Skip to content

Commit

Permalink
Merge pull request #5940 from hugovk/add-cves
Browse files Browse the repository at this point in the history
Add CVE IDs
  • Loading branch information
radarhere authored Jan 7, 2022
2 parents 5908ccc + b2c6db8 commit 7191555
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 7 deletions.
4 changes: 2 additions & 2 deletions CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,13 @@ Changelog (Pillow)
9.0.0 (2022-01-02)
------------------

- Restrict builtins for ImageMath.eval(). CVE TBD #5923
- Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923
[radarhere]

- Ensure JpegImagePlugin stops at the end of a truncated file #5921
[radarhere]

- Fixed ImagePath.Path array handling. CVEs TBD #5920
- Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920
[radarhere]

- Remove consecutive duplicate tiles that only differ by their offset #5919
Expand Down
11 changes: 6 additions & 5 deletions docs/releasenotes/9.0.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -119,15 +119,16 @@ Google's `OSS-Fuzz`_ project for finding this issue.
Restrict builtins available to ImageMath.eval
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``. CVE TBD
:cve:`CVE-2022-22817`: To limit :py:class:`PIL.ImageMath` to working with images, Pillow
will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will
help prevent problems arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.

Fixed ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD
:cve:`CVE-2022-22815` (CWE-126) and :cve:`CVE-2022-22816` (CWE-665) were found when
initializing ``ImagePath.Path``.

.. _OSS-Fuzz: https://github.com/google/oss-fuzz

Expand Down

0 comments on commit 7191555

Please sign in to comment.