Created attachment 166795 [details] Proposed patch Pillow 3.1.1 was released a few days ago (https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html), and some of the security fixes in that release also apply to PIL: * https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec * https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4 This patch backports them to graphics/py-imaging. I've already documented them in security/vuxml.
ping
There are no longer any ports that depend on py-imaging; perhaps it's time to remove it as well. Do you have a use case for py-imaging?
I don't, I just sent this patch because the vulnerabilities I mentioned also affected py-imaging. If you'd like to deprecate the port and mark it to expire in, say, 1 month, we could certainly do that too. In any case, it'd be good to have this patch in until then (and also because the port will remain present in the 2016Q1 branch).
Sounds fine to me. Note that someone with appropriate permissions has to set maintainer-approval? on your patch in order for me to set maintainer-approval+.
A commit references this bug: Author: rakuco Date: Thu Feb 11 17:11:09 UTC 2016 New revision: 408690 URL: https://svnweb.freebsd.org/changeset/ports/408690 Log: Backport two Pillow security fixes. Pillow 3.1.1 was released a few days ago [1], and some of the security fixes in that release also apply to PIL: * https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec * https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4 [1] https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html PR: 207054 Approved by: mainland@apeiron.net (maintainer) Security: a8de962a-cf15-11e5-805c-5453ed2e2b49 Security: 6ea60e00-cf13-11e5-805c-5453ed2e2b49 Security: CVE-2016-0775 Changes: head/graphics/py-imaging/Makefile head/graphics/py-imaging/files/patch-CVE-2016-0775 head/graphics/py-imaging/files/patch-libImaging-PcdDecode.c
A commit references this bug: Author: rakuco Date: Thu Feb 11 17:12:12 UTC 2016 New revision: 408691 URL: https://svnweb.freebsd.org/changeset/ports/408691 Log: MFH: r408690 Backport two Pillow security fixes. Pillow 3.1.1 was released a few days ago [1], and some of the security fixes in that release also apply to PIL: * https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec * https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4 [1] https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html PR: 207054 Approved by: mainland@apeiron.net (maintainer) Security: a8de962a-cf15-11e5-805c-5453ed2e2b49 Security: 6ea60e00-cf13-11e5-805c-5453ed2e2b49 Security: CVE-2016-0775 Approved by: portmgr blanket approval Changes: _U branches/2016Q1/ branches/2016Q1/graphics/py-imaging/Makefile branches/2016Q1/graphics/py-imaging/files/patch-CVE-2016-0775 branches/2016Q1/graphics/py-imaging/files/patch-libImaging-PcdDecode.c
Thanks for the review! I'm going to send a separate patch to deprecate the port now.