* bug#22858: Patch security vulnerability in python-pillow
@ 2016-02-29 20:10 Christopher Allan Webber
2016-02-29 21:47 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Christopher Allan Webber @ 2016-02-29 20:10 UTC (permalink / raw)
To: 22858
See: https://lwn.net/Articles/677914/
> Package : pillow
> CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533
>
> Multiple security vulnerabilities have been found in Pillow, a Python
> imaging library, which may result in denial of service or the execution
> of arbitrary code if a malformed FLI, PCD or Tiff files is processed.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 1.1.7-4+deb7u2 of the python-imaging source package.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 2.6.1-2+deb8u2.
>
> For the testing distribution (stretch), this problem has been fixed
> in version 3.1.1-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.1.1-1.
>
> We recommend that you upgrade your pillow packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
I'm trying to figure out where the patches for this are, but I can't
find them. I expected them to maybe be here, but I don't see them here:
http://sources.debian.net/patches/pillow/3.1.1-1/
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#22858: Patch security vulnerability in python-pillow 2016-02-29 20:10 bug#22858: Patch security vulnerability in python-pillow Christopher Allan Webber @ 2016-02-29 21:47 ` Leo Famulari 2016-02-29 22:37 ` Christopher Allan Webber 0 siblings, 1 reply; 4+ messages in thread From: Leo Famulari @ 2016-02-29 21:47 UTC (permalink / raw) To: Christopher Allan Webber; +Cc: 22858 On Mon, Feb 29, 2016 at 12:10:33PM -0800, Christopher Allan Webber wrote: > See: https://lwn.net/Articles/677914/ > > > Package : pillow > > CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533 > > > > Multiple security vulnerabilities have been found in Pillow, a Python > > imaging library, which may result in denial of service or the execution > > of arbitrary code if a malformed FLI, PCD or Tiff files is processed. > > > > For the oldstable distribution (wheezy), this problem has been fixed > > in version 1.1.7-4+deb7u2 of the python-imaging source package. > > > > For the stable distribution (jessie), this problem has been fixed in > > version 2.6.1-2+deb8u2. > > > > For the testing distribution (stretch), this problem has been fixed > > in version 3.1.1-1. > > > > For the unstable distribution (sid), this problem has been fixed in > > version 3.1.1-1. > > > > We recommend that you upgrade your pillow packages. > > > > Further information about Debian Security Advisories, how to apply > > these updates to your system and frequently asked questions can be > > found at: https://www.debian.org/security/ > > I'm trying to figure out where the patches for this are, but I can't > find them. I expected them to maybe be here, but I don't see them here: I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. When I did that, CVE-2016-2533 wasn't named yet, but my understanding is that the update does address it: https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be Python2-pil *is* vulnerable. However, it seems to have no users in our source tree. Should we remove it? ^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#22858: Patch security vulnerability in python-pillow 2016-02-29 21:47 ` Leo Famulari @ 2016-02-29 22:37 ` Christopher Allan Webber 2016-02-29 23:04 ` Christopher Allan Webber 0 siblings, 1 reply; 4+ messages in thread From: Christopher Allan Webber @ 2016-02-29 22:37 UTC (permalink / raw) To: Leo Famulari; +Cc: 22858 [-- Attachment #1: Type: text/plain, Size: 670 bytes --] Leo Famulari writes: >> I'm trying to figure out where the patches for this are, but I can't >> find them. I expected them to maybe be here, but I don't see them here: > > I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. > > When I did that, CVE-2016-2533 wasn't named yet, but my understanding is > that the update does address it: > https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be > > Python2-pil *is* vulnerable. However, it seems to have no users in our > source tree. Should we remove it? I think so. Here's a patch to remove it. Look good? (Not sure if this needs a review or not :)) - Chris [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-gnu-Remove-python2-pil.patch --] [-- Type: text/x-patch, Size: 3477 bytes --] From cbeb28d364bf2df3ef95c547b80830611254fd5c Mon Sep 17 00:00:00 2001 From: Christopher Allan Webber <cwebber@dustycloud.org> Date: Mon, 29 Feb 2016 14:36:01 -0800 Subject: [PATCH] gnu: Remove python2-pil. * gnu/packages/python.scm (python2-pil): Remove variable. It is vulnerable to CVE-2016-2533, and python2-pillow provides equivalent functionality, so this package can be cleanly removed. --- gnu/packages/python.scm | 61 ------------------------------------------------- 1 file changed, 61 deletions(-) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 812aeb0..4f34537 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -4596,67 +4596,6 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.") (strip-python2-variant python-beautifulsoup4))) (native-inputs `(("python2-setuptools" ,python2-setuptools))))) -(define-public python2-pil - (package - (name "python2-pil") - (version "1.1.7") - (source - (origin - (method url-fetch) - (uri (string-append - "http://effbot.org/downloads/Imaging-" - version ".tar.gz")) - (sha256 - (base32 - "04aj80jhfbmxqzvmq40zfi4z3cw6vi01m3wkk6diz3lc971cfnw9")) - (modules '((guix build utils))) - (snippet - ;; Adapt to newer freetype. As the package is unmaintained upstream, - ;; there is no use in creating a patch and reporting it. - '(substitute* "_imagingft.c" - (("freetype/") - "freetype2/"))))) - (build-system python-build-system) - (inputs - `(("freetype" ,freetype) - ("libjpeg" ,libjpeg) - ("libtiff" ,libtiff) - ("python-setuptools" ,python-setuptools) - ("zlib" ,zlib))) - (arguments - ;; Only the fork python-pillow works with Python 3. - `(#:python ,python-2 - #:tests? #f ; no check target - #:phases - (alist-cons-before - 'build 'configure - ;; According to README and setup.py, manual configuration is - ;; the preferred way of "searching" for inputs. - ;; lcms is not found, TCL_ROOT refers to the unavailable tkinter. - (lambda* (#:key inputs #:allow-other-keys) - (let ((jpeg (assoc-ref inputs "libjpeg")) - (zlib (assoc-ref inputs "zlib")) - (tiff (assoc-ref inputs "libtiff")) - (freetype (assoc-ref inputs "freetype"))) - (substitute* "setup.py" - (("JPEG_ROOT = None") - (string-append "JPEG_ROOT = libinclude(\"" jpeg "\")")) - (("ZLIB_ROOT = None") - (string-append "ZLIB_ROOT = libinclude(\"" zlib "\")")) - (("TIFF_ROOT = None") - (string-append "TIFF_ROOT = libinclude(\"" tiff "\")")) - (("FREETYPE_ROOT = None") - (string-append "FREETYPE_ROOT = libinclude(\"" - freetype "\")"))))) - %standard-phases))) - (home-page "http://www.pythonware.com/products/pil/") - (synopsis "Python Imaging Library") - (description "The Python Imaging Library (PIL) adds image processing -capabilities to the Python interpreter.") - (license (x11-style - "file://README" - "See 'README' in the distribution.")))) - (define-public python2-cssutils (package (name "python2-cssutils") -- 2.6.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* bug#22858: Patch security vulnerability in python-pillow 2016-02-29 22:37 ` Christopher Allan Webber @ 2016-02-29 23:04 ` Christopher Allan Webber 0 siblings, 0 replies; 4+ messages in thread From: Christopher Allan Webber @ 2016-02-29 23:04 UTC (permalink / raw) To: Leo Famulari; +Cc: 22858-done Christopher Allan Webber writes: > Leo Famulari writes: > >>> I'm trying to figure out where the patches for this are, but I can't >>> find them. I expected them to maybe be here, but I don't see them here: >> >> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. >> >> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is >> that the update does address it: >> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be >> >> Python2-pil *is* vulnerable. However, it seems to have no users in our >> source tree. Should we remove it? > > I think so. Here's a patch to remove it. Look good? (Not sure if this > needs a review or not :)) > > - Chris Leo gave me some comments on the description on IRC, so I changed those and pushed! ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-02-29 23:05 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-02-29 20:10 bug#22858: Patch security vulnerability in python-pillow Christopher Allan Webber 2016-02-29 21:47 ` Leo Famulari 2016-02-29 22:37 ` Christopher Allan Webber 2016-02-29 23:04 ` Christopher Allan Webber
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.