python-pillow-simd package vulnerable to at least CVE-2021-25293

Open. Submitted by Léo Le Bouter.
Details
One participant
  • Léo Le Bouter
Owner: unassigned
Severity: normal
Léo Le Bouter wrote on 19 Mar 11:37 +0100
(address . bug-guix@gnu.org)
932873dcc65d8416e419c95caf9ebb0536f2ae98.camel@zaclys.net
Hello!
pillow-simd is a fork of pillow (https://github.com/uploadcare/pillow-simd), it's currently still at version 7.x and it does not seem like it backports security patches from pillow.
$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@7.1.2
Do we remove it? Do we want to commit to backporting/applying all fixes from python-pillow back in python-pillow-simd ourselves (I don't)?
Léo

Léo Le Bouter wrote on 19 Mar 11:39 +0100
(address . control@debbugs.gnu.org)
af059ab20e973bb7f22dd8a5bde0a19c4b64a96b.camel@zaclys.net
tags 47259 + security
quit


To comment on this conversation send email to 47259@debbugs.gnu.org