GNU bug report logs - #22858
Patch security vulnerability in python-pillow


Package: guix;

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Mon, 29 Feb 2016 20:11:01 UTC

Severity: normal

Done: Christopher Allan Webber <cwebber <at> dustycloud.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#22858; Package guix. (Mon, 29 Feb 2016 20:11:01 GMT)

Acknowledgement sent to Christopher Allan Webber <cwebber <at> dustycloud.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 29 Feb 2016 20:11:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Christopher Allan Webber <cwebber <at> dustycloud.org>
To: bug-guix <at> gnu.org
Subject: Patch security vulnerability in python-pillow
Date: Mon, 29 Feb 2016 12:10:33 -0800
See: https://lwn.net/Articles/677914/

> Package        : pillow
> CVE ID         : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533 
> 
> Multiple security vulnerabilities have been found in Pillow, a Python
> imaging library, which may result in denial of service or the execution
> of arbitrary code if a malformed FLI, PCD or TIFF file is processed.
> 
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 1.1.7-4+deb7u2 of the python-imaging source package.
> 
> For the stable distribution (jessie), this problem has been fixed in
> version 2.6.1-2+deb8u2.
> 
> For the testing distribution (stretch), this problem has been fixed
> in version 3.1.1-1.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 3.1.1-1.
> 
> We recommend that you upgrade your pillow packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/

I'm trying to figure out where the patches for this are, but I can't
find them.  I expected them to maybe be here, but I don't see them here:

  http://sources.debian.net/patches/pillow/3.1.1-1/




Information forwarded to bug-guix <at> gnu.org:
bug#22858; Package guix. (Mon, 29 Feb 2016 21:48:02 GMT)

Message #8 received at 22858 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Allan Webber <cwebber <at> dustycloud.org>
Cc: 22858 <at> debbugs.gnu.org
Subject: Re: bug#22858: Patch security vulnerability in python-pillow
Date: Mon, 29 Feb 2016 16:47:24 -0500
On Mon, Feb 29, 2016 at 12:10:33PM -0800, Christopher Allan Webber wrote:
> See: https://lwn.net/Articles/677914/
> 
> > Package        : pillow
> > CVE ID         : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533 
> > 
> > Multiple security vulnerabilities have been found in Pillow, a Python
> > imaging library, which may result in denial of service or the execution
> > of arbitrary code if a malformed FLI, PCD or TIFF file is processed.
> > 
> > For the oldstable distribution (wheezy), this problem has been fixed
> > in version 1.1.7-4+deb7u2 of the python-imaging source package.
> > 
> > For the stable distribution (jessie), this problem has been fixed in
> > version 2.6.1-2+deb8u2.
> > 
> > For the testing distribution (stretch), this problem has been fixed
> > in version 3.1.1-1.
> > 
> > For the unstable distribution (sid), this problem has been fixed in
> > version 3.1.1-1.
> > 
> > We recommend that you upgrade your pillow packages.
> > 
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://www.debian.org/security/
> 
> I'm trying to figure out where the patches for this are, but I can't
> find them.  I expected them to maybe be here, but I don't see them here:

I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.

When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
that the update does address it:
https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be

Python2-pil *is* vulnerable. However, it seems to have no users in our
source tree. Should we remove it?




Information forwarded to bug-guix <at> gnu.org:
bug#22858; Package guix. (Mon, 29 Feb 2016 22:38:02 GMT)

Message #11 received at 22858 <at> debbugs.gnu.org:

From: Christopher Allan Webber <cwebber <at> dustycloud.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 22858 <at> debbugs.gnu.org
Subject: Re: bug#22858: Patch security vulnerability in python-pillow
Date: Mon, 29 Feb 2016 14:37:32 -0800
Leo Famulari writes:

>> I'm trying to figure out where the patches for this are, but I can't
>> find them.  I expected them to maybe be here, but I don't see them here:
>
> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>
> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
> that the update does address it:
> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>
> Python2-pil *is* vulnerable. However, it seems to have no users in our
> source tree. Should we remove it?

I think so.  Here's a patch to remove it.  Look good?  (Not sure if this
needs a review or not :))

 - Chris

[0001-gnu-Remove-python2-pil.patch (text/x-patch, inline)]
From cbeb28d364bf2df3ef95c547b80830611254fd5c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber <at> dustycloud.org>
Date: Mon, 29 Feb 2016 14:36:01 -0800
Subject: [PATCH] gnu: Remove python2-pil.

* gnu/packages/python.scm (python2-pil): Remove variable.  It is vulnerable to
  CVE-2016-2533, and python2-pillow provides equivalent functionality, so this
  package can be cleanly removed.
---
 gnu/packages/python.scm | 61 -------------------------------------------------
 1 file changed, 61 deletions(-)

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 812aeb0..4f34537 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -4596,67 +4596,6 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.")
               (strip-python2-variant python-beautifulsoup4)))
     (native-inputs `(("python2-setuptools" ,python2-setuptools)))))
 
-(define-public python2-pil
-  (package
-    (name "python2-pil")
-    (version "1.1.7")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-              "http://effbot.org/downloads/Imaging-"
-              version ".tar.gz"))
-        (sha256
-          (base32
-            "04aj80jhfbmxqzvmq40zfi4z3cw6vi01m3wkk6diz3lc971cfnw9"))
-       (modules '((guix build utils)))
-       (snippet
-        ;; Adapt to newer freetype. As the package is unmaintained upstream,
-        ;; there is no use in creating a patch and reporting it.
-        '(substitute* "_imagingft.c"
-           (("freetype/")
-            "freetype2/")))))
-    (build-system python-build-system)
-    (inputs
-      `(("freetype" ,freetype)
-        ("libjpeg" ,libjpeg)
-        ("libtiff" ,libtiff)
-        ("python-setuptools" ,python-setuptools)
-        ("zlib" ,zlib)))
-    (arguments
-     ;; Only the fork python-pillow works with Python 3.
-     `(#:python ,python-2
-       #:tests? #f ; no check target
-       #:phases
-         (alist-cons-before
-          'build 'configure
-          ;; According to README and setup.py, manual configuration is
-          ;; the preferred way of "searching" for inputs.
-          ;; lcms is not found, TCL_ROOT refers to the unavailable tkinter.
-          (lambda* (#:key inputs #:allow-other-keys)
-            (let ((jpeg (assoc-ref inputs "libjpeg"))
-                  (zlib (assoc-ref inputs "zlib"))
-                  (tiff (assoc-ref inputs "libtiff"))
-                  (freetype (assoc-ref inputs "freetype")))
-              (substitute* "setup.py"
-                (("JPEG_ROOT = None")
-                 (string-append "JPEG_ROOT = libinclude(\"" jpeg "\")"))
-                (("ZLIB_ROOT = None")
-                 (string-append "ZLIB_ROOT = libinclude(\"" zlib "\")"))
-                (("TIFF_ROOT = None")
-                 (string-append "TIFF_ROOT = libinclude(\"" tiff "\")"))
-                (("FREETYPE_ROOT = None")
-                 (string-append "FREETYPE_ROOT = libinclude(\""
-                                freetype "\")")))))
-          %standard-phases)))
-    (home-page "http://www.pythonware.com/products/pil/")
-    (synopsis "Python Imaging Library")
-    (description "The Python Imaging Library (PIL) adds image processing
-capabilities to the Python interpreter.")
-    (license (x11-style
-               "file://README"
-               "See 'README' in the distribution."))))
-
 (define-public python2-cssutils
   (package
     (name "python2-cssutils")
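Review bot: the commit message justifies the removal with CVE-2016-2533 alone, but the advisory quoted earlier in this thread lists CVE-2016-0740 and CVE-2016-0775 against the same python-imaging 1.1.7 code (fixed in Debian's 1.1.7-4+deb7u2), so the changelog entry should name all three identifiers so that the removal is found when each CVE is searched for. The deletion itself is clean: the whole `(define-public python2-pil ...)` form goes, the blank line before `(define-public python2-cssutils` is preserved, and the message already points users at python2-pillow as the maintained replacement.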
-- 
2.6.3


Reply sent to Christopher Allan Webber <cwebber <at> dustycloud.org>:
You have taken responsibility. (Mon, 29 Feb 2016 23:05:01 GMT)

Notification sent to Christopher Allan Webber <cwebber <at> dustycloud.org>:
bug acknowledged by developer. (Mon, 29 Feb 2016 23:05:01 GMT)

Message #16 received at 22858-done <at> debbugs.gnu.org:

From: Christopher Allan Webber <cwebber <at> dustycloud.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 22858-done <at> debbugs.gnu.org
Subject: Re: bug#22858: Patch security vulnerability in python-pillow
Date: Mon, 29 Feb 2016 15:04:04 -0800
Christopher Allan Webber writes:

> Leo Famulari writes:
>
>>> I'm trying to figure out where the patches for this are, but I can't
>>> find them.  I expected them to maybe be here, but I don't see them here:
>>
>> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues.
>>
>> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is
>> that the update does address it:
>> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be
>>
>> Python2-pil *is* vulnerable. However, it seems to have no users in our
>> source tree. Should we remove it?
>
> I think so.  Here's a patch to remove it.  Look good?  (Not sure if this
> needs a review or not :))
>
>  - Chris

Leo gave me some comments on the description on IRC, so I changed those
and pushed!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 29 Mar 2016 11:24:04 GMT)
