Build(deps): [security] bump pillow from 9.4.0 to 10.0.1
Bumps pillow from 9.4.0 to 10.0.1. This update includes security fixes.
Vulnerabilities fixed
Pillow Denial of Service vulnerability
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Patched versions: 10.0.0
Affected versions: >= 0, < 10.0.0
Bundled libwebp in Pillow vulnerable
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
Patched versions: 10.0.1
Affected versions: < 10.0.1
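The two advisories above have different fix versions: 10.0.0 closes the ImageFont text-length DoS, but only 10.0.1 replaces the vulnerable bundled libwebp, so a pin of 10.0.0 is still exposed. The script below, an added example that is not part of this PR or of Pillow, checks exact `pillow==` pins from a requirements file against both ranges and, if Pillow is importable, reports the installed version, the libwebp it was built against (via `PIL.features.version("webp")`) and the `ImageFont.MAX_STRING_LENGTH` limit introduced in 10.0.0. Version ordering is a deliberate simplification (release numbers only, no PEP 440 pre-release handling), and the requirements text is constructed for illustration.

```python
"""Audit pinned Pillow versions against the two advisories in this bump.

Added example, not part of the Dependabot PR or of Pillow itself. The
affected ranges are taken from the advisory text above; the requirements
text below is constructed for illustration.
"""
import re

# Fix versions as stated in the advisories above; a release below the
# fix version is affected.
ADVISORIES = {
    "ImageFont textlength DoS (fixed in 10.0.0)": (10, 0, 0),
    "bundled libwebp CVE-2023-5129 (fixed in 10.0.1)": (10, 0, 1),
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(version):
    """Return the numeric release segment of a version as a 3-tuple.

    Only the dotted release numbers are compared ("10.0.1" -> (10, 0, 1));
    pre-release or local suffixes such as "10.0.1rc1" are ignored. This is
    a simplification of PEP 440 ordering, not a full implementation.
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def unpatched(version):
    """Names of the advisories that still apply to the given Pillow version."""
    release = parse_release(version)
    return [name for name, fixed_in in ADVISORIES.items() if release < fixed_in]


_PIN_RE = re.compile(r"^\s*pillow\s*==\s*([^\s;#]+)", re.IGNORECASE)


def audit_requirements(text):
    """Map each exact 'pillow==X' pin in requirements text to its open advisories.

    Lines that are not exact pins (ranges, other packages, comments) are
    skipped, since only an exact version can be checked against a fixed range.
    """
    result = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            result[m.group(1)] = unpatched(m.group(1))
    return result


def installed_status():
    """Report the installed Pillow, its bundled libwebp and the string limit.

    Returns None when Pillow is not importable. PIL.features.version("webp")
    reports the libwebp the wheel was built against; after this bump it
    should read 1.3.2, matching the release notes.
    """
    try:
        import PIL
        from PIL import ImageFont, features
    except ImportError:
        return None
    return {
        "pillow": PIL.__version__,
        "libwebp": features.version("webp"),
        # Added in 10.0.0; absent on older releases, hence the getattr.
        "max_string_length": getattr(ImageFont, "MAX_STRING_LENGTH", None),
        "unpatched": unpatched(PIL.__version__),
    }


# Constructed sample: the pin this PR replaces, the intermediate release,
# and the target of the bump.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pillow==9.4.0      # before this PR: both advisories open
Pillow==10.0.0     # fixes the ImageFont DoS, libwebp advisory still open
pillow==10.0.1     # target of this bump
pillow>=9.0        # not an exact pin, skipped
"""

if __name__ == "__main__":
    for pin, open_advisories in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"pillow=={pin}: {open_advisories or 'no open advisories'}")
    print(installed_status())
```

Run it in the environment that installs the lock file: the requirements audit works offline, and the `installed_status()` line confirms that the wheel actually in use reports libwebp 1.3.2 rather than trusting the pin alone.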
Release notes
Sourced from pillow's releases.
10.0.1
https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html
Changes
- Updated libwebp to 1.3.2 #7395 [@radarhere]
- Updated zlib to 1.3 #7344 [@radarhere]
10.0.0
https://pillow.readthedocs.io/en/stable/releasenotes/10.0.0.html
Changes
- Fixed deallocating mask images #7246 [@radarhere]
- Added ImageFont.MAX_STRING_LENGTH #7244 [@radarhere]
- Fix Windows build with pyproject.toml #7230 [@nulano]
- Do not close provided file handles with libtiff #7199 [@radarhere]
- Convert to HSV if mode is HSV in getcolor() #7226 [@radarhere]
- Added alpha_only argument to getbbox() #7123 [@radarhere]
- Prioritise speed in repr_png #7242 [@radarhere]
- Limit size even if one dimension is zero in decompression bomb check #7235 [@radarhere]
- Restored 32-bit support #7234 [@radarhere]
- Removed deleted file from codecov.yml and increased coverage threshold #7232 [@radarhere]
- Removed support for 32-bit #7228 [@radarhere]
- Use --config-settings instead of deprecated --global-option #7171 [@radarhere]
- Better C integer definitions #6645 [@Yay295]
- Fixed finding dependencies on Cygwin #7175 [@radarhere]
- Improved checks in font_render #7218 [@radarhere]
- Change grabclipboard() to use PNG compression on macOS #7219 [@abey79]
- Added PyPy 3.10 and removed PyPy 3.8 #7216 [@radarhere]
- Added in_place argument to ImageOps.exif_transpose() #7092 [@radarhere]
- Corrected error code #7177 [@radarhere]
- Use "not in" #7174 [@radarhere]
- Only call text_layout once in getmask2 #7206 [@radarhere]
- Fixed calling putpalette() on L and LA images before load() #7187 [@radarhere]
- Removed unused INT64 definition #7180 [@radarhere]
- Updated xz to 5.4.3 #7136 [@radarhere]
- Fixed saving TIFF multiframe images with LONG8 tag types #7078 [@radarhere]
- Do not set size unnecessarily if image fails to open #7056 [@radarhere]
- Removed unused code #7210 [@radarhere]
- Removed unused variables #7205 [@radarhere]
- Fixed signedness comparison warning #7203 [@radarhere]
- Fixed combining single duration across duplicate APNG frames #7146 [@radarhere]
- Remove temporary file when error is raised #7148 [@radarhere]
- Do not use temporary file when grabbing clipboard on Linux #7200 [@radarhere]
- If the clipboard fails to open on Windows, wait and try again #7141 [@radarhere]
- Fixed saving multiple 1 mode frames to GIF #7181 [@radarhere]
- Replaced absolute PIL import with relative import #7173 [@radarhere]
- Removed files and types override #7194 [@radarhere]
... (truncated)
Changelog
Sourced from pillow's changelog.
10.0.1 (2023-09-15)
10.0.0 (2023-07-01)
- Fixed deallocating mask images #7246 [radarhere]
- Added ImageFont.MAX_STRING_LENGTH #7244 [radarhere, hugovk]
- Fix Windows build with pyproject.toml #7230 [hugovk, nulano, radarhere]
- Do not close provided file handles with libtiff #7199 [radarhere]
- Convert to HSV if mode is HSV in getcolor() #7226 [radarhere]
- Added alpha_only argument to getbbox() #7123 [radarhere, hugovk]
- Prioritise speed in repr_png #7242 [radarhere]
- Do not use CFFI access by default on PyPy #7236 [radarhere]
- Limit size even if one dimension is zero in decompression bomb check #7235 [radarhere]
- Use --config-settings instead of deprecated --global-option #7171 [radarhere]
- Better C integer definitions #6645 [Yay295, hugovk]
- Fixed finding dependencies on Cygwin #7175 [radarhere]
- Changed grabclipboard() to use PNG instead of JPG compression on macOS #7219 [abey79, radarhere]
... (truncated)
Commits
- e34d346 Updated order
- a62f240 10.0.1 version bump
- d50250d Added release notes for 10.0.1
- b4c7d4b Update CHANGES.rst [ci skip]
- 730f746 Updated libwebp to 1.3.2
- b0e2804 Updated zlib to 1.3
- 6e28ed1 10.0.0 version bump
- c827f3b Merge pull request #7246 from radarhere/deallocate
- 39a3b1d Fixed deallocating mask images
- 8c1dc81 Update CHANGES.rst [ci skip]
- Additional commits viewable in compare view