List:       oss-security
Subject:    [oss-security] Pillow 10.2.0 released, fixes CVE-2023-50447
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2024-01-20 17:01:59
Message-ID: 35642984-999e-4671-899e-3b6f93bd7136 () oracle ! com

Version 10.2.0 of the Pillow module for Python was released on January 2:
https://github.com/python-pillow/Pillow/releases/tag/10.2.0

The release notes listed three security related changes at
https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security :

 > * ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH *
 >
 > To protect against potential DOS attacks when using arbitrary strings as text
 > input, Pillow will now raise a ValueError if the number of characters passed
 > into PIL.ImageFont.ImageFont.getmask() is over a certain limit,
 > PIL.ImageFont.MAX_STRING_LENGTH.
 >
 > This threshold can be changed by setting PIL.ImageFont.MAX_STRING_LENGTH.
 > It can be disabled by setting ImageFont.MAX_STRING_LENGTH = None.
 >
 > A decompression bomb check has also been added to
 > PIL.ImageFont.ImageFont.getmask().
 >
 >
 > * ImageFont.getmask: Trim glyph size *
 >
 > To protect against potential DOS attacks when using PIL fonts,
 > PIL.ImageFont.ImageFont now trims the size of individual glyphs
 > so that they do not extend beyond the bitmap image.
 >
 >
 > *ImageMath.eval: Restricted environment keys*
 >
 > CVE-2023-50447: If an attacker has control over the keys passed to the
 > environment argument of PIL.ImageMath.eval(), they may be able to execute
 > arbitrary code. To prevent this, keys matching the names of builtins and
 > keys containing double underscores will now raise a ValueError.

More information about CVE-2023-50447 was posted by Duarte Santos
of Checkmarx's Research Group at:
https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/

Checkmarx also posted a short advisory for it at:
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/

The fix for this CVE appears to have been provided by this set of changes:
https://github.com/python-pillow/Pillow/pull/7655

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
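Added example, not part of the post above nor Pillow's own code: a standalone pre-flight check that mirrors the CVE-2023-50447 rule quoted from the release notes (environment keys that match a builtin name or contain a double underscore are rejected with ValueError), so code running on any Pillow version can vet attacker-influenced key names before they reach PIL.ImageMath.eval(). The function names and sample environments are my own.

```python
"""Pre-flight check for the keys of an ImageMath.eval() environment.

Added example mirroring the Pillow 10.2.0 rule: a key is rejected if it
names a builtin (hasattr(builtins, key)) or contains "__". Run this before
calling PIL.ImageMath.eval(expression, **env) on older Pillow releases.
"""
import builtins


def rejected_environment_keys(env):
    """Return the keys of `env` that violate the 10.2.0 rule, in order."""
    bad = []
    for key in env:
        # Only str keys can be passed as **kwargs to eval(); anything
        # else is unusable and is refused outright.
        if not isinstance(key, str):
            bad.append(key)
        elif "__" in key or hasattr(builtins, key):
            bad.append(key)
    return bad


def validate_imagemath_environment(env):
    """Raise ValueError (as Pillow 10.2.0 does) if any key is unacceptable.

    Returns the same mapping unchanged so it can be passed straight on to
    PIL.ImageMath.eval(expression, **env) after the check.
    """
    bad = rejected_environment_keys(env)
    if bad:
        raise ValueError(f"rejected ImageMath environment keys: {bad!r}")
    return env


# Constructed sample environments; the check only looks at key names, so
# plain integers stand in for the image objects a real caller would pass.
SAFE_ENV = {"a": 1, "b": 2, "scale": 3}
# "__class__" contains "__"; "exec" and "print" match builtin names.
UNSAFE_ENV = {"a": 1, "__class__": 0, "exec": 0, "print": 0}

if __name__ == "__main__":
    print("safe:", rejected_environment_keys(SAFE_ENV))      # []
    print("unsafe:", rejected_environment_keys(UNSAFE_ENV))  # ['__class__', 'exec', 'print']
```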