Skip to content

Update dependency pillow to v11.3.0 [SECURITY] #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Update dependency pillow to v11.3.0 [SECURITY] #48

renovate wants to merge 2 commits into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 1, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pillow (changelog) 11.2.1 -> 11.3.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-48379

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space.

This only affects users who save untrusted data as a compressed DDS image.

  • Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily deterministic. It may be practically unbounded.
  • Unclear if there's a restriction on the bytes that could be emitted. It's likely that the only restriction is that the bytes would be emitted in chunks of 8 or 16.

This was introduced in Pillow 11.2.0 when the feature was added.

Release Notes

python-pillow/Pillow (pillow)

v11.3.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file pillow labels Jul 1, 2025
@renovate renovate bot requested a review from AlbertUnruh July 1, 2025 17:32
@renovate
Copy link
Contributor Author

renovate bot commented Jul 1, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlbertUnruh AlbertUnruh Awaiting requested review from AlbertUnruh

At least 1 approving review is required to merge this pull request.

Assignees

@AlbertUnruh AlbertUnruh

Labels

dependencies Pull requests that update a dependency file pillow

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AlbertUnruh