[PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

  • Done
Details
5 participants
  • Lars-Dominik Braun
  • Leo Famulari
  • Ludovic Courtès
  • Nicolas Graves
  • Simon Tournier
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
Nicolas Graves wrote on 30 Jan 2023 14:47
(address . guix-patches@gnu.org)(address . ngraves@ngraves.fr)
20230130134751.30647-1-ngraves@ngraves.fr
* gnu/packages/python-xyz.scm (python-pillow): Update to 9.3.0.
---
gnu/packages/python-xyz.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index b14c4ff0f3..9df636c7e0 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -7591,13 +7591,13 @@ (define-public python-pikepdf
(define-public python-pillow
(package
(name "python-pillow")
- (version "9.2.0")
+ (version "9.3.0")
(source (origin
(method url-fetch)
(uri (pypi-uri "Pillow" version))
(sha256
(base32
- "011wgm1mssjchpva9wsi2a07im9czyjvik137xlp5f0g7vykdrkm"))
+ "03vn7s6rq943knjglm6w82clbmvd8bya1yc0sw402mksalma4df9"))
(modules '((guix build utils)))
(snippet '(begin
(delete-file-recursively "src/thirdparty")))))
--
2.39.1
Lars-Dominik Braun wrote on 4 Feb 2023 16:57
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 61172@debbugs.gnu.org)
Y96AUKgxt2w8fvji@philomena
Hi,

it’s nothing we can merge to master unfortunately, because it causes
quite a number of rebuilds. Do you know whether Python packages
are graftable? I never tried that.

Lars
Leo Famulari wrote on 5 Feb 2023 12:53
Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
(address . 61172@debbugs.gnu.org)
f6812f8e-7d49-441b-83f0-9cc52bafb29a@app.fastmail.com
On Sat, Feb 4, 2023, at 16:57, Lars-Dominik Braun wrote:
> Hi,
>
> it’s nothing we can merge to master unfortunately, because it causes
> quite a number of rebuilds. Do you know whether Python packages
> are graftable? I never tried that.


Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.

Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
Lars-Dominik Braun wrote on 12 Feb 2023 09:31
(name . Leo Famulari)(address . leo@famulari.name)
Y+ij8RWOxLUM54Ko@noor.fritz.box
Hi,

> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
that was my feeling too. Attached is a patch that only applies the CVE
fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
should re-build packages, so they can run their test-suites.

> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
Do we have a branch for that already?

Lars
From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <lars@6xq.net>
Date: Sat, 11 Feb 2023 14:47:59 +0100
Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.

Fixes: <https://issues.guix.gnu.org/issue/61172>

* gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
(python-pillow): Add replacement.
* gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
* gnu/local.mk: Register it.
---
gnu/local.mk | 1 +
.../python-pillow-CVE-2022-45199.patch | 36 +++++++++++++++++++
gnu/packages/python-xyz.scm | 5 +++
3 files changed, 42 insertions(+)
create mode 100644 gnu/packages/patches/python-pillow-CVE-2022-45199.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b432a95026..4b72416d3c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1732,6 +1732,7 @@ dist_patch_DATA = \
%D%/packages/patches/python-peachpy-determinism.patch \
%D%/packages/patches/python-pep8-stdlib-tokenize-compat.patch \
%D%/packages/patches/python-piexif-fix-tests-with-pillow-7.2.patch \
+ %D%/packages/patches/python-pillow-CVE-2022-45199.patch \
%D%/packages/patches/python-pyfakefs-remove-bad-test.patch \
%D%/packages/patches/python-pyflakes-test-location.patch \
%D%/packages/patches/python2-pyopenssl-openssl-compat.patch \
diff --git a/gnu/packages/patches/python-pillow-CVE-2022-45199.patch b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
new file mode 100644
index 0000000000..3b01d3a8f4
--- /dev/null
+++ b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
@@ -0,0 +1,36 @@
+From 13f2c5ae14901c89c38f898496102afd9daeaf6d Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 28 Oct 2022 14:11:25 +0200
+Subject: [PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
+
+A large value in the SAMPLESPERPIXEL tag could lead to a memory and
+runtime DOS in TiffImagePlugin.py when setting up the context for
+image decoding.
+
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 04a63bd2b44..46166fc6335 100644
+--- a/src/PIL/TiffImagePlugin.py
++++ b/src/PIL/TiffImagePlugin.py
+@@ -257,6 +257,8 @@
+ (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
+ }
+
++MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
++
+ PREFIXES = [
+ b"MM\x00\x2A", # Valid TIFF header with big-endian byte order
+ b"II\x2A\x00", # Valid TIFF header with little-endian byte order
+@@ -1396,6 +1398,12 @@ def _setup(self):
+ SAMPLESPERPIXEL,
+ 3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
+ )
++
++ if samples_per_pixel > MAX_SAMPLESPERPIXEL:
++ # DOS check, samples_per_pixel can be a Long, and we extend the tuple below
++ logger.error("More samples per pixel than can be decoded: %s", samples_per_pixel)
++ raise SyntaxError("Invalid value for samples per pixel")
++
+ if samples_per_pixel < bps_actual_count:
+ # If a file has more values in bps_tuple than expected,
+ # remove the excess.
+
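Review bot: the embedded upstream commit is labelled `[PATCH 1/5]`, i.e. the first of a five-patch series, but the patch file carries no header saying where it was taken from or why only this part of the series is applied; add a short comment at the top of the file naming the upstream commit (13f2c5ae14901c89c38f898496102afd9daeaf6d) and CVE-2022-45199 so a later reader can tell that the remaining four patches were deliberately omitted rather than forgotten. On the check itself: `MAX_SAMPLESPERPIXEL` is derived from the longest bits-per-sample tuple in `OPEN_INFO`, and the new guard runs before `_setup` extends that tuple, so an oversized SAMPLESPERPIXEL now fails early with `SyntaxError` (Pillow's signal for an invalid image) instead of driving memory and time; that matches the description in the commit message. Since the tracker rendering has stripped the patch's leading whitespace, confirm the file applies cleanly by building the replacement before pushing.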
diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index 15f1a80fed..bfc3afd5db 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -7589,6 +7589,7 @@ (define-public python-pillow
(package
(name "python-pillow")
(version "9.2.0")
+ (replacement python-pillow/security-fixes)
(source (origin
(method url-fetch)
(uri (pypi-uri "Pillow" version))
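Review bot: `(replacement python-pillow/security-fixes)` refers to a variable that is only defined in the next hunk; that is fine, because the `replacement` field is thunked and the forward reference resolves lazily. A graft also requires the replacement to keep the same name, version and outputs, which `package-with-patches` preserves. One caveat: `package-with-patches` replaces the origin's patch list rather than appending to it, which is harmless here only because python-pillow's source currently carries no patches; `package-with-extra-patches` would avoid silently dropping any patch added later.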
@@ -7636,6 +7637,10 @@ (define-public python-pillow
"http://www.pythonware.com/products/pil/license.htm"
"The PIL Software License"))))
+(define-public python-pillow/security-fixes
+ (package-with-patches python-pillow
+ (search-patches "python-pillow-CVE-2022-45199.patch")))
+
(define-public python-pillow-2.9
(package
(inherit python-pillow)
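Review bot: defining the replacement with `define-public` exposes a second package named `python-pillow` at version 9.2.0 to the command-line interface, so `guix install python-pillow` becomes ambiguous between the original and its graft (the point Simon raises later in this thread). Either use a plain `define`, or wrap the package in `hidden-package`, so that it is not found by package search while the `replacement` field still refers to it by variable; the graft mechanism does not need the replacement to be public.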
--
2.39.1
Ludovic Courtès wrote on 16 Mar 2023 12:30
Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
(name . Lars-Dominik Braun)(address . lars@6xq.net)
87mt4dexxc.fsf_-_@gnu.org
Hi,

Lars-Dominik Braun <lars@6xq.net> wrote:

>> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?

There’s ‘core-updates’.

Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
ungrafting patch right away on ‘core-updates’ (I think Leo had something
even smarter in mind, I forgot the details).

> From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <lars@6xq.net>
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes: <https://issues.guix.gnu.org/issue/61172>
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.

LGTM, please push!

Thanks,
Ludo’.
Lars-Dominik Braun wrote on 19 Mar 2023 11:49
(name . Ludovic Courtès)(address . ludo@gnu.org)
ZBbo05XCPmk4y9Fm@noor.fritz.box
Hi,

> LGTM, please push!

c16add7fd9783db46bb5b308a885af62f0299e61 gnu: python-pillow: Fix CVE-2022-45199.

But to ungraft we have to merge master into core-updates first. Not
really on my agenda right now.

Cheers,
Lars
Closed
Leo Famulari wrote on 19 Mar 2023 18:14
(name . Ludovic Courtès)(address . ludo@gnu.org)
ZBdC8mOLV6nebAaF@jasmine.lan
On Thu, Mar 16, 2023 at 12:30:07PM +0100, Ludovic Courtès wrote:
> Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
> ungrafting patch right away on ‘core-updates’ (I think Leo had something
> even smarter in mind, I forgot the details).

I think we should try to do frequent ungrafting branches, at least for
non-core packages like python-pillow. We have the build capacity.

The Cuirass web interface is not as helpful or detailed as that of
qa.guix.gnu.org, and QA cannot currently build such large changes, but
we should still create and try to build these branches.
Simon Tournier wrote on 4 Apr 2023 13:34
Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
86r0szubhp.fsf@gmail.com
Hi,

On Sun, 12 Feb 2023 at 09:31, Lars-Dominik Braun <lars@6xq.net> wrote:

> +(define-public python-pillow/security-fixes

This package should not be publicly exposed but hidden. Otherwise an
ambiguity is raised: two packages are installable from the CLI with the
exact same version.

Cheers,
simon
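The hidden variant Simon asks for, as an added example and not part of the pushed commit: it keeps the graft exactly as the patch defines it but marks the replacement as hidden, so only one public `python-pillow` is reachable from the command line. It assumes the modules the patch already relies on, `(guix packages)` for `hidden-package` and `(gnu packages)` for `package-with-patches` and `search-patches`.

```scheme
;; Added example, not the reviewed patch.  The replacement is no longer
;; exported with define-public and is additionally wrapped in hidden-package,
;; which sets the `hidden?' property so the package cannot be found through
;; the command-line interface (e.g. `guix package -s' or `guix install').
;; The `replacement' field of python-pillow still refers to the variable
;; directly, so grafting works unchanged.
(define python-pillow/security-fixes
  (hidden-package
   (package-with-patches python-pillow
                         (search-patches "python-pillow-CVE-2022-45199.patch"))))
```

With this definition `guix install python-pillow` resolves to the single public package, and users still receive the grafted 9.2.0 with the CVE-2022-45199 fix applied; the hidden package remains buildable by variable name from Scheme, which is all the graft needs.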