Summary: | graphics/py-pillow: Update to 6.2.2
---|---
Product: | Ports & Packages
Reporter: | Po-Chuan Hsieh <sunpoet>
Component: | Individual Port(s)
Assignee: | Kai Knoblich <kai>
Status: | Closed FIXED
Severity: | Affects Many People
CC: | koobs, python
Priority: | Normal
Keywords: | security
Version: | Latest
Flags: | koobs: maintainer-feedback+; kai: merge-quarterly+
Hardware: | Any
OS: | Any
URL: | https://github.com/python-pillow/Pillow/blob/6.2.2/CHANGES.rst
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243665

Description
Po-Chuan Hsieh
2020-01-13 18:49:23 UTC

@Sunpoet Can you include the proposed patch as an attachment, please?

Upstream also now has 6.2.2 (last version supporting 2.x), which includes several security fixes (MFH). We also need a VuXML entry patch.

We also need to plan and coordinate, at a date in the near future, copying pillow -> pillow6, to enable the upgrade of pillow to 7.x (supporting 3.x only), which is already out: https://github.com/python-pillow/Pillow/blob/7.0.0/CHANGES.rst

If someone could attach a (separate) patch updating the main port to 7.x and updating all existing consumers of pillow -> pillow6, this would go a long way.

Created attachment 210978
6.2.2 & 7.0.0

Run "svn cp graphics/py-pillow graphics/py-pillow6" before applying the patch.

Kai has the lead. Thank you for the patch update, Sunpoet.

I'd do a small change in favor of MFH'ing the 6.2.2 release (which is security related):

1. Update graphics/py-pillow to 6.2.2
2. MFH'ing it to 2020Q1
3. Repocopy graphics/py-pillow to graphics/py-pillow6 with all required changes
4. Update graphics/py-pillow to 7.0 and adjust its consumers

Once steps 1 and 2 are done we can fully work on the planning and introduction of the 7.0 release.

I'm going to add a VuXML entry tonight and commit the 6.2.2 update to /head during the upcoming weekend.

@koobs: I assume the update of graphics/py-pillow 6.2.2 has your approval?

A commit references this bug:

Author: kai
Date: Fri Jan 24 22:20:01 UTC 2020
New revision: 523993
URL: https://svnweb.freebsd.org/changeset/ports/523993

Log:
  security/vuxml: Document graphics/py-pillow issues

  PR: 243336
  Security: CVE-2019-19911 CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

Changes:
  head/security/vuxml/vuln.xml

QA for the 6.2.2 update is fine:

py37, py38:
> ==== 1250 passed, 130 skipped, 4 warnings in 23.17 seconds ====

py36:
> ==== 1249 passed, 131 skipped, 4 warnings in 23.26 seconds ====

py27, py35:
> ==== 1248 passed, 132 skipped, 4 warnings in 25.00 seconds ====

Building against all consumers was also fine (11.3-RELEASE amd64 py27/py35/py36/py37/py38).

(In reply to Kai Knoblich from comment #4)

* Yep, let's get the security update in first and merged
* Everything is approved contingent on QA passing
* If you'd like to track the pillow 7.x work in a separate issue, just create one and add it to this issue's See Also so people can follow

A commit references this bug:

Author: kai
Date: Sat Jan 25 09:54:05 UTC 2020
New revision: 524023
URL: https://svnweb.freebsd.org/changeset/ports/524023

Log:
  graphics/py-pillow: Update to 6.2.2

  Changelogs since 6.2.0:
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.1.html

  PR: 243336
  Submitted by: sunpoet
  Approved by: koobs (maintainer)
  MFH: 2020Q1
  Security: 0700e76c-3eb0-11ea-8478-3085a9a95629

Changes:
  head/graphics/py-pillow/Makefile
  head/graphics/py-pillow/distinfo

A commit references this bug:

Author: kai
Date: Sat Jan 25 21:35:27 UTC 2020
New revision: 524135
URL: https://svnweb.freebsd.org/changeset/ports/524135

Log:
  MFH: r524023

  graphics/py-pillow: Update to 6.2.2

  Changelogs since 6.2.0:
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
  https://pillow.readthedocs.io/en/stable/releasenotes/6.2.1.html

  PR: 243336
  Submitted by: sunpoet
  Approved by: koobs (maintainer)
  Security: 0700e76c-3eb0-11ea-8478-3085a9a95629

  Approved by: ports-secteam (riggs)

Changes:
  _U branches/2020Q1/
  branches/2020Q1/graphics/py-pillow/Makefile
  branches/2020Q1/graphics/py-pillow/distinfo

(In reply to Kubilay Kocak from comment #7)

Ok, I close this issue as Pillow 6.2.2 is available in the /head and the 2020Q1 branches.

We continue steps 3 and 4 from comment #4 in a separate issue (bug #243665) for the sake of brevity.