GNU bug report logs - #47259
python-pillow-simd package vulnerable to at least CVE-2021-25293


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 19 Mar 2021 10:38:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Message #15 received at 47259-done <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Léo Le
 Bouter <lle-bout <at> zaclys.net>
Cc: 47259-done <at> debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least
 CVE-2021-25293
Date: Wed, 23 Mar 2022 13:39:25 +0100
Maxim Cournoyer wrote on Tue 22-03-2022 at 22:57 [-0400]:
> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
> 
> > Hello!
> > 
> > pillow-simd is a fork of pillow (
> > https://github.com/uploadcare/pillow-simd), it's currently still at
> > version 7.x and it does not seem like it backports security patches
> > from pillow.
> 
> Thanks for the heads-up; our package is currently at 9.0.0, and I've
> just updated it to 9.0.0.post1.

Something went wrong
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
the version in the version field contains a "v" prefix which is dropped
in Guix.
Additionally, the package name is missing from the commit message,
though that cannot be corrected retroactively.

WDYT of removing the "v", and changing the "commit" field to

  (commit (string-append "v" version))

?

Greetings,
Maxime.


This bug report was last modified 3 years and 117 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.