Pillow 12.1.1 released with fix for CVE-2026-25990

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html announces
the release of Pillow 12.1.1 on 2026-02-11 with these changes:
> Security
> --------
> CVE-2026-25990: Fix OOB write with invalid tile extents
>
> Check that tile extents do not use negative x or y offsets when decoding or
> encoding, and raise an error if they do, rather than allowing an OOB write.
>
> An out-of-bounds write may be triggered when opening a specially crafted
> PSD image. This only affects Pillow >= 10.3.0. Reported by Yarden Porat.
>
> Other changes
> -------------
> Patch libavif for svt-av1 4.0 compatibility
>
> A patch has been added to depends/install_libavif.sh, to allow libavif 1.3.0
> to be compatible with the recently released svt-av1 4.0.0.

[At the time of this writing the cached copy on readthedocs has the wrong
 CVE id, but https://github.com/python-pillow/Pillow/pull/9430/changes
 corrects it in the source document.]

https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc
adds that a workaround is available:
> Image.open() has a formats parameter that can be used to prevent PSD images
> from being opened.

https://github.com/python-pillow/Pillow/pull/9427 has the source changes for
the fix.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris