Change logs for pillow source package in Hirsute

  • pillow (8.1.2-1ubuntu0.2) hirsute-security; urgency=medium
    
      * SECURITY UPDATE: regular expression DoS
        - debian/patches/CVE-2021-23437.patch: raise ValueError if color
          specifier is too long in Tests/test_imagecolor.py,
          src/PIL/ImageColor.py.
        - CVE-2021-23437
      * SECURITY UPDATE: DoS via buffer overflow
        - debian/patches/CVE-2021-34552.patch: limit sprintf modes to 10
          characters in src/libImaging/Convert.c.
        - CVE-2021-34552
      * SECURITY UPDATE: improper initialization
        - debian/patches/CVE-2022-22815.patch: initialize coordinates to zero
          in Tests/test_imagepath.py, src/path.c.
        - CVE-2022-22815
      * SECURITY UPDATE: buffer over-read during initialization
        - debian/patches/CVE-2022-22816.patch: handle case where path count is
          zero in Tests/test_imagepath.py, src/path.c.
        - CVE-2022-22816
      * SECURITY UPDATE: evaluation of arbitrary expressions
        - debian/patches/CVE-2022-22817.patch: restrict builtins for
          ImageMath.eval in Tests/test_imagemath.py, src/PIL/ImageMath.py.
        - CVE-2022-22817
    
     -- Marc Deslauriers <email address hidden>  Wed, 12 Jan 2022 12:54:47 -0500
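The CVE-2022-22817 line above says only that builtins were restricted for ImageMath.eval. The following added example (not Pillow's code and not the changelog author's) shows the general shape of that class of bug and its fix: an expression evaluator that hands attacker-controlled text to `eval` with a namespace that still inherits the interpreter's builtins, next to a hardened version that compiles first, rejects any name outside an allow-list, and evaluates with an empty `__builtins__`. The `ALLOWED` table and the function names are assumptions for illustration, not Pillow's real operator namespace.

```python
import builtins as _builtins

# Constructed allow-list standing in for the operator table an image-math
# evaluator exposes to expressions (assumption, not Pillow's ImageMath ops).
ALLOWED = {
    "abs": abs,
    "float": float,
    "int": int,
    "min": min,
    "max": max,
}


def eval_naive(expression, **variables):
    """'Before' shape of the bug: the globals dict has no '__builtins__'
    key, so Python inserts the real builtins module and every builtin
    name (len, open, __import__, ...) is reachable from the expression."""
    namespace = dict(ALLOWED)
    namespace.update(variables)
    return _builtins.eval(expression, namespace)


def disallowed_names(expression, **variables):
    """Compile the expression and return every global/attribute name it
    references that is neither an allowed operator nor a caller variable.
    co_names covers attribute lookups too, so `().__class__` is caught."""
    namespace = dict(ALLOWED)
    namespace.update(variables)
    code = compile(expression, "<expression>", "eval")
    return sorted(name for name in code.co_names if name not in namespace)


def eval_restricted(expression, **variables):
    """Hardened shape: refuse unknown names up front, then evaluate with an
    empty __builtins__ so nothing outside the namespace can be reached
    even if a check were missed."""
    bad = disallowed_names(expression, **variables)
    if bad:
        raise ValueError(f"names not allowed in expression: {bad}")
    namespace = dict(ALLOWED)
    namespace.update(variables)
    namespace["__builtins__"] = {}
    code = compile(expression, "<expression>", "eval")
    return _builtins.eval(code, namespace)


if __name__ == "__main__":
    print(eval_naive("len('abc')"))             # reachable: 3
    print(disallowed_names("len('abc')"))       # ['len']
    print(disallowed_names("__import__('os')")) # ['__import__']
    print(eval_restricted("abs(a) + b", a=-3, b=2))  # 5
```

Both layers matter: the name check gives a clear error before anything runs, and the empty `__builtins__` means a missed case still has no `__import__`, `open` or `getattr` to fall back on.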
  • pillow (8.1.2-1ubuntu0.1) hirsute-security; urgency=medium
    
      * SECURITY UPDATE: OOB read in Jpeg2KDecode
        - debian/patches/CVE-2021-25287_8.patch: handle different widths for
          each band in src/libImaging/Jpeg2KDecode.c.
        - CVE-2021-25287
        - CVE-2021-25288
      * SECURITY UPDATE: DOS in PsdImagePlugin
        - debian/patches/CVE-2021-28675.patch: sanity check the number of
          input layers in Tests/test_decompression_bomb.py,
          Tests/test_file_apng.py, Tests/test_file_blp.py,
          Tests/test_file_tiff.py, src/PIL/ImageFile.py,
          src/PIL/PsdImagePlugin.py.
        - CVE-2021-28675
      * SECURITY UPDATE: FLI DOS
        - debian/patches/CVE-2021-28676.patch: check the block advance in
          src/libImaging/FliDecode.c.
        - CVE-2021-28676
      * SECURITY UPDATE: EPS DOS on _open
        - debian/patches/CVE-2021-28677.patch: properly handle line endings in
          src/PIL/EpsImagePlugin.py.
        - CVE-2021-28677
      * SECURITY UPDATE: BLP DOS
        - debian/patches/CVE-2021-28678.patch: check that reads return data in
          src/PIL/BlpImagePlugin.py.
        - CVE-2021-28678
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 May 2021 07:09:08 -0400
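Three of the fixes in the entry above are the same pattern applied to different plugins: bound a count taken from the file before trusting it (PSD layer count, CVE-2021-28675), and treat a read that returns fewer bytes than requested as an error rather than as data (BLP, CVE-2021-28678; the FLI block-advance check is the same idea in C). The added example below (not Pillow's code) applies both checks in a parser for a small constructed container format; the format, the limits and the sample inputs are assumptions made for illustration.

```python
import io
import struct

# Constructed toy layer container (assumption; not PSD, BLP or any real format):
#   magic   b"TOYL"
#   count   uint32 big-endian, number of layer records that follow
#   record  width uint16, height uint16, name_len uint8, name bytes
MAGIC = b"TOYL"
MAX_LAYERS = 1024                # reject absurd counts before looping on them
MAX_TOTAL_PIXELS = 64 * 1024 * 1024  # decompression-bomb style bound


class TruncatedFile(ValueError):
    """Raised when the file ends before a declared structure is complete."""


def read_exact(fp, n):
    """Return exactly n bytes or raise. A short or empty read must never be
    handed to the caller as if it were data: that is how parsers end up
    spinning forever or indexing past the buffer."""
    data = fp.read(n)
    if len(data) != n:
        raise TruncatedFile(f"expected {n} bytes, got {len(data)}")
    return data


def parse_layers(data):
    """Parse the container and return [(name, width, height), ...]."""
    fp = io.BytesIO(data)
    if read_exact(fp, 4) != MAGIC:
        raise ValueError("bad magic")
    (count,) = struct.unpack(">I", read_exact(fp, 4))
    # Sanity check the declared count against the bound and against the
    # bytes actually present: each record is at least 5 bytes.
    if count > MAX_LAYERS:
        raise ValueError(f"layer count {count} exceeds limit {MAX_LAYERS}")
    if count * 5 > len(data) - fp.tell():
        raise TruncatedFile("declared layer count exceeds file size")
    layers = []
    total_pixels = 0
    for _ in range(count):
        width, height, name_len = struct.unpack(">HHB", read_exact(fp, 5))
        total_pixels += width * height
        if total_pixels > MAX_TOTAL_PIXELS:
            raise ValueError("declared image size too large")
        name = read_exact(fp, name_len).decode("ascii", "replace")
        layers.append((name, width, height))
    return layers


def classify(data):
    """Map parser outcome to a label, so callers can log or assert on it."""
    try:
        parse_layers(data)
        return "ok"
    except TruncatedFile:
        return "truncated"
    except ValueError as exc:
        if "layer count" in str(exc):
            return "too-many-layers"
        if "too large" in str(exc):
            return "too-large"
        return "bad-magic"


def build(layers):
    """Serialise layers in the toy format (used to construct sample inputs)."""
    out = bytearray(MAGIC + struct.pack(">I", len(layers)))
    for name, w, h in layers:
        nb = name.encode("ascii")
        out += struct.pack(">HHB", w, h, len(nb)) + nb
    return bytes(out)


# Constructed inputs: a valid file and three malformed variants.
SAMPLE = build([("background", 640, 480), ("overlay", 64, 64)])
TRUNCATED = SAMPLE[:-3]                          # last name cut short
BOMB = MAGIC + struct.pack(">I", 0xFFFFFFFF)     # absurd layer count, no data
HUGE = build([("huge", 65535, 65535)])           # pixel total far over bound

if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE), ("truncated", TRUNCATED),
                        ("bomb", BOMB), ("huge", HUGE)]:
        print(label, classify(blob))
```

The count bound is checked twice on purpose: once against a fixed ceiling, and once against the bytes remaining, so that a file claiming four billion layers fails in one comparison instead of after four billion failed reads.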
  • pillow (8.1.2-1) unstable; urgency=high
    
      * New upstream version.
        - Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922)
          and ICO (CVE-2021-27923) Image Plugins.
    
     -- Matthias Klose <email address hidden>  Tue, 09 Mar 2021 08:12:51 +0100
  • pillow (8.1.1-1) unstable; urgency=high
    
      * New upstream version.
        - Use more specific regex chars to prevent ReDoS. CVE-2021-25292.
        - Fix OOB Read in TiffDecode.c, and check the tile validity before reading.
          CVE-2021-25291.
        - Fix negative size read in TiffDecode.c. CVE-2021-25290.
        - Fix OOB read in SgiRleDecode.c. CVE-2021-25293.
        - Incorrect error code checking in TiffDecode.c. CVE-2021-25289.
    
     -- Matthias Klose <email address hidden>  Thu, 04 Mar 2021 07:13:48 +0100
  • pillow (8.1.0-1) unstable; urgency=medium
    
      * New upstream version.
      * Bump standards and debhelper versions.
    
     -- Matthias Klose <email address hidden>  Wed, 06 Jan 2021 13:18:02 +0100
  • pillow (8.0.1-1build1) hirsute; urgency=medium
    
      * No-change rebuild to drop python3.8 extensions.
    
     -- Matthias Klose <email address hidden>  Mon, 07 Dec 2020 18:45:05 +0100
  • pillow (8.0.1-1) unstable; urgency=medium
    
      * New upstream version.
    
     -- Matthias Klose <email address hidden>  Thu, 29 Oct 2020 20:02:10 +0100
  • pillow (7.2.0-1build1) hirsute; urgency=medium
    
      * No-change rebuild to build with python3.9 as supported.
    
     -- Matthias Klose <email address hidden>  Sat, 24 Oct 2020 12:44:06 +0200
  • pillow (7.2.0-1) unstable; urgency=medium
    
      * New upstream version.
      * Update debian/copyright, partially addresses #952899.
        - Mention contributors.
        - Add copyright information for fonts.
      * Bump debhelper version.
    
     -- Matthias Klose <email address hidden>  Thu, 16 Jul 2020 13:42:51 +0200