From: "Ludovic Courtès" <ludo@gnu.org>
To: Lars-Dominik Braun <lars@6xq.net>
Cc: 61172@debbugs.gnu.org, Nicolas Graves <ngraves@ngraves.fr>,
Leo Famulari <leo@famulari.name>
Subject: [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Thu, 16 Mar 2023 12:30:07 +0100 [thread overview]
Message-ID: <87mt4dexxc.fsf_-_@gnu.org> (raw)
In-Reply-To: <Y+ij8RWOxLUM54Ko@noor.fritz.box> (Lars-Dominik Braun's message of "Sun, 12 Feb 2023 09:31:45 +0100")
Hi,
Lars-Dominik Braun <lars@6xq.net> skribis:
>> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?
There’s ‘core-updates’.
Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
ungrafting patch right away on ‘core-updates’ (I think Leo had something
even smarter in mind, I forgot the details).
>>From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <lars@6xq.net>
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes: <https://issues.guix.gnu.org/issue/61172>
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.
LGTM, please push!
Thanks,
Ludo’.
next prev parent reply other threads:[~2023-03-16 11:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 13:47 [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199] Nicolas Graves via Guix-patches via
[not found] ` <87mt5vuaru.fsf@ngraves.fr>
2023-02-04 15:57 ` [bug#61172] [Nicolas Graves via Guix-patches via] " Lars-Dominik Braun
2023-02-05 11:53 ` Leo Famulari
2023-02-12 8:31 ` Lars-Dominik Braun
2023-03-16 11:30 ` Ludovic Courtès [this message]
2023-03-19 10:49 ` bug#61172: " Lars-Dominik Braun
2023-03-19 17:14 ` [bug#61172] " Leo Famulari
2023-04-04 11:34 ` [bug#61172] [Nicolas Graves via Guix-patches via] " Simon Tournier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mt4dexxc.fsf_-_@gnu.org \
--to=ludo@gnu.org \
--cc=61172@debbugs.gnu.org \
--cc=lars@6xq.net \
--cc=leo@famulari.name \
--cc=ngraves@ngraves.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).