This update is broken. You are using function _string_length_check in the code but that function is not defined. Moreover, not all vulnerable methods are fixed.
>>> from PIL import ImageFont
>>> loaded_font = ImageFont.truetype("./FreeMono.ttf", 20, layout_engine=ImageFont.Layout.BASIC)
>>> loaded_font.getsize("A" * 1000001)
<stdin>:1: DeprecationWarning: getsize is deprecated and will be removed in Pillow 10 (2023-07-01). Use getbbox or getlength instead.
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.11/site-packages/PIL/ImageFont.py", line 483, in getsize
_string_length_check(text)
^^^^^^^^^^^^^^^^^^^^
NameError: name '_string_length_check' is not defined
BZ#2247821 CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument [fedora-all]
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
BZ#2247821 CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument [fedora-all]
This update has been submitted for testing by smani.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update is broken. You are using function
_string_length_checkin the code but that function is not defined. Moreover, not all vulnerable methods are fixed.For example, this code should raise an error:
And this one demonstrates the missing function:
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
no regressions noted
This update can be pushed to stable now if the maintainer wishes
Works without issues till now
This update has been obsoleted by python-pillow-9.5.0-3.fc38.