A python-CairoSVG, python-Pillow security update has been released for openSUSE Leap 15.2



openSUSE-SU-2021:1134-1: moderate: Security update for python-CairoSVG, python-Pillow


openSUSE Security Update: Security update for python-CairoSVG, python-Pillow
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1134-1
Rating: moderate
References: #1180832 #1180833 #1180834 #1181281
Cross-References: CVE-2020-15999 CVE-2020-35653 CVE-2020-35654
CVE-2020-35655 CVE-2021-25289 CVE-2021-25290
CVE-2021-25291 CVE-2021-25292 CVE-2021-25293
CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
CVE-2021-34552
CVSS scores:
CVE-2020-15999 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2020-15999 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-35653 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
CVE-2020-35653 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CVE-2020-35654 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-35654 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-35655 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CVE-2020-35655 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CVE-2021-25289 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-25289 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-25290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-25290 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-25291 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-25291 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-25292 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-25293 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-25293 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-27921 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-27922 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-27923 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-34552 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-34552 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for python-CairoSVG, python-Pillow fixes the following issues:

Update to version 2.5.1.

* Security fix: When processing SVG files, CairoSVG was using two regular
expressions which are vulnerable to Regular Expression Denial of Service
(REDoS). If an attacker provided a malicious SVG, it could make CairoSVG
get stuck processing the file for a very long time.
* Fix marker positions for unclosed paths
* Follow hint when only output_width or output_height is set
* Handle opacity on raster images
* Don't crash when use tags reference unknown tags
* Take care of the next letter when A/a is replaced by l
* Fix misalignment in node.vertices

Updates for version 2.5.0.

* Drop support of Python 3.5, add support of Python 3.9.
* Add EPS export
* Add background-color, negate-colors, and invert-images options
* Improve support for font weights
* Fix opacity of patterns and gradients
* Support auto-start-reverse value for orient
* Draw images contained in defs
* Add Exif transposition support
* Handle dominant-baseline
* Support transform-origin

python-Pillow update to version 8.3.1:

* Catch OSError when checking if fp is sys.stdout #5585 [radarhere]
* Handle removing orientation from alternate types of EXIF data #5584
[radarhere]
* Make Image.__array__ take optional dtype argument #5572 [t-vi, radarhere]

* Use snprintf instead of sprintf. CVE-2021-34552 #5567 [radarhere]
* Limit TIFF strip size when saving with LibTIFF #5514 [kmilos]
* Allow ICNS save on all operating systems #4526 [baletu, radarhere,
newpanjing, hugovk]
* De-zigzag JPEG's DQT when loading; deprecate convert_dict_qtables #4989
[gofr, radarhere]
* Replaced xml.etree.ElementTree #5565 [radarhere]
* Moved CVE image to pillow-depends #5561 [radarhere]
* Added tag data for IFD groups #5554 [radarhere]
* Improved ImagePalette #5552 [radarhere]
* Add DDS saving #5402 [radarhere]
* Improved getxmp() #5455 [radarhere]
* Convert to float for comparison with float in IFDRational __eq__ #5412
[radarhere]
* Allow getexif() to access TIFF tag_v2 data #5416 [radarhere]
* Read FITS image mode and size #5405 [radarhere]
* Merge parallel horizontal edges in ImagingDrawPolygon #5347 [radarhere,
hrdrq]
* Use transparency behind first GIF frame and when disposing to background
#5557 [radarhere, zewt]
* Avoid unstable nature of qsort in Quant.c #5367 [radarhere]
* Copy palette to new images in ImageOps expand #5551 [radarhere]
* Ensure palette string matches RGB mode #5549 [radarhere]
* Do not modify EXIF of original image instance in exif_transpose() #5547
[radarhere]
* Fixed default numresolution for small JPEG2000 images #5540 [radarhere]
* Added DDS BC5 reading #5501 [radarhere]
* Raise an error if ImageDraw.textbbox is used without a TrueType font
#5510 [radarhere]
* Added ICO saving in BMP format #5513 [radarhere]
* Ensure PNG seeks to end of previous chunk at start of load_end #5493
[radarhere]
* Do not allow TIFF to seek to a past frame #5473 [radarhere]
* Avoid race condition when displaying images with eog #5507 [mconst]
* Added specific error messages when ink has incorrect number of bands
#5504 [radarhere]
* Allow converting an image to a numpy array to raise errors #5379
[radarhere]
* Removed DPI rounding from BMP, JPEG, PNG and WMF loading #5476, #5470
[radarhere]
* Remove spikes when drawing thin pieslices #5460 [xtsm]
* Updated default value for SAMPLESPERPIXEL TIFF tag #5452 [radarhere]
* Removed TIFF DPI rounding #5446 [radarhere, hugovk]
* Include code in WebP error #5471 [radarhere]
* Do not alter pixels outside mask when drawing text on an image with
transparency #5434 [radarhere]
* Reset handle when seeking backwards in TIFF #5443 [radarhere]
* Replace sys.stdout with sys.stdout.buffer when saving #5437 [radarhere]
* Fixed UNDEFINED TIFF tag of length 0 being changed in roundtrip #5426
[radarhere]
* Fixed bug when checking FreeType2 version if it is not installed #5445
[radarhere]
* Do not round dimensions when saving PDF #5459 [radarhere]
* Added ImageOps contain() #5417 [radarhere, hugovk]
* Changed WebP default "method" value to 4 #5450 [radarhere]
* Switched to saving 1-bit PDFs with DCTDecode #5430 [radarhere]
* Use bpp from ICO header #5429 [radarhere]
* Corrected JPEG APP14 transform value #5408 [radarhere]
* Changed TIFF tag 33723 length to 1 #5425 [radarhere]
* Changed ImageMorph incorrect mode errors to ValueError #5414 [radarhere]
* Add EXIF tags specified in EXIF 2.32 #5419 [gladiusglad]
* Treat previous contents of first GIF frame as transparent #5391
[radarhere]
* For special image modes, revert default resize resampling to NEAREST
#5411 [radarhere]
* JPEG2000: Support decoding subsampled RGB and YCbCr images #4996
[nulano, radarhere]
* Stop decoding BC1 punchthrough alpha in BC2&3 #4144 [jansol]
* Use zero if GIF background color index is missing #5390 [radarhere]
* Fixed ensuring that GIF previous frame was loaded #5386 [radarhere]
* Valgrind fixes #5397 [wiredfool]
* Round down the radius in rounded_rectangle #5382 [radarhere]
* Fixed reading uncompressed RGB data from DDS #5383 [radarhere]

update to version 8.2.0:

* Added getxmp() method #5144 [UrielMaD, radarhere]
* Add ImageShow support for GraphicsMagick #5349 [latosha-maltba,
radarhere]
* Do not load transparent pixels from subsequent GIF frames #5333 [zewt,
radarhere]
* Use LZW encoding when saving GIF images #5291 [raygard]
* Set all transparent colors to be equal in quantize() #5282 [radarhere]
* Allow PixelAccess to use Python __int__ when parsing x and y #5206
[radarhere]
* Removed Image._MODEINFO #5316 [radarhere]
* Add preserve_tone option to autocontrast #5350 [elejke, radarhere]
* Fixed linear_gradient and radial_gradient I and F modes #5274 [radarhere]
* Add support for reading TIFFs with PlanarConfiguration=2 #5364
[kkopachev, wiredfool, nulano]
* Deprecated categories #5351 [radarhere]
* Do not premultiply alpha when resizing with Image.NEAREST resampling
#5304 [nulano]
* Dynamically link FriBiDi instead of Raqm #5062 [nulano]
* Allow fewer PNG palette entries than the bit depth maximum when saving
#5330 [radarhere]
* Use duration from info dictionary when saving WebP #5338 [radarhere]
* Stop flattening EXIF IFD into getexif() #4947 [radarhere, kkopachev]
* Replaced tiff_deflate with tiff_adobe_deflate compression when saving
TIFF images #5343 [radarhere]
* Save ICC profile from TIFF encoderinfo #5321 [radarhere]
* Moved RGB fix inside ImageQt class #5268 [radarhere]
* Allow alpha_composite destination to be negative #5313 [radarhere]
* Ensure file is closed if it is opened by ImageQt.ImageQt #5260
[radarhere]
* Added ImageDraw rounded_rectangle method #5208 [radarhere]
* Added IPythonViewer #5289 [radarhere, Kipkurui-mutai]
* Only draw each rectangle outline pixel once #5183 [radarhere]
* Use mmap instead of built-in Win32 mapper #5224 [radarhere, cgohlke]
* Handle PCX images with an odd stride #5214 [radarhere]
* Only read different sizes for "Large Thumbnail" MPO frames #5168
[radarhere]
* Added PyQt6 support #5258 [radarhere]
* Changed Image.open formats parameter to be case-insensitive #5250
[Piolie, radarhere]
* Deprecate Tk/Tcl 8.4, to be removed in Pillow 10 (2023-01-02) #5216
[radarhere]
* Added tk version to pilinfo #5226 [radarhere, nulano]
* Support for ignoring tests when running valgrind #5150 [wiredfool,
radarhere, hugovk]
* OSS-Fuzz support #5189 [wiredfool, radarhere]

update to 8.1.2:

- Fix Memory DOS in BLP (CVE-2021-27921), ICNS (CVE-2021-27922) and ICO
(CVE-2021-27923) Image Plugins

Update to 8.1.1

- Security

* CVE-2021-25289: The previous fix for CVE-2020-35654 was insufficient due
to incorrect error checking in TiffDecode.c.
* CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with
an invalid size
* CVE-2021-25291: In TiffDecode.c, invalid tile boundaries could lead to
an OOB Read in TiffReadRGBATile
* CVE-2021-25292: The PDF parser has a catastrophic backtracking regex
that could be used as a DOS attack.
* CVE-2021-25293: There is an Out of Bounds Read in SGIRleDecode.c, since
pillow 4.3.0.

There is an Exhaustion of Memory DOS in the ICNS, ICO, and BLP container
formats where Pillow did not properly check the reported size of the
contained image. These images could cause arbitrarily large memory
allocations. This was reported by Jiayi Lin, Luke Shaffer, Xinran Xie, and
Akshay Ajayan of ASU.edu.
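
A pre-decode check for the ICO case described above, as an added example (not Pillow's or SUSE's code): it reads only the ICO directory and the embedded PNG/DIB header, and flags entries whose declared size disagrees with the directory or exceeds a pixel budget before anything is allocated. The function names, the 256x256 budget and the sample bytes are assumptions constructed for illustration.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Assumed budget: an ICO directory entry cannot describe more than 256x256.
MAX_PIXELS = 256 * 256


def embedded_size(blob):
    """Return (width, height) declared by the embedded PNG or DIB header."""
    if blob[:8] == PNG_MAGIC:
        # Signature (8) + chunk length (4) + b"IHDR" (4) + width, height.
        if len(blob) < 24 or blob[12:16] != b"IHDR":
            raise ValueError("malformed PNG header")
        return struct.unpack(">II", blob[16:24])
    if len(blob) < 12:
        raise ValueError("truncated DIB header")
    # BITMAPINFOHEADER: header size, signed width, signed height.
    _hdr_size, width, height = struct.unpack("<Iii", blob[:12])
    # Inside an ICO the DIB height covers the colour and mask bitmaps.
    return abs(width), abs(height) // 2


def audit_ico(data, max_pixels=MAX_PIXELS):
    """Return a list of (entry_index, problem) without decoding any pixels."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    findings = []
    for i in range(count):
        entry = data[6 + 16 * i: 6 + 16 * (i + 1)]
        if len(entry) < 16:
            findings.append((i, "directory entry truncated"))
            break
        w, h, _colors, _rsv, _planes, _bpp, size, offset = struct.unpack(
            "<BBBBHHII", entry)
        w, h = w or 256, h or 256  # a stored 0 means 256
        if offset + size > len(data):
            findings.append((i, "image data extends past end of file"))
            continue
        try:
            ew, eh = embedded_size(data[offset:offset + size])
        except ValueError as exc:
            findings.append((i, str(exc)))
            continue
        if ew * eh > max_pixels:
            findings.append(
                (i, f"embedded image declares {ew}x{eh}, "
                    f"over the {max_pixels}-pixel budget"))
        elif (ew, eh) != (w, h):
            findings.append(
                (i, f"embedded {ew}x{eh} does not match directory {w}x{h}"))
    return findings


def make_sample_ico(dir_w, dir_h, png_w, png_h):
    """Constructed sample: one-entry ICO holding only a PNG signature + IHDR."""
    ihdr = struct.pack(">II5B", png_w, png_h, 8, 6, 0, 0, 0)
    png = (PNG_MAGIC + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr
           + b"\x00" * 4)  # placeholder CRC; the audit never decodes the PNG
    entry = struct.pack("<BBBBHHII", dir_w % 256, dir_h % 256, 0, 0, 1, 32,
                        len(png), 6 + 16)
    return struct.pack("<HHH", 0, 1, 1) + entry + png


if __name__ == "__main__":
    for label, sample in [
        ("consistent", make_sample_ico(32, 32, 32, 32)),
        ("oversized", make_sample_ico(32, 32, 60000, 60000)),
        ("mismatch", make_sample_ico(16, 16, 32, 32)),
    ]:
        print(label, audit_ico(sample))
```

Run it on untrusted uploads before handing them to an image library; updating to the fixed Pillow release remains the actual remedy.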

Other Changes

- A crash with the feature flags for LibJpeg and Webp on unreleased Python
3.10 has been fixed

- Fix rpmlint warning about duplicate file definition
- Fix package build by relying on %python_subpackages for
Obsoletes/Conflicts (boo#1181281)

update to 8.1.0 (boo#1180833, boo#1180834, boo#1180832):

* Fix TIFF OOB Write error. CVE-2020-35654
* Fix for Read Overflow in PCX Decoding. CVE-2020-35653
* Fix for SGI Decode buffer overrun. CVE-2020-35655
* Fix OOB Read when saving GIF of xsize=1
* Makefile updates
* Add support for PySide6
* Use disposal settings from previous frame in APNG
* Added exception explaining that _repr_png_ saves to PNG
* Use previous disposal method in GIF load_end
* Allow putpalette to accept 1024 integers to include alpha values
* Fix OOB Read when writing TIFF with custom Metadata
* Added append_images support for ICO
* Block TIFFTAG_SUBIFD
* Fixed dereferencing potential null pointers
* Deprecate FreeType 2.7
* Moved warning to end of execution
* Removed unused fromstring and tostring C methods
* init() if one of the formats is unrecognised
* Moved string_dimension CVE image to pillow-depends
* Support raw rgba8888 for DDS

update to version 8.0.1:

* Update FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.
[radarhere]
* Moved string_dimension image to pillow-depends #4993 [radarhere]

changes from version 8.0.0:

* Drop support for EOL Python 3.5 #4746, #4794 [hugovk, radarhere, nulano]
* Drop support for PyPy3 < 7.2.0 #4964 [nulano]
* Remove ImageCms.CmsProfile attributes deprecated since 3.2.0 #4768
[hugovk, radarhere]
* Remove long-deprecated Image.py functions #4798 [hugovk, nulano,
radarhere]
* Add support for 16-bit precision JPEG quantization values #4918 [gofr]
* Added reading of IFD tag type #4979 [radarhere]
* Initialize offset memory for PyImagingPhotoPut #4806 [nqbit]
* Fix TiffDecode comparison warnings #4756 [nulano]
* Docs: Add dark mode #4968 [hugovk, nulano]
* Added macOS SDK install path to library and include directories #4974
[radarhere, fxcoudert]
* Imaging.h: prevent confusion with system #4923 [ax3l, radarhere]
* Avoid using pkg_resources in PIL.features.pilinfo #4975 [nulano]
* Add getlength and getbbox functions for TrueType fonts #4959 [nulano,
radarhere, hugovk]
* Allow tuples with one item to give single color value in getink #4927
[radarhere, nulano]
* Add support for CBDT and COLR fonts #4955 [nulano, hugovk]
* Removed OSError in favour of DecompressionBombError for BMP #4966
[radarhere]
* Implemented another ellipse drawing algorithm #4523 [xtsm, radarhere]
* Removed unused JpegImagePlugin._fixup_dict function #4957 [radarhere]
* Added reading and writing of private PNG chunks #4292 [radarhere]
* Implement anchor for TrueType fonts #4930 [nulano, hugovk]
* Fixed bug in Exif __delitem__ #4942 [radarhere]
* Fix crash in ImageTk.PhotoImage on MinGW 64-bit #4946 [nulano]
* Moved CVE images to pillow-depends #4929 [radarhere]
* Refactor font_getsize and font_render #4910 [nulano]
* Fixed loading profile with non-ASCII path on Windows #4914 [radarhere]
* Fixed effect_spread bug for zero distance #4908 [radarhere, hugovk]
* Added formats parameter to Image.open #4837 [nulano, radarhere]
* Added regular_polygon draw method #4846 [comhar]
* Raise proper TypeError in putpixel #4882 [nulano, hugovk]
* Added writing of subIFDs #4862 [radarhere]
* Fix IFDRational __eq__ bug #4888 [luphord, radarhere]
* Fixed duplicate variable name #4885 [liZe, radarhere]
* Added homebrew zlib include directory #4842 [radarhere]
* Corrected inverted PDF CMYK colors #4866 [radarhere]
* Do not try to close file pointer if file pointer is empty #4823
[radarhere]
* ImageOps.autocontrast: add mask parameter #4843 [navneeth, hugovk]
* Read EXIF data tEXt chunk into info as bytes instead of string #4828
[radarhere]
* Replaced distutils with setuptools #4797, #4809, #4814, #4817, #4829,
#4890 [hugovk, radarhere]
* Add MIME type to PsdImagePlugin #4788 [samamorgan]
* Allow ImageOps.autocontrast to specify low and high cutoffs separately
#4749 [millionhz, radarhere]

update to version 7.2.0:

* Do not convert I;16 images when showing PNGs #4744 [radarhere]
* Fixed ICNS file pointer saving #4741 [radarhere]
* Fixed loading non-RGBA mode APNGs with dispose background #4742
[radarhere]
* Deprecated _showxv #4714 [radarhere]
* Deprecate Image.show(command="...") #4646 [nulano, hugovk, radarhere]
* Updated JPEG magic number #4707 [Cykooz, radarhere]
* Change STRIPBYTECOUNTS to LONG if necessary when saving #4626
[radarhere, hugovk]
* Write JFIF header when saving JPEG #4639 [radarhere]
* Replaced tiff_jpeg with jpeg compression when saving TIFF images #4627
[radarhere]
* Writing TIFF tags: improved BYTE, added UNDEFINED #4605 [radarhere]
* Consider transparency when pasting text on an RGBA image #4566
[radarhere]
* Added method argument to single frame WebP saving #4547 [radarhere]
* Use ImageFileDirectory_v2 in Image.Exif #4637 [radarhere]
* Corrected reading EXIF metadata without prefix #4677 [radarhere]
* Fixed drawing a jointed line with a sequence of numeric values #4580
[radarhere]
* Added support for 1-D NumPy arrays #4608 [radarhere]
* Parse orientation from XMP tags #4560 [radarhere]
* Speed up text layout by not rendering glyphs #4652 [nulano]
* Fixed ZeroDivisionError in Image.thumbnail #4625 [radarhere]
* Replaced TiffImagePlugin DEBUG with logging #4550 [radarhere]
* Fix repeatedly loading .gbr #4620 [ElinksFr, radarhere]
* JPEG: Truncate icclist instead of setting to None #4613 [homm]
* Fixes default offset for Exif #4594 [rodrigob, radarhere]
* Fixed bug when unpickling TIFF images #4565 [radarhere]
* Fix pickling WebP #4561 [hugovk, radarhere]
* Replace IOError and WindowsError aliases with OSError #4536 [hugovk,
radarhere]

Update to 7.1.2:

* This fixes a regression introduced in 7.1.0 when adding support for APNG
files.
* When calling seek(n) on a regular PNG where n > 0, it failed to raise an
EOFError as it should have done

update to version 7.1.1:

* Fix regression seeking and telling PNGs #4512 #4514 [hugovk, radarhere]

changes from version 7.1.0:

* Fix multiple OOB reads in FLI decoding #4503 [wiredfool]
* Fix buffer overflow in SGI-RLE decoding #4504 [wiredfool, hugovk]
* Fix bounds overflow in JPEG 2000 decoding #4505 [wiredfool]
* Fix bounds overflow in PCX decoding #4506 [wiredfool]
* Fix 2 buffer overflows in TIFF decoding #4507 [wiredfool]
* Add APNG support #4243 [pmrowla, radarhere, hugovk]
* ImageGrab.grab() for Linux with XCB #4260 [nulano, radarhere]
* Added three new channel operations #4230 [dwastberg, radarhere]
* Prevent masking of Image reduce method in Jpeg2KImagePlugin #4474
[radarhere, homm]
* Added reading of earlier ImageMagick PNG EXIF data #4471 [radarhere]
* Fixed endian handling for I;16 getextrema #4457 [radarhere]
* Release buffer if function returns prematurely #4381 [radarhere]
* Add JPEG comment to info dictionary #4455 [radarhere]
* Fix size calculation of Image.thumbnail() #4404 [orlnub123]
* Fixed stroke on FreeType < 2.9 #4401 [radarhere]
* If present, only use alpha channel for bounding box #4454 [radarhere]
* Warn if an unknown feature is passed to features.check() #4438
[jdufresne]
* Fix Name field length when saving IM images #4424 [hugovk, radarhere]
* Allow saving of zero quality JPEG images #4440 [radarhere]
* Allow explicit zero width to hide outline #4334 [radarhere]
* Change ContainerIO return type to match file object mode #4297
[jdufresne, radarhere]
* Only draw each polygon pixel once #4333 [radarhere]
* Add support for shooting situation Exif IFD tags #4398 [alexagv]
* Handle multiple and malformed JPEG APP13 markers #4370 [homm]
* Depends: Update libwebp to 1.1.0 #4342, libjpeg to 9d #4352 [radarhere]

update to version 7.0.0:

* Drop support for EOL Python 2.7 #4109 [hugovk, radarhere, jdufresne]
* Fix rounding error on RGB to L conversion #4320 [homm]
* Exif writing fixes: Rational boundaries and signed/unsigned types #3980
[kkopachev, radarhere]
* Allow loading of WMF images at a given DPI #4311 [radarhere]
* Added reduce operation #4251 [homm]
* Raise ValueError for io.StringIO in Image.open #4302 [radarhere, hugovk]
* Fix thumbnail geometry when DCT scaling is used #4231 [homm, radarhere]
* Use default DPI when exif provides invalid x_resolution #4147 [beipang2,
radarhere]
* Change default resize resampling filter from NEAREST to BICUBIC #4255
[homm]
* Fixed black lines on upscaled images with the BOX filter #4278 [homm]
* Better thumbnail aspect ratio preservation #4256 [homm]
* Add La mode packing and unpacking #4248 [homm]
* Include tests in coverage reports #4173 [hugovk]
* Handle broken Photoshop data #4239 [radarhere]
* Raise a specific exception if no data is found for an MPO frame #4240
[radarhere]
* Fix Unicode support for PyPy #4145 [nulano]
* Added UnidentifiedImageError #4182 [radarhere, hugovk]
* Remove deprecated __version__ from plugins #4197 [hugovk, radarhere]
* Fixed freeing unallocated pointer when resizing with height too large
#4116 [radarhere]
* Copy info in Image.transform #4128 [radarhere]
* Corrected DdsImagePlugin setting info gamma #4171 [radarhere]
* Depends: Update libtiff to 4.1.0 #4195, Tk Tcl to 8.6.10 #4229,
libimagequant to 2.12.6 #4318 [radarhere]
* Improve handling of file resources #3577 [jdufresne]
* Removed CI testing of Fedora 29 #4165 [hugovk]
* Added pypy3 to tox envlist #4137 [jdufresne]
* Drop support for EOL PyQt4 and PySide #4108 [hugovk, radarhere]
* Removed deprecated setting of TIFF image sizes #4114 [radarhere]
* Removed deprecated PILLOW_VERSION #4107 [hugovk]
* Changed default frombuffer raw decoder args #1730 [radarhere]

Update to 6.2.1:

* Pillow 6.2.1 supports Python 3.8.

Update to 6.2.0:

* text stroking
* image grab on multi-monitor windows
* Full notes:
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.0.html

update to version 6.1.0:

* Deprecate Image.__del__ #3929 [jdufresne]
* Tiff: Add support for JPEG quality #3886 [olt]
* Respect the PKG_CONFIG environment variable when building #3928 [chewi]
* Use explicit memcpy() to avoid unaligned memory accesses #3225 [DerDakon]
* Improve encoding of TIFF tags #3861 [olt]
* Update Py_UNICODE to Py_UCS4 #3780 [nulano]
* Consider I;16 pixel size when drawing #3899 [radarhere]
* Add TIFFTAG_SAMPLEFORMAT to blocklist #3926 [cgohlke, radarhere]
* Create GIF deltas from background colour of GIF frames if disposal mode
is 2 #3708 [sircinnamon, radarhere]
* Added ImageSequence all_frames #3778 [radarhere]
* Use unsigned int to store TIFF IFD offsets #3923 [cgohlke]
* Include CPPFLAGS when searching for libraries #3819 [jefferyto]
* Updated TIFF tile descriptors to match current decoding functionality
#3795 [dmnisson]
* Added an image.entropy() method (second revision) #3608 [fish2000]
* Pass the correct types to PyArg_ParseTuple #3880 [QuLogic]
* Fixed crash when loading non-font bytes #3912 [radarhere]
* Fix SPARC memory alignment issues in Pack/Unpack functions #3858
[kulikjak]
* Added CMYK;16B and CMYK;16N unpackers #3913 [radarhere]
* Fixed bugs in calculating text size #3864 [radarhere]
* Add __main__.py to output basic format and support information #3870
[jdufresne]
* Added variation font support #3802 [radarhere]
* Do not down-convert if image is LA when showing with PNG format #3869
[radarhere]
* Improve handling of PSD frames #3759 [radarhere]
* Improved ICO and ICNS loading #3897 [radarhere]
* Changed Preview application path so that it is no longer static #3896
[radarhere]
* Corrected ttb text positioning #3856 [radarhere]
* Handle unexpected ICO image sizes #3836 [radarhere]
* Fixed bits value for RGB;16N unpackers #3837 [kkopachev]
* Travis CI: Add Fedora 30, remove Fedora 28 #3821 [hugovk]
* Added reading of CMYK;16L TIFF images #3817 [radarhere]
* Fixed dimensions of 1-bit PDFs #3827 [radarhere]
* Fixed opening mmap image through Path on Windows #3825 [radarhere]
* Fixed ImageDraw arc gaps #3824 [radarhere]
* Expand GIF to include frames with extents outside the image size #3822
[radarhere]
* Fixed ImageTk getimage #3814 [radarhere]
* Fixed bug in decoding large images #3791 [radarhere]
* Fixed reading APP13 marker without Photoshop data #3771 [radarhere]
* Added option to include layered windows in ImageGrab.grab on Windows
#3808 [radarhere]
* Detect libimagequant when installed by pacman on MingW #3812 [radarhere]
* Fixed raqm layout bug #3787 [radarhere]
* Fixed loading font with non-Unicode path on Windows #3785 [radarhere]
* Travis CI: Upgrade PyPy from 6.0.0 to 7.1.1 #3783 [hugovk, johnthagen]
* Depends: Updated openjpeg to 2.3.1 #3794, raqm to 0.7.0 #3877,
libimagequant to 2.12.3 #3889 [radarhere]
* Fix numpy bool bug #3790 [radarhere]

Update to 6.0.0:

* Python 2.7 support will be removed in Pillow 7.0.0 #3682 [hugovk]
* Add EXIF class #3625 [radarhere]
* Add ImageOps exif_transpose method #3687 [radarhere]
* Added warnings to deprecated CMSProfile attributes #3615 [hugovk]
* Documented reading TIFF multiframe images #3720 [akuchling]
* Improved speed of opening an MPO file #3658 [Glandos]
* Update palette in quantize #3721 [radarhere]
* Improvements to TIFF is_animated and n_frames #3714 [radarhere]
* Fixed incompatible pointer type warnings #3754 [radarhere]
* Improvements to PA and LA conversion and palette operations #3728
[radarhere]
* Consistent DPI rounding #3709 [radarhere]
* Change size of MPO image to match frame #3588 [radarhere]
* Read Photoshop resolution data #3701 [radarhere]
* Ensure image is mutable before saving #3724 [radarhere]
* Correct remap_palette documentation #3740 [radarhere]
* Promote P images to PA in putalpha #3726 [radarhere]
* Allow RGB and RGBA values for new P images #3719 [radarhere]
* Fixed TIFF bug when seeking backwards and then forwards #3713 [radarhere]
* Cache EXIF information #3498 [Glandos]
* Added transparency for all PNG greyscale modes #3744 [radarhere]
* Fix deprecation warnings in Python 3.8 #3749 [radarhere]
* Fixed GIF bug when rewinding to a non-zero frame #3716 [radarhere]
* Only close original fp in __del__ and __exit__ if original fp is
exclusive #3683 [radarhere]
* Fix BytesWarning in Tests/test_numpy.py #3725 [jdufresne]
* Add missing MIME types and extensions #3520 [pirate486743186]
* Add I;16 PNG save #3566 [radarhere]
* Add support for BMP RGBA bitfield compression #3705 [radarhere]
* Added ability to set language for text rendering #3693 [iwsfutcmd]
* Only close exclusive fp on Image __exit__ #3698 [radarhere]
* Changed EPS subprocess stdout from devnull to None #3635 [radarhere]
* Add reading old-JPEG compressed TIFFs #3489 [kkopachev]
* Add EXIF support for PNG #3674 [radarhere]
* Add option to set dither param on quantize #3699 [glasnt]
* Add reading of DDS uncompressed RGB data #3673 [radarhere]
* Correct length of Tiff BYTE tags #3672 [radarhere]
* Add DIB saving and loading through Image open #3691 [radarhere]
* Removed deprecated VERSION #3624 [hugovk]
* Fix 'BytesWarning: Comparison between bytes and string' in PdfDict #3580
[jdufresne]
* Do not resize in Image.thumbnail if already the destination size #3632
[radarhere]
* Replace .seek() magic numbers with io.SEEK_* constants #3572 [jdufresne]
* Make ContainerIO.isatty() return a bool, not int #3568 [jdufresne]
* Add support to all transpose operations for I;16 modes #3563, #3741
[radarhere]
* Deprecate support for PyQt4 and PySide #3655 [hugovk, radarhere]
* Add TIFF compression codecs: LZMA, Zstd, WebP #3555 [cgohlke]
* Fixed pickling of iTXt class with protocol > 1 #3537 [radarhere]
* _util.isPath returns True for pathlib.Path objects #3616 [wbadart]
* Remove unnecessary unittest.main() boilerplate from test files #3631
[jdufresne]
* Exif: Seek to IFD offset #3584 [radarhere]
* Deprecate PIL.*ImagePlugin.__version__ attributes #3628 [jdufresne]
* Docs: Add note about ImageDraw operations that exceed image bounds #3620
[radarhere]
* Allow for unknown PNG chunks after image data #3558 [radarhere]
* Changed EPS subprocess stdin from devnull to None #3611 [radarhere]
* Fix possible integer overflow #3609 [cgohlke]
* Catch BaseException for resource cleanup handlers #3574 [jdufresne]
* Improve pytest configuration to allow specific tests as CLI args #3579
[jdufresne]
* Drop support for Python 3.4 #3596 [hugovk]
* Remove deprecated PIL.OleFileIO #3598 [hugovk]
* Remove deprecated ImageOps undocumented functions #3599 [hugovk]
* Depends: Update libwebp to 1.0.2 #3602 [radarhere]
* Detect MIME types #3525 [radarhere]

update to version 5.4.1:

* File closing: Only close __fp if not fp #3540 [radarhere]
* Fix build for Termux #3529 [pslacerda]
* PNG: Detect MIME types #3525 [radarhere]
* PNG: Handle IDAT chunks after image end #3532 [radarhere]

changes from version 5.4.0:

* Docs: Improved ImageChops documentation #3522 [radarhere]
* Allow RGB and RGBA values for P image putpixel #3519 [radarhere]
* Add APNG extension to PNG plugin #3501 [pirate486743186, radarhere]
* Lookup ld.so.cache instead of hardcoding search paths #3245 [pslacerda]
* Added custom string TIFF tags #3513 [radarhere]
* Improve setup.py configuration #3395 [diorcety]
* Read textual chunks located after IDAT chunks for PNG #3506 [radarhere]
* Performance: Don't try to hash value if enum is empty #3503 [Glandos]
* Added custom int and float TIFF tags #3350 [radarhere]
* Fixes for issues reported by static code analysis #3393 [frenzymadness]
* GIF: Wait until mode is normalized to copy im.info into encoderinfo
#3187 [radarhere]
* Docs: Add page of deprecations and removals #3486 [hugovk]
* Travis CI: Upgrade PyPy from 5.8.0 to 6.0 #3488 [hugovk]
* Travis CI: Allow lint job to fail #3467 [hugovk]
* Resolve __fp when closing and deleting #3261 [radarhere]
* Close exclusive fp before discarding #3461 [radarhere]
* Updated open files documentation #3490 [radarhere]
* Added libjpeg_turbo to check_feature #3493 [radarhere]
* Change color table index background to tuple when saving as WebP #3471
[radarhere]
* Allow arbitrary number of comment extension subblocks #3479 [radarhere]
* Ensure previous FLI frame is loaded before seeking to the next #3478
[radarhere]
* ImageShow improvements #3450 [radarhere]
* Depends: Update libimagequant to 2.12.2 #3442, libtiff to 4.0.10 #3458,
libwebp to 1.0.1 #3468, Tk Tcl to 8.6.9 #3465 [radarhere]
* Check quality_layers type #3464 [radarhere]
* Add context manager, __del__ and close methods to TarIO #3455 [radarhere]
* Test: Do not play sound when running screencapture command #3454
[radarhere]
* Close exclusive fp on open exception #3456 [radarhere]
* Only close existing fp in WebP if fp is exclusive #3418 [radarhere]
* Docs: Re-add the downloads badge #3443 [hugovk]
* Added negative index to PixelAccess #3406 [Nazime]
* Change tuple background to global color table index when saving as GIF
#3385 [radarhere]
* Test: Improved ImageGrab tests #3424 [radarhere]
* Flake8 fixes #3422, #3440 [radarhere, hugovk]
* Only ask for YCbCr->RGB libtiff conversion for jpeg-compressed tiffs
#3417 [kkopachev]
* Optimise ImageOps.fit by combining resize and crop #3409 [homm]

update to version 5.3.0:

* Changed Image size property to be read-only by default #3203 [radarhere]
* Add warnings if image file identification fails due to lack of WebP
support #3169 [radarhere, hugovk]
* Hide the Ghostscript progress dialog popup on Windows #3378 [hugovk]
* Adding support to reading tiled and YcbCr jpeg tiffs through libtiff
#3227 [kkopachev]
* Fixed None as TIFF compression argument #3310 [radarhere]
* Changed GIF seek to remove previous info items #3324 [radarhere]
* Improved PDF document info #3274 [radarhere]
* Add line width parameter to rectangle and ellipse-based shapes #3094
[hugovk, radarhere]
* Fixed decompression bomb check in _crop #3313 [dinkolubina, hugovk]
* Added support to ImageDraw.floodfill for non-RGB colors #3377 [radarhere]
* Tests: Avoid catching unexpected exceptions in tests #2203 [jdufresne]
* Use TextIOWrapper.detach() instead of NoCloseStream #2214 [jdufresne]
* Added transparency to matrix conversion #3205 [radarhere]
* Added ImageOps pad method #3364 [radarhere]
* Give correct extrema for I;16 format images #3359 [bz2]
* Added PySide2 #3279 [radarhere]
* Corrected TIFF tags #3369 [radarhere]
* CI: Install CFFI and pycparser without any PYTHONOPTIMIZE #3374 [hugovk]
* Read/Save RGB webp as RGB (instead of RGBX) #3298 [kkopachev]
* ImageDraw: Add line joints #3250 [radarhere]
* Improved performance of ImageDraw floodfill method #3294 [yo1995]
* Fix builds with --parallel #3272 [hsoft]
* Add more raw Tiff modes (RGBaX, RGBaXX, RGBAX, RGBAXX) #3335 [homm]
* Close existing WebP fp before setting new fp #3341 [radarhere]
* Add orientation, compression and id_section as TGA save keyword
arguments #3327 [radarhere]
* Convert int values of RATIONAL TIFF tags to floats #3338 [radarhere,
wiredfool]
* Fix code for PYTHONOPTIMIZE #3233 [hugovk]
* Changed ImageFilter.Kernel to subclass ImageFilter.BuiltinFilter,
instead of the other way around #3273 [radarhere]
* Remove unused draw.draw_line, draw.draw_point and font.getabc methods
#3232 [hugovk]
* Tests: Added ImageFilter tests #3295 [radarhere]
* Tests: Added ImageChops tests #3230 [hugovk, radarhere]
* AppVeyor: Download lib if not present in pillow-depends #3316 [radarhere]
* Travis CI: Add Python 3.7 and Xenial #3234 [hugovk]
* Docs: Added documentation for NumPy conversion #3301 [radarhere]
* Depends: Update libimagequant to 2.12.1 #3281 [radarhere]
* Add three-color support to ImageOps.colorize #3242 [tsennott]
* Tests: Add LA to TGA test modes #3222 [danpla]
* Skip outline if the draw operation fills with the same colour #2922
[radarhere]
* Flake8 fixes #3173, #3380 [radarhere]
* Avoid deprecated 'U' mode when opening files #2187 [jdufresne]

update to version 5.2.0:

* Fixed saving a multiframe image as a single frame PDF #3137 [radarhere]
* If a Qt version is already imported, attempt to use it first #3143
[radarhere]
* Fix transform fill color for alpha images #3147 [fozcode]
* TGA: Add support for writing RLE data #3186 [danpla]
* TGA: Read and write LA data #3178 [danpla]
* QuantOctree.c: Remove erroneous attempt to average over an empty range
#3196 [tkoeppe]
* Changed ICNS format tests to pass on OS X 10.11 #3202 [radarhere]
* Fixed bug in ImageDraw.multiline_textsize() #3114 [tianyu139]
* Added getsize_multiline support for PIL.ImageFont #3113 [tianyu139]
* Added ImageFile get_format_mimetype method #3190 [radarhere]
* Changed mmap file pointer to use context manager #3216 [radarhere]
* Changed ellipse point calculations to be more evenly distributed #3142
[radarhere]
* Only extract first Exif segment #2946 [hugovk]
* Tests: Test ImageDraw2, WalImageFile #3135, #2989 [hugovk]
* Remove unnecessary '#if 0' code #3075 [hugovk]
* Tests: Added GD tests #1817 [radarhere]
* Fix collections ABCs DeprecationWarning in Python 3.7 #3123 [hugovk]
* unpack_from is faster than unpack of slice #3201 [landfillbaby]
* Docs: Add coordinate system links and file handling links in
documentation #3204, #3214 [radarhere]
* Tests: TestFilePng: Fix test_save_l_transparency() #3182 [danpla]
* Docs: Correct argument name #3171 [radarhere]
* Docs: Update CMake download URL #3166 [radarhere]
* Docs: Improve Image.transform documentation #3164 [radarhere]
* Fix transform fillcolor argument when image mode is RGBA or LA #3163
[radarhere]
* Tests: More specific Exception testing #3158 [radarhere]
* Add getrgb HSB/HSV color strings #3148 [radarhere]
* Allow float values in getrgb HSL color string #3146 [radarhere]
* AppVeyor: Upgrade to Python 2.7.15 and 3.4.4 #3140 [radarhere]
* AppVeyor: Upgrade to PyPy 6.0.0 #3133 [hugovk]
* Deprecate PILLOW_VERSION and VERSION #3090 [hugovk]
* Support Python 3.7 #3076 [hugovk]
* Depends: Update freetype to 2.9.1, libjpeg to 9c, libwebp to 1.0.0
#3121, #3136, #3108 [radarhere]
* Build macOS wheels with Xcode 6.4, supporting older macOS versions #3068
[wiredfool]
* Fix _i2f compilation on some GCC versions #3067 [homm]
* Changed encoderinfo to have priority over info when saving GIF images
#3086 [radarhere]
* Rename PIL.version to PIL._version and remove it from module #3083 [homm]
* Enable background colour parameter on rotate #3057 [storesource]
* Remove unnecessary #if 1 directive #3072 [jdufresne]
* Remove unused Python class, Path #3070 [jdufresne]
* Fix dereferencing type-punned pointer will break strict-aliasing #3069
[jdufresne]

update to version 5.1.0:

* Close fp before return in ImagingSavePPM #3061 [kathryndavies]
* Added documentation for ICNS append_images #3051 [radarhere]
* Docs: Move intro text below its header #3021 [hugovk]
* CI: Rename appveyor.yml as .appveyor.yml #2978 [hugovk]
* Fix TypeError for JPEG2000 parser feed #3042 [hugovk]
* Certain corrupted jpegs can result in no data read #3023 [kkopachev]
* Add support for BLP file format #3007 [jleclanche]
* Simplify version checks #2998 [hugovk]
* Fix "invalid escape sequence" warning on Python 3.6+ #2996 [timgraham]
* Allow append_images to set .icns scaled images #3005 [radarhere]
* Support appending to existing PDFs #2965 [vashek]
* Fix and improve efficient saving of ICNS on macOS #3004 [radarhere]
* Build: Enable pip cache in AppVeyor build #3009 [thijstriemstra]
* Trim trailing whitespace #2985 [Metallicow]
* Docs: Correct reference to Image.new method #3000 [radarhere]
* Rearrange ImageFilter classes into alphabetical order #2990 [radarhere]
* Test: Remove duplicate line #2983 [radarhere]
* Build: Update AppVeyor PyPy version #3003 [radarhere]
* Tiff: Open 8 bit Tiffs with 5 or 6 channels, discarding extra channels
#2938 [homm]
* Readme: Added Twitter badge #2930 [hugovk]
* Removed __main__ code from ImageCms #2942 [radarhere]
* Test: Changed assert statements to unittest calls #2961 [radarhere]
* Depends: Update libimagequant to 2.11.10, raqm to 0.5.0, freetype to 2.9
#3036, #3017, #2957 [radarhere]
* Remove _imaging.crc32 in favor of builtin Python crc32 implementation
#2935 [wiredfool]
* Move Tk directory to src directory #2928 [hugovk]
* Enable pip cache in Travis CI #2933 [jdufresne]
* Remove unused and duplicate imports #2927 [radarhere]
* Docs: Changed documentation references to 2.x to 2.7 #2921 [radarhere]
* Fix memory leak when opening webp files #2974 [wiredfool]
* Setup: Fix "TypeError: 'NoneType' object is not iterable" for PPC and
CRUX #2951 [hugovk]
* Setup: Add libdirs for ppc64le and armv7l #2968 [nehaljwani]

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods
such as YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1134=1


Package List:

- openSUSE Leap 15.2 (noarch):

python3-CairoSVG-2.5.1-lp152.2.3.1

- openSUSE Leap 15.2 (x86_64):

python-Pillow-debuginfo-8.3.1-lp152.5.3.1
python-Pillow-debugsource-8.3.1-lp152.5.3.1
python3-Pillow-8.3.1-lp152.5.3.1
python3-Pillow-debuginfo-8.3.1-lp152.5.3.1
python3-Pillow-tk-8.3.1-lp152.5.3.1
python3-Pillow-tk-debuginfo-8.3.1-lp152.5.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-15999.html
  https://www.suse.com/security/cve/CVE-2020-35653.html
  https://www.suse.com/security/cve/CVE-2020-35654.html
  https://www.suse.com/security/cve/CVE-2020-35655.html
  https://www.suse.com/security/cve/CVE-2021-25289.html
  https://www.suse.com/security/cve/CVE-2021-25290.html
  https://www.suse.com/security/cve/CVE-2021-25291.html
  https://www.suse.com/security/cve/CVE-2021-25292.html
  https://www.suse.com/security/cve/CVE-2021-25293.html
  https://www.suse.com/security/cve/CVE-2021-27921.html
  https://www.suse.com/security/cve/CVE-2021-27922.html
  https://www.suse.com/security/cve/CVE-2021-27923.html
  https://www.suse.com/security/cve/CVE-2021-34552.html
  https://bugzilla.suse.com/1180832
  https://bugzilla.suse.com/1180833
  https://bugzilla.suse.com/1180834
  https://bugzilla.suse.com/1181281