From 851626e1b58070da23f925b28ce77dddbbd37eb8 Mon Sep 17 00:00:00 2001 From: Evgeny Semenov Date: Mon, 29 Jan 2024 15:27:54 +0000 Subject: [PATCH] doc: Security update by Dependabot Upgrade the Python Pillow package to 10.2.0 by the Dependabot alert. This package affects on other reportlab and rst2pdf packages, which were also upgraded in this commit. Dependabot alerts: "< 10.0.0": Pillow Denial of Service vulnerability. An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. "< 10.0.1": - Bundled libwebp in Pillow vulnerable. Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2. - libwebp: OOB write in BuildHuffmanTable. Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page. "< 10.2.0": Arbitrary Code Execution in Pillow. Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). Signed-off-by: Evgeny Semenov --- doc/requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/requirements.txt b/doc/requirements.txt index f0d622b9..05f51bd3 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -9,13 +9,13 @@ importlib-metadata==6.0.0 Jinja2==3.1.2 MarkupSafe==2.1.1 packaging==23.0 -Pillow==9.4.0 +Pillow==10.2.0 Pygments==2.14.0 pytz==2022.7.1 PyYAML==6.0.1 -reportlab==3.6.12 +reportlab==4.0.9 requests==2.28.2 -rst2pdf==0.99 +rst2pdf==0.101 smartypants==2.0.1 snowballstemmer==2.2.0 Sphinx==5.3.0
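Review bot: the hunk in doc/requirements.txt moves three pins at once (`-Pillow==9.4.0` / `+Pillow==10.2.0`, `-reportlab==3.6.12` / `+reportlab==4.0.9`, `-rst2pdf==0.99` / `+rst2pdf==0.101`), and Pillow and reportlab both cross a major version while Sphinx stays at 5.3.0, yet neither the hunk nor the message records that the PDF documentation build was actually run with the new set; please state in the commit message that the doc build (Sphinx 5.3.0 with rst2pdf 0.101 and reportlab 4.0.9) succeeds, or, if reportlab/rst2pdf did not have to move to satisfy Pillow 10.2.0, bump only Pillow so the security fix is not coupled to unrelated upgrades. Since the motivation is a supply-chain advisory about vulnerable libwebp binaries bundled in Pillow wheels, consider also adding `--hash=sha256:<digest>` entries for the pins (for example via `pip-compile --generate-hashes`) so that pip's hash-checking mode rejects a substituted or tampered wheel; plain `==` pins only fix the version string, not the artifact.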