Skip to content

Commit

Permalink
CVEs TBD
Browse files Browse the repository at this point in the history
  • Loading branch information
radarhere committed Jan 2, 2022
1 parent d7f60d1 commit ed4cf78
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 3 deletions.
5 changes: 4 additions & 1 deletion CHANGES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,13 @@ Changelog (Pillow)
9.0.0 (unreleased)
------------------

- Restrict builtins for ImageMath.eval(). CVE TBD #5923
[radarhere]

- Ensure JpegImagePlugin stops at the end of a truncated file #5921
[radarhere]

- Fixed ImagePath.Path array handling #5920
- Fixed ImagePath.Path array handling. CVEs TBD #5920
[radarhere]

- Remove consecutive duplicate tiles that only differ by their offset #5919
Expand Down
4 changes: 2 additions & 2 deletions docs/releasenotes/9.0.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -122,12 +122,12 @@ Restrict builtins available to ImageMath.eval
To limit :py:class:`PIL.ImageMath` to working with images, Pillow will now restrict the
builtins available to :py:meth:`PIL.ImageMath.eval`. This will help prevent problems
arising if users evaluate arbitrary expressions, such as
``ImageMath.eval("exec(exit())")``.
``ImageMath.eval("exec(exit())")``. CVE TBD

Fixed ImagePath.Path array handling
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``.
CWE-126 and CWE-665 were found when initializing ``ImagePath.Path``. CVEs TBD

.. _OSS-Fuzz: https://github.com/google/oss-fuzz

Expand Down

0 comments on commit ed4cf78

Please sign in to comment.