chore(deps): update dependency pillow to v10 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Pillow (changelog)	^9.2.0 -> ^10.3.0

GitHub Vulnerability Alerts

CVE-2022-45199

Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DOS in TiffImagePlugin.py when setting up the context for image decoding. This issue has been patched in version 9.3.0.

CVE-2023-4863

Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

GHSA-56pw-mpj4-fxww

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

CVE-2023-44271

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

CVE-2023-50447

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

CVE-2024-28219

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

---

Release Notes

python-pillow/Pillow (Pillow)

v10.3.0

Compare Source

• CVE-2024-28219: Use strncpy to avoid buffer overflow #​7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #​7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #​7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #​7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #​7918, #​7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #​7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #​7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #​7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #​7888 [radarhere]

• Support FITS images with GZIP_1 compression #​7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #​7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #​7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #​7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #​7882 [radarhere]

• Added reading of JPEG2000 palettes #​7870 [radarhere]

• Added alpha_quality argument when saving WebP images #​7872 [radarhere]

• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #​7881 [radarhere]

• Stop reading EPS image at EOF marker #​7753 [radarhere]

• PSD layer co-ordinates may be negative #​7706 [radarhere]

• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #​7791 [radarhere]

• When saving GIF frame that restores to background color, do not fill identical pixels #​7788 [radarhere]

• Fixed reading PNG iCCP compression method #​7823 [radarhere]

• Allow writing IFDRational to UNDEFINED tag #​7840 [radarhere]

• Fix logged tag name when loading Exif data #​7842 [radarhere]

• Use maximum frame size in IHDR chunk when saving APNG images #​7821 [radarhere]

• Prevent opening P TGA images without a palette #​7797 [radarhere]

• Use palette when loading ICO images #​7798 [radarhere]

• Use consistent arguments for load_read and load_seek #​7713 [radarhere]

• Turn off nullability warnings for macOS SDK #​7827 [radarhere]

• Fix shift-sign issue in Convert.c #​7838 [r-barnes, radarhere]

• Open 16-bit grayscale PNGs as I;16 #​7849 [radarhere]

• Handle truncated chunks at the end of PNG images #​7709 [lajiyuan, radarhere]

• Match mask size to pasted image size in GifImagePlugin #​7779 [radarhere]

• Release GIL while calling WebPAnimDecoderGetNext #​7782 [evanmiller, radarhere]

• Fixed reading FLI/FLC images with a prefix chunk #​7804 [twolife]

• Update wl-paste handling and return None for some errors in grabclipboard() on Linux #​7745 [nik012003, radarhere]

• Remove execute bit from setup.py #​7760 [hugovk]

• Do not support using test-image-results to upload images after test failures #​7739 [radarhere]

• Changed ImageMath.ops to be static #​7721 [radarhere]

• Fix APNG info after seeking backwards more than twice #​7701 [esoma, radarhere]

• Deprecate ImageCms constants and versions() function #​7702 [nulano, radarhere]

• Added PerspectiveTransform #​7699 [radarhere]

• Add support for reading and writing grayscale PFM images #​7696 [nulano, hugovk]

• Add LCMS2 flags to ImageCms #​7676 [nulano, radarhere, hugovk]

• Rename x64 to AMD64 in winbuild #​7693 [nulano]

v10.2.0

Compare Source

• Add keep_rgb option when saving JPEG to prevent conversion of RGB colorspace #​7553 [bgilbert, radarhere]

• Trim glyph size in ImageFont.getmask() #​7669, #​7672 [radarhere, nulano]

• Deprecate IptcImagePlugin helpers #​7664 [nulano, hugovk, radarhere]

• Allow uncompressed TIFF images to be saved in chunks #​7650 [radarhere]

• Concatenate multiple JPEG EXIF markers #​7496 [radarhere]

• Changed IPTC tile tuple to match other plugins #​7661 [radarhere]

• Do not assign new fp attribute when exiting context manager #​7566 [radarhere]

• Support arbitrary masks for uncompressed RGB DDS images #​7589 [radarhere, akx]

• Support setting ROWSPERSTRIP tag #​7654 [radarhere]

• Apply ImageFont.MAX_STRING_LENGTH to ImageFont.getmask() #​7662 [radarhere]

• Optimise ImageColor using functools.lru_cache #​7657 [hugovk]

• Restricted environment keys for ImageMath.eval() #​7655 [wiredfool, radarhere]

• Optimise ImageMode.getmode using functools.lru_cache #​7641 [hugovk, radarhere]

• Fix incorrect color blending for overlapping glyphs #​7497 [ZachNagengast, nulano, radarhere]

• Attempt memory mapping when tile args is a string #​7565 [radarhere]

• Fill identical pixels with transparency in subsequent frames when saving GIF #​7568 [radarhere]

• Corrected duration when combining multiple GIF frames into single frame #​7521 [radarhere]

• Handle disposing GIF background from outside palette #​7515 [radarhere]

• Seek past the data when skipping a PSD layer #​7483 [radarhere]

• Import plugins relative to the module #​7576 [deliangyang, jaxx0n]

• Translate encoder error codes to strings; deprecate ImageFile.raise_oserror() #​7609 [bgilbert, radarhere]

• Support reading BC4U and DX10 BC1 images #​6486 [REDxEYE, radarhere, hugovk]

• Optimize ImageStat.Stat.extrema #​7593 [florath, radarhere]

• Handle pathlib.Path in FreeTypeFont #​7578 [radarhere, hugovk, nulano]

• Added support for reading DX10 BC4 DDS images #​7603 [sambvfx, radarhere]

• Optimized ImageStat.Stat.count #​7599 [florath]

• Correct PDF palette size when saving #​7555 [radarhere]

• Fixed closing file pointer with olefile 0.47 #​7594 [radarhere]

• Raise ValueError when TrueType font size is not greater than zero #​7584, #​7587 [akx, radarhere]

• If absent, do not try to close fp when closing image #​7557 [RaphaelVRossi, radarhere]

• Allow configuring JPEG restart marker interval on save #​7488 [bgilbert, radarhere]

• Decrement reference count for PyObject #​7549 [radarhere]

• Implement streamtype=1 option for tables-only JPEG encoding #​7491 [bgilbert, radarhere]

• If save_all PNG only has one frame, do not create animated image #​7522 [radarhere]

• Fixed frombytes() for images with a zero dimension #​7493 [radarhere]

v10.1.0

Compare Source

• Added TrueType default font to allow for different sizes #​7354 [radarhere]

• Fixed invalid argument warning #​7442 [radarhere]

• Added ImageOps cover method #​7412 [radarhere, hugovk]

• Catch struct.error from truncated EXIF when reading JPEG DPI #​7458 [radarhere]

• Consider default image when selecting mode for PNG save_all #​7437 [radarhere]

• Support BGR;15, BGR;16 and BGR;24 access, unpacking and putdata #​7303 [radarhere]

• Added CMYK to RGB unpacker #​7310 [radarhere]

• Improved flexibility of XMP parsing #​7274 [radarhere]

• Support reading 8-bit YCbCr TIFF images #​7415 [radarhere]

• Allow saving I;16B images as PNG #​7302 [radarhere]

• Corrected drawing I;16 points and writing I;16 text #​7257 [radarhere]

• Set blue channel to 128 for BC5S #​7413 [radarhere]

• Increase flexibility when reading IPTC fields #​7319 [radarhere]

• Set C palette to be empty by default #​7289 [radarhere]

• Added gs_binary to control Ghostscript use on all platforms #​7392 [radarhere]

• Read bounding box information from the trailer of EPS files if specified #​7382 [nopperl, radarhere]

• Added reading 8-bit color DDS images #​7426 [radarhere]

• Added has_transparency_data #​7420 [radarhere, hugovk]

• Fixed bug when reading BC5S DDS images #​7401 [radarhere]

• Prevent TIFF orientation from being applied more than once #​7383 [radarhere]

• Use previous pixel alpha for QOI_OP_RGB #​7357 [radarhere]

• Added BC5U reading #​7358 [radarhere]

• Allow getpixel() to accept a list #​7355 [radarhere, homm]

• Allow GaussianBlur and BoxBlur to accept a sequence of x and y radii #​7336 [radarhere]

• Expand JPEG buffer size when saving optimized or progressive #​7345 [radarhere]

• Added session type check for Linux in ImageGrab.grabclipboard() #​7332 [TheNooB2706, radarhere, hugovk]

• Allow "loop=None" when saving GIF images #​7329 [radarhere]

• Fixed transparency when saving P mode images to PDF #​7323 [radarhere]

• Added saving LA images as PDFs #​7299 [radarhere]

• Set SMaskInData to 1 for PDFs with alpha #​7316, #​7317 [radarhere]

• Changed Image mode property to be read-only by default #​7307 [radarhere]

• Silence exceptions in repr_jpeg and repr_png #​7266 [mtreinish, radarhere]

• Do not use transparency when saving GIF if it has been removed when normalizing mode #​7284 [radarhere]

• Fix missing symbols when libtiff depends on libjpeg #​7270 [heitbaum]

v10.0.1

Compare Source

• Updated libwebp to 1.3.2 #​7395 [radarhere]

• Updated zlib to 1.3 #​7344 [radarhere]

v10.0.0

Compare Source

• Fixed deallocating mask images #​7246 [radarhere]

• Added ImageFont.MAX_STRING_LENGTH #​7244 [radarhere, hugovk]

• Fix Windows build with pyproject.toml #​7230 [hugovk, nulano, radarhere]

• Do not close provided file handles with libtiff #​7199 [radarhere]

• Convert to HSV if mode is HSV in getcolor() #​7226 [radarhere]

• Added alpha_only argument to getbbox() #​7123 [radarhere. hugovk]

• Prioritise speed in repr_png #​7242 [radarhere]

• Do not use CFFI access by default on PyPy #​7236 [radarhere]

• Limit size even if one dimension is zero in decompression bomb check #​7235 [radarhere]

• Use --config-settings instead of deprecated --global-option #​7171 [radarhere]

• Better C integer definitions #​6645 [Yay295, hugovk]

• Fixed finding dependencies on Cygwin #​7175 [radarhere]

• Changed grabclipboard() to use PNG instead of JPG compression on macOS #​7219 [abey79, radarhere]

• Added in_place argument to ImageOps.exif_transpose() #​7092 [radarhere]

• Fixed calling putpalette() on L and LA images before load() #​7187 [radarhere]

• Fixed saving TIFF multiframe images with LONG8 tag types #​7078 [radarhere]

• Fixed combining single duration across duplicate APNG frames #​7146 [radarhere]

• Remove temporary file when error is raised #​7148 [radarhere]

• Do not use temporary file when grabbing clipboard on Linux #​7200 [radarhere]

• If the clipboard fails to open on Windows, wait and try again #​7141 [radarhere]

• Fixed saving multiple 1 mode frames to GIF #​7181 [radarhere]

• Replaced absolute PIL import with relative import #​7173 [radarhere]

• Replaced deprecated Py_FileSystemDefaultEncoding for Python >= 3.12 #​7192 [radarhere]

• Improved wl-paste mimetype handling in ImageGrab #​7094 [rrcgat, radarhere]

• Added repr_jpeg() for IPython display_jpeg #​7135 [n3011, radarhere, nulano]

• Use "/sbin/ldconfig" if ldconfig is not found #​7068 [radarhere]

• Prefer screenshots using XCB over gnome-screenshot #​7143 [nulano, radarhere]

• Fixed joined corners for ImageDraw rounded_rectangle() odd dimensions #​7151 [radarhere]

• Support reading signed 8-bit TIFF images #​7111 [radarhere]

• Added width argument to ImageDraw regular_polygon #​7132 [radarhere]

• Support I mode for ImageFilter.BuiltinFilter #​7108 [radarhere]

• Raise error from stderr of Linux ImageGrab.grabclipboard() command #​7112 [radarhere]

• Added unpacker from I;16B to I;16 #​7125 [radarhere]

• Support float font sizes #​7107 [radarhere]

• Use later value for duplicate xref entries in PdfParser #​7102 [radarhere]

• Load before getting size in getstate #​7105 [bigcat88, radarhere]

• Fixed type handling for include and lib directories #​7069 [adisbladis, radarhere]

• Remove deprecations for Pillow 10.0.0 #​7059, #​7080 [hugovk, radarhere]

• Drop support for soon-EOL Python 3.7 #​7058 [hugovk, radarhere]

v9.5.0

Compare Source

• Added ImageSourceData to TAGS_V2 #​7053 [radarhere]

• Clear PPM half token after use #​7052 [radarhere]

• Removed absolute path to ldconfig #​7044 [radarhere]

• Support custom comments and PLT markers when saving JPEG2000 images #​6903 [joshware, radarhere, hugovk]

• Load before getting size in array_interface #​7034 [radarhere]

• Support creating BGR;15, BGR;16 and BGR;24 images, but drop support for BGR;32 #​7010 [radarhere]

• Consider transparency when applying APNG blend mask #​7018 [radarhere]

• Round duration when saving animated WebP images #​6996 [radarhere]

• Added reading of JPEG2000 comments #​6909 [radarhere]

• Decrement reference count #​7003 [radarhere, nulano]

• Allow libtiff_support_custom_tags to be missing #​7020 [radarhere]

• Improved I;16N support #​6834 [radarhere]

• Added QOI reading #​6852 [radarhere, hugovk]

• Added saving RGBA images as PDFs #​6925 [radarhere]

• Do not raise an error if os.environ does not contain PATH #​6935 [radarhere, hugovk]

• Close OleFileIO instance when closing or exiting FPX or MIC #​7005 [radarhere]

• Added int to IFDRational for Python >= 3.11 #​6998 [radarhere]

• Added memoryview support to Dib.frombytes() #​6988 [radarhere, nulano]

• Close file pointer copy in the libtiff encoder if still open #​6986 [fcarron, radarhere]

• Raise an error if ImageDraw co-ordinates are incorrectly ordered #​6978 [radarhere]

• Added "corners" argument to ImageDraw rounded_rectangle() #​6954 [radarhere]

• Added memoryview support to frombytes() #​6974 [radarhere]

• Allow comments in FITS images #​6973 [radarhere]

• Support saving PDF with different X and Y resolutions #​6961 [jvanderneutstulen, radarhere, hugovk]

• Fixed writing int as UNDEFINED tag #​6950 [radarhere]

• Raise an error if EXIF data is too long when saving JPEG #​6939 [radarhere]

• Handle more than one directory returned by pkg-config #​6896 [sebastic, radarhere]

• Do not retry past formats when loading all formats for the first time #​6902 [radarhere]

• Do not retry specified formats if they failed when opening #​6893 [radarhere]

• Do not unintentionally load TIFF format at first #​6892 [radarhere]

• Stop reading when EPS line becomes too long #​6897 [radarhere]

• Allow writing IFDRational to BYTE tag #​6890 [radarhere]

• Raise ValueError for BoxBlur filter with negative radius #​6874 [hugovk, radarhere]

• Support arbitrary number of loaded modules on Windows #​6761 [javidcf, radarhere, nulano]

v9.4.0

Compare Source

• Fixed null pointer dereference crash with malformed font #​6846 [wiredfool, radarhere]

• Return from ImagingFill early if image has a zero dimension #​6842 [radarhere]

• Reversed deprecations for Image constants, except for duplicate Resampling attributes #​6830 [radarhere]

• Improve exception traceback readability #​6836 [hugovk, radarhere]

• Do not attempt to read IFD1 if absent #​6840 [radarhere]

• Fixed writing int as ASCII tag #​6800 [radarhere]

• If available, use wl-paste or xclip for grabclipboard() on Linux #​6783 [radarhere]

• Added signed option when saving JPEG2000 images #​6709 [radarhere]

• Patch OpenJPEG to include ARM64 fix #​6718 [radarhere]

• Added support for I;16 modes in putdata() #​6825 [radarhere]

• Added conversion from RGBa to RGB #​6708 [radarhere]

• Added DDS support for uncompressed L and LA images #​6820 [radarhere, REDxEYE]

• Added LightSource tag values to ExifTags #​6749 [radarhere]

• Fixed PyAccess after changing ICO size #​6821 [radarhere]

• Do not use EXIF from info when saving PNG images #​6819 [radarhere]

• Fixed saving EXIF data to MPO #​6817 [radarhere]

• Added Exif hide_offsets() #​6762 [radarhere]

• Only compare to previous frame when checking for duplicate GIF frames while saving #​6787 [radarhere]

• Always initialize all plugins in registered_extensions() #​6811 [radarhere]

• Ignore non-opaque WebP background when saving as GIF #​6792 [radarhere]

• Only set tile in ImageFile setstate #​6793 [radarhere]

• When reading BLP, do not trust JPEG decoder to determine image is CMYK #​6767 [radarhere]

• Added IFD enum to ExifTags #​6748 [radarhere]

• Fixed bug combining GIF frame durations #​6779 [radarhere]

• Support saving JPEG comments #​6774 [smason, radarhere]

• Added getxmp() to WebPImagePlugin #​6758 [radarhere]

• Added "exact" option when saving WebP #​6747 [ashafaei, radarhere]

• Use fractional coordinates when drawing text #​6722 [radarhere]

• Fixed writing int as BYTE tag #​6740 [radarhere]

• Added MP Format Version when saving MPO #​6735 [radarhere]

• Added Interop to ExifTags #​6724 [radarhere]

• CVE-2007-4559 patch when building on Windows #​6704 [TrellixVulnTeam, nulano, radarhere]

• Fix compiler warning: accessing 64 bytes in a region of size 48 #​6714 [wiredfool]

• Use verbose flag for pip install #​6713 [wiredfool, radarhere]

v9.3.0

Compare Source

• Limit SAMPLESPERPIXEL to avoid runtime DOS #​6700 [wiredfool]

• Initialize libtiff buffer when saving #​6699 [radarhere]

• Inline fname2char to fix memory leak #​6329 [nulano]

• Fix memory leaks related to text features #​6330 [nulano]

• Use double quotes for version check on old CPython on Windows #​6695 [hugovk]

• Remove backup implementation of Round for Windows platforms #​6693 [cgohlke]

• Fixed set_variation_by_name offset #​6445 [radarhere]

• Fix malloc in _imagingft.c:font_setvaraxes #​6690 [cgohlke]

• Release Python GIL when converting images using matrix operations #​6418 [hmaarrfk]

• Added ExifTags enums #​6630 [radarhere]

• Do not modify previous frame when calculating delta in PNG #​6683 [radarhere]

• Added support for reading BMP images with RLE4 compression #​6674 [npjg, radarhere]

• Decode JPEG compressed BLP1 data in original mode #​6678 [radarhere]

• Added GPS TIFF tag info #​6661 [radarhere]

• Added conversion between RGB/RGBA/RGBX and LAB #​6647 [radarhere]

• Do not attempt normalization if mode is already normal #​6644 [radarhere]

• Fixed seeking to an L frame in a GIF #​6576 [radarhere]

• Consider all frames when selecting mode for PNG save_all #​6610 [radarhere]

• Don't reassign crc on ChunkStream close #​6627 [wiredfool, radarhere]

• Raise a warning if NumPy failed to raise an error during conversion #​6594 [radarhere]

• Show all frames in ImageShow #​6611 [radarhere]

• Allow FLI palette chunk to not be first #​6626 [radarhere]

• If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #​6592 [radarhere]

• Round box position to integer when pasting embedded color #​6517 [radarhere, nulano]

• Removed EXIF prefix when saving WebP #​6582 [radarhere]

• Pad IM palette to 768 bytes when saving #​6579 [radarhere]

• Added DDS BC6H reading #​6449 [ShadelessFox, REDxEYE, radarhere]

• Added support for opening WhiteIsZero 16-bit integer TIFF images #​6642 [JayWiz, radarhere]

• Raise an error when allocating translucent color to RGB palette #​6654 [jsbueno, radarhere]

• Added reading of TIFF child images #​6569 [radarhere]

• Improved ImageOps palette handling #​6596 [PososikTeam, radarhere]

• Defer parsing of palette into colors #​6567 [radarhere]

• Apply transparency to P images in ImageTk.PhotoImage #​6559 [radarhere]

• Use rounding in ImageOps contain() and pad() #​6522 [bibinhashley, radarhere]

• Fixed GIF remapping to palette with duplicate entries #​6548 [radarhere]

• Allow remap_palette() to return an image with less than 256 palette entries #​6543 [radarhere]

• Corrected BMP and TGA palette size when saving #​6500 [radarhere]

• Do not call load() before draft() in Image.thumbnail #​6539 [radarhere]

• Copy palette when converting from P to PA #​6497 [radarhere]

• Allow RGB and RGBA values for PA image putpixel #​6504 [radarhere]

• Removed support for tkinter in PyPy before Python 3.6 #​6551 [nulano]

• Do not use CCITTFaxDecode filter if libtiff is not available #​6518 [radarhere]

• Fallback to not using mmap if buffer is not large enough #​6510 [radarhere]

• Fixed writing bytes as ASCII tag #​6493 [radarhere]

• Open 1 bit EPS in mode 1 #​6499 [radarhere]

• Removed support for tkinter before Python 1.5.2 #​6549 [radarhere]

• Allow default ImageDraw font to be set #​6484 [radarhere, hugovk]

• Save 1 mode PDF using CCITTFaxDecode filter #​6470 [radarhere]

• Added support for RGBA PSD images #​6481 [radarhere]

• Parse orientation from XMP tag contents #​6463 [bigcat88, radarhere]

• Added support for reading ATI1/ATI2 (BC4/BC5) DDS images #​6457 [REDxEYE, radarhere]

• Do not clear GIF tile when checking number of frames #​6455 [radarhere]

• Support saving multiple MPO frames #​6444 [radarhere]

• Do not double quote Pillow version for setuptools >= 60 #​6450 [radarhere]

• Added ABGR BMP mask mode #​6436 [radarhere]

• Fixed PSDraw rectangle #​6429 [radarhere]

• Raise ValueError if PNG sRGB chunk is truncated #​6431 [radarhere]

• Handle missing Python executable in ImageShow on macOS #​6416 [bryant1410, radarhere]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.