From ed4cf7813777ad8478cac46f448bc45416a2a99e Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sun, 2 Jan 2022 18:09:45 +1100 Subject: [PATCH] CVEs TBD --- CHANGES.rst | 5 ++++- docs/releasenotes/9.0.0.rst | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 45a087322fd..b4cdeced604 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -5,10 +5,13 @@ Changelog (Pillow) 9.0.0 (unreleased) ------------------ +- Restrict builtins for ImageMath.eval(). CVE TBD #5923 + [radarhere] + - Ensure JpegImagePlugin stops at the end of a truncated file #5921 [radarhere] -- Fixed ImagePath.Path array handling #5920 +- Fixed ImagePath.Path array handling. CVEs TBD #5920 [radarhere] - Remove consecutive duplicate tiles that only differ by their offset #5919 diff --git a/docs/releasenotes/9.0.0.rst b/docs/releasenotes/9.0.0.rst index fb542636e93..f2be128bb90 100644 --- a/docs/releasenotes/9.0.0.rst +++ b/docs/releasenotes/9.0.0.rst @@ -122,12 +122,12 @@ Restrict builtins available to ImageMath.eval To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems arising if users evaluate arbitrary expressions, such as -``ImageMath.eval("exec(exit())")``. +``ImageMath.eval("exec(exit())")``. CVE TBD Fixed ImagePath.Path array handling ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. +CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD .. _OSS-Fuzz: https://github.com/google/oss-fuzz
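Review bot: in the CHANGES.rst hunk, the two placeholders ("CVE TBD #5923" and "CVEs TBD #5920") need an owner and a follow-up before 9.0.0 is tagged; a released changelog line that reads "CVE TBD" gives downstream packagers nothing to match against their advisory feeds, and the commit subject "CVEs TBD" does not link to where the identifiers are being requested. Suggest recording the pending request (tracker or advisory draft) in the PR so the entries can be updated to the assigned identifiers in the same place, and double-checking the singular/plural split: the ImageMath entry says "CVE TBD" while the ImagePath entry says "CVEs TBD", which only makes sense if each of the two findings behind #5920 is getting its own identifier.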
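Review bot: in the docs/releasenotes/9.0.0.rst hunk, appending "CVE TBD" directly after ``ImageMath.eval("exec(exit())")``. and "CVEs TBD" after the CWE-126 and CWE-665 sentence reads as part of those sentences rather than as a status marker; a separate sentence in each section (for example "A CVE identifier for this issue is pending.") would render more clearly and is easier to find and replace once the identifiers arrive. While the "Restrict builtins available to ImageMath.eval" section is being touched, its wording "This will help prevent problems arising if users evaluate arbitrary expressions" should state plainly that restricting builtins is hardening and that evaluating untrusted expressions remains unsupported, so the release note is not read as a promise that ImageMath.eval is now safe for arbitrary input.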