File tree 2 files changed +8
-7
lines changed
2 files changed +8
-7
lines changed Original file line number Diff line number Diff line change @@ -5,13 +5,13 @@ Changelog (Pillow)
559.0.0 (2022-01-02)
66------------------
77
8- - Restrict builtins for ImageMath.eval(). CVE TBD #5923
8+ - Restrict builtins for ImageMath.eval(). CVE-2022-22817 #5923
99 [radarhere]
1010
1111- Ensure JpegImagePlugin stops at the end of a truncated file #5921
1212 [radarhere]
1313
14- - Fixed ImagePath.Path array handling. CVEs TBD #5920
14+ - Fixed ImagePath.Path array handling. CVE-2022-22815, CVE-2022-22816 #5920
1515 [radarhere]
1616
1717- Remove consecutive duplicate tiles that only differ by their offset #5919
Original file line number Diff line number Diff line change @@ -119,15 +119,16 @@ Google's `OSS-Fuzz`_ project for finding this issue.
119119Restrict builtins available to ImageMath.eval
120120^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
121121
122- To limit :py:class: `PIL.ImageMath ` to working with images, Pillow will now restrict the
123- builtins available to :py:meth: `PIL.ImageMath.eval `. This will help prevent problems
124- arising if users evaluate arbitrary expressions, such as
125- ``ImageMath.eval("exec(exit())") ``. CVE TBD
122+ :cve: ` CVE-2022-22817 `: To limit :py:class: `PIL.ImageMath ` to working with images, Pillow
123+ will now restrict the builtins available to :py:meth: `PIL.ImageMath.eval `. This will
124+ help prevent problems arising if users evaluate arbitrary expressions, such as
125+ ``ImageMath.eval("exec(exit())") ``.
126126
127127Fixed ImagePath.Path array handling
128128^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
129129
130- CWE-126 and CWE-665 were found when initializing ``ImagePath.Path ``. CVEs TBD
130+ :cve: `CVE-2022-22815 ` (CWE-126) and :cve: `CVE-2022-22816 ` (CWE-665) were found when
131+ initializing ``ImagePath.Path ``.
131132
132133.. _OSS-Fuzz : https://github.com/google/oss-fuzz
133134
You can’t perform that action at this time.
0 commit comments