GNU bug report logs - #47259
python-pillow-simd package vulnerable to at least CVE-2021-25293

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 19 Mar 2021 10:38:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #18 received at 47259-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>,
 47259-done <at> debbugs.gnu.org
Subject: Re: bug#47259: python-pillow-simd package vulnerable to at least
 CVE-2021-25293
Date: Wed, 23 Mar 2022 12:13:32 -0400

Hi,

Maxime Devos <maximedevos <at> telenet.be> writes:

> Maxim Cournoyer schreef op di 22-03-2022 om 22:57 [-0400]:
>> Léo Le Bouter <lle-bout <at> zaclys.net> writes:
>> 
>> > Hello!
>> > 
>> > pillow-simd is a fork of pillow (
>> > https://github.com/uploadcare/pillow-simd), it's currently still at
>> > version 7.x and it does not seem like it backports security patches
>> > from pillow.
>> 
>> Thanks for the heads-up; our package is currently at 9.0.0, and I've
>> just updated it to 9.0.0.post1.
>
> Something went wrong
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4a828263791ebb8ed8f8104e015a8f467008fc76>:
> the version in the version field contains a "v" prefix which is dropped
> in Guix.
> Additionally, the package name is missing from the commit message,
> though that cannot be corrected retroactively.

Hum, apologies, it must have been late :-).

> WDYT of removing the "v", and changing the "commit" field to
>
>   (commit (string-append "v" version))
>

I see that Nicholas has already fixed it; thank you!

Maxim
This bug report was last modified 3 years and 117 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.