Commit
Upgrade the Python Pillow package to 10.2.0 following the Dependabot alert. This package affects the other reportlab and rst2pdf packages, which were also upgraded in this commit.

Dependabot alerts:

"< 10.0.0": Pillow Denial of Service vulnerability. An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

"< 10.0.1":
- Bundled libwebp in Pillow vulnerable. Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
- libwebp: OOB write in BuildHuffmanTable. Heap buffer overflow in libwebp allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

"< 10.2.0": Arbitrary Code Execution in Pillow. Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Signed-off-by: Evgeny Semenov <[email protected]>
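The alert text above gives three fix thresholds (10.0.0, 10.0.1, 10.2.0). The following is an added example, not code from this repository or from Pillow, that reads a requirements.txt pin for Pillow and reports which of the listed advisories still apply to it, so a reviewer can confirm that an upgrade commit like this one actually clears every alert. The advisory thresholds and CVE ids are copied from the commit message; the sample requirements content and the function names are constructed for the example.

```python
"""Audit a requirements.txt Pillow pin against the advisories quoted in the
commit message. Added example, not part of the repository's code; the
thresholds below are copied from the Dependabot alert text."""
import re

# (fixed_in_version, description): a Pillow version strictly below the
# first element is affected. Descriptions/CVE ids as given in the alert text.
ADVISORIES = [
    ((10, 0, 0), "Denial of Service: ImageFont truetype / ImageDraw.textlength on long text"),
    ((10, 0, 1), "Bundled libwebp vulnerable to CVE-2023-5129 (previously CVE-2023-4863)"),
    ((10, 2, 0), "Arbitrary Code Execution via PIL.ImageMath.eval environment parameter"),
]


def parse_version(text):
    """Turn '10.0.1' (or '9.5.0.post1') into a comparable tuple of the leading
    integer components, padded to three places so '10' sorts like '10.0.0'."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component (e.g. 'post1')
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def find_pillow_pin(requirements_text):
    """Return the '=='-pinned Pillow version from requirements.txt content as a
    tuple, or None when Pillow is absent or not pinned exactly."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"(?i)^pillow\s*==\s*([0-9][0-9A-Za-z.\-]*)", line)
        if m:
            return parse_version(m.group(1))
    return None


def applicable_advisories(version):
    """List advisory descriptions whose fix version is above `version`."""
    return [desc for fixed_in, desc in ADVISORIES if version < fixed_in]


def audit(requirements_text):
    """None when no exact Pillow pin is found; otherwise the advisories that
    still apply to the pinned version (empty list means all three are fixed)."""
    pin = find_pillow_pin(requirements_text)
    if pin is None:
        return None
    return applicable_advisories(pin)


# Constructed sample inputs (not the repository's real requirements files).
SAMPLE_BEFORE = """\
# constructed requirements file from before the upgrade
Pillow==9.5.0  # pinned below all three fix versions
"""
SAMPLE_AFTER = "Pillow==10.2.0\n"

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = audit(text)
        print(label, "->", hits if hits else "no listed advisories apply")
```

Running the module prints the three advisories for the 9.5.0 pin and none for 10.2.0; a pin of 10.0.0 or 10.0.1 would still report the later entries, which is why the commit message lists all three thresholds rather than only the first.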