Pillow: Question regarding CVE-2019-16865

Created on 7 Oct 2019 · 2Comments · Source: python-pillow/Pillow

Hi,
I am looking at CVE-2019-16865 [0] reported as fixed with the new 6.2 release, but the information about it is quite limited and I could not find a specific mention in git log. In addition the Changelog does not seem to mention anything specifically security related.

Would it be possible to elaborate a bit about the issue and maybe point to a commit fixing the issue ?

Thanks in advance!

[0] https://nvd.nist.gov/vuln/detail/CVE-2019-16865

Question

Source

rfrohl

Most helpful comment

@hugovk Thanks for the quick answer!

rfrohl on 7 Oct 2019

👍2

All 2 comments

Hi, it's the changes from these PRs:

https://github.com/python-pillow/Pillow/pull/4101 "Corrected negative seeks"
https://github.com/python-pillow/Pillow/pull/4102 "Added decompression bomb checks"
https://github.com/python-pillow/Pillow/pull/4103 "Catch buffer overruns"
https://github.com/python-pillow/Pillow/pull/4104 "Raise error if TIFF dimension is a string"

hugovk on 7 Oct 2019

👍2

@hugovk Thanks for the quick answer!

rfrohl on 7 Oct 2019

👍2

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Unexpected, additional outline in ImageDraw.ellipse, even for outline=None

HansHirse · 3Comments

Truncated progressive JPEGs do not load

vytisb · 4Comments

Pillow 6.2.2 and 7.0.0 jpg save

mmalenta · 3Comments

Grayscale PNG image incorrectly converted to RGB

nomarek · 3Comments

ImageFont.getsize() doesn't account for newlines

Larivact · 4Comments