Bug 207053

Summary: graphics/py-pillow: Backport security fixes from 3.1.1.
Product: Ports & Packages    Reporter: Raphael Kubo da Costa <rakuco>
Component: Individual Port(s)    Assignee: Kubilay Kocak <koobs>
Status: Closed FIXED
Severity: Affects Many People    CC: ports-secteam
Priority: Normal    Keywords: patch, security
Version: Latest    Flags: koobs: maintainer-feedback+, koobs: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  Proposed patch (flags: none)

Description Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-02-09 10:44:18 UTC
Created attachment 166794 [details]
Proposed patch

The attached patch backports 4 security fixes (including 2 CVEs) released as part of Pillow 3.1.1:
* https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e
* https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec
* https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798
* https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4

Since the port is a few releases behind 3.1.x, I've found it safer to backport the commits instead of updating the port. I've already documented those vulnerabilities in vuln.xml.

Some of the patches added to files/ do not correspond to their respective upstream commits because I couldn't get `make makepatch` to produce a diff for the binary images added with some tests.
Comment 1 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-02-11 09:34:24 UTC
ping koobs
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-02-13 03:27:27 UTC
Thank you Raphael, if these changes pass QA, I'm happy to approve:

* portlint
* poudriere testport
* make test (unit tests)
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-02-13 10:51:15 UTC
A commit references this bug:

Author: koobs
Date: Sat Feb 13 10:51:09 UTC 2016
New revision: 408782
URL: https://svnweb.freebsd.org/changeset/ports/408782

Log:
  graphics/py-pillow: Backport security fixes

  Backport security fixes from 3.1.1 release, resolving the following
  vulnerabilities:

   * CVE-2016-0775: Buffer overflow in FLI decoding code
   * CVE-2016-0740: Buffer overflow in TIFF decoding code
   * Integer overflow in Resample.c [1]
   * Buffer overflow in PCD decoder [2]

  [1] https://github.com/python-pillow/Pillow/issues/1710
  [2] https://github.com/python-pillow/Pillow/issues/568

  PR:		207053
  Submitted by:	rakuco
  MFH:		2016Q1
  Security:	a8de962a-cf15-11e5-805c-5453ed2e2b49

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/files/
  head/graphics/py-pillow/files/patch-CVE-2016-0740
  head/graphics/py-pillow/files/patch-CVE-2016-0775
  head/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
  head/graphics/py-pillow/files/patch-libImaging-Resample.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-02-13 10:55:17 UTC
A commit references this bug:

Author: koobs
Date: Sat Feb 13 10:54:52 UTC 2016
New revision: 408783
URL: https://svnweb.freebsd.org/changeset/ports/408783

Log:
  MFH: r408782 graphics/py-pillow: Backport security fixes

  Backport security fixes from 3.1.1 release, resolving the following
  vulnerabilities:

   * CVE-2016-0775: Buffer overflow in FLI decoding code
   * CVE-2016-0740: Buffer overflow in TIFF decoding code
   * Integer overflow in Resample.c [1]
   * Buffer overflow in PCD decoder [2]

  [1] https://github.com/python-pillow/Pillow/issues/1710
  [2] https://github.com/python-pillow/Pillow/issues/568

  PR:		207053
  Submitted by:	rakuco
  Security:	a8de962a-cf15-11e5-805c-5453ed2e2b49

  Approved by:	ports-secteam (security)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/graphics/py-pillow/Makefile
  branches/2016Q1/graphics/py-pillow/files/
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2016-02-13 10:56:42 UTC
Committed to HEAD and quarterly branch (2016Q1)

Thank you for taking care of this, Raphael.