* bug#22858: Patch security vulnerability in python-pillow
@ 2016-02-29 20:10 Christopher Allan Webber
2016-02-29 21:47 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Christopher Allan Webber @ 2016-02-29 20:10 UTC (permalink / raw)
To: 22858
See: https://lwn.net/Articles/677914/
> Package : pillow
> CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533
>
> Multiple security vulnerabilities have been found in Pillow, a Python
> imaging library, which may result in denial of service or the execution
> of arbitrary code if a malformed FLI, PCD or Tiff files is processed.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 1.1.7-4+deb7u2 of the python-imaging source package.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 2.6.1-2+deb8u2.
>
> For the testing distribution (stretch), this problem has been fixed
> in version 3.1.1-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.1.1-1.
>
> We recommend that you upgrade your pillow packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
I'm trying to figure out where the patches for this are, but I can't
find them. I expected them to maybe be here, but I don't see them here:
http://sources.debian.net/patches/pillow/3.1.1-1/
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#22858: Patch security vulnerability in python-pillow
2016-02-29 20:10 bug#22858: Patch security vulnerability in python-pillow Christopher Allan Webber
@ 2016-02-29 21:47 ` Leo Famulari
2016-02-29 22:37 ` Christopher Allan Webber
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2016-02-29 21:47 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: 22858
On Mon, Feb 29, 2016 at 12:10:33PM -0800, Christopher Allan Webber wrote:
> See: https://lwn.net/Articles/677914/
>
> > Package : pillow
> > CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533
> >
> > Multiple security vulnerabilities have been found in Pillow, a Python
> > imaging library, which may result in denial of service or the execution
> > of arbitrary code if a malformed FLI, PCD or Tiff files is processed.
> >
> > For the oldstable distribution (wheezy), this problem has been fixed
> > in version 1.1.7-4+deb7u2 of the python-imaging source package.
> >
> > For the stable distribution (jessie), this problem has been fixed in
> > version 2.6.1-2+deb8u2.
> >
> > For the testing distribution (stretch), this problem has been fixed
> > in version 3.1.1-1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 3.1.1-1.
> >
> > We recommend that you upgrade your pillow packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://www.debian.org/security/
>
> I'm trying to figure out where the patches for this are, but I can't
> find them. I expected them to maybe be here, but I don't see them here:
I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
that the update does address it:
https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
Python2-pil *is* vulnerable. However, it seems to have no users in our
source tree. Should we remove it?
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#22858: Patch security vulnerability in python-pillow
2016-02-29 21:47 ` Leo Famulari
@ 2016-02-29 22:37 ` Christopher Allan Webber
2016-02-29 23:04 ` Christopher Allan Webber
0 siblings, 1 reply; 4+ messages in thread
From: Christopher Allan Webber @ 2016-02-29 22:37 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22858
[-- Attachment #1: Type: text/plain, Size: 670 bytes --]
Leo Famulari writes:
>> I'm trying to figure out where the patches for this are, but I can't
>> find them. I expected them to maybe be here, but I don't see them here:
>
> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>
> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
> that the update does address it:
> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>
> Python2-pil *is* vulnerable. However, it seems to have no users in our
> source tree. Should we remove it?
I think so. Here's a patch to remove it. Look good? (Not sure if this
needs a review or not :))
- Chris
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-Remove-python2-pil.patch --]
[-- Type: text/x-patch, Size: 3477 bytes --]
From cbeb28d364bf2df3ef95c547b80830611254fd5c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Mon, 29 Feb 2016 14:36:01 -0800
Subject: [PATCH] gnu: Remove python2-pil.
* gnu/packages/python.scm (python2-pil): Remove variable. It is vulnerable to
CVE-2016-2533, and python2-pillow provides equivalent functionality, so this
package can be cleanly removed.
---
gnu/packages/python.scm | 61 -------------------------------------------------
1 file changed, 61 deletions(-)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 812aeb0..4f34537 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -4596,67 +4596,6 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.")
(strip-python2-variant python-beautifulsoup4)))
(native-inputs `(("python2-setuptools" ,python2-setuptools)))))
-(define-public python2-pil
- (package
- (name "python2-pil")
- (version "1.1.7")
- (source
- (origin
- (method url-fetch)
- (uri (string-append
- "http://effbot.org/downloads/Imaging-"
- version ".tar.gz"))
- (sha256
- (base32
- "04aj80jhfbmxqzvmq40zfi4z3cw6vi01m3wkk6diz3lc971cfnw9"))
- (modules '((guix build utils)))
- (snippet
- ;; Adapt to newer freetype. As the package is unmaintained upstream,
- ;; there is no use in creating a patch and reporting it.
- '(substitute* "_imagingft.c"
- (("freetype/")
- "freetype2/")))))
- (build-system python-build-system)
- (inputs
- `(("freetype" ,freetype)
- ("libjpeg" ,libjpeg)
- ("libtiff" ,libtiff)
- ("python-setuptools" ,python-setuptools)
- ("zlib" ,zlib)))
- (arguments
- ;; Only the fork python-pillow works with Python 3.
- `(#:python ,python-2
- #:tests? #f ; no check target
- #:phases
- (alist-cons-before
- 'build 'configure
- ;; According to README and setup.py, manual configuration is
- ;; the preferred way of "searching" for inputs.
- ;; lcms is not found, TCL_ROOT refers to the unavailable tkinter.
- (lambda* (#:key inputs #:allow-other-keys)
- (let ((jpeg (assoc-ref inputs "libjpeg"))
- (zlib (assoc-ref inputs "zlib"))
- (tiff (assoc-ref inputs "libtiff"))
- (freetype (assoc-ref inputs "freetype")))
- (substitute* "setup.py"
- (("JPEG_ROOT = None")
- (string-append "JPEG_ROOT = libinclude(\"" jpeg "\")"))
- (("ZLIB_ROOT = None")
- (string-append "ZLIB_ROOT = libinclude(\"" zlib "\")"))
- (("TIFF_ROOT = None")
- (string-append "TIFF_ROOT = libinclude(\"" tiff "\")"))
- (("FREETYPE_ROOT = None")
- (string-append "FREETYPE_ROOT = libinclude(\""
- freetype "\")")))))
- %standard-phases)))
- (home-page "http://www.pythonware.com/products/pil/")
- (synopsis "Python Imaging Library")
- (description "The Python Imaging Library (PIL) adds image processing
-capabilities to the Python interpreter.")
- (license (x11-style
- "file://README"
- "See 'README' in the distribution."))))
-
(define-public python2-cssutils
(package
(name "python2-cssutils")
--
2.6.3
^ permalink raw reply related [flat|nested] 4+ messages in thread* bug#22858: Patch security vulnerability in python-pillow
2016-02-29 22:37 ` Christopher Allan Webber
@ 2016-02-29 23:04 ` Christopher Allan Webber
0 siblings, 0 replies; 4+ messages in thread
From: Christopher Allan Webber @ 2016-02-29 23:04 UTC (permalink / raw)
To: Leo Famulari; +Cc: 22858-done
Christopher Allan Webber writes:
> Leo Famulari writes:
>
>>> I'm trying to figure out where the patches for this are, but I can't
>>> find them. I expected them to maybe be here, but I don't see them here:
>>
>> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>>
>> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
>> that the update does address it:
>> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>>
>> Python2-pil *is* vulnerable. However, it seems to have no users in our
>> source tree. Should we remove it?
>
> I think so. Here's a patch to remove it. Look good? (Not sure if this
> needs a review or not :))
>
> - Chris
Leo gave me some comments on the description on IRC, so I changed those
and pushed!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-02-29 23:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-29 20:10 bug#22858: Patch security vulnerability in python-pillow Christopher Allan Webber
2016-02-29 21:47 ` Leo Famulari
2016-02-29 22:37 ` Christopher Allan Webber
2016-02-29 23:04 ` Christopher Allan Webber
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).