
doc: Security update by Dependabot #592

Merged
merged 2 commits into from
Feb 28, 2024

Conversation

qwersem
Collaborator

@qwersem qwersem commented Jan 23, 2024

Upgrade the Python Pillow package to 10.2.0 by the Dependabot alert. This package affects other packages: PyYAML, reportlab and rst2pdf, which were also upgraded in this commit.

@qwersem qwersem self-assigned this Jan 23, 2024
@qwersem qwersem marked this pull request as draft January 24, 2024 16:28
@qwersem qwersem force-pushed the semenov-upgrade-py-pillow-pkg branch from de88a07 to cd1ccec Compare January 24, 2024 17:13
@qwersem qwersem marked this pull request as ready for review January 24, 2024 17:17
@qwersem qwersem requested review from kolerov and abrodkin January 24, 2024 17:17
Member

@abrodkin abrodkin left a comment


Looks good to me, though adding information on how that change was verified is much appreciated.

@qwersem qwersem marked this pull request as draft January 29, 2024 12:44
PyYAML 6.0.0 is broken with cython 3, so this package is upgraded to 6.0.1, see yaml/pyyaml#724 (comment).

Signed-off-by: Evgeny Semenov <[email protected]>
Upgrade the Python Pillow package to 10.2.0 by the Dependabot alert. This package affects the reportlab and rst2pdf packages, which were also upgraded in this commit.

Dependabot alerts:
"< 10.0.0": Pillow Denial of Service vulnerability. An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
"< 10.0.1":
	- Bundled libwebp in Pillow vulnerable. Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
	- libwebp: OOB write in BuildHuffmanTable. Heap buffer overflow in libwebp allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.
"< 10.2.0": Arbitrary Code Execution in Pillow. Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Signed-off-by: Evgeny Semenov <[email protected]>
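The reviewer asked how the change was verified. As an added illustration (not part of this PR or the repository), the script below takes the vulnerable ranges quoted from the Dependabot alerts in the commit message above, plus the PyYAML floor of 6.0.1, and checks a pinned requirements list against them; the sample pin lists are constructed, and the range matcher accepts more operators than the "< X.Y.Z" form the alerts use.

```python
import re
from typing import Dict, List, Tuple

# Vulnerable ranges copied from the Dependabot alerts quoted in the commit
# message above, plus the PyYAML floor the PR adopts because 6.0.0 is broken
# with Cython 3 (yaml/pyyaml#724). Dependabot only uses "< X.Y.Z" here.
ALERTS: Dict[str, List[Tuple[str, str]]] = {
    "pillow": [
        ("< 10.0.0", "ImageFont/ImageDraw.textlength denial of service"),
        ("< 10.0.1", "bundled libwebp vulnerable to CVE-2023-5129"),
        ("< 10.2.0", "PIL.ImageMath.eval code execution via 'environment'"),
    ],
    "pyyaml": [("< 6.0.1", "build failure with Cython 3 (yaml/pyyaml#724)")],
}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        "==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
        ">": lambda a, b: a > b}

def parse_version(text: str) -> Tuple[int, ...]:
    """'10.2.0' -> (10, 2, 0); short versions are padded so '6.0' == '6.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def version_matches(installed: str, spec: str) -> bool:
    """True if `installed` falls inside the range `spec`, e.g. '< 10.0.1'."""
    m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported range specifier: {spec!r}")
    return _OPS[m.group(1)](parse_version(installed), parse_version(m.group(2)))

def affected_alerts(package: str, installed: str) -> List[str]:
    """Titles of every alert whose range still covers the installed version."""
    return [title for spec, title in ALERTS.get(package.lower(), [])
            if version_matches(installed, spec)]

def audit_pins(requirements: str) -> Dict[str, List[str]]:
    """Check 'name==version' pins; return {name: [open alerts]} for failures."""
    report: Dict[str, List[str]] = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # blank, comment-only or unpinned line
        name, version = (s.strip() for s in line.split("==", 1))
        if hits := affected_alerts(name, version):
            report[name.lower()] = hits
    return report

SAMPLE_BEFORE = "Pillow==9.5.0\nPyYAML==6.0  # pre-upgrade\n"  # constructed sample
SAMPLE_AFTER = "Pillow==10.2.0\nPyYAML==6.0.1\n"  # constructed sample
```

Running `audit_pins(SAMPLE_BEFORE)` lists three open Pillow alerts and the PyYAML floor; `audit_pins(SAMPLE_AFTER)` returns an empty dict once the versions the PR settles on are pinned.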
@qwersem qwersem force-pushed the semenov-upgrade-py-pillow-pkg branch 6 times, most recently from 747211f to 851626e Compare January 29, 2024 16:22
@qwersem qwersem marked this pull request as ready for review January 29, 2024 16:23
@qwersem qwersem merged commit 8e1ca51 into arc-releases Feb 28, 2024
2 checks passed
@qwersem qwersem deleted the semenov-upgrade-py-pillow-pkg branch February 28, 2024 16:44