From: Léo Le Bouter
To: 47259@debbugs.gnu.org
Subject: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Fri, 19 Mar 2021 11:37:09 +0100

Hello!

pillow-simd is a fork of pillow
(https://github.com/uploadcare/pillow-simd), it's currently still at
version 7.x and it does not seem like it backports security patches
from pillow.

$ ./pre-inst-env guix refresh -l python-pillow-simd
No dependents other than itself: python-pillow-simd@7.1.2

Do we remove it? Do we want to commit to backporting/applying all fixes
from python-pillow back in python-pillow-simd ourselves (I don't)?

Léo

From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Fri, 19 Mar 2021 11:39:09 +0100

tags 47259 + security
quit

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Léo Le Bouter
Subject: bug#47259: closed (Re: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293)
Date: Wed, 23 Mar 2022 02:59:02 +0000

Your bug report

#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 47259@debbugs.gnu.org.

--
47259: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47259
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Maxim Cournoyer
To: Léo Le Bouter
Cc: 47259-done@debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Tue, 22 Mar 2022 22:57:55 -0400

Hi Léo,

Léo Le Bouter writes:

> Hello!
>
> pillow-simd is a fork of pillow (
> https://github.com/uploadcare/pillow-simd), it's currently still at
> version 7.x and it does not seem like it backports security patches
> from pillow.

Thanks for the heads-up; our package is currently at 9.0.0, and I've
just updated it to 9.0.0.post1.

Closing.

Maxim

From: Maxime Devos
To: Maxim Cournoyer, Léo Le Bouter
Cc: 47259-done@debbugs.gnu.org
Subject: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Wed, 23 Mar 2022 13:39:25 +0100

Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter writes:
>
> > Hello!
> >
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
>
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong: the version in the version field contains a "v"
prefix which is dropped in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

  (commit (string-append "v" version))

?

Greetings,
Maxime.

From: Maxim Cournoyer
To: Maxime Devos
Cc: Léo Le Bouter, 47259-done@debbugs.gnu.org
Subject: bug#47259: python-pillow-simd package vulnerable to at least CVE-2021-25293
Date: Wed, 23 Mar 2022 12:13:32 -0400

Hi,

Maxime Devos writes:

> Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
>> Léo Le Bouter writes:
>>
>> > Hello!
>> >
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>>
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong: the version in the version field contains a "v"
> prefix which is dropped in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

> WDYT of removing the "v", and changing the "commit" field to
>
>   (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim