Patch security vulnerability in python-pillow

  • Done
Details
2 participants
  • Christopher Allan Webber
  • Leo Famulari
Owner
unassigned
Submitted by
Christopher Allan Webber
Severity
normal


Christopher Allan Webber wrote 9 years ago
(address . bug-guix@gnu.org)
87twkrl1l2.fsf@dustycloud.org
> Package : pillow
> CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533
>
> Multiple security vulnerabilities have been found in Pillow, a Python
> imaging library, which may result in denial of service or the execution
> of arbitrary code if a malformed FLI, PCD or TIFF file is processed.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 1.1.7-4+deb7u2 of the python-imaging source package.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 2.6.1-2+deb8u2.
>
> For the testing distribution (stretch), this problem has been fixed
> in version 3.1.1-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.1.1-1.
>
> We recommend that you upgrade your pillow packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/

I'm trying to figure out where the patches for this are, but I can't
find them. I expected them to maybe be here, but I don't see them here:

Leo Famulari wrote 9 years ago
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 22858@debbugs.gnu.org)
20160229214724.GA23259@jasmine
On Mon, Feb 29, 2016 at 12:10:33PM -0800, Christopher Allan Webber wrote:
>
> > Package : pillow
> > CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533
> >
> > Multiple security vulnerabilities have been found in Pillow, a Python
> > imaging library, which may result in denial of service or the execution
> > of arbitrary code if a malformed FLI, PCD or TIFF file is processed.
> >
> > For the oldstable distribution (wheezy), this problem has been fixed
> > in version 1.1.7-4+deb7u2 of the python-imaging source package.
> >
> > For the stable distribution (jessie), this problem has been fixed in
> > version 2.6.1-2+deb8u2.
> >
> > For the testing distribution (stretch), this problem has been fixed
> > in version 3.1.1-1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 3.1.1-1.
> >
> > We recommend that you upgrade your pillow packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://www.debian.org/security/
>
> I'm trying to figure out where the patches for this are, but I can't
> find them. I expected them to maybe be here, but I don't see them here:

I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.

When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
that the update does address it:
https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be

Python2-pil *is* vulnerable. However, it seems to have no users in our
source tree. Should we remove it?
Christopher Allan Webber wrote 9 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 22858@debbugs.gnu.org)
87si0bkus3.fsf@dustycloud.org
Leo Famulari writes:

>> I'm trying to figure out where the patches for this are, but I can't
>> find them. I expected them to maybe be here, but I don't see them here:
>
> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>
> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
> that the update does address it:
> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>
> Python2-pil *is* vulnerable. However, it seems to have no users in our
> source tree. Should we remove it?

I think so. Here's a patch to remove it. Look good? (Not sure if this
needs a review or not :))

- Chris
From cbeb28d364bf2df3ef95c547b80830611254fd5c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Mon, 29 Feb 2016 14:36:01 -0800
Subject: [PATCH] gnu: Remove python2-pil.

* gnu/packages/python.scm (python2-pil): Remove variable. It is vulnerable to
CVE-2016-2533, and python2-pillow provides equivalent functionality, so this
package can be cleanly removed.
---
gnu/packages/python.scm | 61 -------------------------------------------------
1 file changed, 61 deletions(-)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 812aeb0..4f34537 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -4596,67 +4596,6 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.")
(strip-python2-variant python-beautifulsoup4)))
(native-inputs `(("python2-setuptools" ,python2-setuptools)))))
-(define-public python2-pil
- (package
- (name "python2-pil")
- (version "1.1.7")
- (source
- (origin
- (method url-fetch)
- (uri (string-append
- "http://effbot.org/downloads/Imaging-"
- version ".tar.gz"))
- (sha256
- (base32
- "04aj80jhfbmxqzvmq40zfi4z3cw6vi01m3wkk6diz3lc971cfnw9"))
- (modules '((guix build utils)))
- (snippet
- ;; Adapt to newer freetype. As the package is unmaintained upstream,
- ;; there is no use in creating a patch and reporting it.
- '(substitute* "_imagingft.c"
- (("freetype/")
- "freetype2/")))))
- (build-system python-build-system)
- (inputs
- `(("freetype" ,freetype)
- ("libjpeg" ,libjpeg)
- ("libtiff" ,libtiff)
- ("python-setuptools" ,python-setuptools)
- ("zlib" ,zlib)))
- (arguments
- ;; Only the fork python-pillow works with Python 3.
- `(#:python ,python-2
- #:tests? #f ; no check target
- #:phases
- (alist-cons-before
- 'build 'configure
- ;; According to README and setup.py, manual configuration is
- ;; the preferred way of "searching" for inputs.
- ;; lcms is not found, TCL_ROOT refers to the unavailable tkinter.
- (lambda* (#:key inputs #:allow-other-keys)
- (let ((jpeg (assoc-ref inputs "libjpeg"))
- (zlib (assoc-ref inputs "zlib"))
- (tiff (assoc-ref inputs "libtiff"))
- (freetype (assoc-ref inputs "freetype")))
- (substitute* "setup.py"
- (("JPEG_ROOT = None")
- (string-append "JPEG_ROOT = libinclude(\"" jpeg "\")"))
- (("ZLIB_ROOT = None")
- (string-append "ZLIB_ROOT = libinclude(\"" zlib "\")"))
- (("TIFF_ROOT = None")
- (string-append "TIFF_ROOT = libinclude(\"" tiff "\")"))
- (("FREETYPE_ROOT = None")
- (string-append "FREETYPE_ROOT = libinclude(\""
- freetype "\")")))))
- %standard-phases)))
- (home-page "http://www.pythonware.com/products/pil/")
- (synopsis "Python Imaging Library")
- (description "The Python Imaging Library (PIL) adds image processing
-capabilities to the Python interpreter.")
- (license (x11-style
- "file://README"
- "See 'README' in the distribution."))))
-
(define-public python2-cssutils
(package
(name "python2-cssutils")
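Review bot: the commit message justifies the removal with CVE-2016-2533 alone, but the advisory quoted earlier in the thread lists CVE-2016-0740 and CVE-2016-0775 against the same code, and the snippet comment being deleted in this hunk ("As the package is unmaintained upstream, there is no use in creating a patch") is the stronger reason no backport is possible; consider naming all three CVEs and the unmaintained status in the change description. Since the removal also rests on python2-pil having no dependents in the tree, stating how that was checked (for instance the output of `guix refresh -l python2-pil`) would let a reviewer verify the claim rather than take it on trust.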
--
2.6.3
Christopher Allan Webber wrote 9 years ago
(name . Leo Famulari)(address . leo@famulari.name)(address . 22858-done@debbugs.gnu.org)
87povfktjv.fsf@dustycloud.org
Christopher Allan Webber writes:

> Leo Famulari writes:
>
>>> I'm trying to figure out where the patches for this are, but I can't
>>> find them. I expected them to maybe be here, but I don't see them here:
>>
>> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>>
>> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
>> that the update does address it:
>> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>>
>> Python2-pil *is* vulnerable. However, it seems to have no users in our
>> source tree. Should we remove it?
>
> I think so. Here's a patch to remove it. Look good? (Not sure if this
> needs a review or not :))
>
> - Chris

Leo gave me some comments on the description on IRC, so I changed those
and pushed!
Closed