
9.5.0.1


icanhasmath released this 21 Apr 17:51 (commit a102c37)

Security release backporting three upstream CVE fixes to Pillow 9.5.0.

Security

CVE-2023-44271: Added ImageFont.MAX_STRING_LENGTH

To protect against potential denial-of-service (DoS) attacks when arbitrary strings are used as text input, Pillow now raises a ValueError if the number of characters passed into ImageFont methods exceeds PIL.ImageFont.MAX_STRING_LENGTH.

The threshold can be changed by assigning a new value to PIL.ImageFont.MAX_STRING_LENGTH. Setting ImageFont.MAX_STRING_LENGTH = None disables the check entirely, which also removes the protection, so only do so where the text input is trusted.

Upstream: python-pillow#7244

CVE-2023-50447: Restricted environment keys for ImageMath.eval()

PIL.ImageMath.eval now raises a ValueError if the environment passed alongside the expression (the extra dictionary or keyword arguments whose keys become names the expression can reference) contains a key that either contains __ or matches the name of one of the Python builtins.

Upstream: python-pillow#7655

CVE-2024-28219: Use strncpy to avoid buffer overflow

To help prevent potential buffer overflows in _imagingcms.c, strcpy has been replaced with strncpy, so copies are bounded by the destination size. Note that strncpy does not write a terminating NUL when the source is at least as long as the limit, so bounded copies of this kind must still terminate the destination explicitly.

Upstream: python-pillow#7928
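
As an added example (not Pillow's code and not the patch in python-pillow#7928), the C below shows the caveat that comes with replacing strcpy by strncpy: the copy is bounded, but when the source is at least as long as the limit no terminator is written, so a correct bounded-copy helper writes it itself. The buffer size, the helper names and the sample strings are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative destination size; the real buffer sizes in _imagingcms.c are
 * not stated on this page, so this is an assumption. */
#define NAME_LEN 8

/* Bounded copy done properly: strncpy limits the bytes written, and the
 * explicit terminator covers the case where src is longer than the buffer.
 * Returns true if src fit completely, false if it was truncated. */
bool copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return false;
    strncpy(dst, src, dstlen - 1); /* at most dstlen-1 bytes; pads with NULs if src is shorter */
    dst[dstlen - 1] = '\0';         /* strncpy writes no terminator once the limit is reached */
    return strlen(src) < dstlen;
}

/* The pitfall on its own: strncpy(dst, src, n) leaves dst unterminated when
 * strlen(src) >= n. Returns true only if a NUL ended up inside dst[0..n). */
bool strncpy_terminates(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

int main(void)
{
    char name[NAME_LEN];

    /* Constructed inputs: a short profile-like name and an over-long one. */
    copy_bounded(name, sizeof name, "sRGB");
    printf("fits:      \"%s\"\n", name);
    copy_bounded(name, sizeof name, "a very long profile name");
    printf("truncated: \"%s\"\n", name);

    printf("strncpy terminates \"exactly8\" into 8 bytes: %s\n",
           strncpy_terminates(name, sizeof name, "exactly8") ? "yes" : "no");
    return 0;
}
```

The second helper is the unsafe pattern on its own: with an 8-byte destination and an 8-character source, strncpy fills the whole buffer and leaves nothing to stop a later strlen or printf from reading past it. The first helper is what a reviewer should expect wherever strcpy is swapped for strncpy.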

PRs merged