bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

* bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
@ 2021-03-19 10:37 Léo Le Bouter via Bug reports for GNU Guix
  2022-03-23  2:57 ` Maxim Cournoyer
  0 siblings, 1 reply; 4+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-19 10:37 UTC (permalink / raw)
  To: 47259

[-- Attachment #1: Type: text/plain, Size: 462 bytes --]

Hello!

pillow-simd is a fork of pillow (
https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@7.1.2

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
  2021-03-19 10:37 bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293 Léo Le Bouter via Bug reports for GNU Guix
@ 2022-03-23  2:57 ` Maxim Cournoyer
  2022-03-23 12:39   ` Maxime Devos
  0 siblings, 1 reply; 4+ messages in thread
From: Maxim Cournoyer @ 2022-03-23  2:57 UTC (permalink / raw)
  To: Léo Le Bouter; +Cc: 47259-done

Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.

Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.

Closing.

Maxim




^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
  2022-03-23  2:57 ` Maxim Cournoyer
@ 2022-03-23 12:39   ` Maxime Devos
  2022-03-23 16:13     ` Maxim Cournoyer
  0 siblings, 1 reply; 4+ messages in thread
From: Maxime Devos @ 2022-03-23 12:39 UTC (permalink / raw)
  To: Maxim Cournoyer, Léo Le Bouter; +Cc: 47259-done

[-- Attachment #1: Type: text/plain, Size: 902 bytes --]

Maxim Cournoyer schreef op di 22-03-2022 om 22:57 [-0400]:
> Léo Le Bouter <lle-bout@zaclys.net> writes:
> 
> > Hello!
> > 
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
> 
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

  (commit (string-append "v" version))

?

Greetings,
Maxime.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
  2022-03-23 12:39   ` Maxime Devos
@ 2022-03-23 16:13     ` Maxim Cournoyer
  0 siblings, 0 replies; 4+ messages in thread
From: Maxim Cournoyer @ 2022-03-23 16:13 UTC (permalink / raw)
  To: Maxime Devos; +Cc: 47259-done

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> Maxim Cournoyer schreef op di 22-03-2022 om 22:57 [-0400]:
>> Léo Le Bouter <lle-bout@zaclys.net> writes:
>> 
>> > Hello!
>> > 
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>> 
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

> WDYT of removing the "v", and changing the "commit" field to
>
>   (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-03-23 16:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-19 10:37 bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293 Léo Le Bouter via Bug reports for GNU Guix
2022-03-23  2:57 ` Maxim Cournoyer
2022-03-23 12:39   ` Maxime Devos
2022-03-23 16:13     ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).