From b0e28048d692effadfe7a4268a03e1d20e0198bb Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Fri, 18 Aug 2023 22:22:51 +1000 Subject: [PATCH 1/6] Updated zlib to 1.3 --- Tests/test_file_png.py | 2 +- winbuild/build_prepare.py | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Tests/test_file_png.py b/Tests/test_file_png.py index c4db9790524..b460761d838 100644 --- a/Tests/test_file_png.py +++ b/Tests/test_file_png.py @@ -79,7 +79,7 @@ def get_chunks(self, filename): def test_sanity(self, tmp_path): # internal version number - assert re.search(r"\d+\.\d+\.\d+(\.\d+)?$", features.version_codec("zlib")) + assert re.search(r"\d+(\.\d+){1,3}$", features.version_codec("zlib")) test_file = str(tmp_path / "temp.png") diff --git a/winbuild/build_prepare.py b/winbuild/build_prepare.py index 5a5bb8e0ade..960d2886cf0 100644 --- a/winbuild/build_prepare.py +++ b/winbuild/build_prepare.py @@ -130,9 +130,9 @@ def cmd_msbuild( "bins": ["cjpeg.exe", "djpeg.exe"], }, "zlib": { - "url": "https://zlib.net/zlib1213.zip", - "filename": "zlib1213.zip", - "dir": "zlib-1.2.13", + "url": "https://zlib.net/zlib13.zip", + "filename": "zlib13.zip", + "dir": "zlib-1.3", "license": "README", "license_pattern": "Copyright notice:\n\n(.+)$", "build": [ From 730f74600e8215ab510f71bb1fbb49d906c4356b Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Thu, 14 Sep 2023 15:32:33 +1000 Subject: [PATCH 2/6] Updated libwebp to 1.3.2 --- depends/install_webp.sh | 2 +- winbuild/build_prepare.py | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/depends/install_webp.sh b/depends/install_webp.sh index 4636aab437b..6f867ab3788 100755 --- a/depends/install_webp.sh +++ b/depends/install_webp.sh @@ -1,7 +1,7 @@ #!/bin/bash # install webp -archive=libwebp-1.3.1 +archive=libwebp-1.3.2 ./download-and-extract.sh $archive https://raw.githubusercontent.com/python-pillow/pillow-depends/main/$archive.tar.gz 
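Review bot: In the Tests/test_file_png.py hunk, the relaxed pattern `\d+(\.\d+){1,3}$` is still anchored only at the end, so `re.search` accepts any string that merely ends in a dotted number, and `$` also matches just before a trailing newline. If `features.version_codec("zlib")` returns nothing but the version string (not visible in this hunk), `re.fullmatch(r"\d+(\.\d+){1,3}", features.version_codec("zlib"))` would pin the whole value. The comment above the assert could also record why the pattern was loosened, e.g. `# zlib 1.3 presumably reports a two-part version; earlier releases used three or four parts`. test_sanity continues past the end of the hunk.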
diff --git a/winbuild/build_prepare.py b/winbuild/build_prepare.py index 960d2886cf0..a88ec7a095a 100644 --- a/winbuild/build_prepare.py +++ b/winbuild/build_prepare.py @@ -157,9 +157,9 @@ def cmd_msbuild( "libs": [r"liblzma.lib"], }, "libwebp": { - "url": "http://downloads.webmproject.org/releases/webp/libwebp-1.3.1.tar.gz", - "filename": "libwebp-1.3.1.tar.gz", - "dir": "libwebp-1.3.1", + "url": "http://downloads.webmproject.org/releases/webp/libwebp-1.3.2.tar.gz", + "filename": "libwebp-1.3.2.tar.gz", + "dir": "libwebp-1.3.2", "license": "COPYING", "build": [ cmd_rmdir(r"output\release-static"), # clean From b4c7d4b8b2710b7af6cc944a804902eb75fd9056 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Fri, 15 Sep 2023 21:22:29 +1000 Subject: [PATCH 3/6] Update CHANGES.rst [ci skip] --- CHANGES.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGES.rst b/CHANGES.rst index 94cd6e7bc75..e1d052e02e2 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -2,6 +2,15 @@ Changelog (Pillow) ================== +10.0.1 (2023-09-15) +------------------- + +- Updated zlib to 1.3 #7344 + [radarhere] + +- Updated libwebp to 1.3.2 #7395 + [radarhere] + 10.0.0 (2023-07-01) ------------------- From d50250d9eab741ae3ddd592d8910cfd7973b9d35 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Fri, 15 Sep 2023 21:37:50 +1000 Subject: [PATCH 4/6] Added release notes for 10.0.1 --- docs/releasenotes/10.0.1.rst | 14 ++++++++++++++ docs/releasenotes/index.rst | 1 + 2 files changed, 15 insertions(+) create mode 100644 docs/releasenotes/10.0.1.rst diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst new file mode 100644 index 00000000000..df4ae5dd9fd --- /dev/null +++ b/docs/releasenotes/10.0.1.rst 
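Review bot: In the winbuild/build_prepare.py hunk, the new libwebp `"url"` still fetches the tarball over plain `http://`, and the entry's visible keys (`url`, `filename`, `dir`, `license`, `build`) carry no digest, so nothing shown here authenticates the archive. That matters more than usual because the release notes in this series tie this bump to CVE-2023-4863; whether the download helper verifies the file elsewhere is not visible from the hunk. Consider an HTTPS source, such as the pillow-depends mirror that depends/install_webp.sh in this series already uses, plus a pinned checksum field next to the URL, e.g. `"sha256": "<SHA256_OF_libwebp-1.3.2.tar.gz>",`, checked after download. The zlib entry changed in patch 1/6 likewise shows no digest, and the `"libwebp"` dict continues past the end of the hunk.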
@@ -0,0 +1,14 @@ +10.0.1 +------ + +Updated tests to pass with latest zlib version +============================================== + +The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail. + +Security +======== + +This release addresses :cve:`2023-4863`, by providing an updated install script and +updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow +in WebP. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index 9bca9854152..1dee0715372 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -14,6 +14,7 @@ expected to be backported to earlier versions. .. toctree:: :maxdepth: 2 + 10.0.1 10.0.0 9.5.0 9.4.0 From a62f2402a6bcf11a0a1670542216725a3f9190e0 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Fri, 15 Sep 2023 21:31:05 +1000 Subject: [PATCH 5/6] 10.0.1 version bump --- src/PIL/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PIL/_version.py b/src/PIL/_version.py index 1fc7f7334aa..f3455f1f1f7 100644 --- a/src/PIL/_version.py +++ b/src/PIL/_version.py @@ -1,2 +1,2 @@ # Master version for Pillow -__version__ = "10.0.0" +__version__ = "10.0.1" From e34d346f10c0b1c814661e662a3e0c1ef084cf1c Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Fri, 15 Sep 2023 21:55:25 +1000 Subject: [PATCH 6/6] Updated order --- CHANGES.rst | 4 ++-- docs/releasenotes/10.0.1.rst | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index e1d052e02e2..b4dc1d6646e 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -5,10 +5,10 @@ Changelog (Pillow) 10.0.1 (2023-09-15) ------------------- -- Updated zlib to 1.3 #7344 +- Updated libwebp to 1.3.2 #7395 [radarhere] -- Updated libwebp to 1.3.2 #7395 +- Updated zlib to 1.3 #7344 [radarhere] 10.0.0 (2023-07-01) diff --git a/docs/releasenotes/10.0.1.rst b/docs/releasenotes/10.0.1.rst index df4ae5dd9fd..6ac30e7fce1 100644 --- a/docs/releasenotes/10.0.1.rst 
+++ b/docs/releasenotes/10.0.1.rst @@ -1,14 +1,14 @@ 10.0.1 ------ -Updated tests to pass with latest zlib version -============================================== - -The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail. - Security ======== This release addresses :cve:`2023-4863`, by providing an updated install script and updated wheels to include libwebp 1.3.2, preventing a potential heap buffer overflow in WebP. + +Updated tests to pass with latest zlib version +============================================== + +The release of zlib 1.3 caused one of the tests in the Pillow test suite to fail.