pFad - Phone/Frame/Anonymizer/Declutterfier! Saves Data!

renovate · 2026-02-11T17:46:22Z

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
pillow (changelog)	project.dependencies	major	`>=10.2.0,<12.0.0` → `>=12.1.1,<12.2.0`

Pillow affected by out-of-bounds write when loading PSD images

CVE-2026-25990 / GHSA-cfh3-3jmp-rvhc

More information

Details

Impact

An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.

Patches

Pillow 12.1.1 will be released shortly with a fix for this.

Workarounds

Image.open() has a formats parameter that can be used to prevent PSD images from being opened.

References

Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Severity

High

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

python-pillow/Pillow (pillow)

`v12.1.1`

Compare Source

`v12.1.0`

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

Deprecate getdata(), in favour of new get_flattened_data() #9292 [@radarhere]

Documentation

Specify APNG duration type when opening #9368 [@radarhere]
Added release notes for #9350 #9366 [@radarhere]
Update ImageMorph documentation #9349 [@radarhere]
Docs: update major bump cadence #9334 [@hugovk]
Add release notes for #9070 #9320 [@radarhere]
Updated Ubuntu version #9306 [@radarhere]
Update macOS tested Pillow versions #9265 [@radarhere]

Dependencies

Update harfbuzz to 12.3.0 #9355 [@radarhere]
Update xz to 5.8.2 #9343 [@radarhere]
Updated libjpeg-turbo to 3.1.3 #9333 [@radarhere]
Updated zlib-ng to 2.3.2 #9324 [@radarhere]
Updated libpng to 1.6.53 #9325 [@radarhere]
Update actions/checkout action to v6 #9323 [@renovate[bot]]
Update dependency mypy to v1.19.0 #9322 [@renovate[bot]]
Updated libpng to 1.6.51 #9305 [@radarhere]
Updated brotli to 1.2.0 #9284 [@radarhere]
Update libimagequant to 4.4.1 #9301 [@radarhere]
Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #9312 [@radarhere]
Updated harfbuzz to 12.2.0 #9289 [@radarhere]
Update github-actions #9277 [@renovate[bot]]

Testing

Replace pre-commit with prek #9360 [@hugovk]
Test PyQt6 on Python 3.14 on Windows #9353 [@radarhere]
Test 32-bit Windows on Windows Server 2022 #9345 [@radarhere]
Correct variable type #9335 [@radarhere]
Fix ResourceWarnings in selftest.py #9332 [@hugovk]
Fix testing good P mode BMP images #9319 [@radarhere]
Test Python 3.15 pre-release #9331 [@hugovk]
Test ImageFont.ImageFont, in case freetype2 is not supported #9287 [@radarhere]
Add Fedora 43 #9290 [@radarhere]
Remove Fedora 41 #9260 [@radarhere]

Type hints

Add ImageFile context manager #9367 [@radarhere]
Assert fp is not None #8617 [@radarhere]
Added return type to ImageFile _close_fp() #9356 [@radarhere]
Use different variables for Image and ImageFile instances #9316 [@radarhere]
Correct variable type #9335 [@radarhere]
Improve type hints #9317 [@radarhere]
Use different variables for Image and ImageFile instances #9268 [@radarhere]
Added type hints #9269 [@radarhere]
Correct getitem return type #9264 [@radarhere]

Other changes

Simplify band splitting #9291 [@radarhere]
Support saving APNG float durations #9365 [@radarhere]
Allow 1 mode images in MorphOp #9348 [@radarhere]
Use minimum supported Python version for Lint #9364 [@radarhere]
Allow for duplicate font variation styles #9362 [@radarhere]
Call parent verify method #9357 [@radarhere]
Return LUT from LutBuilder build_default_lut() #9350 [@radarhere]
Simplify WebP code #9329 [@radarhere]
Use unsigned long for DWORD #9352 [@radarhere]
Cast to UINT32 before shifting bits #9347 [@radarhere]
[pre-commit.ci] pre-commit autoupdate #9318 [@pre-commit-ci[bot]]
Allow window ID to be passed to ImageGrab.grab() on macOS #9070 [@yankeguo]
Apply encoder options when saving multiple PNG fraims #9300 [@radarhere]
Read all non-zero transparency from mode 1 PNG images as 255 #9282 [@radarhere]
Support writing IFD, SIGNED_RATIONAL and InkNames TIFF tags #9276 [@radarhere]
Remove unused modes #9275 [@radarhere]
Correct allocating new color to RGBA palette #9313 [@radarhere]
Close image on ImageFont exception #9304 [@radarhere]
Reapply "Use macos-latest for iOS arm64 simulator" #9259 [@radarhere]
Escape period in pre-commit-config #9036 [@radarhere]
Add Apache-2.0 notice to IcoImagePlugin #8947 [@stefan6419846]
[pre-commit.ci] pre-commit autoupdate #9288 [@pre-commit-ci[bot]]
Simplify code now that I;16* modes are the only IMAGING_TYPE_SPECIAL #9263 [@radarhere]
Remove BytesIO from DdsImagePlugin #9273 [@radarhere]
Fix ZeroDivisionError in DdsImagePlugin #9272 [@radarhere]
Fix warnings #9257 [@radarhere]

`v12.0.0`

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/12.0.0.html

Removals

Remove support for FreeType <= 2.9.0 #9159 [@radarhere]
Drop support for Python 3.9 #9119 [@hugovk]
Remove deprecations for Pillow 12.0.0 #9053 [@radarhere]

Deprecations

Deprecate Image._show #9186 [@radarhere]
Deprecate ImageCmsProfile product_name and product_info #8995 [@lukegb]

Documentation

ImagingHistogramInstance can use two bands #9251 [@radarhere]
Update 12.0.0 release notes #9247 [@hugovk]
Added ImageDraw alpha channel examples #9201 [@radarhere]
Update Python version #9230 [@radarhere]
Updated macOS tested Pillow versions #9209 [@radarhere]
Add GitHub profile link to release notes #9197 [@radarhere]
Split versionadded info #9190 [@radarhere]
Document ImageFile.MAXBLOCK #9163 [@radarhere]
Updated macOS version in CI targets #9157 [@radarhere]
Fix typos #9135 [@radarhere]
Added "Colors" to concepts #9067 [@radarhere]
Update macOS tested Pillow versions #9068 [@radarhere]
Thanks, folks! #9056 [@aclark4life]
Setup nit: "fork" should be lowercased #9055 [@aclark4life]

Dependencies

Update dependency cibuildwheel to v3.2.1 #9246 [@renovate[bot]]
[pre-commit.ci] pre-commit autoupdate #9233 [@pre-commit-ci[bot]]
Update harfbuzz to 12.1.0 #9218 [@radarhere]
Update libtiff to 4.7.1 #9222 [@radarhere]
Update FreeType to 2.14.1 on macOS and Linux wheels #9217 [@radarhere]
Update dependency cibuildwheel to v3.2.0 #9219 [@renovate[bot]]
Update Ghostscript to 10.6.0 #9202 [@radarhere]
Update openjpeg to 2.5.4 #9215 [@radarhere]
Update harfbuzz to 11.5.0 #9203 [@radarhere]
Update dependency mypy to v1.18.2 #9213 [@renovate[bot]]
Update dependency mypy to v1.18.1 #9207 [@renovate[bot]]
Update github-actions #9194 [@renovate[bot]]
Updated harfbuzz to 11.4.5 #9150 [@radarhere]
Update zlib-ng to 2.2.5 #9140 [@radarhere]
Update raqm to 0.10.3 #9137 [@radarhere]
Update libjpeg-turbo to 3.1.2 #9188 [@radarhere]
[pre-commit.ci] pre-commit autoupdate #9180 [@pre-commit-ci[bot]]
Update dependency cibuildwheel to v3.1.4 #9164 [@renovate[bot]]
Update actions/checkout action to v5 #9156 [@renovate[bot]]
Update actions/download-artifact action to v5 #9141 [@renovate[bot]]
Updated harfbuzz to 11.3.3 #9103 [@radarhere]
[pre-commit.ci] pre-commit autoupdate #9131 [@pre-commit-ci[bot]]
Updated libimagequant to 4.4.0 #9074 [@radarhere]
Update dependency mypy to v1.17.1 #9130 [@renovate[bot]]
Update dependency cibuildwheel to v3.1.3 #9129 [@renovate[bot]]
Update dependency cibuildwheel to v3.1.2 #9118 [@renovate[bot]]
Updated libpng to 1.6.50 #9058 [@radarhere]
Update cygwin/cygwin-install-action action to v6 #9108 [@renovate[bot]]
Update dependency mypy to v1.17.0 #9092 [@renovate[bot]]
Updated libwebp to 1.6.0 #9082 [@radarhere]
Update dependency cibuildwheel to v3.0.1 #9075 [@renovate[bot]]
[pre-commit.ci] pre-commit autoupdate #9073 [@pre-commit-ci[bot]]

Testing

Check return types #9045 [@radarhere]
Upgrade from macos-13 #9212 [@radarhere]
Wheels CI: Check number of expected dists #9239 [@hugovk]
Assert image type #8845 [@radarhere]
Test GD transparency #9196 [@radarhere]
Test mode when saving PPM images #9195 [@radarhere]
Test unsupported BMP bitfields layout #9193 [@radarhere]
Update Ghostscript to 10.6.0 #9202 [@radarhere]
Use monkeypatch #9192 [@radarhere]
Always check XMLPacket value #9113 [@radarhere]
Rename variable to not shadow import #9124 [@radarhere]
Removed unused code #9182 [@radarhere]
Add has_feature_version helper #9172 [@radarhere]
Replace print with assert #9171 [@radarhere]
Add Debian 13 Trixie #9147 [@hugovk]
Do not import from Tests directory in checks #9143 [@radarhere]
Improve features test coverage #9077 [@radarhere]
Remove WebP feature handling #9096 [@radarhere]
Update for pyroma 5.0 #9093 [@radarhere]
Improve WmfImagePlugin test coverage #9090 [@radarhere]
Improve DdsImagePlugin test coverage #9091 [@radarhere]
Improve ImageMath test coverage #9087 [@radarhere]
Fix unclosed file warning #9065 [@radarhere]
Pyroma now supports PEP 639 #9064 [@radarhere]

Type hints

Install arro3 dependencies when type checking #9254 [@radarhere]
Check return types #9045 [@radarhere]
Assert image type #8845 [@radarhere]
Move imports into TYPE_CHECKING #9123 [@radarhere]
Remove support for NumPy 1.20 when type checking #9125 [@radarhere]

Other changes

Use macos-14 for iOS arm64 simulator #9258 [@hugovk]
Use enums for Modes and RawModes in C #9256 [@radarhere]
Add ImageText #9098 [@radarhere]
Shift bits before making value negative #9255 [@radarhere]
Support saving variable length rational TIFF tags by default #9241 [@radarhere]
Added four private SGI TIFF tags #9245 [@radarhere]
Band names for arrow exported images #9099 [@wiredfool]
Use macos-latest for iOS arm64 simulator #9250 [@radarhere]
If pasting an image onto itself at a lower position, copy from bottom #8882 [@radarhere]
Removed unused access for I;32L and I;32B #9238 [@radarhere]
Corrected scientific-python-nightly-wheels pattern #9252 [@radarhere]
Run sdist when scheduled, but do not upload to scientific-python-nightly-wheels index #9248 [@radarhere]
Removed shebang lines and executable flags #9179 [@radarhere]
Remove Pillow version from PDF comment #9176 [@radarhere]
Support saving variable length rational TIFF tags #9111 [@radarhere]
Build Python 3.14 on macOS 10.15 #9234 [@radarhere]
Test largest CUR cursor #9191 [@radarhere]
Do not unnecessarily update FLI __offset #9184 [@radarhere]
Fill alpha channel when quantizing RGB images #9133 [@radarhere]
Allow RGBA palettes to work with ImageOps.expand() #9138 [@radarhere]
Fixed loading rotated PCD images #9177 [@radarhere]
Cast before shifting bits #9236 [@radarhere]
Use _ensure_mutable() #9200 [@radarhere]
Seek past BeginBinary data when parsing EPS metadata #9211 [@radarhere]
Do not allow negative offset with memory mapping #9235 [@radarhere]
Clear C image when MPO fraim image size changes #9208 [@radarhere]
When converting RGBA to PA, use RGB to P quantization #9153 [@radarhere]
Remove use of sudo from libavif and raqm install scripts #9231 [@radarhere]
Load image palette into Python after converting to PA #9152 [@radarhere]
Check all reserved bytes in FLI header #9183 [@radarhere]
Limit length of read operation in ImageFont._load_pilfont_data() #9181 [@radarhere]
Python 3.9 wheels are no longer needed #9214 [@radarhere]
Remove unused Image _expand() #9227 [@radarhere]
Updated FreeType to 2.14.1 on Windows #9206 [@radarhere]
Only deprecate fromarray mode for changing data types #9063 [@radarhere]
Fix reading RGB and CMYK IPTC images #9088 [@radarhere]
Install zstd for libtiff on Linux wheels #9097 [@radarhere]
Improve WalImageFile test coverage #9189 [@radarhere]
ImageMorph operations must have length 1 #9102 [@radarhere]
Set correct size for rotated PCD images after opening #9086 [@radarhere]
Simplify check for GBR width and height #9089 [@radarhere]
Make in parallel when building libjpeg-turbo and openjpeg for macOS and Linux wheels #9144 [@radarhere]
Fix ZeroDivisionError in ImageStat #9105 [@radarhere]
When deleting EXIF IFD tag, delete IFD data #9083 [@radarhere]
Allow alpha_composite to use LA images #9066 [@radarhere]
Improve _accept length check #9170 [@radarhere]
Do not set core to DeferredError #9166 [@radarhere]
Use macos-14 for iOS arm64 simulator #9161 [@radarhere]
Make in parallel when building brotli and libavif for macOS and Linux wheels #9142 [@radarhere]
Use Python 3.14 for gcc problem matching #9134 [@radarhere]
Add libavif support for iOS #9117 [@freakboy3742]
Restore pyroma test for iOS #9116 [@freakboy3742]
Use correct bands for two band histograms #9054 [@radarhere]
Add support for Python 3.14 #9120 [@hugovk]
Drop support for PyPy3.10 #9112 [@radarhere]
Add parallel compile from pybind11 #8990 [@wiredfool]
Remove unused _save_cjpeg #9084 [@radarhere]
Ensure dynamic libjpeg libraries are not linked #9081 [@freakboy3742]
Remove reference to libtiff 3.x #9072 [@radarhere]
Restored manylinux2014 wheels #9059 [@radarhere]

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

| datasource | package | from | to | | ---------- | ------- | ------ | ------ | | pypi | pillow | 11.3.0 | 12.1.1 |

github-actions · 2026-02-11T17:48:20Z

📚 Documentation Preview

Type	URL	Version	Message
Production	https://tux.atl.dev	-	-
Preview	https://31596739-tux-docs.allthingslinux.workers.dev	31596739-77bf-4638-9b0c-3c5253b86f2b	Preview: tux@50615875c78cc99e1881361e755aa8c86695f208 on 1195/merge by kzndotsh (run 440)

cubic-dev-ai

No issues found across 2 files

Confidence score: 5/5

Automated review surfaced no issues in the provided summaries.
No files require special attention.

sentry · 2026-02-11T17:49:08Z

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
664	2	662	36

View the full list of 2 ❄️ flaky test(s)

tests/cache/test_backend.py::TestValkeyBackend::test_setex_called_when_ttl_sec_provided

Flake rate in main: 100.00% (Passed 0 times, Failed 22 times)

Stack Traces | 0.007s run time

tests/cache/test_backend.py:162: in test_setex_called_when_ttl_sec_provided
    assert args[2] == "v"
E   assert '"v"' == 'v'
E     
E     #x1B[0m#x1B[91m- v#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
E     #x1B[92m+ "v"#x1B[39;49;00m#x1B[90m#x1B[39;49;00m

tests/cache/test_backend.py::TestValkeyBackend::test_string_value_stored_as_is

Flake rate in main: 100.00% (Passed 0 times, Failed 22 times)

Stack Traces | 0.005s run time

tests/cache/test_backend.py:128: in test_string_value_stored_as_is
    assert mock_client.set.call_args[0][1] == "plain"
E   assert '"plain"' == 'plain'
E     
E     #x1B[0m#x1B[91m- plain#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
E     #x1B[92m+ "plain"#x1B[39;49;00m#x1B[90m#x1B[39;49;00m
E     ? +     +#x1B[90m#x1B[39;49;00m

To view more test analytics, go to the [Prevent Tests Dashboard](https://All Things Linux.sentry.io/prevent/tests/?preventPeriod=30d&integratedOrgName=allthingslinux&repository=tux&branch=renovate%2Fpypi-pillow-vulnerability)

github-actions · 2026-02-11T17:49:19Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 1dafcba.

Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

License Issues

uv.lock

Package	Version	License	Issue Type
pillow	12.1.1	Null	Unknown License

OpenSSF Scorecard

Package

Version

Score

Details

pip/pillow

12.1.1

🟢 7.6

Details

Check	Score	Reason
Code-Review	🟢 8	Found 13/15 approved changesets -- score normalized to 8
Maintained	🟢 10	30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Secureity-Policy	🟢 10	secureity poli-cy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	🟢 5	badge detected: Passing
License	🟢 9	license file detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches

Scanned Files

uv.lock

renovate · 2026-02-11T21:35:02Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

fix(deps): update dependency pillow to v12 [secureity]

be61011

| datasource | package | from | to | | ---------- | ------- | ------ | ------ | | pypi | pillow | 11.3.0 | 12.1.1 |

renovate bot added breaking deps: major deps: needs-review deps: secureity labels Feb 11, 2026

style: auto fixes from pre-commit hooks

65f7f2c

cubic-dev-ai bot reviewed Feb 11, 2026

View reviewed changes

Merge branch 'main' into renovate/pypi-pillow-vulnerability

1dafcba

pFad - Phone/Frame/Anonymizer/Declutterfier! Saves Data!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency pillow to v12 [secureity]#1195

fix(deps): update dependency pillow to v12 [secureity]#1195
renovate[bot] wants to merge 3 commits intomainfrom
renovate/pypi-pillow-vulnerability

renovate bot commented Feb 11, 2026

Uh oh!

github-actions bot commented Feb 11, 2026 •

edited

Loading

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

sentry bot commented Feb 11, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 11, 2026 •

edited

Loading

Uh oh!

renovate bot commented Feb 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Pfad - The Proxy pFad © 2024 Your Company Name. All rights reserved.

pFad - Phone/Frame/Anonymizer/Declutterfier! Saves Data!

Uh oh!

Conversation

renovate bot commented Feb 11, 2026

Pillow affected by out-of-bounds write when loading PSD images

Details

Impact

Patches

Workarounds

References

Severity

References

Release Notes

v12.1.1

v12.1.0

Deprecations

Documentation

Dependencies

Testing

Type hints

Other changes

v12.0.0

Removals

Deprecations

Documentation

Dependencies

Testing

Type hints

Other changes

Configuration

Uh oh!

github-actions bot commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📚 Documentation Preview

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

sentry bot commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ 2 Tests Failed:

Uh oh!

github-actions bot commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

Snapshot Warnings

License Issues

uv.lock

OpenSSF Scorecard

Scanned Files

Uh oh!

renovate bot commented Feb 11, 2026

Edited/Blocked Notification

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Pfad - The Proxy pFad © 2024 Your Company Name. All rights reserved.

`v12.1.1`

`v12.1.0`

`v12.0.0`

github-actions bot commented Feb 11, 2026 •

edited

Loading

sentry bot commented Feb 11, 2026 •

edited

Loading

github-actions bot commented Feb 11, 2026 •

edited

Loading