Merge pull request #7877 from python-pillow/7864-backfill

Backfill release notes with security fix details

docs/releasenotes/10.0.0.rst

@@ -1,6 +1,33 @@
 10.0.0
 ------
 
+Security
+========
+
+Limit size even if one dimension is zero
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When performing decompression bomb checks, Pillow did not reject images with
+excessive width and zero height, or zero width and excessive height. That has
+now been fixed.
+
+This effectively dates to the PIL fork, since problem images would still have
+been processed before Pillow started checking for decompression bombs.
+
+.. _Added ImageFont.MAX_STRING_LENGTH:
+
+:cve:`2023-44271`: Added ImageFont.MAX_STRING_LENGTH
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To protect against potential DOS attacks when using arbitrary strings as text
+input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
+passed into ImageFont methods is over a certain limit,
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
+
+This threshold can be changed by setting
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
+``ImageFont.MAX_STRING_LENGTH = None``.
+
 Backwards Incompatible Changes
 ==============================
 
@@ -157,31 +184,6 @@ Added ``alpha_only`` argument to ``getbbox()``
 and the image has an alpha channel, trim transparent pixels. Otherwise, trim
 pixels when all channels are zero.
 
-Security
-========
-
-Limit size even if one dimension is zero
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-When performing decompression bomb checks, Pillow did not reject images with
-excessive width and zero height, or zero width and excessive height. That has
-now been fixed.
-
-This effectively dates to the PIL fork, since problem images would still have
-been processed before Pillow started checking for decompression bombs.
-
-Added ImageFont.MAX_STRING_LENGTH
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
-input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
-passed into ImageFont methods is over a certain limit,
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
-
-This threshold can be changed by setting
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
-``ImageFont.MAX_STRING_LENGTH = None``.
-
 Other Changes
 =============
 

docs/releasenotes/10.0.1.rst

@@ -4,11 +4,17 @@
 Security
 ========
 
-This release addresses :cve:`2023-4863`, by providing an updated install script and
-updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
-in WebP.
+:cve:`2023-4863`: Updated install script and updated wheels
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This release provides an updated install script and updated wheels to
+include libwebp 1.3.2, preventing a potential heap buffer overflow in
+WebP.
+
+Other Changes
+=============
 
 Updated tests to pass with latest zlib version
-==============================================
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail.

docs/releasenotes/10.2.0.rst

@@ -1,6 +1,38 @@
 10.2.0
 ------
 
+Security
+========
+
+ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To protect against potential DOS attacks when using arbitrary strings as text input,
+Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
+:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
+
+This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
+can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
+
+A decompression bomb check has also been added to
+:py:meth:`PIL.ImageFont.ImageFont.getmask`.
+
+ImageFont.getmask: Trim glyph size
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To protect against potential DOS attacks when using PIL fonts,
+:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
+they do not extend beyond the bitmap image.
+
+:cve:`2023-50447`: ImageMath.eval: Restricted environment keys
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
 Deprecations
 ============
 
@@ -63,38 +95,6 @@ JPEG tables-only streamtype
 When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
 output only the quantization and Huffman tables for the image.
 
-Security
-========
-
-ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To protect against potential DOS attacks when using arbitrary strings as text input,
-Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
-:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
-
-This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
-can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
-
-A decompression bomb check has also been added to
-:py:meth:`PIL.ImageFont.ImageFont.getmask`.
-
-ImageFont.getmask: Trim glyph size
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To protect against potential DOS attacks when using PIL fonts,
-:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
-they do not extend beyond the bitmap image.
-
-ImageMath.eval: Restricted environment keys
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:cve:`2023-50447`: If an attacker has control over the keys passed to the
-``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
-arbitrary code. To prevent this, keys matching the names of builtins and keys
-containing double underscores will now raise a :py:exc:`ValueError`.
-
 Other Changes
 =============
 

docs/releasenotes/10.3.0.rst

@@ -1,6 +1,19 @@
 10.3.0
 ------
 
+Security
+========
+
+TODO
+^^^^
+
+TODO
+
+:cve:`YYYY-XXXXX`: TODO
+^^^^^^^^^^^^^^^^^^^^^^^
+
+TODO
+
 Backwards Incompatible Changes
 ==============================
 
@@ -63,14 +76,6 @@ Added PerspectiveTransform
 that all of the :py:data:`~PIL.Image.Transform` values now have a corresponding
 subclass of :py:class:`~PIL.ImageTransform.Transform`.
 
-Security
-========
-
-TODO
-^^^^
-
-TODO
-
 Other Changes
 =============
 
@@ -85,3 +90,19 @@ Release GIL when fetching WebP frames
 
 Python's Global Interpreter Lock is now released when fetching WebP frames from
 the libwebp decoder.
+
+Added release notes for past releases
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Added release notes for past releases: ``2.6.0``, ``2.5.2``,
+``2.3.2``, ``2.3.1``. With these additions we are able to
+provide a comprehensive list of all Pillow CVE records from
+1995 to 2024 across three noteworthy periods:
+
+- 1995-2009: No known CVEs
+- 2010-2018: :cve:`2014-1932`, :cve:`2014-3589`, :cve:`2016-0740`, :cve:`2016-3076`
+- 2019-2024: :cve:`2019-16865`, :cve:`2019-19911`, :cve:`2020-10177`, :cve:`2020-15999`,
+  :cve:`2020-35653`, :cve:`2021-25289`, :cve:`2020-35654`, :cve:`2020-35654`,
+  :cve:`2021-27921`, :cve:`2021-27922`, :cve:`2021-27923`, :cve:`2021-25287`,
+  :cve:`2021-25288`, :cve:`2021-34552`, :cve:`2021-23437`, :cve:`2022-22817`,
+  :cve:`2022-24303`, :cve:`2022-30595`, :cve:`2023-44271`, :cve:`2023-4863`

docs/releasenotes/2.3.1.rst

@@ -0,0 +1,26 @@
+2.3.1
+-----
+
+Security
+========
+
+These issues reported in
+`Debian bug #737059 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059>`_.
+
+:cve:`2014-1932`: Fix insecure use of :py:func:`tempfile.mktemp`
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The (1) load_djpeg function in ``JpegImagePlugin.py``, (2) Ghostscript function
+in EpsImagePlugin.py, (3) load function in ``IptcImagePlugin.py``, and (4)
+``_copy`` function in Image.py in Python Image Library (PIL) 1.1.7 and earlier
+and Pillow before 2.3.1 do not properly create temporary files, which allow
+local users to overwrite arbitrary files and obtain sensitive information via a
+symlink attack on the temporary file.
+
+:cve:`2014-1933`: Fix insecure use of :py:func:`tempfile.mktemp`
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The (1) ``JpegImagePlugin.py`` and (2) ``EpsImagePlugin.py`` scripts in Python
+Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of
+temporary files on the command line, which makes it easier for local users to
+conduct symlink attacks by listing the processes.

docs/releasenotes/2.3.2.rst

@@ -0,0 +1,14 @@
+2.3.2
+-----
+
+Security
+========
+
+:cve:`2014-3589`: Fix DOS attack
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
+2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
+block size.
+
+Found and reported by Andrew Drake of dropbox.com

docs/releasenotes/2.5.2.rst

@@ -0,0 +1,14 @@
+2.5.2
+-----
+
+Security
+========
+
+:cve:`2014-3589`: Fix DOS attack
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
+2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
+block size.
+
+Found and reported by Andrew Drake of dropbox.com

docs/releasenotes/2.6.0.rst

@@ -0,0 +1,22 @@
+2.6.0
+-----
+
+Security
+========
+
+:cve:`2014-3589`: Fix DOS attack
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``PIL/IcnsImagePlugin.py`` in Python Imaging Library (PIL) and Pillow before 2.3.2 and
+2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted
+block size.
+
+Found and reported by Andrew Drake of dropbox.com
+
+Other Changes
+=============
+
+Relaxed precision of some tests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Relaxed imagedraw tests to allow slight errors for x86 vs x64.