From unknown Thu Sep 11 06:31:35 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#22858 <22858@debbugs.gnu.org> To: bug#22858 <22858@debbugs.gnu.org> Subject: Status: Patch security vulnerability in python-pillow Reply-To: bug#22858 <22858@debbugs.gnu.org> Date: Thu, 11 Sep 2025 13:31:35 +0000 retitle 22858 Patch security vulnerability in python-pillow reassign 22858 guix submitter 22858 Christopher Allan Webber severity 22858 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 29 15:10:47 2016 Received: (at submit) by debbugs.gnu.org; 29 Feb 2016 20:10:47 +0000 Received: from localhost ([127.0.0.1]:54094 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaU9X-0005MN-4s for submit@debbugs.gnu.org; Mon, 29 Feb 2016 15:10:47 -0500 Received: from eggs.gnu.org ([208.118.235.92]:34007) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaU9U-0005M9-Ow for submit@debbugs.gnu.org; Mon, 29 Feb 2016 15:10:45 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aaU9O-0006fo-If for submit@debbugs.gnu.org; Mon, 29 Feb 2016 15:10:39 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:52499) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aaU9O-0006fk-G1 for submit@debbugs.gnu.org; Mon, 29 Feb 2016 15:10:38 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53210) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aaU9N-0001m5-64 for bug-guix@gnu.org; Mon, 29 Feb 2016 15:10:38 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aaU9M-0006fR-8Z for bug-guix@gnu.org; Mon, 29 Feb 2016 15:10:37 -0500 Received: from dustycloud.org ([2600:3c02::f03c:91ff:feae:cb51]:37606) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aaU9M-0006fJ-0C for bug-guix@gnu.org; Mon, 29 Feb 2016 15:10:36 -0500 Received: from oolong (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 665AF26675 for ; Mon, 29 Feb 2016 15:10:34 -0500 (EST) User-agent: mu4e 0.9.13; emacs 24.5.1 From: Christopher Allan Webber To: bug-guix@gnu.org Subject: Patch security vulnerability in python-pillow Date: Mon, 29 Feb 2016 12:10:33 -0800 Message-ID: <87twkrl1l2.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) See: https://lwn.net/Articles/677914/ > Package : pillow > CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533 > > Multiple security vulnerabilities have been found in Pillow, a Python > imaging library, which may result in denial of service or the execution > of arbitrary code if a malformed FLI, PCD or Tiff files is processed. > > For the oldstable distribution (wheezy), this problem has been fixed > in version 1.1.7-4+deb7u2 of the python-imaging source package. > > For the stable distribution (jessie), this problem has been fixed in > version 2.6.1-2+deb8u2. > > For the testing distribution (stretch), this problem has been fixed > in version 3.1.1-1. > > For the unstable distribution (sid), this problem has been fixed in > version 3.1.1-1. > > We recommend that you upgrade your pillow packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ I'm trying to figure out where the patches for this are, but I can't find them. I expected them to maybe be here, but I don't see them here: http://sources.debian.net/patches/pillow/3.1.1-1/ From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 29 16:47:27 2016 Received: (at 22858) by debbugs.gnu.org; 29 Feb 2016 21:47:27 +0000 Received: from localhost ([127.0.0.1]:54205 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaVf5-0001DQ-Gl for submit@debbugs.gnu.org; Mon, 29 Feb 2016 16:47:27 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:55605) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaVf3-0001DH-Gy for 22858@debbugs.gnu.org; Mon, 29 Feb 2016 16:47:26 -0500 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 05E5A20B55; Mon, 29 Feb 2016 16:47:24 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute1.internal (MEProxy); Mon, 29 Feb 2016 16:47:25 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=9mLgB 9RK2+FW76ku1ILbVxeMDvk=; b=HwkVmZrowX4OiyIGzdrSkRN7XtUyjkgE6GmHg jevw7CGQGEuFjAvw2eIFyR75lGV8uhEmKHcob50Q6ZXTDcRNyys+fSUgIcDdJJ46 QmEfzNOCMg1fWPBPLnixSN9SzlREm8310bsh7gRVWVzZGo1YR50b5lxF9Mtoc10e Iz94yY= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=9mLgB9RK2+FW76ku1ILbVxeMDvk=; b=fcEsr Dy2o2T/C+85pBKybpw+VqGiIVdmFIfXUPXMo6yCQvcBwDJp4hBmqpcVDomSUdsjf VfR8tMs7wSQDKIudOEDTRi/1MSSGVzqZHjevQSr/BbJsJmuBkwLpjONPoY1asPXq 2lb7+R1QjASpmW5blB4ivmLefRWMhEbEQfUO34= X-Sasl-enc: sgwjPAZsqmPUvO0nUBTEO+QS/XFQRkVERHiRsfkwrKmC 1456782444 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id AFF8AC0001A; Mon, 29 Feb 2016 16:47:24 -0500 (EST) Date: Mon, 29 Feb 2016 16:47:24 -0500 From: Leo Famulari To: Christopher Allan Webber Subject: Re: bug#22858: Patch security vulnerability in python-pillow Message-ID: <20160229214724.GA23259@jasmine> References: <87twkrl1l2.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87twkrl1l2.fsf@dustycloud.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 22858 Cc: 22858@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Mon, Feb 29, 2016 at 12:10:33PM -0800, Christopher Allan Webber wrote: > See: https://lwn.net/Articles/677914/ > > > Package : pillow > > CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533 > > > > Multiple security vulnerabilities have been found in Pillow, a Python > > imaging library, which may result in denial of service or the execution > > of arbitrary code if a malformed FLI, PCD or Tiff files is processed. > > > > For the oldstable distribution (wheezy), this problem has been fixed > > in version 1.1.7-4+deb7u2 of the python-imaging source package. > > > > For the stable distribution (jessie), this problem has been fixed in > > version 2.6.1-2+deb8u2. > > > > For the testing distribution (stretch), this problem has been fixed > > in version 3.1.1-1. > > > > For the unstable distribution (sid), this problem has been fixed in > > version 3.1.1-1. > > > > We recommend that you upgrade your pillow packages. > > > > Further information about Debian Security Advisories, how to apply > > these updates to your system and frequently asked questions can be > > found at: https://www.debian.org/security/ > > I'm trying to figure out where the patches for this are, but I can't > find them. I expected them to maybe be here, but I don't see them here: I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. When I did that, CVE-2016-2533 wasn't named yet, but my understanding is that the update does address it: https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be Python2-pil *is* vulnerable. However, it seems to have no users in our source tree. Should we remove it? From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 29 17:37:36 2016 Received: (at 22858) by debbugs.gnu.org; 29 Feb 2016 22:37:36 +0000 Received: from localhost ([127.0.0.1]:54238 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaWRb-0002Pq-TS for submit@debbugs.gnu.org; Mon, 29 Feb 2016 17:37:36 -0500 Received: from dustycloud.org ([50.116.34.160]:34388) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaWRa-0002Pj-7F for 22858@debbugs.gnu.org; Mon, 29 Feb 2016 17:37:34 -0500 Received: from oolong (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 0CC6626675; Mon, 29 Feb 2016 17:37:32 -0500 (EST) References: <87twkrl1l2.fsf@dustycloud.org> <20160229214724.GA23259@jasmine> User-agent: mu4e 0.9.13; emacs 24.5.1 From: Christopher Allan Webber To: Leo Famulari Subject: Re: bug#22858: Patch security vulnerability in python-pillow In-reply-to: <20160229214724.GA23259@jasmine> Date: Mon, 29 Feb 2016 14:37:32 -0800 Message-ID: <87si0bkus3.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 22858 Cc: 22858@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) --=-=-= Content-Type: text/plain Leo Famulari writes: >> I'm trying to figure out where the patches for this are, but I can't >> find them. I expected them to maybe be here, but I don't see them here: > > I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. > > When I did that, CVE-2016-2533 wasn't named yet, but my understanding is > that the update does address it: > https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be > > Python2-pil *is* vulnerable. However, it seems to have no users in our > source tree. Should we remove it? I think so. Here's a patch to remove it. Look good? (Not sure if this needs a review or not :)) - Chris --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-Remove-python2-pil.patch >From cbeb28d364bf2df3ef95c547b80830611254fd5c Mon Sep 17 00:00:00 2001 From: Christopher Allan Webber Date: Mon, 29 Feb 2016 14:36:01 -0800 Subject: [PATCH] gnu: Remove python2-pil. * gnu/packages/python.scm (python2-pil): Remove variable. It is vulnerable to CVE-2016-2533, and python2-pillow provides equivalent functionality, so this package can be cleanly removed. --- gnu/packages/python.scm | 61 ------------------------------------------------- 1 file changed, 61 deletions(-) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 812aeb0..4f34537 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -4596,67 +4596,6 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.") (strip-python2-variant python-beautifulsoup4))) (native-inputs `(("python2-setuptools" ,python2-setuptools))))) -(define-public python2-pil - (package - (name "python2-pil") - (version "1.1.7") - (source - (origin - (method url-fetch) - (uri (string-append - "http://effbot.org/downloads/Imaging-" - version ".tar.gz")) - (sha256 - (base32 - "04aj80jhfbmxqzvmq40zfi4z3cw6vi01m3wkk6diz3lc971cfnw9")) - (modules '((guix build utils))) - (snippet - ;; Adapt to newer freetype. As the package is unmaintained upstream, - ;; there is no use in creating a patch and reporting it. - '(substitute* "_imagingft.c" - (("freetype/") - "freetype2/"))))) - (build-system python-build-system) - (inputs - `(("freetype" ,freetype) - ("libjpeg" ,libjpeg) - ("libtiff" ,libtiff) - ("python-setuptools" ,python-setuptools) - ("zlib" ,zlib))) - (arguments - ;; Only the fork python-pillow works with Python 3. - `(#:python ,python-2 - #:tests? #f ; no check target - #:phases - (alist-cons-before - 'build 'configure - ;; According to README and setup.py, manual configuration is - ;; the preferred way of "searching" for inputs. - ;; lcms is not found, TCL_ROOT refers to the unavailable tkinter. - (lambda* (#:key inputs #:allow-other-keys) - (let ((jpeg (assoc-ref inputs "libjpeg")) - (zlib (assoc-ref inputs "zlib")) - (tiff (assoc-ref inputs "libtiff")) - (freetype (assoc-ref inputs "freetype"))) - (substitute* "setup.py" - (("JPEG_ROOT = None") - (string-append "JPEG_ROOT = libinclude(\"" jpeg "\")")) - (("ZLIB_ROOT = None") - (string-append "ZLIB_ROOT = libinclude(\"" zlib "\")")) - (("TIFF_ROOT = None") - (string-append "TIFF_ROOT = libinclude(\"" tiff "\")")) - (("FREETYPE_ROOT = None") - (string-append "FREETYPE_ROOT = libinclude(\"" - freetype "\")"))))) - %standard-phases))) - (home-page "http://www.pythonware.com/products/pil/") - (synopsis "Python Imaging Library") - (description "The Python Imaging Library (PIL) adds image processing -capabilities to the Python interpreter.") - (license (x11-style - "file://README" - "See 'README' in the distribution.")))) - (define-public python2-cssutils (package (name "python2-cssutils") -- 2.6.3 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 29 18:04:07 2016 Received: (at 22858-done) by debbugs.gnu.org; 29 Feb 2016 23:04:07 +0000 Received: from localhost ([127.0.0.1]:54275 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaWrH-000357-C6 for submit@debbugs.gnu.org; Mon, 29 Feb 2016 18:04:07 -0500 Received: from dustycloud.org ([50.116.34.160]:34494) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aaWrF-00034z-Nj for 22858-done@debbugs.gnu.org; Mon, 29 Feb 2016 18:04:06 -0500 Received: from oolong (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 24AFF26675; Mon, 29 Feb 2016 18:04:04 -0500 (EST) References: <87twkrl1l2.fsf@dustycloud.org> <20160229214724.GA23259@jasmine> <87si0bkus3.fsf@dustycloud.org> User-agent: mu4e 0.9.13; emacs 24.5.1 From: Christopher Allan Webber To: Leo Famulari Subject: Re: bug#22858: Patch security vulnerability in python-pillow In-reply-to: <87si0bkus3.fsf@dustycloud.org> Date: Mon, 29 Feb 2016 15:04:04 -0800 Message-ID: <87povfktjv.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 22858-done Cc: 22858-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Christopher Allan Webber writes: > Leo Famulari writes: > >>> I'm trying to figure out where the patches for this are, but I can't >>> find them. I expected them to maybe be here, but I don't see them here: >> >> I updated python-pillow to 3.1.1 with 16095d2729, fixing these issues. >> >> When I did that, CVE-2016-2533 wasn't named yet, but my understanding is >> that the update does address it: >> https://github.com/python-pillow/Pillow/commits/e5324bd3b4195d68d4a066b16d912fca30d3c4be >> >> Python2-pil *is* vulnerable. However, it seems to have no users in our >> source tree. Should we remove it? > > I think so. Here's a patch to remove it. Look good? (Not sure if this > needs a review or not :)) > > - Chris Leo gave me some comments on the description on IRC, so I changed those and pushed! From unknown Thu Sep 11 06:31:35 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 29 Mar 2016 11:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator