GNU bug report logs

#47259 python-pillow-simd package vulnerable to at least CVE-2021-25293


Report forwarded to bug-guix@gnu.org:
bug#47259; Package guix. (Fri, 19 Mar 2021 10:38:02 GMT)


Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 19 Mar 2021 10:38:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Fri, 19 Mar 2021 11:37:09 +0100
Hello!

pillow-simd is a fork of pillow (
https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@7.1.2

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

Léo

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Fri, 19 Mar 2021 10:40:02 GMT)


Reply sent to Maxim Cournoyer <maxim.cournoyer@gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:59:01 GMT)


Notification sent to Léo Le Bouter <lle-bout@zaclys.net>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:59:02 GMT)


Message #12 received at 47259-done@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47259-done@debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Tue, 22 Mar 2022 22:57:55 -0400
Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.

Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.

Closing.

Maxim

Information forwarded to bug-guix@gnu.org:
bug#47259; Package guix. (Wed, 23 Mar 2022 12:40:02 GMT)


Message #15 received at 47259-done@debbugs.gnu.org:

From: Maxime Devos <maximedevos@telenet.be>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>, Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47259-done@debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Wed, 23 Mar 2022 13:39:25 +0100
Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter <lle-bout@zaclys.net> writes:
> 
> > Hello!
> > 
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
> 
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

  (commit (string-append "v" version))

?

Greetings,
Maxime.

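The package-definition shape Maxime proposes, as an added illustration that is not the Guix repository's actual python-pillow-simd definition: the version field keeps the bare version string and the upstream tag's "v" prefix is re-added only in the commit field. The module and variable names, the hash (a placeholder), the synopsis, description and license are assumptions; only the name, version, URL and commit expression come from the thread.

```scheme
;; Added illustration, not Guix's own python-pillow-simd definition.
;; Guix convention: the version field holds the bare version string;
;; the upstream tag prefix "v" belongs in the git-reference commit,
;; so (string-append "v" version) names the tag "v9.0.0.post1".
(define-module (example pillow-simd)            ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix build-system python)
  #:use-module ((guix licenses) #:prefix license:))

(define-public python-pillow-simd-illustration  ; hypothetical variable name
  (package
    (name "python-pillow-simd")
    (version "9.0.0.post1")                     ; no "v" prefix here
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/uploadcare/pillow-simd")
             ;; upstream tags carry the "v", so add it where the tag
             ;; is named rather than in the version field
             (commit (string-append "v" version))))
       (file-name (git-file-name name version))
       (sha256
        ;; placeholder: compute the real value with `guix hash` on the
        ;; checked-out tree before committing the definition
        (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system python-build-system)
    (home-page "https://github.com/uploadcare/pillow-simd")
    (synopsis "SIMD-accelerated fork of Pillow")        ; assumed wording
    (description
     "Pillow-SIMD is a fork of the Pillow imaging library that adds SIMD
optimizations for common image operations.")            ; assumed wording
    (license license:hpnd)))                            ; assumed: Pillow's license
```

With the version field bare, `guix refresh` and `guix lint` compare against upstream releases correctly, while the git checkout still resolves the "v"-prefixed tag.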

Information forwarded to bug-guix@gnu.org:
bug#47259; Package guix. (Wed, 23 Mar 2022 16:14:01 GMT)


Message #18 received at 47259-done@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Maxime Devos <maximedevos@telenet.be>
Cc: Léo Le Bouter <lle-bout@zaclys.net>, 47259-done@debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Wed, 23 Mar 2022 12:13:32 -0400
Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
>> Léo Le Bouter <lle-bout@zaclys.net> writes:
>> 
>> > Hello!
>> > 
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>> 
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

> WDYT of removing the "v", and changing the "commit" field to
>
>   (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Thu, 21 Apr 2022 11:24:06 GMT)

