This is a limited proof of concept to search for research data, not a production system.

Search the MIT Libraries

Title: python-pillow/Pillow: 9.1.1

Type Software Hugo van Kemenade, Andrew Murray, wiredfool, Jeffrey A. Clark, "Alex", Alexander Karpinsky, Ondrej Baranovič, Christoph Gohlke, Jon Dufresne, DWesl, David Schmidt, Konstantin Kopachev, Alastair Houghton, Sandro Mani, Steve Landey, vashek, Josh Ware, Jason Douglas, Stanislau T., David Caro, Uriel Martinez, Steve Kossouho, Riley Lahd, Antony Lee, Eric W. Brown, Oliver Tonnhofer, Piolie, Mickael Bonfill, Max Base, Peter Rowlands (변기호) (2022): python-pillow/Pillow: 9.1.1. Zenodo. Software. https://zenodo.org/record/6557874

Authors: Hugo van Kemenade (Nord Software) ; Andrew Murray ; wiredfool ; Jeffrey A. Clark, "Alex" (ACLARK.NET, LLC) ; Alexander Karpinsky (Uploadcare) ; Ondrej Baranovič ; Christoph Gohlke (University of California, Irvine) ; Jon Dufresne (Pioneer Valley Books) ; DWesl ; David Schmidt ; Konstantin Kopachev (@groupninemedia) ; Alastair Houghton (@apple) ; Sandro Mani (@sourcepole) ; Steve Landey (Asana, but not on this account) ; vashek ; Josh Ware (Primary Health Care Ltd) ; Jason Douglas (Step Mobile) ; Stanislau T. ; David Caro ; Uriel Martinez (You-i Lab) ; Steve Kossouho ; Riley Lahd ; Antony Lee ; Eric W. Brown (Iotopia Solutions, Inc.) ; Oliver Tonnhofer (Omniscale) ; Piolie ; Mickael Bonfill (@Unity-Technologies) ; Max Base (@GitHub Open Source Maintainer) ; Peter Rowlands (변기호) ;

Links

Summary

This release addresses several security problems.

CVE-2022-30595: When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow.

Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a SyntaxError instead, in turn raising a PIL.UnidentifiedImageError.

More information

  • DOI: 10.5281/zenodo.6557874

Dates

  • Publication date: 2022
  • Issued: May 17, 2022

Rights

  • info:eu-repo/semantics/openAccess Open Access

Much of the data past this point we don't have good examples of yet. Please share in #rdi slack if you have good examples for anything that appears below. Thanks!

Format

electronic resource

Relateditems

DescriptionItem typeRelationshipUri
IsSupplementTohttps://github.com/python-pillow/Pillow/tree/9.1.1
IsVersionOfhttps://doi.org/10.5281/zenodo.596518
IsPartOfhttps://zenodo.org/communities/zenodo