[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Nicolas Graves via Guix-patches via]

* gnu/packages/python-xyz.scm (python-pillow): Update to 9.3.0.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index b14c4ff0f3..9df636c7e0 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -7591,13 +7591,13 @@ (define-public python-pikepdf
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "9.2.0")
+    (version "9.3.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Pillow" version))
               (sha256
                (base32
-                "011wgm1mssjchpva9wsi2a07im9czyjvik137xlp5f0g7vykdrkm"))
+                "03vn7s6rq943knjglm6w82clbmvd8bya1yc0sw402mksalma4df9"))
               (modules '((guix build utils)))
               (snippet '(begin
                           (delete-file-recursively "src/thirdparty")))))
-- 
2.39.1

[bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Lars-Dominik Braun]

Hi,

it’s nothing we can merge to master unfortunately, because it causes
quite a few number of rebuilds. Do you know whether Python packages
are graftable? I never tried that.

Lars

[bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Leo Famulari]

On Sat, Feb 4, 2023, at 16:57, Lars-Dominik Braun wrote:
> Hi,
>
> it’s nothing we can merge to master unfortunately, because it causes
> quite a few number of rebuilds. Do you know whether Python packages
> are graftable? I never tried that.


Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.

Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.

[bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Lars-Dominik Braun]

[-- Attachment #1: Type: text/plain, Size: 583 bytes --]

Hi,

> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
that was my feeling too. Attached is a patch that only applies the CVE
fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
should re-build packages, so they can run their test-suites.

> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
Do we have a branch for that already?

Lars


[-- Attachment #2: 0001-gnu-python-pillow-Fix-CVE-2022-45199.patch --]
[-- Type: text/plain, Size: 4027 bytes --]

From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <lars@6xq.net>
Date: Sat, 11 Feb 2023 14:47:59 +0100
Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.

Fixes: <https://issues.guix.gnu.org/issue/61172>

* gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
(python-pillow): Add replacement.
* gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
* gnu/local.mk: Register it.
---
 gnu/local.mk                                  |  1 +
 .../python-pillow-CVE-2022-45199.patch        | 36 +++++++++++++++++++
 gnu/packages/python-xyz.scm                   |  5 +++
 3 files changed, 42 insertions(+)
 create mode 100644 gnu/packages/patches/python-pillow-CVE-2022-45199.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b432a95026..4b72416d3c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1732,6 +1732,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-peachpy-determinism.patch	\
   %D%/packages/patches/python-pep8-stdlib-tokenize-compat.patch \
   %D%/packages/patches/python-piexif-fix-tests-with-pillow-7.2.patch	\
+  %D%/packages/patches/python-pillow-CVE-2022-45199.patch	\
   %D%/packages/patches/python-pyfakefs-remove-bad-test.patch	\
   %D%/packages/patches/python-pyflakes-test-location.patch	\
   %D%/packages/patches/python2-pyopenssl-openssl-compat.patch	\
diff --git a/gnu/packages/patches/python-pillow-CVE-2022-45199.patch b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
new file mode 100644
index 0000000000..3b01d3a8f4
--- /dev/null
+++ b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
@@ -0,0 +1,36 @@
+From 13f2c5ae14901c89c38f898496102afd9daeaf6d Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Fri, 28 Oct 2022 14:11:25 +0200
+Subject: [PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
+
+A large value in the SAMPLESPERPIXEL tag could lead to a memory and
+runtime DOS in TiffImagePlugin.py when setting up the context for
+image decoding.
+
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 04a63bd2b44..46166fc6335 100644
+--- a/src/PIL/TiffImagePlugin.py
++++ b/src/PIL/TiffImagePlugin.py
+@@ -257,6 +257,8 @@
+     (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
+ }
+ 
++MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
++
+ PREFIXES = [
+     b"MM\x00\x2A",  # Valid TIFF header with big-endian byte order
+     b"II\x2A\x00",  # Valid TIFF header with little-endian byte order
+@@ -1396,6 +1398,12 @@ def _setup(self):
+             SAMPLESPERPIXEL,
+             3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
+         )
++
++        if samples_per_pixel > MAX_SAMPLESPERPIXEL:
++            # DOS check, samples_per_pixel can be a Long, and we extend the tuple below
++            logger.error("More samples per pixel than can be decoded: %s", samples_per_pixel)
++            raise SyntaxError("Invalid value for samples per pixel")
++
+         if samples_per_pixel < bps_actual_count:
+             # If a file has more values in bps_tuple than expected,
+             # remove the excess.
+
diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index 15f1a80fed..bfc3afd5db 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -7589,6 +7589,7 @@ (define-public python-pillow
   (package
     (name "python-pillow")
     (version "9.2.0")
+    (replacement python-pillow/security-fixes)
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Pillow" version))
@@ -7636,6 +7637,10 @@ (define-public python-pillow
               "http://www.pythonware.com/products/pil/license.htm"
               "The PIL Software License"))))
 
+(define-public python-pillow/security-fixes
+  (package-with-patches python-pillow
+                        (search-patches "python-pillow-CVE-2022-45199.patch")))
+
 (define-public python-pillow-2.9
   (package
     (inherit python-pillow)
-- 
2.39.1

[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Ludovic Courtès]

Hi,

Lars-Dominik Braun <lars@6xq.net> skribis:

>> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?

There’s ‘core-updates’.

Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
ungrafting patch right away on ‘core-updates’ (I think Leo had something
even smarter in mind, I forgot the details).

>>From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <lars@6xq.net>
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes: <https://issues.guix.gnu.org/issue/61172>
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.

LGTM, please push!

Thanks,
Ludo’.

bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Lars-Dominik Braun]

Hi,

> LGTM, please push!

c16add7fd9783db46bb5b308a885af62f0299e61 gnu: python-pillow: Fix CVE-2022-45199.

But to ungraft we have to merge master into core-updates first. Not
really on my agenda right now.

Cheers,
Lars

[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Leo Famulari]

On Thu, Mar 16, 2023 at 12:30:07PM +0100, Ludovic Courtès wrote:
> Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
> ungrafting patch right away on ‘core-updates’ (I think Leo had something
> even smarter in mind, I forgot the details).

I think we should try to do frequent ungrafting branches, at least for
non-core packages like python-pillow. We have the build capacity.

The Cuirass web interface is not as helpful or detailed as that of
qa.guix.gnu.org, and QA cannot currently build such large changes, but
we should still create and try to build these branches. 

[bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

[Simon Tournier]

Hi,

On Sun, 12 Feb 2023 at 09:31, Lars-Dominik Braun <lars@6xq.net> wrote:

> +(define-public python-pillow/security-fixes

This package should not be publicly exposed but hidden.  Otherwise an
ambiguity is raised: two packages are installable from the CLI with the
exact same version.

Cheers,
simon