GNU bug report logs - #47259
python-pillow-simd package vulnerable to at least CVE-2021-25293


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 19 Mar 2021 10:38:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47259; Package guix. (Fri, 19 Mar 2021 10:38:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 19 Mar 2021 10:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Fri, 19 Mar 2021 11:37:09 +0100
Hello!

pillow-simd is a fork of pillow (
https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd <at> 7.1.2

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

Léo

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 19 Mar 2021 10:40:02 GMT)

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:59:01 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:59:02 GMT)

Message #12 received at 47259-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47259-done <at> debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least
 CVE-2021-25293
Date: Tue, 22 Mar 2022 22:57:55 -0400
Hi Léo,

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.

Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.

Closing.

Maxim

Information forwarded to bug-guix <at> gnu.org:
bug#47259; Package guix. (Wed, 23 Mar 2022 12:40:02 GMT)

Message #15 received at 47259-done <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Léo Le
 Bouter <lle-bout <at> zaclys.net>
Cc: 47259-done <at> debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least
 CVE-2021-25293
Date: Wed, 23 Mar 2022 13:39:25 +0100
Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
> 
> > Hello!
> > 
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
> 
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

  (commit (string-append "v" version))

?

Greetings,
Maxime.

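The packaging convention Maxime describes, shown as an added illustrative Guix package fragment (it is not the text of the Guix commit linked above nor any code from this thread). The sha256 is a placeholder, the build system and inputs are omitted, and the two definitions are assumed names for the "before" and "after" forms: the weak form lets the upstream git tag's "v" leak into the version field, the corrected form keeps the version bare and rebuilds the tag name only where the tag is referenced.

```scheme
;; Added example: not the real python-pillow-simd definition from the
;; Guix tree. Hash is a placeholder; build-system, arguments and inputs
;; are omitted. Requires (guix packages), (guix git-download) and
;; (guix build-system python) in a real module.

;; Weak form (what the linked commit did): the tag name "v9.0.0.post1"
;; is stored as the package version, so Guix reports and compares a
;; version string that does not match upstream's bare version.
(define-public python-pillow-simd-weak
  (package
    (name "python-pillow-simd")
    (version "v9.0.0.post1")            ; "v" prefix does not belong here
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/uploadcare/pillow-simd")
                    (commit version)))  ; works only because of the leak
              (file-name (git-file-name name version))
              (sha256 (base32 "PLACEHOLDER-output-of-guix-hash"))))
    ;; build-system, inputs, home-page, synopsis, description, license
    ;; omitted in this fragment.
    (build-system python-build-system)
    (home-page "https://github.com/uploadcare/pillow-simd")
    (synopsis "Placeholder synopsis")
    (description "Placeholder description.")
    (license #f)))

;; Corrected form (Maxime's suggestion): the version field holds the bare
;; upstream version, and the tag name is reconstructed in the commit
;; field, so the "v" appears exactly once, where git needs it.
(define-public python-pillow-simd-fixed
  (package
    (inherit python-pillow-simd-weak)
    (version "9.0.0.post1")             ; bare version, Guix convention
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/uploadcare/pillow-simd")
                    (commit (string-append "v" version))))
              (file-name (git-file-name "python-pillow-simd" version))
              (sha256 (base32 "PLACEHOLDER-output-of-guix-hash"))))))
```

Keeping the version bare is what makes tooling that works from the version field (dependents listing with `guix refresh -l`, as in Léo's report, and version comparisons against upstream) see the same value upstream publishes, which is the point of tracking a security-sensitive fork: a package whose recorded version is not comparable to upstream's is harder to audit for missing backports.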

Information forwarded to bug-guix <at> gnu.org:
bug#47259; Package guix. (Wed, 23 Mar 2022 16:14:01 GMT)

Message #18 received at 47259-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>,
 47259-done <at> debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least
 CVE-2021-25293
Date: Wed, 23 Mar 2022 12:13:32 -0400
Hi,

Maxime Devos <maximedevos <at> telenet.be> writes:

> Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
>> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
>> 
>> > Hello!
>> > 
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>> 
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

> WDYT of removing the "v", and changing the "commit" field to
>
>   (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 21 Apr 2022 11:24:06 GMT)

