search

softboiler / boilercv

Computer vision routines suitable for nucleate pool boiling bubble analysis
https://softboiler.org/boilercv/
MIT License
0 stars 2 forks source link

Update dependency pillow to v10.3.0 [SECURITY] - autoclosed #200

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 4 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pillow (changelog) ==10.0.0 -> ==10.3.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-4863

Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2023-50447

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

GHSA-56pw-mpj4-fxww

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

CVE-2024-28219

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Release Notes

python-pillow/Pillow (pillow) ### [`v10.3.0`](https://togithub.com/python-pillow/Pillow/blob/HEAD/CHANGES.rst#1030-2024-04-01) [Compare Source](https://togithub.com/python-pillow/Pillow/compare/10.2.0...10.3.0) - CVE-2024-28219: Use `strncpy` to avoid buffer overflow [#​7928](https://togithub.com/python-pillow/Pillow/issues/7928) \[radarhere, hugovk] - Deprecate `eval()`, replacing it with `lambda_eval()` and `unsafe_eval()` [#​7927](https://togithub.com/python-pillow/Pillow/issues/7927) \[radarhere, hugovk] - Raise `ValueError` if seeking to greater than offset-sized integer in TIFF [#​7883](https://togithub.com/python-pillow/Pillow/issues/7883) \[radarhere] - Add `--report` argument to `__main__.py` to omit supported formats [#​7818](https://togithub.com/python-pillow/Pillow/issues/7818) \[nulano, radarhere, hugovk] - Added RGB to I;16, I;16L, I;16B and I;16N conversion [#​7918](https://togithub.com/python-pillow/Pillow/issues/7918), [#​7920](https://togithub.com/python-pillow/Pillow/issues/7920) \[radarhere] - Fix editable installation with custom build backend and configuration options [#​7658](https://togithub.com/python-pillow/Pillow/issues/7658) \[nulano, radarhere] - Fix putdata() for I;16N on big-endian [#​7209](https://togithub.com/python-pillow/Pillow/issues/7209) \[Yay295, hugovk, radarhere] - Determine MPO size from markers, not EXIF data [#​7884](https://togithub.com/python-pillow/Pillow/issues/7884) \[radarhere] - Improved conversion from RGB to RGBa, LA and La [#​7888](https://togithub.com/python-pillow/Pillow/issues/7888) \[radarhere] - Support FITS images with GZIP\_1 compression [#​7894](https://togithub.com/python-pillow/Pillow/issues/7894) \[radarhere] - Use I;16 mode for 9-bit JPEG 2000 images [#​7900](https://togithub.com/python-pillow/Pillow/issues/7900) \[scaramallion, radarhere] - Raise ValueError if kmeans is negative [#​7891](https://togithub.com/python-pillow/Pillow/issues/7891) \[radarhere] - Remove TIFF tag OSUBFILETYPE when saving using libtiff [#​7893](https://togithub.com/python-pillow/Pillow/issues/7893) \[radarhere] - Raise ValueError for negative values when loading P1-P3 PPM images [#​7882](https://togithub.com/python-pillow/Pillow/issues/7882) \[radarhere] - Added reading of JPEG2000 palettes [#​7870](https://togithub.com/python-pillow/Pillow/issues/7870) \[radarhere] - Added alpha_quality argument when saving WebP images [#​7872](https://togithub.com/python-pillow/Pillow/issues/7872) \[radarhere] - Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions [#​7881](https://togithub.com/python-pillow/Pillow/issues/7881) \[radarhere] - Stop reading EPS image at EOF marker [#​7753](https://togithub.com/python-pillow/Pillow/issues/7753) \[radarhere] - PSD layer co-ordinates may be negative [#​7706](https://togithub.com/python-pillow/Pillow/issues/7706) \[radarhere] - Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer [#​7791](https://togithub.com/python-pillow/Pillow/issues/7791) \[radarhere] - When saving GIF frame that restores to background color, do not fill identical pixels [#​7788](https://togithub.com/python-pillow/Pillow/issues/7788) \[radarhere] - Fixed reading PNG iCCP compression method [#​7823](https://togithub.com/python-pillow/Pillow/issues/7823) \[radarhere] - Allow writing IFDRational to UNDEFINED tag [#​7840](https://togithub.com/python-pillow/Pillow/issues/7840) \[radarhere] - Fix logged tag name when loading Exif data [#​7842](https://togithub.com/python-pillow/Pillow/issues/7842) \[radarhere] - Use maximum frame size in IHDR chunk when saving APNG images [#​7821](https://togithub.com/python-pillow/Pillow/issues/7821) \[radarhere] - Prevent opening P TGA images without a palette [#​7797](https://togithub.com/python-pillow/Pillow/issues/7797) \[radarhere] - Use palette when loading ICO images [#​7798](https://togithub.com/python-pillow/Pillow/issues/7798) \[radarhere] - Use consistent arguments for load_read and load_seek [#​7713](https://togithub.com/python-pillow/Pillow/issues/7713) \[radarhere] - Turn off nullability warnings for macOS SDK [#​7827](https://togithub.com/python-pillow/Pillow/issues/7827) \[radarhere] - Fix shift-sign issue in Convert.c [#​7838](https://togithub.com/python-pillow/Pillow/issues/7838) \[r-barnes, radarhere] - Open 16-bit grayscale PNGs as I;16 [#​7849](https://togithub.com/python-pillow/Pillow/issues/7849) \[radarhere] - Handle truncated chunks at the end of PNG images [#​7709](https://togithub.com/python-pillow/Pillow/issues/7709) \[lajiyuan, radarhere] - Match mask size to pasted image size in GifImagePlugin [#​7779](https://togithub.com/python-pillow/Pillow/issues/7779) \[radarhere] - Release GIL while calling `WebPAnimDecoderGetNext` [#​7782](https://togithub.com/python-pillow/Pillow/issues/7782) \[evanmiller, radarhere] - Fixed reading FLI/FLC images with a prefix chunk [#​7804](https://togithub.com/python-pillow/Pillow/issues/7804) \[twolife] - Update wl-paste handling and return None for some errors in grabclipboard() on Linux [#​7745](https://togithub.com/python-pillow/Pillow/issues/7745) \[nik012003, radarhere] - Remove execute bit from `setup.py` [#​7760](https://togithub.com/python-pillow/Pillow/issues/7760) \[hugovk] - Do not support using test-image-results to upload images after test failures [#​7739](https://togithub.com/python-pillow/Pillow/issues/7739) \[radarhere] - Changed ImageMath.ops to be static [#​7721](https://togithub.com/python-pillow/Pillow/issues/7721) \[radarhere] - Fix APNG info after seeking backwards more than twice [#​7701](https://togithub.com/python-pillow/Pillow/issues/7701) \[esoma, radarhere] - Deprecate ImageCms constants and versions() function [#​7702](https://togithub.com/python-pillow/Pillow/issues/7702) \[nulano, radarhere] - Added PerspectiveTransform [#​7699](https://togithub.com/python-pillow/Pillow/issues/7699) \[radarhere] - Add support for reading and writing grayscale PFM images [#​7696](https://togithub.com/python-pillow/Pillow/issues/7696) \[nulano, hugovk] - Add LCMS2 flags to ImageCms [#​7676](https://togithub.com/python-pillow/Pillow/issues/7676) \[nulano, radarhere, hugovk] - Rename x64 to AMD64 in winbuild [#​7693](https://togithub.com/python-pillow/Pillow/issues/7693) \[nulano] ### [`v10.2.0`](https://togithub.com/python-pillow/Pillow/blob/HEAD/CHANGES.rst#1020-2024-01-02) [Compare Source](https://togithub.com/python-pillow/Pillow/compare/10.1.0...10.2.0) - Add `keep_rgb` option when saving JPEG to prevent conversion of RGB colorspace [#​7553](https://togithub.com/python-pillow/Pillow/issues/7553) \[bgilbert, radarhere] - Trim glyph size in ImageFont.getmask() [#​7669](https://togithub.com/python-pillow/Pillow/issues/7669), [#​7672](https://togithub.com/python-pillow/Pillow/issues/7672) \[radarhere, nulano] - Deprecate IptcImagePlugin helpers [#​7664](https://togithub.com/python-pillow/Pillow/issues/7664) \[nulano, hugovk, radarhere] - Allow uncompressed TIFF images to be saved in chunks [#​7650](https://togithub.com/python-pillow/Pillow/issues/7650) \[radarhere] - Concatenate multiple JPEG EXIF markers [#​7496](https://togithub.com/python-pillow/Pillow/issues/7496) \[radarhere] - Changed IPTC tile tuple to match other plugins [#​7661](https://togithub.com/python-pillow/Pillow/issues/7661) \[radarhere] - Do not assign new fp attribute when exiting context manager [#​7566](https://togithub.com/python-pillow/Pillow/issues/7566) \[radarhere] - Support arbitrary masks for uncompressed RGB DDS images [#​7589](https://togithub.com/python-pillow/Pillow/issues/7589) \[radarhere, akx] - Support setting ROWSPERSTRIP tag [#​7654](https://togithub.com/python-pillow/Pillow/issues/7654) \[radarhere] - Apply ImageFont.MAX_STRING_LENGTH to ImageFont.getmask() [#​7662](https://togithub.com/python-pillow/Pillow/issues/7662) \[radarhere] - Optimise `ImageColor` using `functools.lru_cache` [#​7657](https://togithub.com/python-pillow/Pillow/issues/7657) \[hugovk] - Restricted environment keys for ImageMath.eval() [#​7655](https://togithub.com/python-pillow/Pillow/issues/7655) \[wiredfool, radarhere] - Optimise `ImageMode.getmode` using `functools.lru_cache` [#​7641](https://togithub.com/python-pillow/Pillow/issues/7641) \[hugovk, radarhere] - Fix incorrect color blending for overlapping glyphs [#​7497](https://togithub.com/python-pillow/Pillow/issues/7497) \[ZachNagengast, nulano, radarhere] - Attempt memory mapping when tile args is a string [#​7565](https://togithub.com/python-pillow/Pillow/issues/7565) \[radarhere] - Fill identical pixels with transparency in subsequent frames when saving GIF [#​7568](https://togithub.com/python-pillow/Pillow/issues/7568) \[radarhere] - Corrected duration when combining multiple GIF frames into single frame [#​7521](https://togithub.com/python-pillow/Pillow/issues/7521) \[radarhere] - Handle disposing GIF background from outside palette [#​7515](https://togithub.com/python-pillow/Pillow/issues/7515) \[radarhere] - Seek past the data when skipping a PSD layer [#​7483](https://togithub.com/python-pillow/Pillow/issues/7483) \[radarhere] - Import plugins relative to the module [#​7576](https://togithub.com/python-pillow/Pillow/issues/7576) \[deliangyang, jaxx0n] - Translate encoder error codes to strings; deprecate `ImageFile.raise_oserror()` [#​7609](https://togithub.com/python-pillow/Pillow/issues/7609) \[bgilbert, radarhere] - Support reading BC4U and DX10 BC1 images [#​6486](https://togithub.com/python-pillow/Pillow/issues/6486) \[REDxEYE, radarhere, hugovk] - Optimize ImageStat.Stat.extrema [#​7593](https://togithub.com/python-pillow/Pillow/issues/7593) \[florath, radarhere] - Handle pathlib.Path in FreeTypeFont [#​7578](https://togithub.com/python-pillow/Pillow/issues/7578) \[radarhere, hugovk, nulano] - Added support for reading DX10 BC4 DDS images [#​7603](https://togithub.com/python-pillow/Pillow/issues/7603) \[sambvfx, radarhere] - Optimized ImageStat.Stat.count [#​7599](https://togithub.com/python-pillow/Pillow/issues/7599) \[florath] - Correct PDF palette size when saving [#​7555](https://togithub.com/python-pillow/Pillow/issues/7555) \[radarhere] - Fixed closing file pointer with olefile 0.47 [#​7594](https://togithub.com/python-pillow/Pillow/issues/7594) \[radarhere] - Raise ValueError when TrueType font size is not greater than zero [#​7584](https://togithub.com/python-pillow/Pillow/issues/7584), [#​7587](https://togithub.com/python-pillow/Pillow/issues/7587) \[akx, radarhere] - If absent, do not try to close fp when closing image [#​7557](https://togithub.com/python-pillow/Pillow/issues/7557) \[RaphaelVRossi, radarhere] - Allow configuring JPEG restart marker interval on save [#​7488](https://togithub.com/python-pillow/Pillow/issues/7488) \[bgilbert, radarhere] - Decrement reference count for PyObject [#​7549](https://togithub.com/python-pillow/Pillow/issues/7549) \[radarhere] - Implement `streamtype=1` option for tables-only JPEG encoding [#​7491](https://togithub.com/python-pillow/Pillow/issues/7491) \[bgilbert, radarhere] - If save_all PNG only has one frame, do not create animated image [#​7522](https://togithub.com/python-pillow/Pillow/issues/7522) \[radarhere] - Fixed frombytes() for images with a zero dimension [#​7493](https://togithub.com/python-pillow/Pillow/issues/7493) \[radarhere] ### [`v10.1.0`](https://togithub.com/python-pillow/Pillow/blob/HEAD/CHANGES.rst#1010-2023-10-15) [Compare Source](https://togithub.com/python-pillow/Pillow/compare/10.0.1...10.1.0) - Added TrueType default font to allow for different sizes [#​7354](https://togithub.com/python-pillow/Pillow/issues/7354) \[radarhere] - Fixed invalid argument warning [#​7442](https://togithub.com/python-pillow/Pillow/issues/7442) \[radarhere] - Added ImageOps cover method [#​7412](https://togithub.com/python-pillow/Pillow/issues/7412) \[radarhere, hugovk] - Catch struct.error from truncated EXIF when reading JPEG DPI [#​7458](https://togithub.com/python-pillow/Pillow/issues/7458) \[radarhere] - Consider default image when selecting mode for PNG save_all [#​7437](https://togithub.com/python-pillow/Pillow/issues/7437) \[radarhere] - Support BGR;15, BGR;16 and BGR;24 access, unpacking and putdata [#​7303](https://togithub.com/python-pillow/Pillow/issues/7303) \[radarhere] - Added CMYK to RGB unpacker [#​7310](https://togithub.com/python-pillow/Pillow/issues/7310) \[radarhere] - Improved flexibility of XMP parsing [#​7274](https://togithub.com/python-pillow/Pillow/issues/7274) \[radarhere] - Support reading 8-bit YCbCr TIFF images [#​7415](https://togithub.com/python-pillow/Pillow/issues/7415) \[radarhere] - Allow saving I;16B images as PNG [#​7302](https://togithub.com/python-pillow/Pillow/issues/7302) \[radarhere] - Corrected drawing I;16 points and writing I;16 text [#​7257](https://togithub.com/python-pillow/Pillow/issues/7257) \[radarhere] - Set blue channel to 128 for BC5S [#​7413](https://togithub.com/python-pillow/Pillow/issues/7413) \[radarhere] - Increase flexibility when reading IPTC fields [#​7319](https://togithub.com/python-pillow/Pillow/issues/7319) \[radarhere] - Set C palette to be empty by default [#​7289](https://togithub.com/python-pillow/Pillow/issues/7289) \[radarhere] - Added gs_binary to control Ghostscript use on all platforms [#​7392](https://togithub.com/python-pillow/Pillow/issues/7392) \[radarhere] - Read bounding box information from the trailer of EPS files if specified [#​7382](https://togithub.com/python-pillow/Pillow/issues/7382) \[nopperl, radarhere] - Added reading 8-bit color DDS images [#​7426](https://togithub.com/python-pillow/Pillow/issues/7426) \[radarhere] - Added has_transparency_data [#​7420](https://togithub.com/python-pillow/Pillow/issues/7420) \[radarhere, hugovk] - Fixed bug when reading BC5S DDS images [#​7401](https://togithub.com/python-pillow/Pillow/issues/7401) \[radarhere] - Prevent TIFF orientation from being applied more than once [#​7383](https://togithub.com/python-pillow/Pillow/issues/7383) \[radarhere] - Use previous pixel alpha for QOI_OP_RGB [#​7357](https://togithub.com/python-pillow/Pillow/issues/7357) \[radarhere] - Added BC5U reading [#​7358](https://togithub.com/python-pillow/Pillow/issues/7358) \[radarhere] - Allow getpixel() to accept a list [#​7355](https://togithub.com/python-pillow/Pillow/issues/7355) \[radarhere, homm] - Allow GaussianBlur and BoxBlur to accept a sequence of x and y radii [#​7336](https://togithub.com/python-pillow/Pillow/issues/7336) \[radarhere] - Expand JPEG buffer size when saving optimized or progressive [#​7345](https://togithub.com/python-pillow/Pillow/issues/7345) \[radarhere] - Added session type check for Linux in ImageGrab.grabclipboard() [#​7332](https://togithub.com/python-pillow/Pillow/issues/7332) \[TheNooB2706, radarhere, hugovk] - Allow "loop=None" when saving GIF images [#​7329](https://togithub.com/python-pillow/Pillow/issues/7329) \[radarhere] - Fixed transparency when saving P mode images to PDF [#​7323](https://togithub.com/python-pillow/Pillow/issues/7323) \[radarhere] - Added saving LA images as PDFs [#​7299](https://togithub.com/python-pillow/Pillow/issues/7299) \[radarhere] - Set SMaskInData to 1 for PDFs with alpha [#​7316](https://togithub.com/python-pillow/Pillow/issues/7316), [#​7317](https://togithub.com/python-pillow/Pillow/issues/7317) \[radarhere] - Changed Image mode property to be read-only by default [#​7307](https://togithub.com/python-pillow/Pillow/issues/7307) \[radarhere] - Silence exceptions in *repr_jpeg* and *repr_png* [#​7266](https://togithub.com/python-pillow/Pillow/issues/7266) \[mtreinish, radarhere] - Do not use transparency when saving GIF if it has been removed when normalizing mode [#​7284](https://togithub.com/python-pillow/Pillow/issues/7284) \[radarhere] - Fix missing symbols when libtiff depends on libjpeg [#​7270](https://togithub.com/python-pillow/Pillow/issues/7270) \[heitbaum] ### [`v10.0.1`](https://togithub.com/python-pillow/Pillow/blob/HEAD/CHANGES.rst#1001-2023-09-15) [Compare Source](https://togithub.com/python-pillow/Pillow/compare/10.0.0...10.0.1) - Updated libwebp to 1.3.2 [#​7395](https://togithub.com/python-pillow/Pillow/issues/7395) \[radarhere] - Updated zlib to 1.3 [#​7344](https://togithub.com/python-pillow/Pillow/issues/7344) \[radarhere]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.