GNU bug report logs -
#47259
python-pillow-simd package vulnerable to at least CVE-2021-25293
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Fri, 19 Mar 2021 10:38:02 UTC
Severity: normal
Tags: security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Report forwarded to bug-guix <at> gnu.org: bug#47259; Package guix. (Fri, 19 Mar 2021 10:38:02 GMT)
Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 19 Mar 2021 10:38:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello!
pillow-simd is a fork of pillow (
https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.
$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd <at> 7.1.2
Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?
Léo
Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 19 Mar 2021 10:40:02 GMT)
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Wed, 23 Mar 2022 02:59:01 GMT)
Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>: bug acknowledged by developer. (Wed, 23 Mar 2022 02:59:02 GMT)
Message #12 received at 47259-done <at> debbugs.gnu.org (full text, mbox):
Hi Léo,
Léo Le Bouter <lle-bout <at> zaclys.net> writes:
> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.
Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.
Closing.
Maxim
Information forwarded to bug-guix <at> gnu.org: bug#47259; Package guix. (Wed, 23 Mar 2022 12:40:02 GMT)
Message #15 received at 47259-done <at> debbugs.gnu.org (full text, mbox):
Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
>
> > Hello!
> >
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
>
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.
Something went wrong
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.
WDYT of removing the "v", and changing the "commit" field to
(commit (string-append "v" version))
?
Greetings,
Maxime.
Information forwarded to bug-guix <at> gnu.org: bug#47259; Package guix. (Wed, 23 Mar 2022 16:14:01 GMT)
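Maxime's suggestion, shown as an added illustration that is neither the actual Guix package definition nor the fixing commit: the origin with the upstream tag's "v" leaked into the version field, beside the corrected form where the Guix version string stays bare and the prefix is re-added only when building the git reference. The (inherit python-pillow) line, the "before" commit field and the hash are assumptions or placeholders, not values from the page.

```scheme
;; Illustration only; not Guix's real python-pillow-simd definition.
;; Before: the tag prefix "v" ended up in the version field. Guix drops
;; that prefix by convention, and tools that compare versions (guix
;; refresh, guix lint) look at this field, so "v9.0.0.post1" no longer
;; lines up with the upstream version 9.0.0.post1.
(define-public python-pillow-simd-before
  (package
    (inherit python-pillow)          ; assumption: reuses the pillow package
    (name "python-pillow-simd")
    (version "v9.0.0.post1")         ; wrong: "v" belongs to the git tag only
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/uploadcare/pillow-simd")
             (commit version)))      ; assumption: tag taken straight from version
       (file-name (git-file-name name version))
       ;; placeholder: replace with the output of `guix hash -x --serializer=nar`
       (sha256 (base32 "0000000000000000000000000000000000000000000000000000"))))))

;; After: bare version; the "v" is prepended only for the git tag.
(define-public python-pillow-simd
  (package
    (inherit python-pillow)          ; assumption, as above
    (name "python-pillow-simd")
    (version "9.0.0.post1")
    (source
     (origin
       (method git-fetch)
       (uri (git-reference
             (url "https://github.com/uploadcare/pillow-simd")
             (commit (string-append "v" version))))   ; tag v9.0.0.post1
       (file-name (git-file-name name version))
       ;; placeholder: replace with the output of `guix hash -x --serializer=nar`
       (sha256 (base32 "0000000000000000000000000000000000000000000000000000"))))))
```

Keeping the version field bare is what lets `guix refresh -l` and version-based lint checks reason about the package the way the rest of the thread does.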
Message #18 received at 47259-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Maxime Devos <maximedevos <at> telenet.be> writes:
> Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
>> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
>>
>> > Hello!
>> >
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>>
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.
Hum, apologies, it must have been late :-).
> WDYT of removing the "v", and changing the "commit" field to
>
> (commit (string-append "v" version))
>
I see that Nicholas has already fixed it; thank you!
Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 21 Apr 2022 11:24:06 GMT)