From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christopher Allan Webber
Subject: bug#22858: Patch security vulnerability in python-pillow
Date: Mon, 29 Feb 2016 15:04:04 -0800
Message-ID: <87povfktjv.fsf@dustycloud.org>
References: <87twkrl1l2.fsf@dustycloud.org> <20160229214724.GA23259@jasmine> <87si0bkus3.fsf@dustycloud.org>
In-reply-to: <87si0bkus3.fsf@dustycloud.org>
List-Id: Bug reports for GNU Guix
To: Leo Famulari
Cc: 22858-done@debbugs.gnu.org

Christopher Allan Webber writes:

> Leo Famulari writes:
>
>>> I'm trying to figure out where the patches for this are, but I can't
>>> find them. I expected them to maybe be here, but I don't see them here:
>>
>> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>>
>> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
>> that the update does address it:
>> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>>
>> Python2-pil *is* vulnerable. However, it seems to have no users in our
>> source tree. Should we remove it?
>
> I think so. Here's a patch to remove it. Look good? (Not sure if this
> needs a review or not :))
>
> - Chris

Leo gave me some comments on the description on IRC, so I changed those and pushed!