From 84f85b670425dbb89ba549ffdb7b70bceaacd52d Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:00:35 +1000 Subject: [PATCH 01/13] Add release notes for #9718 --- docs/releasenotes/12.2.0.rst | 2 +- docs/releasenotes/12.3.0.rst | 22 +++++++++++----------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/releasenotes/12.2.0.rst b/docs/releasenotes/12.2.0.rst index c03a2848237..f40819035fa 100644 --- a/docs/releasenotes/12.2.0.rst +++ b/docs/releasenotes/12.2.0.rst @@ -25,7 +25,7 @@ these checks did not consider integer overflow. This has been corrected. When parsing a PDF, if a trailer refers to itself, or a more complex cyclic loop exists, then an infinite loop occurs. Pillow now keeps a record of which trailers it -has already processed. PdfParser was added in Pillow 4.2.0. +has already processed. PdfParser was added in Pillow 5.1.0. :cve:`2026-42308`: Integer overflow when processing fonts ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 534f22b86d3..f9d5e61a0d3 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -4,10 +4,12 @@ Security ======== -TODO -^^^^ +Prevent decompression bomb when parsing PDF +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +When parsing a PDF, ``PdfStream.decode()`` attempts to decompress data without any +limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. PdfParser was added +in Pillow 5.1.0. :cve:`YYYY-XXXXX`: TODO ^^^^^^^^^^^^^^^^^^^^^^^ @@ -30,14 +32,6 @@ TODO TODO -API changes -=========== - -TODO -^^^^ - -TODO - API additions ============= 
@@ -51,6 +45,12 @@ default, images will be captured at 2x. If ``scale_down`` is ``True``, they will Previously, macOS screenshots with a ``bbox`` were captured at 1x by default. +Added ``max_length`` argument to ``PdfStream.decode()`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +When calling ``PdfStream.decode()``, the maximum length of data to decode can now be +specified. This will default to ``ImageFile.SAFEBLOCK``. + Other changes ============= From d0b7831c8a0f187882c2f62519b10797848eba12 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:06:29 +1000 Subject: [PATCH 02/13] Add release notes for #9692 --- docs/releasenotes/12.3.0.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index f9d5e61a0d3..57a8d3574ac 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -11,10 +11,12 @@ When parsing a PDF, ``PdfStream.decode()`` attempts to decompress data without a limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. PdfParser was added in Pillow 5.1.0. -:cve:`YYYY-XXXXX`: TODO -^^^^^^^^^^^^^^^^^^^^^^^ +:cve:`2026-55798`: WindowsViewer.get_command injection +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +If an attacker has control over the path passed to +ImageShow.WindowsViewer.get_command(), and the result is executed by the user, the +attacker may be able to execute arbitrary shell commands. Backwards incompatible changes ============================== From 525c4815601f25e8af000472ab87530327e733b5 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:10:45 +1000 Subject: [PATCH 03/13] Add release notes for #9708 --- docs/releasenotes/12.3.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 57a8d3574ac..e0afeab3cfb 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst 
@@ -18,6 +18,13 @@ If an attacker has control over the path passed to ImageShow.WindowsViewer.get_command(), and the result is executed by the user, the attacker may be able to execute arbitrary shell commands. +EpsImagePlugin infinite loop +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If a negative byte count is specified for the BeginBinary byte count, an infinite loop +is possible as Pillow seeks repeatedly backwards. This value will now be validated. +BeginBinary parsing was only added in Pillow 12.0.0. + Backwards incompatible changes ============================== From 76c6a71a100ffd7adc6f02976421ae48ecb3577d Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:20:58 +1000 Subject: [PATCH 04/13] Add release notes for #9704 --- docs/releasenotes/12.3.0.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index e0afeab3cfb..20baa8bb590 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -18,13 +18,20 @@ If an attacker has control over the path passed to ImageShow.WindowsViewer.get_command(), and the result is executed by the user, the attacker may be able to execute arbitrary shell commands. -EpsImagePlugin infinite loop -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +EPS image infinite loop +^^^^^^^^^^^^^^^^^^^^^^^ If a negative byte count is specified for the BeginBinary byte count, an infinite loop is possible as Pillow seeks repeatedly backwards. This value will now be validated. BeginBinary parsing was only added in Pillow 12.0.0. +JPEG2000 image memory usage +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The total component width was incorrectly accumulated across tiles within a JPEG2000 +image, potentially leading to excessive memory use. This was introduced as part of an +earlier security fix in Pillow 8.2.0, but has now been fixed. + Backwards incompatible changes ============================== From eb947e0591631c4cb9fa04f9e3c4248720fffdff Mon Sep 17 00:00:00 2001 
From: Andrew Murray Date: Tue, 30 Jun 2026 20:30:00 +1000 Subject: [PATCH 05/13] Add release notes for #9719 --- docs/releasenotes/12.3.0.rst | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 20baa8bb590..f4c173a89ae 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst 
@@ -9,44 +9,36 @@ Prevent decompression bomb when parsing PDF When parsing a PDF, ``PdfStream.decode()`` attempts to decompress data without any limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. PdfParser was added -in Pillow 5.1.0. +in Pillow 5.1.0. Reported by `redyank `__. :cve:`2026-55798`: WindowsViewer.get_command injection ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an attacker has control over the path passed to ImageShow.WindowsViewer.get_command(), and the result is executed by the user, the -attacker may be able to execute arbitrary shell commands. +attacker may be able to execute arbitrary shell commands. Reported by Bin Luo, +University of Electronic Science and Technology of China (luob87709@gmail.com). EPS image infinite loop ^^^^^^^^^^^^^^^^^^^^^^^ If a negative byte count is specified for the BeginBinary byte count, an infinite loop is possible as Pillow seeks repeatedly backwards. This value will now be validated. -BeginBinary parsing was only added in Pillow 12.0.0. +BeginBinary parsing was only added in Pillow 12.0.0. Reported by +`jiagongzheng-stack `__. JPEG2000 image memory usage ^^^^^^^^^^^^^^^^^^^^^^^^^^^ The total component width was incorrectly accumulated across tiles within a JPEG2000 image, potentially leading to excessive memory use. This was introduced as part of an -earlier security fix in Pillow 8.2.0, but has now been fixed. +earlier security fix in Pillow 8.2.0, but has now been fixed. Reported by Fr3v1. -Backwards incompatible changes -============================== +McIdas out-of-bounds (OOB) read +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO -^^^^ - -TODO - -Deprecations -============ - -TODO -^^^^ - -TODO +McIdas images can specify the stride, and if incorrectly set, may cause an OOB read. +This has been fixed. Reported by Devansh Shah, RUDRA Cybersecurity Pvt. Ltd. API additions ============= From ae5a594081cabef4793b54c7a3f1b00250b0fe11 Mon Sep 17 00:00:00 2001 
From: Andrew Murray Date: Tue, 30 Jun 2026 20:34:36 +1000 Subject: [PATCH 06/13] Add release notes for #9695 --- docs/releasenotes/12.3.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index f4c173a89ae..402198205ed 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -40,6 +40,13 @@ McIdas out-of-bounds (OOB) read McIdas images can specify the stride, and if incorrectly set, may cause an OOB read. This has been fixed. Reported by Devansh Shah, RUDRA Cybersecurity Pvt. Ltd. +Out-of-bounds (OOB) write from large RankFilter sizes +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +:py:class:`~PIL.ImageFilter.RankFilter`, and its subclasses, can potentially write +out-of-bounds if given a large size. This has been fixed. Reported by +`Seratov `__. + API additions ============= From a3ce69d28ae3d2eb35593fef98d5b1c9518a83b1 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:38:59 +1000 Subject: [PATCH 07/13] Add release notes for #9709 --- docs/releasenotes/12.3.0.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 402198205ed..3d691466fd4 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -47,6 +47,14 @@ Out-of-bounds (OOB) write from large RankFilter sizes out-of-bounds if given a large size. This has been fixed. Reported by `Seratov `__. +Out-of-bounds (OOB) read when saving 1 mode TGA images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Saving 1 mode images as TGA with run-length encoding can trigger an OOB read. This was +added in Pillow 5.2.0, but the functionality is not possible under the TGA +specification, so it has been removed. Reported by +`Seratov `__. + API additions ============= From 2bdba9e88af6db246f58bba4ab64b1f162dcb002 Mon Sep 17 00:00:00 2001 
From: Andrew Murray Date: Tue, 30 Jun 2026 20:45:44 +1000 Subject: [PATCH 08/13] Add release notes for #9711 --- docs/releasenotes/12.3.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 3d691466fd4..636e5369c8f 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -55,6 +55,13 @@ added in Pillow 5.2.0, but the functionality is not possible under the TGA specification, so it has been removed. Reported by `Seratov `__. +:cve:`2026-54059`, :cve:`2026-54060`, :cve:`2026-55379`: Prevent FontFile decompression bomb +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Decompression bomb checks have now been added to :py:class:`~PIL.FontFile.FontFile`, +and its subclasses, checking the width and height of characters. Reported by Rahul +Singh and Dinesh. + API additions ============= From 69b6c1a27c3d4fe1b2544c6d2898ffb1229e359b Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Tue, 30 Jun 2026 20:48:17 +1000 Subject: [PATCH 09/13] Add release notes for #9693 --- docs/releasenotes/12.3.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 636e5369c8f..9b8816f650d 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -62,6 +62,13 @@ Decompression bomb checks have now been added to :py:class:`~PIL.FontFile.FontFi and its subclasses, checking the width and height of characters. Reported by Rahul Singh and Dinesh. +:cve:`2026-55380`: Prevent GD decompression bomb +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A decompression bomb check has been added to :py:class:`~PIL.GdImageFile.GdImageFile`. +This is format must be explicitly called though, rather than being accessible from +``Image.open()``. Reported by Rahul Singh. + API additions ============= From 0669a537f31ee6a778189a19d63ea52df6f777aa Mon Sep 17 00:00:00 2001 
From: Andrew Murray Date: Tue, 30 Jun 2026 20:51:17 +1000 Subject: [PATCH 10/13] Add release notes for #9703 --- docs/releasenotes/12.3.0.rst | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 9b8816f650d..a8b8efe12e2 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -40,6 +40,14 @@ McIdas out-of-bounds (OOB) read McIdas images can specify the stride, and if incorrectly set, may cause an OOB read. This has been fixed. Reported by Devansh Shah, RUDRA Cybersecurity Pvt. Ltd. +Out-of-bounds (OOB) read when saving 1 mode TGA images +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Saving 1 mode images as TGA with run-length encoding can trigger an OOB read. This was +added in Pillow 5.2.0, but the functionality is not possible under the TGA +specification, so it has been removed. Reported by +`Seratov `__. + Out-of-bounds (OOB) write from large RankFilter sizes ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -47,12 +55,11 @@ Out-of-bounds (OOB) write from large RankFilter sizes out-of-bounds if given a large size. This has been fixed. Reported by `Seratov `__. -Out-of-bounds (OOB) read when saving 1 mode TGA images -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Out-of-bounds (OOB) write from ``Image.paste()`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Saving 1 mode images as TGA with run-length encoding can trigger an OOB read. This was -added in Pillow 5.2.0, but the functionality is not possible under the TGA -specification, so it has been removed. Reported by +Large paste box dimensions can cause an OOB write in ``Image.crop()``, +``Image.paste()`` and ``Image.alpha_composite()``. This has been fixed. Reported by `Seratov `__. :cve:`2026-54059`, :cve:`2026-54060`, :cve:`2026-55379`: Prevent FontFile decompression bomb From 7411e597b59c1f8aeaaee85203506559c5e63c94 Mon Sep 17 00:00:00 2001 
From: Andrew Murray Date: Tue, 30 Jun 2026 20:55:15 +1000 Subject: [PATCH 11/13] Add release notes for #9715 --- docs/releasenotes/12.3.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index a8b8efe12e2..922912d4114 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -62,6 +62,13 @@ Large paste box dimensions can cause an OOB write in ``Image.crop()``, ``Image.paste()`` and ``Image.alpha_composite()``. This has been fixed. Reported by `Seratov `__. +Out-of-bounds (OOB) write in ``ImageCmsTransform`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Apply a transform mode to a different image mode can trigger an OOB write in +``ImageCmsTransform``. Errors are now raised if the mode does not match. Reported by +`Seratov `__. + :cve:`2026-54059`, :cve:`2026-54060`, :cve:`2026-55379`: Prevent FontFile decompression bomb ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From 9c4eb57d0bbc6eddb88c2031bf7887809ef030d4 Mon Sep 17 00:00:00 2001 From: Andrew Murray <3112309+radarhere@users.noreply.github.com> Date: Wed, 1 Jul 2026 08:55:14 +1000 Subject: [PATCH 12/13] Apply suggestions from code review Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/12.3.0.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 922912d4114..1e8ce9eeab1 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst 
@@ -8,14 +8,14 @@ Prevent decompression bomb when parsing PDF ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When parsing a PDF, ``PdfStream.decode()`` attempts to decompress data without any -limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. PdfParser was added +limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. ``PdfParser`` was added in Pillow 5.1.0. Reported by `redyank `__. :cve:`2026-55798`: WindowsViewer.get_command injection ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If an attacker has control over the path passed to -ImageShow.WindowsViewer.get_command(), and the result is executed by the user, the +``ImageShow.WindowsViewer.get_command()``, and the result is executed by the user, the attacker may be able to execute arbitrary shell commands. Reported by Bin Luo, University of Electronic Science and Technology of China (luob87709@gmail.com). From 249253178e69f3d99aec2f3bc384c87bb7b6d20e Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Wed, 1 Jul 2026 09:20:16 +1000 Subject: [PATCH 13/13] Rearrange text --- docs/releasenotes/12.3.0.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/releasenotes/12.3.0.rst b/docs/releasenotes/12.3.0.rst index 1e8ce9eeab1..0699dfba66a 100644 --- a/docs/releasenotes/12.3.0.rst +++ b/docs/releasenotes/12.3.0.rst @@ -8,8 +8,8 @@ Prevent decompression bomb when parsing PDF ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ When parsing a PDF, ``PdfStream.decode()`` attempts to decompress data without any -limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. ``PdfParser`` was added -in Pillow 5.1.0. Reported by `redyank `__. +limit. A default maximum of ``ImageFile.SAFEBLOCK`` has been added. ``PdfParser`` was +added in Pillow 5.1.0. Reported by `redyank `__. :cve:`2026-55798`: WindowsViewer.get_command injection ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
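Review bot: the PATCH 01 hunk in ``docs/releasenotes/12.2.0.rst`` (@@ -25,7 +25,7 @@) corrects an already-published note, moving the ``PdfParser`` introduction from 4.2.0 to 5.1.0, which changes the affected-version range readers take from that entry; the new value agrees with the 5.1.0 stated in ``12.3.0.rst``, but the commit message "Add release notes for #9718" says nothing about the correction. Mention the version fix in the commit message (or split it into its own commit) so the change to the older release note is not overlooked.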
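Review bot: the PDF decompression bomb entry (PATCH 01, ``12.3.0.rst`` hunk @@ -4,10 +4,12 @@) says a default maximum of ``ImageFile.SAFEBLOCK`` has been added but not what happens when a stream exceeds it, which is what a reader assessing the upgrade needs to know. Suggest closing the paragraph with the new behaviour, for example "If the decompressed data would exceed this limit, an error is raised", if that is what #9718 does.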
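Review bot: the ``max_length`` API addition (PATCH 01, hunk @@ -51,6 +45,12 @@) does not say whether the limit applies to the compressed or the decompressed length, nor how a caller who trusts its input opts out. Since the Security entry describes it as a decompression limit, say so here, and document the value (``None``, if that is supported) that disables the cap and the exception raised when it is exceeded.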
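Review bot: the CVE-2026-55798 entry (PATCH 02, hunk @@ -11,10 +11,12 @@) describes the injection but, unlike every other Security entry in this file, not what changed: it never says whether the path is now validated, quoted or rejected. Add a sentence describing the fix from #9692 so users can tell whether the new behaviour affects how they call ``get_command()``. ``ImageShow.WindowsViewer.get_command()`` should also use inline literal markup like the other identifiers in the file (PATCH 12 later adds it).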
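Review bot: "If a negative byte count is specified for the BeginBinary byte count" (PATCH 03, hunk @@ -18,6 +18,13 @@) repeats "byte count" and reads awkwardly; suggest "If a negative value is specified for the BeginBinary byte count, ...". "This value will now be validated" should also state the outcome of validation, i.e. whether such a file is now rejected with an error.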
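Review bot: the JPEG2000 entry (PATCH 04, hunk @@ -18,13 +18,20 @@) leaves the reader to infer the affected versions from "introduced as part of an earlier security fix in Pillow 8.2.0"; state the range explicitly (8.2.0 up to the previous release) and drop "but has now been fixed", which the Security section already implies. "Potentially leading to excessive memory use" would be clearer as an impact statement, e.g. that a crafted multi-tile file can exhaust memory, if that matches #9704.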
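Review bot: the CVE-2026-55798 credit (PATCH 05, hunk @@ -9,44 +9,36 @@) embeds a personal email address (luob87709@gmail.com) in public documentation, while the other credits use a name or a profile link; confirm the reporter asked to be credited this way, otherwise drop the address. In the same hunk the reporter links (`redyank `__, `jiagongzheng-stack `__) show no URL between the name and the closing backticks, so check that the link targets are actually present, and "McIdas images can specify the stride, and if incorrectly set" should say what an invalid stride is and whether such files are now rejected.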
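Review bot: the RankFilter entry (PATCH 06, hunk @@ -40,6 +40,13 @@) says "can potentially write out-of-bounds if given a large size. This has been fixed." without saying what a caller passing a large size now gets; because the size comes from user code rather than from an image file, state whether an exception is raised or the size is capped, and name the subclasses the fix covers rather than "its subclasses".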
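Review bot: the TGA entry (PATCH 07, hunk @@ -47,6 +47,14 @@) records a removal of functionality ("so it has been removed") under Security only, while PATCH 05 deleted the "Backwards incompatible changes" section from this file. Existing callers saving 1 mode images as RLE TGA will see different behaviour, so add an entry under Backwards incompatible changes (or a sentence here) stating what now happens: an error, a fall-back to uncompressed output, or conversion to another mode.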
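Review bot: the FontFile entry (PATCH 08, hunk @@ -55,6 +55,13 @@) does not say what the new check compares the character width and height against or what it does when tripped; Pillow's other decompression bomb checks are known for a documented threshold and a warning or error, so state the limit (or the setting it reuses, e.g. ``Image.MAX_IMAGE_PIXELS`` if that is what #9711 uses) and the exception raised. A sentence mapping each of the three CVEs to the ``FontFile`` subclass it concerns would also help users triaging advisories.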
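Review bot: "This is format must be explicitly called though" (PATCH 09, hunk @@ -62,6 +62,13 @@) is ungrammatical; suggest "This format must be opened explicitly, though, rather than being accessible from ``Image.open()``." The point it makes, that exposure is limited because ``Image.open()`` never dispatches to ``GdImageFile``, is worth stating directly, e.g. "so only code that uses ``GdImageFile`` directly is affected."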
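Review bot: the new heading "Out-of-bounds (OOB) write from ``Image.paste()``" (PATCH 10, hunk @@ -47,12 +55,11 @@) is narrower than its body, which lists ``Image.crop()``, ``Image.paste()`` and ``Image.alpha_composite()``; a reader scanning headings for ``crop`` would miss it. Suggest "Out-of-bounds (OOB) write from large box dimensions" or listing all three functions in the heading. The first hunk of this patch only moves the TGA entry above RankFilter; the reorder is fine but would be easier to review as its own commit.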
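Review bot: "Apply a transform mode to a different image mode can trigger an OOB write" (PATCH 11, hunk @@ -62,6 +62,13 @@) is ungrammatical and hard to parse; suggest "Applying an ``ImageCmsTransform`` to an image whose mode does not match the transform's input mode can trigger an OOB write." "Errors are now raised" should name the exception type so callers can catch it.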
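Review bot: adding the literal markup around ``PdfParser`` (PATCH 12, hunk @@ -8,14 +8,14 @@) pushes that line past the wrap width used by the surrounding lines, and PATCH 13 exists only to re-wrap it; fold the reflow into PATCH 12 (or squash the two) so each commit in the series leaves the file tidy.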