Pillow 10.2.0 released, fixes CVE-2023-50447

[Alan Coopersmith <alan.coopersmith () oracle com>]

Version 10.2.0 of the Pillow module for Python was released on January 2:
https://github.com/python-pillow/Pillow/releases/tag/10.2.0

The release notes listed three security related changes at
https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security :

> * ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH *
>
> To protect against potential DOS attacks when using arbitrary strings as text
> input, Pillow will now raise a ValueError if the number of characters passed
> into PIL.ImageFont.ImageFont.getmask() is over a certain limit,
> PIL.ImageFont.MAX_STRING_LENGTH.
>
> This threshold can be changed by setting PIL.ImageFont.MAX_STRING_LENGTH.
> It can be disabled by setting ImageFont.MAX_STRING_LENGTH = None.
>
> A decompression bomb check has also been added to
> PIL.ImageFont.ImageFont.getmask().
>
>
> * ImageFont.getmask: Trim glyph size *
>
> To protect against potential DOS attacks when using PIL fonts,
> PIL.ImageFont.ImageFont now trims the size of individual glyphs
> so that they do not extend beyond the bitmap image.
>
>
> *ImageMath.eval: Restricted environment keys*
>
> CVE-2023-50447: If an attacker has control over the keys passed to the
> environment argument of PIL.ImageMath.eval(), they may be able to execute
> arbitrary code. To prevent this, keys matching the names of builtins and
> keys containing double underscores will now raise a ValueError.

More information about CVE-2023-50447 was posted by Duarte Santos
of Checkmarx’s Research Group at:
https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/

Checkmarx also posted a short advisory for it at:
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/

The fix for this CVE appears to have been provided by this set of changes:
https://github.com/python-pillow/Pillow/pull/7655

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris