GNU bug report logs - #47259
python-pillow-simd package vulnerable to at least CVE-2021-25293

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Fri, 19 Mar 2021 10:38:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 19 Mar 2021 10:37:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 19 06:37:23 2021
Received: from localhost ([127.0.0.1]:48901 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lNCVP-0007DS-4h
	for submit <at> debbugs.gnu.org; Fri, 19 Mar 2021 06:37:23 -0400
Received: from lists.gnu.org ([209.51.188.17]:45088)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lNCVN-0007DL-UZ
 for submit <at> debbugs.gnu.org; Fri, 19 Mar 2021 06:37:22 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:52970)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lNCVN-0007pC-Mz
 for bug-guix@HIDDEN; Fri, 19 Mar 2021 06:37:21 -0400
Received: from mail.zaclys.net ([178.33.93.72]:59077)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lNCVG-0006LM-TF
 for bug-guix@HIDDEN; Fri, 19 Mar 2021 06:37:21 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12JAb9fj024589
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@HIDDEN>; Fri, 19 Mar 2021 11:37:10 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12JAb9fj024589
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616150230;
 bh=LfPwn2aN4UDHDp52e7IP59SKaHCnPClsLQqbHhqII7I=;
 h=Subject:From:To:Date:From;
 b=ijf2NTjycZ8zvX45Ep0QpdhlORVcJo42KuoMnXeSjqaWjbutGt2FhI3nAkXm0hX5K
 p5vX2kRAuOZUKkMByP27Ed3gxdSEyrnkITF9W9TtB4V/jR4THflQeT8FluJNeLBT3X
 DdMWdtsC6x7xF5EuPpO4EcrZKSxnQgM/co2eK4sI=
Message-ID: <932873dcc65d8416e419c95caf9ebb0536f2ae98.camel@HIDDEN>
Subject: python-pillow-simd package vulnerable to at least CVE-2021-25293
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Fri, 19 Mar 2021 11:37:09 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-DAPQS9E+YIbvLipdBdw8"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-DAPQS9E+YIbvLipdBdw8
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello!

pillow-simd is a fork of pillow (
https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@HIDDEN

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

L=C3=A9o

--=-DAPQS9E+YIbvLipdBdw8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBUftUACgkQRaix6GvN
EKYLoA/+KW+i8wvals9itmcRbJxnmkICe6qOqy8lYxm2i48jn6soZvYquQBa0IoV
WKMKVpsuKG6iqWxDuBeufDWMnSCO95z9mQK5m/+dMsWW6hpu7FYNnfvTxJHZjZLG
obYktCTXTde+XKbnzgj0F1vXpPVxKf1WY0ZHaMF/rSMLJ+ZS4gaZOzLr6Wr9ZPCU
vBr3fIA+uBzUy7BOQNR3Ac87TEbB/JVYWMyB4hqmR61iBRPwMR5BJKxfbFXXAWmD
esxDWL044034br6zPo0beW+FCfvH9JzVHudgPF+a2UV5uYmRr1FQbbaDje0+e09B
WGBpYJh6cYSlh5HW8iIJ9qYNpXQG8+KNthQDKWrBmX57/Bt9oltIZ583Fz5d6NPU
4OQEZ9n+Dhyp15oYppXMb101BnUriiH0nCoeyEsJCMZA8NH2CTRazT3iKGDzq+yS
jdsNlMAEMnlXgf4B/nC74vyfNLhgwPs53waGZZAGBLomye/H94zx3xHrRa31EWwK
cTeg/x3cbVllHN21CuBNAt6PKEseip2cPKED4SSWqoeNEmh+Jdn6kitSa2em/07R
oAiQ7MPBGvTU/LcTyPM8C7fWY8vvPySdNRpLp31n9j0CWReK8Yc3fo4Aibi6o3eZ
ImLG+afXPD8O/apBEj5U3LCGAz7NHvI/hDa6na/heqG8C2BUf9w=
=NKXC
-----END PGP SIGNATURE-----

--=-DAPQS9E+YIbvLipdBdw8--





Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47259; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Fri, 19 Mar 2021 10:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.