File tree 2 files changed +24
-0
lines changed
2 files changed +24
-0
lines changed Original file line number Diff line number Diff line change 1+ 9.0.1
2+ -----
3+
4+ Security
5+ ========
6+
7+ This release addresses several security problems.
8+
9+ :cve: `CVE-2022-24303 `: If the path to the temporary directory on Linux or macOS
10+ contained a space, this would break removal of the temporary image file after
11+ ``im.show() `` (and related actions), and potentially remove an unrelated file. This
12+ been present since PIL.
13+
14+ :cve: `CVE-2022-22817 `: While Pillow 9.0 restricted top-level builtins available to
15+ :py:meth: `PIL.ImageMath.eval `, it did not prevent builtins available to lambda
16+ expressions. These are now also restricted.
17+
18+ Other Changes
19+ =============
20+
21+ Pillow 9.0 added support for ``xdg-open `` as an image viewer, but there have been
22+ reports that the temporary image file was removed too quickly to be loaded into the
23+ final application. A delay has been added.
Original file line number Diff line number Diff line change @@ -14,6 +14,7 @@ expected to be backported to earlier versions.
1414.. toctree ::
1515 :maxdepth: 2
1616
17+ 9.0.1
1718 9.0.0
1819 8.4.0
1920 8.3.2
You can’t perform that action at this time.
0 commit comments