pillow (8.1.2+dfsg-0.3ubuntu0.1) impish-security; urgency=medium

  * SECURITY UPDATE: regular expression DoS
    - debian/patches/CVE-2021-23437.patch: raise ValueError if color
      specifier is too long in Tests/test_imagecolor.py,
      src/PIL/ImageColor.py.
    - CVE-2021-23437
  * SECURITY UPDATE: improper initialization
    - debian/patches/CVE-2022-22815.patch: initialize coordinates to zero
      in Tests/test_imagepath.py, src/path.c.
    - CVE-2022-22815
  * SECURITY UPDATE: buffer over-read during initialization
    - debian/patches/CVE-2022-22816.patch: handle case where path count is
      zero in Tests/test_imagepath.py, src/path.c.
    - CVE-2022-22816
  * SECURITY UPDATE: evaluation of arbitrary expressions
    - debian/patches/CVE-2022-22817.patch: restrict builtins for
      ImageMath.eval in Tests/test_imagemath.py, src/PIL/ImageMath.py.
    - CVE-2022-22817

 -- Marc Deslauriers <email address hidden>  Wed, 12 Jan 2022 12:49:56 -0500

pillow (8.1.2+dfsg-0.3) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix CVE-2021-34552 - buffer overflow in Convert.c. Replace sprintf with
    snprintf. Backport upstream change from 8.3 to 8.1. (Closes: #991293)

 -- Neil Williams <email address hidden>  Tue, 20 Jul 2021 06:42:31 +0100

pillow (8.1.2+dfsg-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Cherrypick security fixes from 8.2:
    - CVE-2021-25287 / CVE-2021-25288 / CVE-2021-28675 / CVE-2021-28676
      CVE-2021-28677 / CVE-2021-28678 (Closes: #989062)

 -- Moritz Muehlenhoff <email address hidden>  Sun, 13 Jun 2021 18:11:04 +0200

pillow (8.1.2+dfsg-0.1ubuntu1) impish; urgency=medium

  * SECURITY UPDATE: OOB read in Jpeg2KDecode
    - debian/patches/CVE-2021-25287_8.patch: handle different widths for
      each band in src/libImaging/Jpeg2KDecode.c.
    - CVE-2021-25287
    - CVE-2021-25288
  * SECURITY UPDATE: DOS in PsdImagePlugin
    - debian/patches/CVE-2021-28675.patch: sanity check the number of
      input layers in Tests/test_decompression_bomb.py,
      Tests/test_file_apng.py, Tests/test_file_blp.py,
      Tests/test_file_tiff.py, src/PIL/ImageFile.py,
      src/PIL/PsdImagePlugin.py.
    - CVE-2021-28675
  * SECURITY UPDATE: FLI DOS
    - debian/patches/CVE-2021-28676.patch: check the block advance in
      src/libImaging/FliDecode.c.
    - CVE-2021-28676
  * SECURITY UPDATE: EPS DOS on _open
    - debian/patches/CVE-2021-28677.patch: properly handle line endings in
      src/PIL/EpsImagePlugin.py.
    - CVE-2021-28677
  * SECURITY UPDATE: BLP DOS
    - debian/patches/CVE-2021-28678.patch: check that reads return data in
      src/PIL/BlpImagePlugin.py.
    - CVE-2021-28678

 -- Marc Deslauriers <email address hidden>  Tue, 18 May 2021 07:02:45 -0400

pillow (8.1.2+dfsg-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Repack for DFSG compliance and update d/copyright. Closes: #952899.
  * Update d/watch for +dfsg repack.

 -- Romain Porte <email address hidden>  Sat, 24 Apr 2021 15:51:24 +0200

pillow (8.1.2-1) unstable; urgency=high

  * New upstream version.
    - Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922)
      and ICO (CVE-2021-27923) Image Plugins.

 -- Matthias Klose <email address hidden>  Tue, 09 Mar 2021 08:12:51 +0100