From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 30 08:48:17 2023
From: Nicolas Graves
To: guix-patches@gnu.org
Cc: ngraves@ngraves.fr
Subject: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Mon, 30 Jan 2023 14:47:51 +0100

* gnu/packages/python-xyz.scm (python-pillow): Update to 9.3.0.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index b14c4ff0f3..9df636c7e0 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm 
@@ -7591,13 +7591,13 @@ (define-public python-pikepdf (define-public python-pillow (package (name "python-pillow") - (version "9.2.0") + (version "9.3.0") (source (origin (method url-fetch) (uri (pypi-uri "Pillow" version)) (sha256 (base32 - "011wgm1mssjchpva9wsi2a07im9czyjvik137xlp5f0g7vykdrkm")) + "03vn7s6rq943knjglm6w82clbmvd8bya1yc0sw402mksalma4df9")) (modules '((guix build utils))) (snippet '(begin (delete-file-recursively "src/thirdparty"))))) -- 2.39.1
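Review bot: this hunk changes only the `version` and `sha256` of python-pillow, so every dependent of python-pillow is rebuilt, which rules it out as a CVE fix for master; carry the upstream commit for CVE-2022-45199 as a `replacement` (graft) on the 9.2.0 package instead, and land the 9.3.0 bump on a branch where dependents are rebuilt and their test suites run. The subject attributes the CVE fix to the whole bump; the commit message should name the upstream change that addresses it so the graft can be limited to that change. The new base32 hash should also be re-derived from a fresh download of the PyPI sdist (`guix download` prints it) rather than taken on trust.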

From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 04 10:57:20 2023
Date: Sat, 4 Feb 2023 16:57:04 +0100
From: Lars-Dominik Braun
To: Nicolas Graves
Cc: 61172@debbugs.gnu.org
Subject: Re: [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

Hi,

it’s nothing we can merge to master unfortunately, because it causes quite a number of rebuilds. Do you know whether Python packages are graftable? I never tried that.

Lars

From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 05 06:54:29 2023
Date: Sun, 05 Feb 2023 12:53:53 +0100
From: Leo Famulari
To: Lars-Dominik Braun, Nicolas Graves
Cc: 61172@debbugs.gnu.org
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

On Sat, Feb 4, 2023, at 16:57, Lars-Dominik Braun wrote:
> Hi,
>
> it’s nothing we can merge to master unfortunately, because it causes
> quite a number of rebuilds. Do you know whether Python packages
> are graftable? I never tried that.

Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.

Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.

From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 12 03:32:06 2023
Date: Sun, 12 Feb 2023 09:31:45 +0100
From: Lars-Dominik Braun
To: Leo Famulari
Cc: 61172@debbugs.gnu.org, Nicolas Graves
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

Hi,

> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.

that was my feeling too. Attached is a patch that only applies the CVE fix. I’m not comfortable bumping Pillow to 9.3 just like that. We should re-build packages, so they can run their test-suites.

> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.

Do we have a branch for that already?

Lars

[Attachment: 0001-gnu-python-pillow-Fix-CVE-2022-45199.patch]

From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Sat, 11 Feb 2023 14:47:59 +0100
Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.

Fixes:

* gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
(python-pillow): Add replacement.
* gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
* gnu/local.mk: Register it.
---
 gnu/local.mk                                   | 1 +
 .../python-pillow-CVE-2022-45199.patch         | 36 +++++++++++++++++++
 gnu/packages/python-xyz.scm                    | 5 +++
 3 files changed, 42 insertions(+)
 create mode 100644 gnu/packages/patches/python-pillow-CVE-2022-45199.patch

diff --git a/gnu/local.mk b/gnu/local.mk index b432a95026..4b72416d3c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1732,6 +1732,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-peachpy-determinism.patch \ %D%/packages/patches/python-pep8-stdlib-tokenize-compat.patch \ %D%/packages/patches/python-piexif-fix-tests-with-pillow-7.2.patch \ + %D%/packages/patches/python-pillow-CVE-2022-45199.patch \ %D%/packages/patches/python-pyfakefs-remove-bad-test.patch \ %D%/packages/patches/python-pyflakes-test-location.patch \ %D%/packages/patches/python2-pyopenssl-openssl-compat.patch \ diff --git a/gnu/packages/patches/python-pillow-CVE-2022-45199.patch b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch new file mode 100644 index 0000000000..3b01d3a8f4 --- /dev/null +++ b/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
@@ -0,0 +1,36 @@ +From 13f2c5ae14901c89c38f898496102afd9daeaf6d Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Fri, 28 Oct 2022 14:11:25 +0200 +Subject: [PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD + +A large value in the SAMPLESPERPIXEL tag could lead to a memory and +runtime DOS in TiffImagePlugin.py when setting up the context for +image decoding. + +diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py +index 04a63bd2b44..46166fc6335 100644 +--- a/src/PIL/TiffImagePlugin.py ++++ b/src/PIL/TiffImagePlugin.py +@@ -257,6 +257,8 @@ + (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"), + } + ++MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys()) ++ + PREFIXES = [ + b"MM\x00\x2A", # Valid TIFF header with big-endian byte order + b"II\x2A\x00", # Valid TIFF header with little-endian byte order +@@ -1396,6 +1398,12 @@ def _setup(self): + SAMPLESPERPIXEL, + 3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1, + ) ++ ++ if samples_per_pixel > MAX_SAMPLESPERPIXEL: ++ # DOS check, samples_per_pixel can be a Long, and we extend the tuple below ++ logger.error("More samples per pixel than can be decoded: %s", samples_per_pixel) ++ raise SyntaxError("Invalid value for samples per pixel") ++ + if samples_per_pixel < bps_actual_count: + # If a file has more values in bps_tuple than expected, + # remove the excess. + diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index 15f1a80fed..bfc3afd5db 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm @@ -7589,6 +7589,7 @@ (define-public python-pillow (package (name "python-pillow") (version "9.2.0") + (replacement python-pillow/security-fixes) (source (origin (method url-fetch) (uri (pypi-uri "Pillow" version)) 
@@ -7636,6 +7637,10 @@ (define-public python-pillow "http://www.pythonware.com/products/pil/license.htm" "The PIL Software License")))) +(define-public python-pillow/security-fixes + (package-with-patches python-pillow + (search-patches "python-pillow-CVE-2022-45199.patch"))) + (define-public python-pillow-2.9 (package (inherit python-pillow) -- 2.39.1
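Review bot: the embedded upstream commit in gnu/packages/patches/python-pillow-CVE-2022-45199.patch carries the subject `[PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD`, i.e. it is the first of a five-part upstream series, and neither the patch file nor the commit message says whether parts 2 to 5 are needed for CVE-2022-45199; state that (or include them) so the graft is known to be complete. The check itself sits in the right place: `if samples_per_pixel > MAX_SAMPLESPERPIXEL:` runs before the `bps_tuple` expansion that the upstream message names as the DOS point, and `MAX_SAMPLESPERPIXEL` is derived from `OPEN_INFO` rather than hard-coded, so it cannot drift from the set of decodable modes.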
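Review bot: `(define-public python-pillow/security-fixes ...)` exports a second package whose name and version are identical to python-pillow's, so both show up on the command line for the same name; keep it out of the public set, either with a plain `(define python-pillow/security-fixes ...)` or by wrapping the value in `hidden-package`, since the graft only needs the binding to be reachable from the `replacement` field. Also, `package-with-patches` replaces the origin's patch list rather than appending to it; python-pillow's origin has no `patches` field today, so the result is the same, but `package-with-extra-patches` would keep the graft correct if one is added later.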
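The upstream commit in the patch above guards the point where TiffImagePlugin repeats the BitsPerSample tuple until it has SAMPLESPERPIXEL entries, a length read straight from the file. The following is an added example, not Pillow's or Guix's code: a minimal pure-Python TIFF IFD reader that constructs a one-pixel TIFF in memory, reads the tag, and applies the same bound the fix introduces before the expansion. The `OPEN_INFO` table is an abbreviated stand-in (assumption: only the shape of its keys matters, so `MAX_SAMPLESPERPIXEL` is derived exactly as in the patch but its value is that of this table, not Pillow's), the tag numbers are from the TIFF 6.0 specification, and the byte strings are constructed here.

```python
"""Bound check from the CVE-2022-45199 fix, reproduced on a minimal TIFF
IFD reader.  Added example, not Pillow's or Guix's code."""
import struct

# TIFF 6.0 tag numbers and field types (from the spec; Pillow uses the same).
IMAGEWIDTH, IMAGELENGTH, BITSPERSAMPLE = 256, 257, 258
PHOTOMETRIC, SAMPLESPERPIXEL = 262, 277
SHORT, LONG = 3, 4

# Abbreviated stand-in for Pillow's OPEN_INFO table (assumption: only the
# shape of the keys matters here).  Key layout mirrors the plugin:
# (byte order, photometric, sample format, fill order, bits per sample,
#  extra samples) -> (raw mode, mode)
OPEN_INFO = {
    (b"II", 1, (1,), 1, (8,), ()): ("L", "L"),
    (b"II", 2, (1,), 1, (8, 8, 8), ()): ("RGB", "RGB"),
    (b"II", 2, (1,), 1, (8, 8, 8, 8), (0,)): ("RGBX", "RGBX"),
    (b"II", 5, (1,), 1, (8, 8, 8, 8), ()): ("CMYK", "CMYK"),
}

# Same derivation as the upstream fix: the most samples any mode can decode.
MAX_SAMPLESPERPIXEL = max(len(key[4]) for key in OPEN_INFO)


def build_tiff(samples_per_pixel, bits_per_sample=8):
    """Construct a minimal little-endian TIFF whose IFD carries
    SAMPLESPERPIXEL as a LONG.  Constructed input: it has no pixel data,
    which is enough because the vulnerable expansion ran during setup,
    before any strip was read."""
    entries = [  # tags must be in ascending order
        (IMAGEWIDTH, SHORT, 1, 1),
        (IMAGELENGTH, SHORT, 1, 1),
        (BITSPERSAMPLE, SHORT, 1, bits_per_sample),
        (PHOTOMETRIC, SHORT, 1, 1),
        (SAMPLESPERPIXEL, LONG, 1, samples_per_pixel),
    ]
    header = b"II*\x00" + struct.pack("<I", 8)  # IFD immediately follows
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        # A SHORT sits left-justified in the 4-byte value field.
        field = struct.pack("<H2x", value) if typ == SHORT else struct.pack("<I", value)
        ifd += struct.pack("<HHI", tag, typ, count) + field
    return header + ifd + struct.pack("<I", 0)  # no next IFD


def parse_ifd(data):
    """Parse the first IFD of a little-endian TIFF into {tag: value}."""
    if data[:4] != b"II*\x00":
        raise SyntaxError("not a little-endian TIFF")
    (offset,) = struct.unpack_from("<I", data, 4)
    (count,) = struct.unpack_from("<H", data, offset)
    tags = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from("<HHI4s", data, offset + 2 + 12 * i)
        if n != 1:
            raise SyntaxError("multi-valued tags are outside this demo")
        tags[tag] = struct.unpack("<H", raw[:2])[0] if typ == SHORT else struct.unpack("<I", raw)[0]
    return tags


def unpatched_tuple_length(tags):
    """Entries the pre-fix setup would allocate: it repeats the one-value
    BitsPerSample tuple SAMPLESPERPIXEL times, so the cost is linear in an
    attacker-chosen 32-bit LONG (about 32 GiB of tuple for 0xFFFFFFFF on a
    64-bit build)."""
    return tags.get(SAMPLESPERPIXEL, 1)


def setup_decoder(tags, max_samples=MAX_SAMPLESPERPIXEL):
    """Hardened expansion: reject a SAMPLESPERPIXEL that no decoder could
    use *before* growing the tuple.  The upstream fix raises SyntaxError
    here, the type PIL plugins use for an unreadable file, so it is kept."""
    samples_per_pixel = tags.get(SAMPLESPERPIXEL, 1)
    if samples_per_pixel > max_samples:
        raise SyntaxError(f"Invalid value for samples per pixel: {samples_per_pixel}")
    bps_tuple = (tags.get(BITSPERSAMPLE, 8),)
    if samples_per_pixel > len(bps_tuple):
        # Now bounded by max_samples rather than by the file.
        bps_tuple = bps_tuple * samples_per_pixel
    return bps_tuple


def check_file(data, max_samples=MAX_SAMPLESPERPIXEL):
    """Return ("ok", bps_tuple) or ("rejected", entries the old code would
    have allocated) for a TIFF byte string."""
    tags = parse_ifd(data)
    try:
        return "ok", setup_decoder(tags, max_samples)
    except SyntaxError:
        return "rejected", unpatched_tuple_length(tags)


if __name__ == "__main__":
    print(check_file(build_tiff(samples_per_pixel=3)))  # ('ok', (8, 8, 8))
    print(check_file(build_tiff(samples_per_pixel=0xFFFFFFFF)))  # ('rejected', 4294967295)
```

The benign file expands to a three-entry tuple; the hostile one is refused before the expansion, which is the whole point of the fix: the bound comes from the decoder table, not from the file, so a 32-bit tag value can no longer size an allocation.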

From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 16 07:30:19 2023
From: Ludovic Courtès
To: Lars-Dominik Braun
Cc: 61172@debbugs.gnu.org, Nicolas Graves, Leo Famulari
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Thu, 16 Mar 2023 12:30:07 +0100

Hi,

Lars-Dominik Braun wrote:

>> Unless something has changed recently (possible, I haven't paid close attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents, perhaps along with a few other "ungrafting" changes. We are aiming to do the graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?

There’s ‘core-updates’.

Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent ungrafting patch right away on ‘core-updates’ (I think Leo had something even smarter in mind, I forgot the details).

> From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes:
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.

LGTM, please push!

Thanks,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 19 06:50:09 2023
Date: Sun, 19 Mar 2023 11:49:55 +0100
From: Lars-Dominik Braun
To: Ludovic Courtès
Cc: 61172-done@debbugs.gnu.org, Nicolas Graves, Leo Famulari
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

Hi,

> LGTM, please push!

c16add7fd9783db46bb5b308a885af62f0299e61 gnu: python-pillow: Fix CVE-2022-45199.

But to ungraft we have to merge master into core-updates first. Not really on my agenda right now.
Cheers,
Lars

From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 19 13:14:40 2023
Date: Sun, 19 Mar 2023 13:14:26 -0400
From: Leo Famulari
To: Ludovic Courtès
Cc: 61172@debbugs.gnu.org, Nicolas Graves, Lars-Dominik Braun
Subject: Re: bug#61172: [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].

On Thu, Mar 16, 2023 at 12:30:07PM +0100, Ludovic Courtès wrote:
> Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
> ungrafting patch right away on ‘core-updates’ (I think Leo had something
> even smarter in mind, I forgot the details).

I think we should try to do frequent ungrafting branches, at least for non-core packages like python-pillow. We have the build capacity.

The Cuirass web interface is not as helpful or detailed as that of qa.guix.gnu.org, and QA cannot currently build such large changes, but we should still create and try to build these branches.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 04 07:52:11 2023
From: Simon Tournier
To: Lars-Dominik Braun, Leo Famulari
Cc: 61172@debbugs.gnu.org, Nicolas Graves
Subject: Re: [bug#61172] [Nicolas Graves via Guix-patches via] [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].
Date: Tue, 04 Apr 2023 13:34:42 +0200

Hi,

On Sun, 12 Feb 2023 at 09:31, Lars-Dominik Braun wrote:

> +(define-public python-pillow/security-fixes

This package should not be publicly exposed but hidden. Otherwise an ambiguity is raised: two packages are installable from the CLI with the exact same version.

Cheers,
simon

From unknown Sat Aug 16 16:12:58 2025
From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 03 May 2023 11:24:09 +0000

bug archived.