Update dependency pillow to v10.3.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pillow (changelog)	==10.2.0 → ==10.3.0

---

Pillow buffer overflow vulnerability

CVE-2024-28219 / GHSA-44wm-f244-xhp3

More information

Details

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Severity

• CVSS Score: 7.3 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-28219
• https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#security
• https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061
• https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M
• https://github.com/advisories/GHSA-44wm-f244-xhp3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

python-pillow/Pillow (pillow)

v10.3.0

Compare Source

• CVE-2024-28219: Use strncpy to avoid buffer overflow #​7928
  [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #​7927
  [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #​7883
  [radarhere]

• Add --report argument to __main__.py to omit supported formats #​7818
  [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #​7918, #​7920
  [radarhere]

• Fix editable installation with custom build backend and configuration options #​7658
  [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #​7209
  [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #​7884
  [radarhere]

• Improved conversion from RGB to RGBa, LA and La #​7888
  [radarhere]

• Support FITS images with GZIP_1 compression #​7894
  [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #​7900
  [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #​7891
  [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #​7893
  [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #​7882
  [radarhere]

• Added reading of JPEG2000 palettes #​7870
  [radarhere]

• Added alpha_quality argument when saving WebP images #​7872
  [radarhere]

• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #​7881
  [radarhere]

• Stop reading EPS image at EOF marker #​7753
  [radarhere]

• PSD layer co-ordinates may be negative #​7706
  [radarhere]

• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #​7791
  [radarhere]

• When saving GIF frame that restores to background color, do not fill identical pixels #​7788
  [radarhere]

• Fixed reading PNG iCCP compression method #​7823
  [radarhere]

• Allow writing IFDRational to UNDEFINED tag #​7840
  [radarhere]

• Fix logged tag name when loading Exif data #​7842
  [radarhere]

• Use maximum frame size in IHDR chunk when saving APNG images #​7821
  [radarhere]

• Prevent opening P TGA images without a palette #​7797
  [radarhere]

• Use palette when loading ICO images #​7798
  [radarhere]

• Use consistent arguments for load_read and load_seek #​7713
  [radarhere]

• Turn off nullability warnings for macOS SDK #​7827
  [radarhere]

• Fix shift-sign issue in Convert.c #​7838
  [r-barnes, radarhere]

• Open 16-bit grayscale PNGs as I;16 #​7849
  [radarhere]

• Handle truncated chunks at the end of PNG images #​7709
  [lajiyuan, radarhere]

• Match mask size to pasted image size in GifImagePlugin #​7779
  [radarhere]

• Release GIL while calling WebPAnimDecoderGetNext #​7782
  [evanmiller, radarhere]

• Fixed reading FLI/FLC images with a prefix chunk #​7804
  [twolife]

• Update wl-paste handling and return None for some errors in grabclipboard() on Linux #​7745
  [nik012003, radarhere]

• Remove execute bit from setup.py #​7760
  [hugovk]

• Do not support using test-image-results to upload images after test failures #​7739
  [radarhere]

• Changed ImageMath.ops to be static #​7721
  [radarhere]

• Fix APNG info after seeking backwards more than twice #​7701
  [esoma, radarhere]

• Deprecate ImageCms constants and versions() function #​7702
  [nulano, radarhere]

• Added PerspectiveTransform #​7699
  [radarhere]

• Add support for reading and writing grayscale PFM images #​7696
  [nulano, hugovk]

• Add LCMS2 flags to ImageCms #​7676
  [nulano, radarhere, hugovk]

• Rename x64 to AMD64 in winbuild #​7693
  [nulano]

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 39.75%. Comparing base (004cb48) to head (7adb34d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #203   +/-   ##
=======================================
  Coverage   39.75%   39.75%           
=======================================
  Files          68       68           
  Lines       10032    10032           
  Branches     1897     1897           
=======================================
  Hits         3988     3988           
  Misses       5704     5704           
  Partials      340      340           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.