Commit
Upgrade the Python Pillow package to 10.2.0 per the Dependabot alert. This package affects other packages: PyYAML, reportlab and rst2pdf, which were also upgraded in this commit.

**Dependabot alerts**

*< 10.0.0*: Pillow Denial of Service vulnerability. An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

*< 10.0.1*:
- Bundled libwebp in Pillow vulnerable. Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
- libwebp: OOB write in BuildHuffmanTable. Heap buffer overflow in libwebp allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.

*< 10.2.0*: Arbitrary Code Execution in Pillow. Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
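An added example, not part of the original commit or the project's code: a small standard-library script that reads a requirements file, finds the Pillow pin, and reports which of the three advisory floors quoted above (10.0.0, 10.0.1, 10.2.0) still apply to it. The advisory summaries are taken from the commit message; the sample requirements content is constructed for this example, and the parser assumes plain `name==version` lines (no extras or environment markers).

```python
"""Audit a requirements.txt for Pillow pins that predate the advisories
listed in the commit message (fixed in 10.0.0, 10.0.1 and 10.2.0).

Added example; not part of the original commit. Uses only the standard
library and treats anything other than an exact '==' pin as unverifiable.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed-version floors and summaries copied from the Dependabot alerts
# quoted in the commit message.
PILLOW_ADVISORIES: List[Tuple[str, str]] = [
    ("10.0.0", "Denial of Service: ImageFont truetype / ImageDraw.textlength "
               "on a long text argument allocates memory uncontrollably"),
    ("10.0.1", "Bundled libwebp vulnerable to CVE-2023-5129 (OOB write in "
               "BuildHuffmanTable); fixed by bundling libwebp v1.3.2"),
    ("10.2.0", "PIL.ImageMath.eval arbitrary code execution via the "
               "environment parameter (distinct from CVE-2022-22817)"),
]

# Matches 'name', 'name==1.2.3', 'name >= 1.2' and similar. Extras and
# environment markers are deliberately not handled (assumption: plain pins).
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|<|>)?\s*([0-9][0-9A-Za-z.\-]*)?"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'10.0.1' -> (10, 0, 1); '10' -> (10, 0, 0). Trailing non-numeric
    segments (post/dev tags) are ignored for this coarse comparison."""
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def parse_requirement(line: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (normalised_name, operator, version), or None for blank/comment lines."""
    bare = line.split("#", 1)[0].strip()
    if not bare:
        return None
    match = _REQ_RE.match(bare)
    if match is None:
        return None
    name, op, ver = match.groups()
    return name.lower().replace("_", "-"), op, ver


def applicable_advisories(version: str) -> List[Tuple[str, str]]:
    """Advisories whose fixed version is strictly newer than `version`."""
    installed = parse_version(version)
    return [(fixed, summary) for fixed, summary in PILLOW_ADVISORIES
            if installed < parse_version(fixed)]


def audit_requirements(text: str) -> Dict[str, object]:
    """Find the Pillow line and classify it.

    status: 'ok' | 'vulnerable' | 'unpinned' | 'missing'
    """
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None or parsed[0] != "pillow":
            continue
        _, op, ver = parsed
        if op != "==" or ver is None:
            # Ranges and bare names cannot be audited statically; flag for review.
            return {"status": "unpinned", "spec": raw.strip(), "advisories": []}
        advisories = applicable_advisories(ver)
        return {"status": "vulnerable" if advisories else "ok",
                "version": ver, "advisories": advisories}
    return {"status": "missing", "advisories": []}


# Constructed sample input; not the repository's actual requirements file.
SAMPLE_REQUIREMENTS = """\
# pre-upgrade pins (constructed for this example)
PyYAML==6.0.1
Pillow==10.1.0
reportlab==4.0.8
rst2pdf==0.101
"""

if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    print(f"Pillow status: {report['status']}")
    for fixed, summary in report["advisories"]:
        print(f"  fixed in {fixed}: {summary}")
```

With the sample pin of 10.1.0 only the 10.2.0 floor (ImageMath.eval) is reported; a pin below 10.0.0 would list all three. Unpinned or range specifications are reported as `unpinned` rather than guessed at, since what gets installed then depends on the resolver.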