python-pillow-simd package vulnerable to at least CVE-2021-25293

  • Done
  • quality assurance status badge
Details
3 participants
  • Léo Le Bouter
  • Maxim Cournoyer
  • Maxime Devos
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
L
L
Léo Le Bouter wrote on 19 Mar 2021 11:37
(address . bug-guix@gnu.org)
932873dcc65d8416e419c95caf9ebb0536f2ae98.camel@zaclys.net
Hello!

pillow-simd is a fork of pillow (
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@7.1.2

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

Léo
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBUftUACgkQRaix6GvN
EKYLoA/+KW+i8wvals9itmcRbJxnmkICe6qOqy8lYxm2i48jn6soZvYquQBa0IoV
WKMKVpsuKG6iqWxDuBeufDWMnSCO95z9mQK5m/+dMsWW6hpu7FYNnfvTxJHZjZLG
obYktCTXTde+XKbnzgj0F1vXpPVxKf1WY0ZHaMF/rSMLJ+ZS4gaZOzLr6Wr9ZPCU
vBr3fIA+uBzUy7BOQNR3Ac87TEbB/JVYWMyB4hqmR61iBRPwMR5BJKxfbFXXAWmD
esxDWL044034br6zPo0beW+FCfvH9JzVHudgPF+a2UV5uYmRr1FQbbaDje0+e09B
WGBpYJh6cYSlh5HW8iIJ9qYNpXQG8+KNthQDKWrBmX57/Bt9oltIZ583Fz5d6NPU
4OQEZ9n+Dhyp15oYppXMb101BnUriiH0nCoeyEsJCMZA8NH2CTRazT3iKGDzq+yS
jdsNlMAEMnlXgf4B/nC74vyfNLhgwPs53waGZZAGBLomye/H94zx3xHrRa31EWwK
cTeg/x3cbVllHN21CuBNAt6PKEseip2cPKED4SSWqoeNEmh+Jdn6kitSa2em/07R
oAiQ7MPBGvTU/LcTyPM8C7fWY8vvPySdNRpLp31n9j0CWReK8Yc3fo4Aibi6o3eZ
ImLG+afXPD8O/apBEj5U3LCGAz7NHvI/hDa6na/heqG8C2BUf9w=
=NKXC
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 19 Mar 2021 11:39
(address . control@debbugs.gnu.org)
af059ab20e973bb7f22dd8a5bde0a19c4b64a96b.camel@zaclys.net
tags 47259 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBUf00ACgkQRaix6GvN
EKajThAAw9OK11pgzkU/bGm7YdzlYiZpSXs5QeIH1re/Cnngb0O2K1Z7AgiEcPMf
2ai92WcMtnJVLxat+aRFpHj2iZA4cVt42Vxc+DNxOjkb/h6k035SnkBX5hPmsN2r
b7Yah5W/wUqtcDEpmyWGlndso2zfQXiXamViTSmiXGZSjyqAVtzIqx4QKRp3+oVF
Ntu2Gu88kT2HiEKz23luNon6MPS2OrHz2SJ4+si0JBIz4WFNRRfGa/uwDtvbUsyF
FEUtLrOXWM6aHbF/Gl3MlNrl7U8MbiMNSoMSKaT41U8mmhlwWX4hePsK3ZVgiRUK
EKB2bXG27Nym4Lzk3MwbejfePMCqDlKUKytn2k3RHfgCICpZrYedRU3zF6hXmvQL
NcoePGwb2EijmLH1a7t9KMDocB/gsfWXfOZtiJAp/b1b7vk0SdmrHTJX2vhwFsBc
bF3KdtBNkh5R8KS+aJ6v+A0NVSMQDJ/qK1KOiPP25si7OvAH0vnRh+CahrRDnk9z
tXAVKoJw6Z+01QbDlLavAPh7LVqL7QAI0Ym540BB6SD1fGphDAeaZ7S0FG2wMf6a
gFw/ZfzzPZn9h28IhZMgTwr3lQ9QQ/o+LOkoiisWZOkHLpJGHaKzlOYtpzQFcHzg
2+LCB9y7dBJPwhUuzo6sWiyNDfNct6HTw7Tx7eJEPcP24+4aPUw=
=tpCq
-----END PGP SIGNATURE-----


M
M
Maxim Cournoyer wrote on 23 Mar 2022 03:57
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47259-done@debbugs.gnu.org)
87r16tz87g.fsf@gmail.com
Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> writes:

Toggle quote (7 lines)
> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.

Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.

Closing.

Maxim
Closed
M
M
Maxime Devos wrote on 23 Mar 2022 13:39
(address . 47259-done@debbugs.gnu.org)
7318489400ae1f00a40463e55f9637fe41d8e35e.camel@telenet.be
Maxim Cournoyer schreef op di 22-03-2022 om 22:57 [-0400]:
Toggle quote (12 lines)
> Léo Le Bouter <lle-bout@zaclys.net> writes:
>
> > Hello!
> >
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
>
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

(commit (string-append "v" version))

?

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYjsU/RccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7hLtAP9knKrXn3BJNf42ieAEYwPICxon
nYbCbr12XhYfMfYU2wD7B0Q79YKMFWChESErmFJmteKARa0gXiD7h+OhQswoKQM=
=RZwh
-----END PGP SIGNATURE-----


Closed
M
M
Maxim Cournoyer wrote on 23 Mar 2022 17:13
(name . Maxime Devos)(address . maximedevos@telenet.be)
87mthgy7df.fsf@gmail.com
Hi,

Maxime Devos <maximedevos@telenet.be> writes:

Toggle quote (20 lines)
> Maxim Cournoyer schreef op di 22-03-2022 om 22:57 [-0400]:
>> Léo Le Bouter <lle-bout@zaclys.net> writes:
>>
>> > Hello!
>> >
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>>
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

Toggle quote (5 lines)
> WDYT of removing the "v", and changing the "commit" field to
>
> (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim
Closed
?