fpdf2 depends on Pillow version having security vulnerability #628

Closed
aleksilahis opened this issue Dec 15, 2022 · 3 comments
@aleksilahis

Pillow <9.3.0 has security vulnerability described here: https://pyup.io/v/51886/f17
fpdf2 depends on Pillow >=6.2.2, so having fpdf2 in dependencies causes for example safety check to fail because of Pillow.

@Lucas-C
Member

Lucas-C commented Dec 15, 2022

Thank you for the report.

I'm fine with specifying a higher minimal version of Pillow in fpdf2 dependencies, but for the record this vulnerability seems very minor, based on the PR that fixed the vulnerability (python-pillow/Pillow#6700):

  • it's a potential Denial Of Service, not an attack vector that would provide control over the app / system to an attacker
  • it only concerns TIFF files
  • fpdf2 does not touch this SAMPLESPERPIXEL vulnerable setting in any way. If an application provides a way to alter this setting, that would be from code outside fpdf2 (and then potentially the PIL.Image could be passed to FPDF.image())

@Lucas-C Lucas-C added security and removed bug labels Dec 15, 2022
@gmischler
Collaborator

  • fpdf2 does not touch this SAMPLESPERPIXEL vulnerable setting in any way.

If I understand it correctly, then SAMPLESPERPIXEL is a tag in TIFF files. In other words, any software using fpdf2 (and thus Pillow) could be made to crash by feeding it a maliciously manipulated TIFF file. Apparently only version 9.2.0 is affected, which was current from July to October of this year.

@Lucas-C
Member

Lucas-C commented Dec 19, 2022

Ah I see, alright. Thank you @gmischler

I opened #630 to forbid Pillow 9.2.0 as a dependency of fpdf2
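The mitigation settled on in this thread is a dependency specifier that keeps the existing floor but excludes the affected release, i.e. `Pillow>=6.2.2,!=9.2.0`. The following is an added example, not code from fpdf2 or from PR #630: a minimal evaluator for such specifiers plus a check over `pip freeze`-style output that flags an environment still pinned to Pillow 9.2.0. It handles dotted-numeric versions only; real projects should use the `packaging` library instead.

```python
"""Minimal version-specifier check for pins such as "Pillow>=6.2.2,!=9.2.0".
Added example, not fpdf2 code; dotted-numeric versions and six operators only.
"""
import operator
import re

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """'9.2.0' -> (9, 2); trailing zeros are dropped so 9.2 and 9.2.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def audit_freeze(freeze_output, constraints):
    """Return (name, version, specifier) for each pin violating its constraint."""
    violations = []
    for line in freeze_output.splitlines():
        if "==" not in line or line.lstrip().startswith("#"):
            continue
        name, version = line.strip().split("==", 1)
        spec = constraints.get(name.lower())  # package names are case-insensitive
        if spec is not None and not satisfies(version, spec):
            violations.append((name, version, spec))
    return violations


# Constructed sample environment: its Pillow pin is the affected 9.2.0 release.
SAMPLE_FREEZE = "otherpkg==1.0\nPillow==9.2.0\n"
CONSTRAINTS = {"pillow": ">=6.2.2,!=9.2.0"}

if __name__ == "__main__":
    for name, ver, spec in audit_freeze(SAMPLE_FREEZE, CONSTRAINTS):
        print(f"{name}=={ver} violates {spec}")
```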
