Backfill release notes with security fix details #7864

Closed
aclark4life opened this issue Mar 8, 2024 · 0 comments · Fixed by #7877

aclark4life commented Mar 8, 2024

In #1015 @homm wisely noted that CHANGES.rst is full of "one liners" and that sometimes more detail is needed, which led to the addition of release notes in #1032 corresponding with Pillow 2.7, which was the current release at the time, thus formally implementing the procedure of adding release notes to every release since.

Fast forward to now and I've noticed that it's hard to find a comprehensive list of all security fixes with details including corresponding CVEs because prior to the release of Pillow 2.7 they are only listed in CHANGES.rst where very little detail is included.

So, I'm planning to backfill the release notes with the entire history of Pillow security fixes with details gathered from CHANGES.rst, git log and various CVE databases. This has to be done with some care so as to avoid providing confusing or even incorrect details about Pillow's security history.

For example, starting with Pillow 2.3.1 we have this commit:

commit 1e331e3e6a40141ca8eee4f5da9f74e895423b66
Author: wiredfool <eric-github@soroos.net>
Date:   Fri Mar 14 15:56:41 2014 -0700
    
    Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059

And these details from NIST:

CVE-2014-1932

The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.

CVE-2014-1933

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

Accordingly, to begin, I'll create docs/releasenotes/2.3.1.rst and add this information to it. Then I'll repeat the process for all releases between 2.3 and the present that contain security fixes. Some but not all security fixes from 2.7 to the present are already listed in release notes, but I want to confirm that.

For example here's all the CVEs from CHANGES.rst:

And here's all CVEs mentioned in the release notes:

  • docs/releasenotes/10.0.0.rst::cve:2023-44271: To protect against potential DOS attacks when using arbitrary strings as text
  • docs/releasenotes/10.0.1.rst:This release addresses :cve:2023-4863, by providing an updated install script and
  • docs/releasenotes/10.2.0.rst::cve:2023-50447: If an attacker has control over the keys passed to the
  • docs/releasenotes/3.1.1.rst:CVE-2016-0740 -- Buffer overflow in TiffDecode.c
  • docs/releasenotes/3.1.1.rst:may overflow a buffer when reading a specially crafted tiff file (:cve:2016-0740).
  • docs/releasenotes/3.1.1.rst:CVE-2016-0775 -- Buffer overflow in FliDecode.c
  • docs/releasenotes/3.1.1.rst:release, FliDecode.c has a buffer overflow error (:cve:2016-0775).
  • docs/releasenotes/3.1.1.rst:CVE-2016-2533 -- Buffer overflow in PcdDecode.c
  • docs/releasenotes/3.1.1.rst:release, PcdDecode.c has a buffer overflow error (:cve:2016-2533).
  • docs/releasenotes/3.1.2.rst:CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
  • docs/releasenotes/3.1.2.rst:corruption (:cve:2016-3076).
  • docs/releasenotes/6.2.0.rst::cve:2019-16865. The CVE is regarding DOS problems, such as consuming large
  • docs/releasenotes/6.2.2.rst::cve:2019-19911 is regarding FPX images. If an image reports that it has a large
  • docs/releasenotes/6.2.2.rst:Buffer overruns were found when processing an SGI (:cve:2020-5311),
  • docs/releasenotes/6.2.2.rst:PCX (:cve:2020-5312) or FLI image (:cve:2020-5313). Checks have been added
  • docs/releasenotes/6.2.2.rst::cve:2020-5310: Overflow checks have been added when calculating the size of a
  • docs/releasenotes/7.1.0.rst:* :cve:2020-10177 Fix multiple out-of-bounds reads in FLI decoding
  • docs/releasenotes/7.1.0.rst:* :cve:2020-10378 Fix bounds overflow in PCX decoding
  • docs/releasenotes/7.1.0.rst:* :cve:2020-10379 Fix two buffer overflows in TIFF decoding
  • docs/releasenotes/7.1.0.rst:* :cve:2020-10994 Fix bounds overflow in JPEG 2000 decoding
  • docs/releasenotes/7.1.0.rst:* :cve:2020-11538 Fix buffer overflow in SGI-RLE decoding
  • docs/releasenotes/8.0.1.rst:Update FreeType used in binary wheels to 2.10.4_ to fix :cve:2020-15999:
  • docs/releasenotes/8.1.0.rst:vulnerability introduced in FreeType 2.6 (:cve:2020-15999).
  • docs/releasenotes/8.1.0.rst:* :cve:2020-35653 Buffer read overrun in PCX decoding
  • docs/releasenotes/8.1.0.rst:* :cve:2020-35654 Fix TIFF out-of-bounds write error
  • docs/releasenotes/8.1.0.rst:* :cve:2020-35655 Fix for SGI Decode buffer overrun
  • docs/releasenotes/8.1.1.rst::cve:2021-25289: The previous fix for :cve:2020-35654 was insufficient
  • docs/releasenotes/8.1.1.rst::cve:2021-25290: In TiffDecode.c, there is a negative-offset memcpy
  • docs/releasenotes/8.1.1.rst::cve:2021-25291: In TiffDecode.c, invalid tile boundaries could lead to
  • docs/releasenotes/8.1.1.rst::cve:2021-25292: The PDF parser has a catastrophic backtracking regex
  • docs/releasenotes/8.1.1.rst::cve:2021-25293: There is an out-of-bounds read in SgiRleDecode.c,
  • docs/releasenotes/8.1.2.rst:There is an exhaustion of memory DOS in the BLP (:cve:2021-27921),
  • docs/releasenotes/8.1.2.rst:ICNS (:cve:2021-27922) and ICO (:cve:2021-27923) container formats
  • docs/releasenotes/8.2.0.rst::cve:2021-25287, :cve:2021-25288: Fix OOB read in Jpeg2KDecode
  • docs/releasenotes/8.2.0.rst::cve:2021-28675: Fix DOS in PsdImagePlugin
  • docs/releasenotes/8.2.0.rst::cve:2021-28676: Fix FLI DOS
  • docs/releasenotes/8.2.0.rst::cve:2021-28677: Fix EPS DOS on _open
  • docs/releasenotes/8.2.0.rst::cve:2021-28678: Fix BLP DOS
  • docs/releasenotes/8.3.0.rst:This release addresses :cve:2021-34552. PIL since 1.1.4 and Pillow since 1.0
  • docs/releasenotes/8.3.2.rst:* :cve:2021-23437: Avoid a potential ReDoS (regular expression denial of service)
  • docs/releasenotes/9.0.0.rst:vulnerability introduced in FreeType 2.6 (:cve:2020-15999).
  • docs/releasenotes/9.0.0.rst::cve:2022-22817: To limit :py:class:PIL.ImageMath to working with images, Pillow
  • docs/releasenotes/9.0.0.rst::cve:2022-22815 (:cwe:126) and :cve:2022-22816 (:cwe:665) were
  • docs/releasenotes/9.0.1.rst::cve:2022-24303: If the path to the temporary directory on Linux or macOS
  • docs/releasenotes/9.0.1.rst::cve:2022-22817: While Pillow 9.0 restricted top-level builtins available to
  • docs/releasenotes/9.1.1.rst::cve:2022-30595: When reading a TGA file with RLE packets that cross scan lines,

And here's all the CVEs mentioned in git log along with line numbers:

If you have any comments/questions/concerns please add them here!
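The cross-check described in the issue (CVEs in CHANGES.rst and the git log versus CVEs in docs/releasenotes/*.rst) can be automated. The script below is an added example, not code from the issue or from the Pillow repository. It assumes the file layout the issue names (CHANGES.rst and docs/releasenotes/*.rst at the repository root), accepts both the plain `CVE-YYYY-NNNN` spelling and the Sphinx `:cve:` role that the release notes use, and ships with constructed sample inputs so it runs offline; the sample CHANGES, commit and release-note text is invented for illustration and is not the real file content.

```python
"""
Cross-reference CVE identifiers between CHANGES.rst, the git log and
docs/releasenotes/*.rst and report the ones that have no release note yet.
Added example, not Pillow project code; file names and sample text are assumptions.
"""
import re
import subprocess
from collections import defaultdict
from pathlib import Path

# Plain "CVE-2014-1932" and the Sphinx role ":cve:`2014-1932`" (rendered as
# ":cve:2014-1932" on the issue page) both normalize to "CVE-2014-1932".
CVE_RE = re.compile(r"(?:CVE-|:cve:`?)(\d{4}-\d{4,})", re.IGNORECASE)


def extract_cves(text: str) -> set[str]:
    """Return every CVE id in text as 'CVE-YYYY-NNNN', deduplicated."""
    return {f"CVE-{m.group(1)}" for m in CVE_RE.finditer(text)}


def index_release_notes(notes: dict[str, str]) -> dict[str, set[str]]:
    """Map each CVE id to the set of release-note files that mention it."""
    index: dict[str, set[str]] = defaultdict(set)
    for filename, text in notes.items():
        for cve in extract_cves(text):
            index[cve].add(filename)
    return dict(index)


def missing_from_release_notes(changes: str, git_log: str,
                               notes: dict[str, str]) -> dict[str, set[str]]:
    """
    CVEs mentioned in CHANGES.rst or in commit messages but in no release
    note, each mapped to the source(s) that mention it so the gap is traceable.
    """
    sources = {"CHANGES.rst": extract_cves(changes), "git log": extract_cves(git_log)}
    documented = set(index_release_notes(notes))
    missing: dict[str, set[str]] = defaultdict(set)
    for source, cves in sources.items():
        for cve in cves - documented:
            missing[cve].add(source)
    return dict(missing)


def load_repo(repo: Path) -> tuple[str, str, dict[str, str]]:
    """Read the real inputs from a checkout (paths are assumptions, see lead-in)."""
    changes = (repo / "CHANGES.rst").read_text(encoding="utf-8")
    git_log = subprocess.run(
        ["git", "-C", str(repo), "log", "--format=%H %s%n%b"],
        check=True, capture_output=True, text=True).stdout
    notes = {str(p.relative_to(repo)): p.read_text(encoding="utf-8")
             for p in sorted((repo / "docs" / "releasenotes").glob("*.rst"))}
    return changes, git_log, notes


# Constructed sample inputs (not the real files) so the script runs offline.
SAMPLE_CHANGES = """\
2.3.1 (2014-03-14)
------------------
- Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)

3.1.1 (2016-02-04)
------------------
- Fixed buffer overflow in TiffDecode.c, CVE-2016-0740
"""

SAMPLE_GIT_LOG = """\
1e331e3 Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059
abc1234 Fix for CVE-2014-3589 (constructed sample commit)
"""

SAMPLE_NOTES = {
    "docs/releasenotes/2.3.2.rst": "Security\n--------\n\n:cve:`2014-3589`: constructed sample\n",
    "docs/releasenotes/3.1.1.rst": "CVE-2016-0740 -- Buffer overflow in TiffDecode.c\n"
                                   "... crafted tiff file (:cve:`2016-0740`).\n",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python cve_gaps.py /path/to/checkout
        changes, git_log, notes = load_repo(Path(sys.argv[1]))
    else:
        changes, git_log, notes = SAMPLE_CHANGES, SAMPLE_GIT_LOG, SAMPLE_NOTES
    for cve, where in sorted(missing_from_release_notes(changes, git_log, notes).items()):
        print(f"{cve}: mentioned in {', '.join(sorted(where))} but in no release note")
```

Run with no arguments it reports the two constructed tempfile CVEs as undocumented; run with a repository path it reads the real CHANGES.rst, commit messages and release notes. Because the matcher normalizes the role form and the plain form to one id, a CVE that is only mentioned as `:cve:` in a note still counts as documented, which is the case for most of the release-note lines quoted above.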

aclark4life added a commit that referenced this issue Mar 13, 2024
Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template
aclark4life added a commit that referenced this issue Mar 14, 2024
- Include CVE link in title (via @hugovk)
- Retro-add release notes for 2.3.2, 2.5.2 for CVE-2014-3589
aclark4life added a commit that referenced this issue Mar 14, 2024
- Back fill release notes for 3.1.1
- Add credits to 2.3.2, 2.5.2
aclark4life added a commit that referenced this issue Mar 14, 2024
- Restore accidentally overwritten contents
- Update to match updated template
aclark4life added a commit that referenced this issue Mar 15, 2024
- Categorized previously uncategorized notes under ``Other Changes``
- TODO: Fix categorization of notes in ``Other Changes`` that belong in other categories