The following security CVEs have been addressed in Pillow.
CVE-2020-35654
: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.
CVE-2021-25289
: Catch TiffDecode heap-based buffer overflow and add test files that show the CVE was fixed. This addressed an incomplete fix for CVE-2020-35654.
CVE-2022-22815
: Fixed ImagePath.Path array handling
- PIL.PsdImagePlugin.PsdImageFile did not sanity check the number of input layers with regard to the size of the data block. This could lead to a denial of service on PIL.Image.open, prior to PIL.Image.Image.load. This dates to the PIL fork.
CVE-2022-22816
: Fixed ImagePath.Path array handling
CVE-2020-10994
: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2021-28676
: FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
CVE-2021-28677
: An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
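The accidentally quadratic pattern in the entry above, as an added illustration that is not Pillow's EpsImagePlugin code: a block-based line reader that accepts \r, \n and \r\n, run once re-scanning the whole accumulated buffer after every read and once scanning only the newly read bytes. The block size, the `LineReader`/`read_all` names and the sample inputs are assumptions for the demo.

```python
"""Line reading over mixed \\r, \\n and \\r\\n endings: re-scanning vs incremental.

Added illustration; this is not Pillow's EpsImagePlugin code. The block size is
tiny so the work counter makes the growth visible on small inputs.
"""
import io

BLOCK = 16  # assumed read size for the demo


def _find_line_end(buf, start):
    """First terminator at or after `start`: (index, length) for '\\n', '\\r' or
    '\\r\\n', or (-1, 0) if there is none."""
    i = buf.find(b"\r", start)
    j = buf.find(b"\n", start)
    if i == -1 and j == -1:
        return -1, 0
    if i != -1 and (j == -1 or i < j):
        return i, 2 if buf[i + 1:i + 2] == b"\n" else 1
    return j, 1


class LineReader:
    """Reads lines from a binary stream in fixed-size blocks.

    rescan=True : after every block read, search the whole accumulated buffer
                  again; a long run with no terminator costs O(n^2) byte scans.
    rescan=False: search only the newly appended bytes, with a one-byte overlap
                  so a '\\r\\n' split across two reads is still recognised.
    `scanned` counts bytes examined, so the two can be compared without timing.
    """

    def __init__(self, fp, rescan, block=BLOCK):
        self.fp, self.rescan, self.block = fp, rescan, block
        self.buf, self.eof, self.scanned = b"", False, 0

    def readline(self):
        """Next line without its terminator, or None at end of stream."""
        start = 0
        while True:
            end, n = _find_line_end(self.buf, start)
            self.scanned += len(self.buf) - start
            # A '\r' as the very last byte may be half of a '\r\n' that the next
            # read completes, so only accept it once no more data can arrive.
            dangling_cr = (n == 1 and end == len(self.buf) - 1
                           and self.buf[end] == 0x0D and not self.eof)
            if end != -1 and not dangling_cr:
                line, self.buf = self.buf[:end], self.buf[end + n:]
                return line
            if self.eof:
                if not self.buf:
                    return None
                line, self.buf = self.buf, b""
                return line
            chunk = self.fp.read(self.block)
            if not chunk:
                self.eof = True
            old = len(self.buf)
            self.buf += chunk
            # The quadratic variant restarts at 0; the linear one resumes just
            # before the bytes appended by this read.
            start = 0 if self.rescan else max(0, old - 1)


def read_all(data, rescan):
    """Read every line from `data`; returns (lines, bytes_scanned)."""
    reader = LineReader(io.BytesIO(data), rescan)
    lines = []
    line = reader.readline()
    while line is not None:
        lines.append(line)
        line = reader.readline()
    return lines, reader.scanned


# Constructed inputs: an EPS-like header using every terminator style, and a
# long run with no terminator at all (the denial-of-service shape).
MIXED = b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 10 10\r%%Creator: test\n\n%%EOF"
LONG = b"%" * 4096

if __name__ == "__main__":
    for data in (MIXED, LONG):
        for rescan in (True, False):
            lines, scanned = read_all(data, rescan)
            print("rescan=%-5s lines=%d scanned=%d" % (rescan, len(lines), scanned))
```

Both readers return identical lines; on the unterminated input the re-scanning reader examines over a hundred times as many bytes as the incremental one, and the gap grows with the square of the input length. A cap on the maximum line length accepted during the open phase is a separate, complementary defence.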
CVE-2022-45199
: Pillow before 9.3.0 allows denial of service via the TIFF SAMPLESPERPIXEL tag.
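The three checks the PsdImageFile, FliDecode and SAMPLESPERPIXEL entries describe (a declared count bounded by the data actually present, a chunk walk that must always advance, and a tag value capped before it sizes an allocation), shown together on a constructed toy container. This is an added example, not Pillow's code; the format, the `MAGIC`, `MAX_SAMPLES_PER_PIXEL` and `MIN_LAYER_RECORD` constants, the function names and the sample buffers are all assumptions for the demo.

```python
"""Checks on untrusted header values before they drive loops or allocations.

Constructed toy container, an assumption for this example (not a Pillow format):
  header : magic b"TOYI" | u16 samples_per_pixel | u32 layer_count   (10 bytes)
  chunks : repeated   u32 size (includes the 4 size bytes) | payload[size - 4]
"""
import struct

HEADER = struct.Struct("<4sHI")        # size == 10
CHUNK_HDR = struct.Struct("<I")        # size == 4
MAGIC = b"TOYI"
MAX_SAMPLES_PER_PIXEL = 16             # hypothetical cap, applied before any allocation
MIN_LAYER_RECORD = 8                   # smallest possible encoding of one layer here


def parse_header(data):
    """Validate header fields at open time, before any per-layer work.

    Returns (samples_per_pixel, layer_count) or raises ValueError.
    """
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, samples, layers = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    # A tag-driven size is bounded before it can feed an allocation
    # (the SAMPLESPERPIXEL pattern).
    if not 1 <= samples <= MAX_SAMPLES_PER_PIXEL:
        raise ValueError("samples_per_pixel out of range: %d" % samples)
    # A declared count must be plausible for the bytes actually present
    # (the PSD layer-count pattern): fail at open, not after looping.
    remaining = len(data) - HEADER.size
    if layers * MIN_LAYER_RECORD > remaining:
        raise ValueError("layer_count %d cannot fit in %d bytes" % (layers, remaining))
    return samples, layers


def walk_chunks_unchecked(data, max_steps=8):
    """The FliDecode-style failure: a size-0 chunk never moves the offset forward.

    Returns the offsets visited; max_steps exists only so the demo terminates.
    """
    offsets, off = [], HEADER.size
    while off + CHUNK_HDR.size <= len(data) and len(offsets) < max_steps:
        offsets.append(off)
        (size,) = CHUNK_HDR.unpack_from(data, off)
        off += size                      # size == 0 -> off unchanged -> spins forever
    return offsets


def walk_chunks(data):
    """Hardened walk: each chunk must advance the offset and fit in the buffer.

    Returns the payload length of every chunk, or raises ValueError.
    """
    payload_sizes, off = [], HEADER.size
    while off < len(data):
        if off + CHUNK_HDR.size > len(data):
            raise ValueError("truncated chunk header at offset %d" % off)
        (size,) = CHUNK_HDR.unpack_from(data, off)
        if size < CHUNK_HDR.size:
            raise ValueError("chunk at %d does not advance (size=%d)" % (off, size))
        if off + size > len(data):
            raise ValueError("chunk at %d overruns the buffer" % off)
        payload_sizes.append(size - CHUNK_HDR.size)
        off += size
    return payload_sizes


def rejects(fn, data):
    """True if fn(data) raises ValueError (used to exercise the checks)."""
    try:
        fn(data)
    except ValueError:
        return True
    return False


def build(samples, layers, payloads):
    """Assemble a constructed file from header fields and chunk payloads."""
    chunks = b"".join(CHUNK_HDR.pack(len(p) + CHUNK_HDR.size) + p for p in payloads)
    return HEADER.pack(MAGIC, samples, layers) + chunks


# Constructed inputs for the demo.
GOOD = build(3, 2, [b"layer-one", b"layer-two"])                 # 26 chunk bytes >= 2 * 8
ZERO_ADVANCE = build(3, 0, []) + CHUNK_HDR.pack(0) + b"\0" * 4   # chunk claims size 0
TOO_MANY_LAYERS = build(3, 1_000_000, [b"tiny"])                 # count outruns the data
HUGE_SAMPLES = build(65535, 0, [])                               # tag value far beyond the cap

if __name__ == "__main__":
    print(parse_header(GOOD), walk_chunks(GOOD))
    print("unchecked walk offsets:", walk_chunks_unchecked(ZERO_ADVANCE))
    for name, fn, blob in [("zero advance", walk_chunks, ZERO_ADVANCE),
                           ("too many layers", parse_header, TOO_MANY_LAYERS),
                           ("huge samples", parse_header, HUGE_SAMPLES)]:
        print(name, "rejected:", rejects(fn, blob))
```

All three checks run against the header and the chunk table only, so a crafted file is rejected before any layer is decoded or any pixel buffer is allocated; the unchecked walker is kept only to show that a zero-size chunk revisits the same offset on every iteration.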