python-pillow/Pillow (pillow)
v10.3.0Compare Source
CVE-2024-28219: Use
strncpyto avoid buffer overflow #7928[radarhere, hugovk]
Deprecate
eval(), replacing it withlambda_eval()andunsafe_eval()#7927[radarhere, hugovk]
Raise
ValueErrorif seeking to greater than offset-sized integer in TIFF #7883[radarhere]
Add
--reportargument to__main__.pyto omit supported formats #7818[nulano, radarhere, hugovk]
Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920
[radarhere]
Fix editable installation with custom build backend and configuration options #7658
[nulano, radarhere]
Fix putdata() for I;16N on big-endian #7209
[Yay295, hugovk, radarhere]
Determine MPO size from markers, not EXIF data #7884
[radarhere]
Improved conversion from RGB to RGBa, LA and La #7888
[radarhere]
Support FITS images with GZIP_1 compression #7894
[radarhere]
Use I;16 mode for 9-bit JPEG 2000 images #7900
[scaramallion, radarhere]
Raise ValueError if kmeans is negative #7891
[radarhere]
Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893
[radarhere]
Raise ValueError for negative values when loading P1-P3 PPM images #7882
[radarhere]
Added reading of JPEG2000 palettes #7870
[radarhere]
Added alpha_quality argument when saving WebP images #7872
[radarhere]
Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881
[radarhere]
Stop reading EPS image at EOF marker #7753
[radarhere]
PSD layer co-ordinates may be negative #7706
[radarhere]
Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791
[radarhere]
When saving GIF frame that restores to background color, do not fill identical pixels #7788
[radarhere]
Fixed reading PNG iCCP compression method #7823
[radarhere]
Allow writing IFDRational to UNDEFINED tag #7840
[radarhere]
Fix logged tag name when loading Exif data #7842
[radarhere]
Use maximum frame size in IHDR chunk when saving APNG images #7821
[radarhere]
Prevent opening P TGA images without a palette #7797
[radarhere]
Use palette when loading ICO images #7798
[radarhere]
Use consistent arguments for load_read and load_seek #7713
[radarhere]
Turn off nullability warnings for macOS SDK #7827
[radarhere]
Fix shift-sign issue in Convert.c #7838
[r-barnes, radarhere]
Open 16-bit grayscale PNGs as I;16 #7849
[radarhere]
Handle truncated chunks at the end of PNG images #7709
[lajiyuan, radarhere]
Match mask size to pasted image size in GifImagePlugin #7779
[radarhere]
Release GIL while calling
WebPAnimDecoderGetNext#7782[evanmiller, radarhere]
Fixed reading FLI/FLC images with a prefix chunk #7804
[twolife]
Update wl-paste handling and return None for some errors in grabclipboard() on Linux #7745
[nik012003, radarhere]
Remove execute bit from
setup.py#7760[hugovk]
Do not support using test-image-results to upload images after test failures #7739
[radarhere]
Changed ImageMath.ops to be static #7721
[radarhere]
Fix APNG info after seeking backwards more than twice #7701
[esoma, radarhere]
Deprecate ImageCms constants and versions() function #7702
[nulano, radarhere]
Added PerspectiveTransform #7699
[radarhere]
Add support for reading and writing grayscale PFM images #7696
[nulano, hugovk]
Add LCMS2 flags to ImageCms #7676
[nulano, radarhere, hugovk]
Rename x64 to AMD64 in winbuild #7693
[nulano]
v10.2.0Compare Source
Add
keep_rgboption when saving JPEG to prevent conversion of RGB colorspace #7553[bgilbert, radarhere]
Trim glyph size in ImageFont.getmask() #7669, #7672
[radarhere, nulano]
Deprecate IptcImagePlugin helpers #7664
[nulano, hugovk, radarhere]
Allow uncompressed TIFF images to be saved in chunks #7650
[radarhere]
Concatenate multiple JPEG EXIF markers #7496
[radarhere]
Changed IPTC tile tuple to match other plugins #7661
[radarhere]
Do not assign new fp attribute when exiting context manager #7566
[radarhere]
Support arbitrary masks for uncompressed RGB DDS images #7589
[radarhere, akx]
Support setting ROWSPERSTRIP tag #7654
[radarhere]
Apply ImageFont.MAX_STRING_LENGTH to ImageFont.getmask() #7662
[radarhere]
Optimise
ImageColorusingfunctools.lru_cache#7657[hugovk]
Restricted environment keys for ImageMath.eval() #7655
[wiredfool, radarhere]
Optimise
ImageMode.getmodeusingfunctools.lru_cache#7641[hugovk, radarhere]
Fix incorrect color blending for overlapping glyphs #7497
[ZachNagengast, nulano, radarhere]
Attempt memory mapping when tile args is a string #7565
[radarhere]
Fill identical pixels with transparency in subsequent frames when saving GIF #7568
[radarhere]
Corrected duration when combining multiple GIF frames into single frame #7521
[radarhere]
Handle disposing GIF background from outside palette #7515
[radarhere]
Seek past the data when skipping a PSD layer #7483
[radarhere]
Import plugins relative to the module #7576
[deliangyang, jaxx0n]
Translate encoder error codes to strings; deprecate
ImageFile.raise_oserror()#7609[bgilbert, radarhere]
Support reading BC4U and DX10 BC1 images #6486
[REDxEYE, radarhere, hugovk]
Optimize ImageStat.Stat.extrema #7593
[florath, radarhere]
Handle pathlib.Path in FreeTypeFont #7578
[radarhere, hugovk, nulano]
Added support for reading DX10 BC4 DDS images #7603
[sambvfx, radarhere]
Optimized ImageStat.Stat.count #7599
[florath]
Correct PDF palette size when saving #7555
[radarhere]
Fixed closing file pointer with olefile 0.47 #7594
[radarhere]
Raise ValueError when TrueType font size is not greater than zero #7584, #7587
[akx, radarhere]
If absent, do not try to close fp when closing image #7557
[RaphaelVRossi, radarhere]
Allow configuring JPEG restart marker interval on save #7488
[bgilbert, radarhere]
Decrement reference count for PyObject #7549
[radarhere]
Implement
streamtype=1option for tables-only JPEG encoding #7491[bgilbert, radarhere]
If save_all PNG only has one frame, do not create animated image #7522
[radarhere]
Fixed frombytes() for images with a zero dimension #7493
[radarhere]
v10.1.0Compare Source
Added TrueType default font to allow for different sizes #7354
[radarhere]
Fixed invalid argument warning #7442
[radarhere]
Added ImageOps cover method #7412
[radarhere, hugovk]
Catch struct.error from truncated EXIF when reading JPEG DPI #7458
[radarhere]
Consider default image when selecting mode for PNG save_all #7437
[radarhere]
Support BGR;15, BGR;16 and BGR;24 access, unpacking and putdata #7303
[radarhere]
Added CMYK to RGB unpacker #7310
[radarhere]
Improved flexibility of XMP parsing #7274
[radarhere]
Support reading 8-bit YCbCr TIFF images #7415
[radarhere]
Allow saving I;16B images as PNG #7302
[radarhere]
Corrected drawing I;16 points and writing I;16 text #7257
[radarhere]
Set blue channel to 128 for BC5S #7413
[radarhere]
Increase flexibility when reading IPTC fields #7319
[radarhere]
Set C palette to be empty by default #7289
[radarhere]
Added gs_binary to control Ghostscript use on all platforms #7392
[radarhere]
Read bounding box information from the trailer of EPS files if specified #7382
[nopperl, radarhere]
Added reading 8-bit color DDS images #7426
[radarhere]
Added has_transparency_data #7420
[radarhere, hugovk]
Fixed bug when reading BC5S DDS images #7401
[radarhere]
Prevent TIFF orientation from being applied more than once #7383
[radarhere]
Use previous pixel alpha for QOI_OP_RGB #7357
[radarhere]
Added BC5U reading #7358
[radarhere]
Allow getpixel() to accept a list #7355
[radarhere, homm]
Allow GaussianBlur and BoxBlur to accept a sequence of x and y radii #7336
[radarhere]
Expand JPEG buffer size when saving optimized or progressive #7345
[radarhere]
Added session type check for Linux in ImageGrab.grabclipboard() #7332
[TheNooB2706, radarhere, hugovk]
Allow "loop=None" when saving GIF images #7329
[radarhere]
Fixed transparency when saving P mode images to PDF #7323
[radarhere]
Added saving LA images as PDFs #7299
[radarhere]
Set SMaskInData to 1 for PDFs with alpha #7316, #7317
[radarhere]
Changed Image mode property to be read-only by default #7307
[radarhere]
Silence exceptions in repr_jpeg and repr_png #7266
[mtreinish, radarhere]
Do not use transparency when saving GIF if it has been removed when normalizing mode #7284
[radarhere]
Fix missing symbols when libtiff depends on libjpeg #7270
[heitbaum]
v10.0.1Compare Source
Updated libwebp to 1.3.2 #7395
[radarhere]
Updated zlib to 1.3 #7344
[radarhere]
v10.0.0Compare Source
Fixed deallocating mask images #7246
[radarhere]
Added ImageFont.MAX_STRING_LENGTH #7244
[radarhere, hugovk]
Fix Windows build with pyproject.toml #7230
[hugovk, nulano, radarhere]
Do not close provided file handles with libtiff #7199
[radarhere]
Convert to HSV if mode is HSV in getcolor() #7226
[radarhere]
Added alpha_only argument to getbbox() #7123
[radarhere. hugovk]
Prioritise speed in repr_png #7242
[radarhere]
Do not use CFFI access by default on PyPy #7236
[radarhere]
Limit size even if one dimension is zero in decompression bomb check #7235
[radarhere]
Use --config-settings instead of deprecated --global-option #7171
[radarhere]
Better C integer definitions #6645
[Yay295, hugovk]
Fixed finding dependencies on Cygwin #7175
[radarhere]
Changed grabclipboard() to use PNG instead of JPG compression on macOS #7219
[abey79, radarhere]
Added in_place argument to ImageOps.exif_transpose() #7092
[radarhere]
Fixed calling putpalette() on L and LA images before load() #7187
[radarhere]
Fixed saving TIFF multiframe images with LONG8 tag types #7078
[radarhere]
Fixed combining single duration across duplicate APNG frames #7146
[radarhere]
Remove temporary file when error is raised #7148
[radarhere]
Do not use temporary file when grabbing clipboard on Linux #7200
[radarhere]
If the clipboard fails to open on Windows, wait and try again #7141
[radarhere]
Fixed saving multiple 1 mode frames to GIF #7181
[radarhere]
Replaced absolute PIL import with relative import #7173
[radarhere]
Replaced deprecated Py_FileSystemDefaultEncoding for Python >= 3.12 #7192
[radarhere]
Improved wl-paste mimetype handling in ImageGrab #7094
[rrcgat, radarhere]
Added repr_jpeg() for IPython display_jpeg #7135
[n3011, radarhere, nulano]
Use "/sbin/ldconfig" if ldconfig is not found #7068
[radarhere]
Prefer screenshots using XCB over gnome-screenshot #7143
[nulano, radarhere]
Fixed joined corners for ImageDraw rounded_rectangle() odd dimensions #7151
[radarhere]
Support reading signed 8-bit TIFF images #7111
[radarhere]
Added width argument to ImageDraw regular_polygon #7132
[radarhere]
Support I mode for ImageFilter.BuiltinFilter #7108
[radarhere]
Raise error from stderr of Linux ImageGrab.grabclipboard() command #7112
[radarhere]
Added unpacker from I;16B to I;16 #7125
[radarhere]
Support float font sizes #7107
[radarhere]
Use later value for duplicate xref entries in PdfParser #7102
[radarhere]
Load before getting size in getstate #7105
[bigcat88, radarhere]
Fixed type handling for include and lib directories #7069
[adisbladis, radarhere]
Remove deprecations for Pillow 10.0.0 #7059, #7080
[hugovk, radarhere]
Drop support for soon-EOL Python 3.7 #7058
[hugovk, radarhere]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.