Created attachment 208332: py-pillow-6.2.0.patch

Hi Kubilay,

attached is the patch that updates graphics/py-pillow to 6.2.0. Previous releases <= 6.1.0 are vulnerable with a medium exploitation score (see CVE-2019-16865 and the GitHub issue for further info).

QA:
- poudriere (11.3-RELEASE amd64) for each py27 + py36 flavor -> OK

Will do the usual QA in the next few hours and update this PR then. An entry for the VuXML will follow shortly.
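As an added check for readers of this PR (editor's example, not part of the ports patch, of Pillow, or of the VuXML entry): a small Python script that decides whether a Pillow version string, or a FreeBSD package name such as py36-pillow-6.1.0_1, falls into the affected range the comment above states (<= 6.1.0, fixed in 6.2.0). It assumes that range is the whole story; the `_N` port-revision and `,N` epoch suffixes and the `pkg info` line shape are FreeBSD conventions, while the sample package listing is constructed.

```python
"""Flag Pillow versions affected by the issue tracked in this PR.

Added example for the PR thread; not the port's or Pillow's own code.
Assumption: everything below the 6.2.0 final release is affected, as the
first comment states (<= 6.1.0 vulnerable, update to 6.2.0 fixes it).
"""
import re
from importlib import metadata  # standard library on Python 3.8+

CVE_ID = "CVE-2019-16865"   # identifier from the PR
FIXED_IN = (6, 2, 0)        # version carried by the port update in this PR

# major.minor.patch plus an optional pre-release tag (a1, b2, rc1, .dev0).
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?P<pre>\.?(?:a|b|rc|dev)\d*)?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return a sortable (major, minor, patch, final) tuple.

    Missing components default to 0. A pre-release tag sets final=0 so that
    "6.2.0rc1" sorts below the 6.2.0 release and is still flagged; a
    post-release such as "6.2.0.post1" is treated as final.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch = (int(p or 0) for p in m.groups()[:3])
    final = 0 if m.group("pre") else 1
    return (major, minor, patch, final)


def is_vulnerable(version_text):
    """True if the version predates the fixed release (6.2.0 final)."""
    return parse_version(version_text) < FIXED_IN + (1,)


def check_installed():
    """Return (version, vulnerable) for Pillow in this interpreter, or None."""
    try:
        ver = metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None
    return ver, is_vulnerable(ver)


def audit_pkg_listing(lines):
    """Map FreeBSD package names like 'py36-pillow-6.1.0_1' to a verdict.

    Accepts 'pkg info'-style lines (name-version first, comment after).
    Port revision (_N) and epoch (,N) suffixes are stripped because they do
    not change the upstream Pillow version.
    """
    findings = {}
    for line in lines:
        pkg = line.split()[0] if line.strip() else ""
        if "-pillow-" not in pkg:
            continue
        name, _, ver = pkg.rpartition("-")
        ver = re.sub(r"(_\d+)?(,\d+)?$", "", ver)
        findings[name] = is_vulnerable(ver)
    return findings


# Constructed sample listing in the shape of `pkg info` output.
SAMPLE_PKG_INFO = [
    "py27-pillow-6.1.0_1           Python Imaging Library (Fork)",
    "py36-pillow-6.2.0             Python Imaging Library (Fork)",
    "py36-six-1.12.0               Python 2 and 3 compatibility utilities",
]


if __name__ == "__main__":
    for name, bad in audit_pkg_listing(SAMPLE_PKG_INFO).items():
        print("%-12s %s" % (name, "AFFECTED by %s" % CVE_ID if bad else "fixed"))
    local = check_installed()
    if local:
        print("installed Pillow %s: %s" % (local[0], "affected" if local[1] else "fixed"))
```

The pre-release handling is the one deliberate design choice: a 6.2.0 release candidate is reported as affected rather than assumed to carry the fix, which errs on the side of a false positive.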
A commit references this bug:

Author: kai
Date: Tue Oct 15 14:43:02 UTC 2019
New revision: 514534
URL: https://svnweb.freebsd.org/changeset/ports/514534

Log:
  security/vuxml: Document graphics/py-pillow issue

  PR:		241268
  Security:	CVE-2019-16865

Changes:
  head/security/vuxml/vuln.xml
Here's an overview of the QA:

- poudriere (11.2-, 11.3-, 12.0-RELEASE, 13.0-CURRENT@r353466 amd64 + i386) for each py27 + py36 flavor -> OK
- "Mini Exp-Run" against all consumers of graphics/py-pillow -> OK
- Results of "make test" for py27 (see also the note about the warnings further down):

> ============ 1246 passed, 132 skipped, 4 warnings in 25.81 seconds ==============

- Results of "make test" for py36 (see also the note about the warnings further down):

> ============ 1247 passed, 131 skipped, 4 warnings in 24.87 seconds =============

Note about the warnings via "make test": The Pillow 6.2.0 release introduces tests to the test suite that try to catch buffer overruns. Such a test emits the following warning:

> Tests/test_file_tiff.py::TestFileTiff::test_string_dimension
> /wrkdirs/usr/ports/graphics/py-pillow/work-py36/Pillow-6.2.0/src/PIL/TiffImagePlugin.py:784: UserWarning: Possibly corrupt EXIF data. Expecting to read 8587444226 bytes but only got 481.
> Skipping tag 63749

@koobs: Can you give me your approval please, if you have no objections? I'll commit the changes tonight then.
A commit references this bug:

Author: kai
Date: Sat Oct 19 11:43:15 UTC 2019
New revision: 514792
URL: https://svnweb.freebsd.org/changeset/ports/514792

Log:
  graphics/py-pillow: Update to 6.2.0

  Release Notes:
  * https://pillow.readthedocs.io/en/latest/releasenotes/index.html

  Detailed Changelog:
  * https://github.com/python-pillow/Pillow/blob/6.2.0/CHANGES.rst

  PR:		241268
  Approved by:	koobs (maintainer)
  MFH:		2019Q4
  Security:	998ca824-ef55-11e9-b81f-3085a9a95629

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/distinfo
A commit references this bug:

Author: kai
Date: Sun Oct 20 18:41:18 UTC 2019
New revision: 515065
URL: https://svnweb.freebsd.org/changeset/ports/515065

Log:
  MFH: r514792

  graphics/py-pillow: Update to 6.2.0

  Release Notes:
  * https://pillow.readthedocs.io/en/latest/releasenotes/index.html

  Detailed Changelog:
  * https://github.com/python-pillow/Pillow/blob/6.2.0/CHANGES.rst

  PR:		241268
  Approved by:	koobs (maintainer)
  Security:	998ca824-ef55-11e9-b81f-3085a9a95629
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/graphics/py-pillow/Makefile
  branches/2019Q4/graphics/py-pillow/distinfo
Committed to the head and 2019Q4 branches, all done!