Clean up for #7864

Before back fill, clean up.

- Add suggested CVE format to template
- Move Security to the top of release notes
- Fix headings
- Update all existing CVE notes to match template

docs/releasenotes/10.0.0.rst

@@ -1,6 +1,35 @@
 10.0.0
 ------
 
+Security
+========
+
+Limit size even if one dimension is zero
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When performing decompression bomb checks, Pillow did not reject images with
+excessive width and zero height, or zero width and excessive height. That has
+now been fixed.
+
+This effectively dates to the PIL fork, since problem images would still have
+been processed before Pillow started checking for decompression bombs.
+
+Fix CVE-2023-44271
+^^^^^^^^^^^^^^^^^^
+
+Added ImageFont.MAX_STRING_LENGTH.
+
+.. note:: More information about this vulnerability included in database record :cve:`2023-44271`
+
+To protect against potential DOS attacks when using arbitrary strings as text
+input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
+passed into ImageFont methods is over a certain limit,
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
+
+This threshold can be changed by setting
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
+``ImageFont.MAX_STRING_LENGTH = None``.
+
 Backwards Incompatible Changes
 ==============================
 
@@ -157,31 +186,6 @@ Added ``alpha_only`` argument to ``getbbox()``
 and the image has an alpha channel, trim transparent pixels. Otherwise, trim
 pixels when all channels are zero.
 
-Security
-========
-
-Limit size even if one dimension is zero
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-When performing decompression bomb checks, Pillow did not reject images with
-excessive width and zero height, or zero width and excessive height. That has
-now been fixed.
-
-This effectively dates to the PIL fork, since problem images would still have
-been processed before Pillow started checking for decompression bombs.
-
-Added ImageFont.MAX_STRING_LENGTH
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:cve:`2023-44271`: To protect against potential DOS attacks when using arbitrary strings as text
-input, Pillow will now raise a :py:exc:`ValueError` if the number of characters
-passed into ImageFont methods is over a certain limit,
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
-
-This threshold can be changed by setting
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It can be disabled by setting
-``ImageFont.MAX_STRING_LENGTH = None``.
-
 Other Changes
 =============
 

docs/releasenotes/10.0.1.rst

@@ -4,9 +4,15 @@
 Security
 ========
 
-This release addresses :cve:`2023-4863`, by providing an updated install script and
-updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow
-in WebP.
+Fix CVE-2023-4863
+^^^^^^^^^^^^^^^^^
+
+Updated install script and wheels with libwebp 1.3.2
+
+.. note:: More information about this vulnerability included in database record :cve:`2023-4863`
+
+This release provides an updated install script and updated wheels to
+include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP.
 
 Updated tests to pass with latest zlib version
 ==============================================

docs/releasenotes/10.2.0.rst

@@ -1,6 +1,42 @@
 10.2.0
 ------
 
+Security
+========
+
+ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To protect against potential DOS attacks when using arbitrary strings as text input,
+Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
+:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
+:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
+
+This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
+can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
+
+A decompression bomb check has also been added to
+:py:meth:`PIL.ImageFont.ImageFont.getmask`.
+
+ImageFont.getmask: Trim glyph size
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To protect against potential DOS attacks when using PIL fonts,
+:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
+they do not extend beyond the bitmap image.
+
+Fix CVE-2023-50447
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ImageMath.eval: Restricted environment keys.
+
+.. note:: More information about this vulnerability included in database record :cve:`2023-50447`
+
+If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
+
 Deprecations
 ============
 
@@ -63,38 +99,6 @@ JPEG tables-only streamtype
 When saving JPEG files, ``streamtype`` can now be set to 1, for tables-only. This will
 output only the quantization and Huffman tables for the image.
 
-Security
-========
-
-ImageFont.getmask: Applied ImageFont.MAX_STRING_LENGTH
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To protect against potential DOS attacks when using arbitrary strings as text input,
-Pillow will now raise a :py:exc:`ValueError` if the number of characters passed into
-:py:meth:`PIL.ImageFont.ImageFont.getmask` is over a certain limit,
-:py:data:`PIL.ImageFont.MAX_STRING_LENGTH`.
-
-This threshold can be changed by setting :py:data:`PIL.ImageFont.MAX_STRING_LENGTH`. It
-can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
-
-A decompression bomb check has also been added to
-:py:meth:`PIL.ImageFont.ImageFont.getmask`.
-
-ImageFont.getmask: Trim glyph size
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-To protect against potential DOS attacks when using PIL fonts,
-:py:class:`PIL.ImageFont.ImageFont` now trims the size of individual glyphs so that
-they do not extend beyond the bitmap image.
-
-ImageMath.eval: Restricted environment keys
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:cve:`2023-50447`: If an attacker has control over the keys passed to the
-``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
-arbitrary code. To prevent this, keys matching the names of builtins and keys
-containing double underscores will now raise a :py:exc:`ValueError`.
-
 Other Changes
 =============
 

docs/releasenotes/3.1.1.rst

@@ -1,12 +1,19 @@
-
 3.1.1
-=====
+-----
+
+Security
+========
+
+Fix CVE-2016-0740
+^^^^^^^^^^^^^^^^^
+
+Buffer overflow in TiffDecode.c.
 
-CVE-2016-0740 -- Buffer overflow in TiffDecode.c
-------------------------------------------------
+.. note:: More information about this vulnerability included in database record :cve:`2016-0740`
 
-Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
-may overflow a buffer when reading a specially crafted tiff file (:cve:`2016-0740`).
+Pillow 3.1.0 and earlier when linked against
+libtiff >= 4.0.0 on x64 may overflow a buffer when reading a
+specially crafted tiff file. 
 
 Specifically, libtiff >= 4.0.0 changed the return type of
 ``TIFFScanlineSize`` from ``int32`` to machine dependent
@@ -19,12 +26,15 @@ image data over 64k is written over the heap, causing a segfault.
 
 This issue was found by security researcher FourOne.
 
+Fix CVE-2016-0775
+^^^^^^^^^^^^^^^^^
 
-CVE-2016-0775 -- Buffer overflow in FliDecode.c
------------------------------------------------
+Buffer overflow in FliDecode.c.
 
-In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, FliDecode.c has a buffer overflow error (:cve:`2016-0775`).
+.. note:: More information about this vulnerability included in database record :cve:`2016-0775`
+
+In all versions of Pillow, dating back at least to
+the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error. 
 
 Around line 192:
 
@@ -49,11 +59,15 @@ off the end of the memory buffer, causing a segfault.
 
 This issue was found by Alyssa Besseling at Atlassian.
 
-CVE-2016-2533 -- Buffer overflow in PcdDecode.c
------------------------------------------------
+Fix CVE-2016-2533
+^^^^^^^^^^^^^^^^^
+
+Buffer overflow in PcdDecode.c.
+
+.. note:: More information about this vulnerability available in :cve:`2016-2533`
 
-In all versions of Pillow, dating back at least to the last PIL 1.1.7
-release, ``PcdDecode.c`` has a buffer overflow error (:cve:`2016-2533`).
+In all versions of Pillow, dating back at least to the
+last PIL 1.1.7 release, ``PcdDecode.c`` has a buffer overflow error. 
 
 The ``state.buffer`` for ``PcdDecode.c`` is allocated based on a 3
 bytes per pixel sizing, where ``PcdDecode.c`` wrote into the buffer
@@ -62,7 +76,7 @@ the buffer into other Python object storage. In some cases, this
 causes a segfault, in others an internal Python malloc error.
 
 Integer overflow in Resample.c
-------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 If a large value was passed into the new size for an image, it is
 possible to overflow an ``int32`` value passed into malloc.

docs/releasenotes/3.1.2.rst

@@ -1,13 +1,19 @@
-
 3.1.2
-=====
+-----
+
+Security
+========
+
+Fix CVE-2016-3076
+^^^^^^^^^^^^^^^^^
+
+Buffer overflow in Jpeg2KEncode.c.
 
-CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c
---------------------------------------------------
+.. note:: More information about this vulnerability included in database record :cve:`2016-3076`
 
-Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
-large Jpeg2000 files, allowing for code execution or other memory
-corruption (:cve:`2016-3076`).
+Pillow between 2.5.0 and 3.1.1 may overflow a buffer
+when writing large Jpeg2000 files, allowing for code execution or other
+memory corruption. 
 
 This occurs specifically in the function ``j2k_encode_entry``, at the line:
 

docs/releasenotes/6.2.0.rst

@@ -1,6 +1,38 @@
 6.2.0
 -----
 
+Security
+========
+
+This release catches several buffer overruns and fixes CVE-2019-16865.
+
+Buffer overruns
+^^^^^^^^^^^^^^^
+
+In RawDecode.c, an error is now thrown if skip is calculated to be less than
+zero. It is intended to skip padding between lines, not to go backwards.
+
+In PsdImagePlugin, if the combined sizes of the individual parts is larger than
+the declared size of the extra data field, then it looked for the next layer by
+seeking backwards. This is now corrected by seeking to (the start of the layer
++ the size of the extra data field) instead of (the read parts of the layer +
+the rest of the layer).
+
+Decompression bomb checks have been added to GIF and ICO formats.
+
+An error is now raised if a TIFF dimension is a string, rather than trying to
+perform operations on it.
+
+Fix CVE-2019-16865
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+DOS attack vulnerabilities.
+
+.. note:: More information about this vulnerability included in database record :cve:`2019-16865`
+
+The CVE is regarding DOS problems, such as consuming large
+amounts of memory, or taking a large amount of time to process an image.
+
 API Additions
 =============
 
@@ -65,27 +97,6 @@ There has been a longstanding warning that the defaults of ``Image.frombuffer``
 may change in the future for the "raw" decoder. The change will now take place
 in Pillow 7.0.
 
-Security
-========
-
-This release catches several buffer overruns, as well as addressing
-:cve:`2019-16865`. The CVE is regarding DOS problems, such as consuming large
-amounts of memory, or taking a large amount of time to process an image.
-
-In RawDecode.c, an error is now thrown if skip is calculated to be less than
-zero. It is intended to skip padding between lines, not to go backwards.
-
-In PsdImagePlugin, if the combined sizes of the individual parts is larger than
-the declared size of the extra data field, then it looked for the next layer by
-seeking backwards. This is now corrected by seeking to (the start of the layer
-+ the size of the extra data field) instead of (the read parts of the layer +
-the rest of the layer).
-
-Decompression bomb checks have been added to GIF and ICO formats.
-
-An error is now raised if a TIFF dimension is a string, rather than trying to
-perform operations on it.
-
 Other Changes
 =============