Created attachment 166794
Proposed patch

The attached patch backports 4 security fixes (including 2 CVEs) released as part of Pillow 3.1.1:

* https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e
* https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec
* https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798
* https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4

Since the port is a few releases behind 3.1.x, I've found it safer to backport the commits instead of updating the port.

I've already documented those vulnerabilities in vuln.xml.

Some of the patches added to files/ do not correspond to their respective upstream commits because I couldn't get `make makepatch` to produce a diff for the binary images added with some tests.
ping koobs
Thank you Raphael, if these changes pass QA, I'm happy to approve:

* portlint
* poudriere testport
* make test (unit tests)
A commit references this bug:

Author: koobs
Date: Sat Feb 13 10:51:09 UTC 2016
New revision: 408782
URL: https://svnweb.freebsd.org/changeset/ports/408782

Log:
  graphics/py-pillow: Backport security fixes

  Backport security fixes from 3.1.1 release, resolving the following
  vulnerabilities:

  * CVE-2016-0775: Buffer overflow in FLI decoding code
  * CVE-2016-0740: Buffer overflow in TIFF decoding code
  * Integer overflow in Resample.c [1]
  * Buffer overflow in PCD decoder [2]

  [1] https://github.com/python-pillow/Pillow/issues/1710
  [2] https://github.com/python-pillow/Pillow/issues/568

  PR:           207053
  Submitted by: rakuco
  MFH:          2016Q1
  Security:     a8de962a-cf15-11e5-805c-5453ed2e2b49

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/files/
  head/graphics/py-pillow/files/patch-CVE-2016-0740
  head/graphics/py-pillow/files/patch-CVE-2016-0775
  head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
  head/graphics/py-pillow/files/patch-libImaging-Resample.c
A commit references this bug:

Author: koobs
Date: Sat Feb 13 10:54:52 UTC 2016
New revision: 408783
URL: https://svnweb.freebsd.org/changeset/ports/408783

Log:
  MFH: r408782

  graphics/py-pillow: Backport security fixes

  Backport security fixes from 3.1.1 release, resolving the following
  vulnerabilities:

  * CVE-2016-0775: Buffer overflow in FLI decoding code
  * CVE-2016-0740: Buffer overflow in TIFF decoding code
  * Integer overflow in Resample.c [1]
  * Buffer overflow in PCD decoder [2]

  [1] https://github.com/python-pillow/Pillow/issues/1710
  [2] https://github.com/python-pillow/Pillow/issues/568

  PR:           207053
  Submitted by: rakuco
  Security:     a8de962a-cf15-11e5-805c-5453ed2e2b49
  Approved by:  ports-secteam (security)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/py-pillow/Makefile
  branches/2016Q1/graphics/py-pillow/files/
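The two commit logs above name the bug classes being backported: an integer overflow in a buffer-size computation (Resample.c) and buffer overflows in decoders that trust a length taken from the file (FLI, TIFF, PCD). The following C example, added here and not taken from Pillow, from the backported patches or from the port, shows the two defensive patterns those fixes rely on in general form: a multiplication that refuses to wrap before it reaches malloc, and a decoder step that validates an untrusted length against both the input actually present and the destination buffer. The chunk format (a two-byte little-endian length followed by the payload), the sample inputs and all function names are constructed for illustration and are not Pillow's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compute width * height * bytes_per_pixel without wrapping.  Returns 1 and
 * stores the product in *out on success, 0 if any intermediate product would
 * exceed SIZE_MAX (the class of bug behind the Resample.c item above). */
int checked_image_size(size_t width, size_t height, size_t bpp, size_t *out)
{
    size_t plane;
    if (width == 0 || height == 0 || bpp == 0) {
        *out = 0;
        return 1;
    }
    if (width > SIZE_MAX / height)
        return 0;
    plane = width * height;
    if (plane > SIZE_MAX / bpp)
        return 0;
    *out = plane * bpp;
    return 1;
}

/* 1 if the dimensions cannot be represented as a size_t byte count. */
int size_overflows(size_t width, size_t height, size_t bpp)
{
    size_t n;
    return !checked_image_size(width, height, bpp, &n);
}

/* Allocate an image buffer only when its size was computed without wrapping. */
unsigned char *alloc_image(size_t width, size_t height, size_t bpp)
{
    size_t n;
    if (!checked_image_size(width, height, bpp, &n) || n == 0)
        return NULL;
    return calloc(1, n);
}

/* Toy chunk format (constructed for this example):
 *   bytes 0..1 : little-endian payload length
 *   bytes 2..  : payload
 * Copies the payload into dst.  A decoder that trusted the length field would
 * read past the input or write past dst; this version rejects both cases. */
int decode_chunk(const unsigned char *in, size_t in_len,
                 unsigned char *dst, size_t dst_len, size_t *copied)
{
    size_t payload;
    if (in_len < 2)
        return -1;                 /* truncated header */
    payload = (size_t)in[0] | ((size_t)in[1] << 8);
    if (payload > in_len - 2)
        return -1;                 /* length claims more input than exists */
    if (payload > dst_len)
        return -1;                 /* payload would not fit the destination */
    memcpy(dst, in + 2, payload);
    *copied = payload;
    return 0;
}

/* Decode into a bounded scratch buffer; returns bytes copied or -1 on rejection. */
long run_decode(const unsigned char *in, size_t in_len, size_t dst_len)
{
    unsigned char dst[64];
    size_t copied = 0;
    if (dst_len > sizeof dst)
        return -1;
    if (decode_chunk(in, in_len, dst, dst_len, &copied) != 0)
        return -1;
    return (long)copied;
}

/* Constructed sample inputs. */
const unsigned char SAMPLE_OK[]        = { 0x03, 0x00, 'a', 'b', 'c' };
const unsigned char SAMPLE_TRUNCATED[] = { 0xff, 0x7f, 'a' };      /* claims 32767 bytes */
const unsigned char SAMPLE_HEADER[]    = { 0x03 };                 /* header cut short */

int main(void)
{
    unsigned char *img = alloc_image(4096, 4096, 4);
    printf("4096x4096x4 allocation: %s\n", img ? "ok" : "rejected");
    free(img);
    printf("SIZE_MAX/2 x 4 x 1 overflows: %d\n", size_overflows(SIZE_MAX / 2, 4, 1));
    printf("well-formed chunk: %ld bytes\n", run_decode(SAMPLE_OK, sizeof SAMPLE_OK, 8));
    printf("truncated chunk: %ld\n", run_decode(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 8));
    printf("chunk larger than destination: %ld\n", run_decode(SAMPLE_OK, sizeof SAMPLE_OK, 2));
    return 0;
}
```

The size check is done in two steps on purpose: checking only the final product against a limit is useless once the multiplication has already wrapped, so each multiply is guarded before it happens. In the decoder, the length is compared against `in_len - 2` only after `in_len < 2` has been excluded, since that subtraction would otherwise wrap as well.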
Committed to HEAD and quarterly branch (2016Q1) Thank you for taking care of this Raphael