stephenmcd / mezzanine

CMS framework for Django

Home Page: http://mezzanine.jupo.org

Pillow pinned to insecure version

gherkz opened this issue · comments

The current pinning of Pillow >= 7, <8 results in an insecure version of Pillow being used:

$ pipenv check
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
40264: pillow <8.0.1 resolved (7.2.0 installed)!
Pillow 8.0.1 updates FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.

40265: pillow <8.1.0 resolved (7.2.0 installed)!
Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175.

40270: pillow <8.1.0 resolved (7.2.0 installed)!
Pillow 8.1.0 includes a fix for Read Overflow in PCX Decoding. CVE-2020-35653 #5174.

40271: pillow <8.1.0 resolved (7.2.0 installed)!
Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173.

40266: pillow <8.1.1 resolved (7.2.0 installed)!
Pillow 8.1.1 uses more specific regex chars to prevent ReDoS. CVE-2021-25292.

40272: pillow <8.1.1 resolved (7.2.0 installed)!
Pillow 8.1.1 fixes OOB Read in TiffDecode.c, and checks the tile validity before reading. CVE-2021-25291.

40273: pillow <8.1.1 resolved (7.2.0 installed)!
Pillow 8.1.1 fixes OOB read in SgiRleDecode.c. CVE-2021-25293.

40274: pillow <8.1.1 resolved (7.2.0 installed)!
Pillow 8.1.1 fixes incorrect error code checking in TiffDecode.c. CVE-2021-25289.

40275: pillow <8.1.1 resolved (7.2.0 installed)!
Pillow 8.1.1 fixes negative size read in TiffDecode.c. CVE-2021-25290.

40263: pillow <8.1.2 resolved (7.2.0 installed)!
Pillow 8.1.2 fixes memory DOS in BLP Image Plugin (CVE-2021-27921).

40267: pillow <8.1.2 resolved (7.2.0 installed)!
Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).

40268: pillow <8.1.2 resolved (7.2.0 installed)!
Pillow 8.1.2 fixes memory DOS in ICO Image Plugin (CVE-2021-27923).

40269: pillow <8.1.2 resolved (7.2.0 installed)!
Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).

I'm not sure if Pillow really needs to be pinned to <8, although I understand why it would have been previously. 1ae2b1b introduced this when converting to setup.cfg and pytest, and I assume it was pinned to <8 because pillow version 8 wasn't released at the time of 1ae2b1b.

I suspect the latest Pillow will probably work fine, but I can't seem to run the tests so can't confirm. I'll make a PR regardless, and can rebase it if necessary.
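As an added example (not code from the Mezzanine project or from the issue author), the following stdlib-only script re-derives the finding above from the advisories quoted in the pipenv output: it tests whether a pin like `Pillow >= 7, <8` can ever resolve to a release that clears every listed advisory, and mirrors the safety-style check of listing the advisories that cover a given installed version. The advisory table is constructed from the `pipenv check` lines in the issue (safety id, vulnerable range, CVE); the specifier parser is deliberately minimal (only `>=`, `>`, `<=`, `<`, `==`, no PEP 440 wildcards or `!=`) so it runs without the `packaging` package.

```python
"""Does a version pin still admit a release that clears all known advisories?

Added example, not part of Mezzanine. ADVISORIES is constructed from the
pipenv check output quoted in the issue; the pin ">= 7, <8" is the one the
issue reports.
"""
import re
from typing import List, Tuple

# (safety id, vulnerable range, CVE) as printed by `pipenv check` in the issue.
ADVISORIES = [
    ("40264", "<8.0.1", "CVE-2020-15999"),
    ("40265", "<8.1.0", "CVE-2020-35654"),
    ("40270", "<8.1.0", "CVE-2020-35653"),
    ("40271", "<8.1.0", "CVE-2020-35655"),
    ("40266", "<8.1.1", "CVE-2021-25292"),
    ("40272", "<8.1.1", "CVE-2021-25291"),
    ("40273", "<8.1.1", "CVE-2021-25293"),
    ("40274", "<8.1.1", "CVE-2021-25289"),
    ("40275", "<8.1.1", "CVE-2021-25290"),
    ("40263", "<8.1.2", "CVE-2021-27921"),
    ("40267", "<8.1.2", "CVE-2021-27922"),
    ("40268", "<8.1.2", "CVE-2021-27923"),
]

Version = Tuple[int, ...]
_SPEC_RE = re.compile(r"\s*(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*")
_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "==": lambda c: c == 0,
}


def parse_version(text: str) -> Version:
    """'8.1.2' -> (8, 1, 2); only dotted integer releases are supported."""
    return tuple(int(part) for part in text.strip().split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare with zero padding, so (8,) == (8, 0, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_spec(spec: str) -> List[Tuple[str, Version]]:
    """'>= 7, <8' -> [('>=', (7,)), ('<', (8,))]."""
    clauses = []
    for clause in spec.split(","):
        match = _SPEC_RE.fullmatch(clause)
        if not match:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def allows(spec: str, version: str) -> bool:
    """True if `version` satisfies every clause of `spec`."""
    v = parse_version(version)
    return all(_OPS[op](compare(v, bound)) for op, bound in parse_spec(spec))


def advisories_for(installed: str) -> List[str]:
    """Safety-style check: CVEs whose vulnerable range contains `installed`."""
    return [cve for _id, vuln_range, cve in ADVISORIES if allows(vuln_range, installed)]


def minimum_fixed_version() -> str:
    """Smallest version outside every advisory's range (all ranges are '<fix')."""
    best = None
    for _id, vuln_range, _cve in ADVISORIES:
        (op, bound), = parse_spec(vuln_range)
        assert op == "<", "only '<fix' style advisories are handled here"
        if best is None or compare(bound, best) > 0:
            best = bound
    return ".".join(str(part) for part in best)


def pin_admits_fixed_release(pin: str) -> bool:
    """Can `pin` resolve to a release that clears every advisory?

    Every advisory is '<fix', so any version >= max(fix) is clean. If the pin
    rejects that version and also carries an upper bound, no clean release is
    reachable; without an upper bound a later release could still be selected.
    """
    fixed = minimum_fixed_version()
    if allows(pin, fixed):
        return True
    has_upper_bound = any(op in ("<", "<=", "==") for op, _ in parse_spec(pin))
    return not has_upper_bound


if __name__ == "__main__":
    pin = ">= 7, <8"  # the range reported in the issue
    print(f"advisories matching Pillow 7.2.0: {advisories_for('7.2.0')}")
    print(f"minimum clean release: {minimum_fixed_version()}")
    print(f"pin {pin!r} admits a clean release: {pin_admits_fixed_release(pin)}")
```

Running this against the issue's pin reports that no release satisfying `>= 7, <8` is free of the listed advisories, which is the structural point: an upper bound chosen for compatibility silently caps the fixes a downstream `pip install` can ever pick up, so a pin like this needs a review trigger (a scheduled `pipenv check` or `pip-audit` run) rather than a one-time decision.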

Fixed in 721847e.

Thanks @jerivas!