[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Pillow 10.2.0 released, fixes CVE-2023-50447
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2024-01-20 17:01:59
Message-ID: 35642984-999e-4671-899e-3b6f93bd7136 () oracle ! com
[Download RAW message or body]
Version 10.2.0 of the Pillow module for Python was released on January 2:
https://github.com/python-pillow/Pillow/releases/tag/10.2.0
The release notes listed three security related changes at
https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security :
> * ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH *
>
> To protect against potential DOS attacks when using arbitrary strings as text
> input, Pillow will now raise a ValueError if the number of characters passed
> into PIL.ImageFont.ImageFont.getmask() is over a certain limit,
> PIL.ImageFont.MAX_STRING_LENGTH.
>
> This threshold can be changed by setting PIL.ImageFont.MAX_STRING_LENGTH.
> It can be disabled by setting ImageFont.MAX_STRING_LENGTH = None.
>
> A decompression bomb check has also been added to
> PIL.ImageFont.ImageFont.getmask().
>
>
> * ImageFont.getmask: Trim glyph size *
>
> To protect against potential DOS attacks when using PIL fonts,
> PIL.ImageFont.ImageFont now trims the size of individual glyphs
> so that they do not extend beyond the bitmap image.
>
>
> *ImageMath.eval: Restricted environment keys*
>
> CVE-2023-50447: If an attacker has control over the keys passed to the
> environment argument of PIL.ImageMath.eval(), they may be able to execute
> arbitrary code. To prevent this, keys matching the names of builtins and
> keys containing double underscores will now raise a ValueError.
More information about CVE-2023-50447 was posted by Duarte Santos
of Checkmarx's Research Group at:
https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
Checkmarx also posted a short advisory for it at:
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/
The fix for this CVE appears to have been provided by this set of changes:
https://github.com/python-pillow/Pillow/pull/7655
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic