oss-sec mailing list archives
Pillow 10.2.0 released, fixes CVE-2023-50447
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 20 Jan 2024 09:01:59 -0800
Version 10.2.0 of the Pillow module for Python was released on January 2: https://github.com/python-pillow/Pillow/releases/tag/10.2.0 The release notes listed three security related changes at https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security : > * ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH * > > To protect against potential DOS attacks when using arbitrary strings as text > input, Pillow will now raise a ValueError if the number of characters passed > into PIL.ImageFont.ImageFont.getmask() is over a certain limit, > PIL.ImageFont.MAX_STRING_LENGTH. > > This threshold can be changed by setting PIL.ImageFont.MAX_STRING_LENGTH. > It can be disabled by setting ImageFont.MAX_STRING_LENGTH = None. > > A decompression bomb check has also been added to > PIL.ImageFont.ImageFont.getmask(). > > > * ImageFont.getmask: Trim glyph size * > > To protect against potential DOS attacks when using PIL fonts, > PIL.ImageFont.ImageFont now trims the size of individual glyphs > so that they do not extend beyond the bitmap image. > > > *ImageMath.eval: Restricted environment keys* > > CVE-2023-50447: If an attacker has control over the keys passed to the > environment argument of PIL.ImageMath.eval(), they may be able to execute > arbitrary code. To prevent this, keys matching the names of builtins and > keys containing double underscores will now raise a ValueError. More information about CVE-2023-50447 was posted by Duarte Santos of Checkmarx’s Research Group at: https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/ Checkmarx also posted a short advisory for it at: https://devhub.checkmarx.com/cve-details/CVE-2023-50447/ The fix for this CVE appears to have been provided by this set of changes: https://github.com/python-pillow/Pillow/pull/7655 -- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- Pillow 10.2.0 released, fixes CVE-2023-50447 Alan Coopersmith (Jan 20)