fix: update pillow minimum version to address CVE vulnerabilities#1886
Open
octo-patch wants to merge 1 commit into
sinaptik-ai#1871)

The previous constraint `^10.1.0` allowed Pillow versions as old as 10.1.0, which contain known security vulnerabilities:

- CVE-2023-50447 (arbitrary code execution via PIL.ImageMath.eval, fixed in 10.2.0)
- CVE-2024-28219 (buffer overflow in _imagingcms.c, fixed in 10.3.0)

Updated to `>=10.3.0` to enforce a minimum safe version while also allowing users to install newer Pillow versions (11.x, 12.x) compatible with their Python environment.
Fixes #1871

Problem

The current Pillow dependency constraint `^10.1.0` allows installation of Pillow versions with known security vulnerabilities:

- CVE-2023-50447: arbitrary code execution via the `PIL.ImageMath.eval()` environment parameter. Fixed in Pillow 10.2.0.
- CVE-2024-28219: buffer overflow in `_imagingcms.c` due to unchecked `strcpy` calls when processing ICC profiles. Fixed in Pillow 10.3.0.

Solution

Updated the minimum Pillow version from `^10.1.0` to `>=10.3.0`. This:

- enforces a minimum safe version;
- removes the `<11.0.0` upper cap, allowing users on newer Python versions to install Pillow 11.x or 12.x.

Testing

The change only affects the dependency constraint in `pyproject.toml`. The PIL API usage in `pandasai/core/response/chart.py` (`Image.open`, `Image.save`, `Image.show`) is stable across all Pillow 10.x+ versions.
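The script below is an added example, not part of this PR or of the pandasai project. It models the two constraints discussed above on a constructed list of candidate Pillow releases: the Poetry caret `^10.1.0` (which expands to `>=10.1.0,<11.0.0`) still admits 10.1.0 and 10.2.0, both affected by at least one of the CVEs named in the PR, while `>=10.3.0` admits no affected release and no longer caps the major version. The fix versions come from the PR text; the release list, the helper names and the simple X.Y.Z-only version parser are assumptions made for the example.

```python
"""Added example, not part of this PR or the pandasai code base.

Evaluates which Pillow versions a Poetry-style constraint admits and flags the
ones still affected by the two CVEs named in the PR, so the difference between
`^10.1.0` (caret: >=10.1.0,<11.0.0) and `>=10.3.0` is visible on concrete data.
The release list and helper names are constructed for this example.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# Fix versions as stated in the PR description.
FIXED_IN: Dict[str, Version] = {
    "CVE-2023-50447": (10, 2, 0),  # PIL.ImageMath.eval environment parameter
    "CVE-2024-28219": (10, 3, 0),  # _imagingcms.c ICC profile strcpy overflow
}

# Constructed sample of candidate releases a resolver might consider.
SAMPLE_RELEASES = ["10.0.1", "10.1.0", "10.2.0", "10.3.0", "10.4.0", "11.0.0", "12.0.0"]

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Version:
    """Parse a plain X.Y.Z version; tuples compare correctly component-wise."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def caret_bounds(base: Version) -> Tuple[Version, Version]:
    """Poetry caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 for X>0;
    for 0.Y.Z the cap is 0.(Y+1).0, and for 0.0.Z it is 0.0.(Z+1)."""
    major, minor, patch = base
    if major > 0:
        return base, (major + 1, 0, 0)
    if minor > 0:
        return base, (0, minor + 1, 0)
    return base, (0, 0, patch + 1)


def parse_constraint(spec: str) -> Callable[[Version], bool]:
    """Turn `^X.Y.Z` or a comma-separated list of >=, <, ... clauses into a predicate."""
    spec = spec.strip()
    if spec.startswith("^"):
        lo, hi = caret_bounds(parse_version(spec[1:]))
        return lambda v: lo <= v < hi
    clauses: List[Tuple[str, Version]] = []
    for part in spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*(\d+\.\d+\.\d+)", part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return lambda v: all(_OPS[op](v, bound) for op, bound in clauses)


def vulnerable_cves(version: Version) -> List[str]:
    """CVEs from FIXED_IN whose fix landed after this version."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def admitted_vulnerable(spec: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Map each candidate the constraint admits but which is still affected to its CVEs."""
    accepts = parse_constraint(spec)
    result: Dict[str, List[str]] = {}
    for text in candidates:
        version = parse_version(text)
        if accepts(version):
            cves = vulnerable_cves(version)
            if cves:
                result[text] = cves
    return result


def highest_admitted(spec: str, candidates: List[str]) -> str:
    """Newest candidate the constraint admits (what a resolver would normally pick)."""
    accepts = parse_constraint(spec)
    admitted = [parse_version(t) for t in candidates if accepts(parse_version(t))]
    if not admitted:
        raise ValueError(f"no candidate satisfies {spec!r}")
    return ".".join(str(p) for p in max(admitted))


if __name__ == "__main__":
    for spec in ("^10.1.0", ">=10.3.0"):
        print(spec, "admits vulnerable:", admitted_vulnerable(spec, SAMPLE_RELEASES),
              "| newest admitted:", highest_admitted(spec, SAMPLE_RELEASES))
```

Running it shows the two effects the PR describes separately: `admitted_vulnerable` is non-empty only for the old caret constraint, and `highest_admitted` stops at 10.4.0 under `^10.1.0` but reaches 12.0.0 under `>=10.3.0`. Note that a resolver normally picks the newest admitted release, so the old constraint is mainly a problem for lock files or pinned environments that resolved before 10.3.0 existed; the minimum bound is what prevents those from staying on an affected version.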