
imagededup 0.2.2 has requirement Pillow<7.0.0. Any plans to support versions 7.00 and up?

Open metaljerk opened this issue 5 years ago • 2 comments

Hello,

Pillow below version 7.0.0 currently is marked for [1]CVE-2020-5310, [2]CVE-2020-5311, and [3]CVE-2020-5312.

Are there any plans to allow Pillow>7.0.0?

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-5310
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-5311
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-5312

metaljerk, Jan 29 '20 17:01

Pillow 7.2.0 does seem to work without any changes. All tests run fine except for an AHash() test because convert('L') seems to use some different rounding, but that shouldn't be a real issue, should it?

Emilv2, Oct 03 '20 21:10

Apparently, Pillow==6.2.2 addresses the mentioned security issues: https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html

More generally, AHash generates different hashes with the latest Pillow release (8.0.0), which isn't ideal. Would need to investigate exactly why that is and think of possible workarounds to address the issue.

tanujjain, Oct 19 '20 16:10

Hi, the version of imagededup supports Pillow>=9.0. That should address this issue.

tanujjain, Oct 28 '22 14:10