Created attachment 224398
Upgrade py-pillow to 8.2.0

- Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>
- Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>
- Since I'm there, add newer optional dependencies.

Security: CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678
Thanks for this Thierry. I'm not going to be able to commit this any time soon (svn->git migration), so I would appreciate someone taking this to resolution (vuxml + mfh). Kai has experience with QA'ing the last Pillow update, and may be able to provide advice on that.
Patch has been included.
Created attachment 224400
Poudriere log

Since you added "needs-qa", I'm joining a poudriere log.
Remove needs-qa. BTW, I modified the test target and its dependencies, and all tests pass.
(In reply to Thierry Thomas from comment #2)

- needs-patch is/was for VuXML
- While I lean towards OPTIONS enabled by default, XCB / RAQM are pretty heavy. Should they be default?
- Main QA consideration is reverse dependents (in particular those ports with <X in their dep lines). If ports don't declare/reflect the max version (and tons don't), these will fail at run time.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8

commit b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-12 08:37:22 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-12 10:09:17 +0000

    security/vuxml: add vulnerabilities fixed in 8.2.0

    PR: 255361

 security/vuxml/vuln.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
@Thierry To be explicit, this is reassign/clear to commit pending QA (comment 5). If you need help, @dbaio may be able to assist.
(In reply to Kubilay Kocak from comment #5) It does not break the dependent ports.
Committed, thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=553bcea9dbe91208a9c8bf265e0d8e1172094ffe

commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 20:05:25 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>
    - Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>
    - Since I'm there, add newer optional dependencies.

    Security:    CVE-2021-25287
    Security:    CVE-2021-25288
    Security:    CVE-2021-28675
    Security:    CVE-2021-28676
    Security:    CVE-2021-28677
    Security:    CVE-2021-28678
    PR:          255361
    Approved by: koobs (maintainer)

 graphics/py-pillow/Makefile | 23 ++++++++++++++++-------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 19 insertions(+), 10 deletions(-)
^Triage: Re-open pending MFH
@Thierry has this been merged?
(In reply to Kubilay Kocak from comment #12)

I don't think so, but don't hesitate to MFH it.

Warning: it should be MFH together with libraqm:
https://cgit.freebsd.org/ports/commit/?id=0ac1997e2f6fdda0e8442a2deef01dadf0089da1
and
https://cgit.freebsd.org/ports/commit/?id=dfe43fda12c875be6dc302e0ae7cbafc6be22c20
(In reply to Thierry Thomas from comment #13)

I don't have a git env ready for ports work yet. If you can take care of it, that would be great. Otherwise Danilo or ports-secteam may have cycles.

Are those two commits the complete set that require merging?
Created attachment 226012
Patch for 2021Q2 without raqm

To simplify, I suggest the attached patch: this is the MFH, but raqm is disabled by force. Unfortunately, I have no machine with Python-3.7 to test it.
(In reply to Thierry Thomas from comment #15)

Disable RAQM because it's a new feature and dependency in the main commit? If so, this looks fine to merge. You're lead on this, having resolved the issue (and thank you).
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0d89189719750ec21a542236de9611791ac08713

commit 0d89189719750ec21a542236de9611791ac08713
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-26 16:05:24 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>
    - Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>
    - Since I'm there, add newer optional dependencies.

    Security:    CVE-2021-25287
    Security:    CVE-2021-25288
    Security:    CVE-2021-28675
    Security:    CVE-2021-28676
    Security:    CVE-2021-28677
    Security:    CVE-2021-28678
    PR:          255361
    Approved by: koobs (maintainer)

    (cherry picked from commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe but disable RAQM)

 graphics/py-pillow/Makefile | 21 +++++++++++++--------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 16 insertions(+), 11 deletions(-)
Getting pkg-fallout on quarterly after merge:

=======================<phase: configure      >============================
===>  Configuring for py37-pillow-8.2.0
running config
===========================================================================
=======================<phase: build          >============================
===>  Building for py37-pillow-8.2.0
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: option --disable-raqm not recognized
*** Error code 1
Sorry, I do not understand:

- on the branch main, with the default Python 3.8, when the option RAQM is deselected, we have

$ make -V PYDISTUTILS_BUILDARGS
--enable-freetype --enable-jpeg --enable-jpeg2000 --enable-lcms --enable-zlib --disable-raqm --enable-tiff --include-dirs=/usr/local/include/tcl8.6:/usr/local/include/tk8.6 --enable-webp --enable-webpmux --enable-xcb saveopts

and pillow is built without raqm as expected.

- what could differ on 2021Q2 so that this option gets unrecognized?
(In reply to Thierry Thomas from comment #20)

It seems that the order of the options is important. Applying the following fix should remedy the issue:

> -PYDISTUTILS_BUILDARGS+= saveopts --disable-raqm
> +PYDISTUTILS_BUILDARGS+= --disable-raqm saveopts
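Review bot: the reordering matches the working main-branch argument list quoted in comment 20, where --disable-raqm precedes saveopts; the 2021Q2 merge (comment 18) appended it after saveopts, which is exactly the ordering the build log in comment 19 rejects with "error: option --disable-raqm not recognized". Worth a short Makefile comment at the PYDISTUTILS_BUILDARGS+= line noting that setup.py options must precede saveopts, so the next merge does not reintroduce the swap.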
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae162bd989359e2e599a2b9cb58da87bdec05fab

commit ae162bd989359e2e599a2b9cb58da87bdec05fab
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-06-27 17:19:56 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-27 17:19:56 +0000

    graphics/py-pillow: fix build

    As koobs@ reported, my previous commit was bad:
    error: option --disable-raqm not recognized

    PR:          255361
    Reported by: kai@

 graphics/py-pillow/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
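The "option --disable-raqm not recognized" failure in comments 19 to 22 comes from how a distutils-style setup.py assigns options to commands: each bare word starts a new command scope, and every option that follows belongs to that command until the next command word. The toy parser below is an added example, not Pillow's or the ports framework's code; the command and option table is constructed, and it assumes the ports framework runs setup.py with a build_ext command ahead of PYDISTUTILS_BUILDARGS.

```python
"""Toy model of distutils command-line parsing (added example, not the
real distutils implementation).  It reproduces why the ordering
'saveopts --disable-raqm' fails while '--disable-raqm saveopts' works."""

# Constructed for illustration: the long options each command accepts.
# Pillow's --enable-*/--disable-* feature switches belong to build_ext;
# setuptools' saveopts takes no options of its own.
KNOWN_COMMANDS = {
    "build_ext": {"enable-freetype", "enable-jpeg", "disable-raqm", "enable-raqm"},
    "saveopts": set(),
}


def assign_options(argv):
    """Walk argv the way distutils does: a bare word opens a command scope,
    each following '--opt' is attached to that command.  Returns
    (assignments, error); error is None on success, else a message shaped
    like the one in the 2021Q2 build log."""
    assignments = {}
    current = None
    for arg in argv:
        if arg.startswith("--"):
            if current is None:
                return assignments, "option %s given before any command" % arg
            name = arg[2:].split("=", 1)[0]
            if name not in KNOWN_COMMANDS[current]:
                # saveopts does not know --disable-raqm: this is the failure.
                return assignments, "option %s not recognized" % arg
            assignments[current].append(arg)
        else:
            if arg not in KNOWN_COMMANDS:
                return assignments, "invalid command '%s'" % arg
            current = arg
            assignments.setdefault(current, [])
    return assignments, None


# The two orderings from the quarterly Makefile, preceded by the build
# command the ports framework is assumed to pass (build_ext).
BROKEN = ["build_ext", "saveopts", "--disable-raqm"]
FIXED = ["build_ext", "--disable-raqm", "saveopts"]

if __name__ == "__main__":
    for argv in (BROKEN, FIXED):
        result, err = assign_options(argv)
        print(" ".join(argv), "->", err or result)
```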
Created attachment 230821
Updated patch to upgrade to 9.0.0

Version 9.0.0 has been released upstream. I've attached a proposed patch that seems to work.
Assign to the maintainer.
Created attachment 231589
[patch] update graphics/py-pillow to 9.0.1

(In reply to george from comment #23)

9.0.1 was released Feb 2, and it addresses a couple more CVEs.

Currently graphics/py-pillow (still at 8.2.0) is failing to build because of security vulnerabilities (see Dec 27, 2021, vuxml commit ports/4019e413fc137877e4e4cd60ec01f19be4deb028). The Jan 25, 2022, PORTREVISION bump is triggering rebuild attempts for any systems that had py-pillow installed before the vuxml change.

Attached patch updates to 9.0.1

QA:
- poudriere testport (ok)
- portlint / portclippy (ok, no errors, no new warnings / suggestions)
- make test (ok)
freebsd13-p7: when I run make install for the py38-pillow port, it reminds me:

py38-pillow-8.2.0_1 is vulnerable:
Pillow -- Regular Expression Denial of Service (ReDoS)
CVE: CVE-2021-23437
WWW: https://vuxml.FreeBSD.org/freebsd/ed8a4215-675c-11ec-8dd4-a0f3c100ae18.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Maintainer reset.
^Triage: assign to current maintainer.
It seems to me that this bug should be closed as fixed, overcome by events, since the current version of py-pillow in the ports tree is version 10.0.1. But apparently I don't have permission to close the bug.