GNU bug report logs - #61172
[PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Mon, 30 Jan 2023 13:49:01 UTC

Severity: normal

Tags: patch

Done: Lars-Dominik Braun <lars <at> 6xq.net>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Mon, 30 Jan 2023 13:49:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 30 Jan 2023 13:49:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Cc: ngraves <at> ngraves.fr
Subject: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Mon, 30 Jan 2023 14:47:51 +0100
* gnu/packages/python-xyz.scm (python-pillow): Update to 9.3.0.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index b14c4ff0f3..9df636c7e0 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -7591,13 +7591,13 @@ (define-public python-pikepdf
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "9.2.0")
+    (version "9.3.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Pillow" version))
               (sha256
                (base32
-                "011wgm1mssjchpva9wsi2a07im9czyjvik137xlp5f0g7vykdrkm"))
+                "03vn7s6rq943knjglm6w82clbmvd8bya1yc0sw402mksalma4df9"))
               (modules '((guix build utils)))
               (snippet '(begin
                           (delete-file-recursively "src/thirdparty")))))
-- 
2.39.1
Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Sat, 04 Feb 2023 15:58:02 GMT) Full text and rfc822 format available.

Message #8 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <lars <at> 6xq.net>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 61172 <at> debbugs.gnu.org
Subject: Re: [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu:
 python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Sat, 4 Feb 2023 16:57:04 +0100
Hi,

it’s nothing we can merge to master unfortunately, because it causes
quite a number of rebuilds. Do you know whether Python packages
are graftable? I never tried that.

Lars
Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Sun, 05 Feb 2023 11:55:02 GMT) Full text and rfc822 format available.

Message #11 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: "Leo Famulari" <leo <at> famulari.name>
To: "Lars-Dominik Braun" <lars <at> 6xq.net>, "Nicolas Graves" <ngraves <at> ngraves.fr>
Cc: 61172 <at> debbugs.gnu.org
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172]
 [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Sun, 05 Feb 2023 12:53:53 +0100
On Sat, Feb 4, 2023, at 16:57, Lars-Dominik Braun wrote:
> Hi,
>
> it’s nothing we can merge to master unfortunately, because it causes
> quite a number of rebuilds. Do you know whether Python packages
> are graftable? I never tried that.


Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.

Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Sun, 12 Feb 2023 08:33:01 GMT) Full text and rfc822 format available.

Message #14 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <lars <at> 6xq.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 61172 <at> debbugs.gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172]
 [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Sun, 12 Feb 2023 09:31:45 +0100
Hi,

> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
that was my feeling too. Attached is a patch that only applies the CVE
fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
should re-build packages, so they can run their test suites.

> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
Do we have a branch for that already?

Lars

[0001-gnu-python-pillow-Fix-CVE-2022-45199.patch (text/plain, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Thu, 16 Mar 2023 11:31:02 GMT) Full text and rfc822 format available.

Message #17 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Lars-Dominik Braun <lars <at> 6xq.net>
Cc: 61172 <at> debbugs.gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes
 CVE-2022-45199].
Date: Thu, 16 Mar 2023 12:30:07 +0100
Hi,

Lars-Dominik Braun <lars <at> 6xq.net> wrote:

>> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?

There’s ‘core-updates’.

Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
ungrafting patch right away on ‘core-updates’ (I think Leo had something
even smarter in mind, I forgot the details).

> From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <lars <at> 6xq.net>
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes: <https://issues.guix.gnu.org/issue/61172>
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.

LGTM, please push!

Thanks,
Ludo’.
Reply sent to Lars-Dominik Braun <lars <at> 6xq.net>:
You have taken responsibility. (Sun, 19 Mar 2023 10:51:02 GMT) Full text and rfc822 format available.

Notification sent to Nicolas Graves <ngraves <at> ngraves.fr>:
bug acknowledged by developer. (Sun, 19 Mar 2023 10:51:02 GMT) Full text and rfc822 format available.

Message #22 received at 61172-done <at> debbugs.gnu.org (full text, mbox):

From: Lars-Dominik Braun <lars <at> 6xq.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 61172-done <at> debbugs.gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes
 CVE-2022-45199].
Date: Sun, 19 Mar 2023 11:49:55 +0100
Hi,

> LGTM, please push!

c16add7fd9783db46bb5b308a885af62f0299e61 gnu: python-pillow: Fix CVE-2022-45199.

But to ungraft we have to merge master into core-updates first. Not
really on my agenda right now.

Cheers,
Lars
Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Sun, 19 Mar 2023 17:15:02 GMT) Full text and rfc822 format available.

Message #25 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 61172 <at> debbugs.gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>,
 Lars-Dominik Braun <lars <at> 6xq.net>
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes
 CVE-2022-45199].
Date: Sun, 19 Mar 2023 13:14:26 -0400
On Thu, Mar 16, 2023 at 12:30:07PM +0100, Ludovic Courtès wrote:
> Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
> ungrafting patch right away on ‘core-updates’ (I think Leo had something
> even smarter in mind, I forgot the details).

I think we should try to do frequent ungrafting branches, at least for
non-core packages like python-pillow. We have the build capacity.

The Cuirass web interface is not as helpful or detailed as that of
qa.guix.gnu.org, and QA cannot currently build such large changes, but
we should still create and try to build these branches.

Information forwarded to guix-patches <at> gnu.org:
bug#61172; Package guix-patches. (Tue, 04 Apr 2023 11:53:02 GMT) Full text and rfc822 format available.

Message #28 received at 61172 <at> debbugs.gnu.org (full text, mbox):

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Lars-Dominik Braun <lars <at> 6xq.net>, Leo Famulari <leo <at> famulari.name>
Cc: 61172 <at> debbugs.gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172]
 [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Tue, 04 Apr 2023 13:34:42 +0200
Hi,

On Sun, 12 Feb 2023 at 09:31, Lars-Dominik Braun <lars <at> 6xq.net> wrote:

> +(define-public python-pillow/security-fixes

This package should not be publicly exposed but hidden.  Otherwise an
ambiguity is raised: two packages are installable from the CLI with the
exact same version.

Cheers,
simon
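For readers unfamiliar with the graft mechanism the thread relies on, here is an added example (not Lars's attached patch, which is not reproduced on this page) of the package shape the discussion converges on: the base package gains a `replacement` pointing at a same-version variant that carries only the CVE patch, and that variant is wrapped in `hidden-package` so the CLI does not expose two installable packages with the same version, as Simon asks. The 9.2.0 hash, the source snippet and the patch file name are taken from the thread; the build system, home page, synopsis, description and license are assumptions for illustration, and Pillow's real inputs are omitted.

```scheme
;;; Added example, not the thread's patch.  Field values marked "assumed"
;;; below are illustrative; the hash, snippet and patch file name come
;;; from the bug thread.
(define-module (example python-pillow-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system python)
  #:use-module (gnu packages)            ; provides search-patches
  #:use-module ((guix licenses) #:prefix license:))

;; The package users see.  The `replacement' field tells Guix to graft
;; the fixed variant onto every dependent at build time instead of
;; rebuilding them, which is what makes a security fix mergeable to
;; master without the mass rebuild a version bump would cause.
(define-public python-pillow
  (package
    (name "python-pillow")
    (version "9.2.0")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "Pillow" version))
              (sha256
               (base32
                "011wgm1mssjchpva9wsi2a07im9czyjvik137xlp5f0g7vykdrkm"))
              (modules '((guix build utils)))
              (snippet '(begin
                          (delete-file-recursively "src/thirdparty")))))
    ;; Forward reference is fine: `replacement' is a thunked field and
    ;; is only resolved when the package graph is built.
    (replacement python-pillow/security-fixes)
    (build-system python-build-system)          ; assumed
    (home-page "https://python-pillow.org")     ; assumed
    (synopsis "Fork of the Python Imaging Library") ; assumed
    (description "Placeholder description for the example.") ; assumed
    (license license:hpnd)))                    ; assumed

;; Same name, same version, source plus only the CVE patch.
;; `package/inherit' keeps every other field of the base package;
;; `hidden-package' sets the hidden? property so `guix package -A'
;; and `guix install' only ever see the single public python-pillow.
(define-public python-pillow/security-fixes
  (hidden-package
   (package/inherit python-pillow
     (source (origin
               (inherit (package-source python-pillow))
               (patches (search-patches
                         "python-pillow-CVE-2022-45199.patch")))))))
```

The graft only works because the replacement builds the same outputs at the same version: Guix rewrites store references in dependents from the old python-pillow output to the patched one without rebuilding them, so any change that alters the package's interface (a real version bump, changed inputs) still belongs on a rebuild branch as the thread says.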
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 03 May 2023 11:24:09 GMT) Full text and rfc822 format available.
