Pillow <9.3.0 has a security vulnerability described here: https://pyup.io/v/51886/f17
fpdf2 depends on Pillow >=6.2.2, so having fpdf2 in dependencies causes, for example, the safety check command to fail because of Pillow.
I'm fine with specifying a higher minimal version of Pillow in fpdf2 dependencies, but for the record this vulnerability seems very minor, based on the PR that fixed the vulnerability (python-pillow/Pillow#6700):
it's a potential Denial of Service, not an attack vector that would provide an attacker with control over the app / system
it only concerns TIFF files
fpdf2 does not touch this vulnerable SAMPLESPERPIXEL setting in any way. If an application provides a way to alter this setting, that would be from code outside fpdf2 (and then potentially the PIL.Image could be passed to FPDF.image())
fpdf2 does not touch this SAMPLESPERPIXEL vulnerable setting in any way.
If I understand it correctly, then SAMPLESPERPIXEL is a tag in TIFF files. In other words, any software using fpdf2 (and thus Pillow) could be made to crash by feeding it a maliciously manipulated TIFF file. Apparently only version 9.2.0 is affected, which was current from July to October of this year.
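The two practical points in this thread are the dependency floor (Pillow >=9.3.0) and the fact that SamplesPerPixel is an ordinary TIFF tag that arrives from untrusted input. The following is an added example, not code from the fpdf2 issue, from fpdf2 itself or from Pillow: a pure-stdlib reader for the first TIFF IFD that extracts the SamplesPerPixel tag (tag 277 in the TIFF 6.0 specification) so a file can be screened before it is handed to an image decoder, plus a minimal version comparison for the Pillow floor. The maximum of 16 samples per pixel used by screen_tiff, the builder that constructs test TIFFs, and the function names are assumptions for this illustration; the screen does not reproduce Pillow's actual fix and is only a cheap pre-check.

```python
import struct

# Tag numbers and field types from the TIFF 6.0 specification.
TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_BITS_PER_SAMPLE = 258
TAG_SAMPLES_PER_PIXEL = 277
TYPE_SHORT = 3
TYPE_LONG = 4

# Assumed policy for this example: no real-world image needs more channels than this.
MAX_SAMPLES_PER_PIXEL = 16


def build_tiff(samples_per_pixel, byte_order="<"):
    """Construct a minimal TIFF (header + one IFD, no pixel data) for testing.

    byte_order "<" writes an 'II' (little-endian) file, ">" an 'MM' file.
    This is constructed sample input, not a file produced by any real tool.
    """
    entries = [
        (TAG_IMAGE_WIDTH, TYPE_LONG, 1),
        (TAG_IMAGE_LENGTH, TYPE_LONG, 1),
        (TAG_BITS_PER_SAMPLE, TYPE_SHORT, 8),
        (TAG_SAMPLES_PER_PIXEL, TYPE_SHORT, samples_per_pixel),
    ]
    header = (b"II" if byte_order == "<" else b"MM") + struct.pack(byte_order + "HI", 42, 8)
    ifd = struct.pack(byte_order + "H", len(entries))
    for tag, typ, value in entries:
        # Values that fit in 4 bytes are stored inline, left-justified in the field.
        if typ == TYPE_SHORT:
            field = struct.pack(byte_order + "H", value) + b"\x00\x00"
        else:
            field = struct.pack(byte_order + "I", value)
        ifd += struct.pack(byte_order + "HHI", tag, typ, 1) + field
    ifd += struct.pack(byte_order + "I", 0)  # offset of next IFD: none
    return header + ifd


def read_tiff_tags(data):
    """Parse the first IFD and return {tag: value} for single-count SHORT/LONG entries.

    Every offset is bounds-checked against len(data) so a truncated or
    malformed file raises ValueError instead of an IndexError/struct.error.
    """
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        bo = "<"
    elif data[:2] == b"MM":
        bo = ">"
    else:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_offset = struct.unpack_from(bo + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_offset + 2 > len(data):
        raise ValueError("IFD offset outside file")
    (count,) = struct.unpack_from(bo + "H", data, ifd_offset)
    if ifd_offset + 2 + 12 * count > len(data):
        raise ValueError("IFD truncated")
    tags = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", data, off)
        if n != 1:
            continue  # multi-valued entries point elsewhere; not needed here
        if typ == TYPE_SHORT:
            (value,) = struct.unpack_from(bo + "H", data, off + 8)
        elif typ == TYPE_LONG:
            (value,) = struct.unpack_from(bo + "I", data, off + 8)
        else:
            continue
        tags[tag] = value
    return tags


def screen_tiff(data, max_samples=MAX_SAMPLES_PER_PIXEL):
    """Return (ok, reason); reject files whose SamplesPerPixel is outside 1..max_samples."""
    try:
        tags = read_tiff_tags(data)
    except ValueError as exc:
        return False, str(exc)
    spp = tags.get(TAG_SAMPLES_PER_PIXEL, 1)  # the specification's default is 1
    if not 1 <= spp <= max_samples:
        return False, f"SamplesPerPixel={spp} outside 1..{max_samples}"
    return True, "ok"


def version_tuple(version):
    """Turn '9.3.0' (or '9.3.0.post1') into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def pillow_meets_minimum(installed, minimum="9.3.0"):
    """True if the installed Pillow version is at or above the advisory's fixed version."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


if __name__ == "__main__":
    print(screen_tiff(build_tiff(3)))            # normal RGB-style file
    print(screen_tiff(build_tiff(65535)))        # absurd channel count, rejected
    print(screen_tiff(build_tiff(3, ">")[:20]))  # truncated big-endian file, rejected
    print(pillow_meets_minimum("9.2.0"), pillow_meets_minimum("9.3.0"))
```

In an application that accepts user-supplied images and forwards them to FPDF.image(), the screen is run on the raw bytes before any PIL.Image is created; it is defence in depth on top of, not a substitute for, upgrading Pillow to the fixed release.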