Bug 255361 - graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Summary: graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Thierry Thomas
URL: https://github.com/python-pillow/Pill...
Keywords: security
Depends on: 255360
Blocks:
Reported: 2021-04-24 10:23 UTC by Thierry Thomas
Modified: 2021-06-27 17:24 UTC (History)

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Upgrade py-pillow to 8.2.0 (4.00 KB, patch)
2021-04-24 10:23 UTC, Thierry Thomas
no flags
Poudriere log. (10.13 KB, application/x-bzip)
2021-04-24 13:42 UTC, Thierry Thomas
no flags
Patch for 2021Q2 without raqm (3.70 KB, patch)
2021-06-23 14:04 UTC, Thierry Thomas
thierry: maintainer-approval? (koobs)

Description Thierry Thomas freebsd_committer 2021-04-24 10:23:56 UTC
Created attachment 224398
Upgrade py-pillow to 8.2.0

- Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

- Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

- Since I'm there, add newer optional dependencies.

Security: CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-24 10:29:03 UTC
Thanks for this Thierry

I'm not going to be able to commit this any time soon (svn->git migration), so would appreciate someone to take this to resolution (vuxml + mfh)

Kai has experience with QA'ing the last Pillow update, and may be able to provide advice on that
Comment 2 Thierry Thomas freebsd_committer 2021-04-24 13:26:41 UTC
Patch has been included.
Comment 3 Thierry Thomas freebsd_committer 2021-04-24 13:42:32 UTC
Created attachment 224400
Poudriere log.

Since you added "needs-qa" I'm joining a poudriere log.
Comment 4 Thierry Thomas freebsd_committer 2021-04-24 13:43:23 UTC
Remove needs-qa.

BTW, I modified the test target and its dependencies, and all tests pass.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-25 00:08:45 UTC
(In reply to Thierry Thomas from comment #2)

 - needs-patch is/was for VuXML
 - While I lean towards OPTIONS enabled by default, XCB / RACQ are pretty heavy. Should they be default?
 - Main QA consideration is reverse dependents (in particular those ports with <X in their dep lines). If ports don't declare/reflect the max version (and tons don't), these will fail at run time.
Comment 6 commit-hook freebsd_committer 2021-05-12 10:10:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8

commit b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-12 08:37:22 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-12 10:09:17 +0000

    security/vuxml: add vulnerabilities fixed in 8.2.0

    PR:             255361

 security/vuxml/vuln.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-13 00:46:06 UTC
@Thierry To be explicit, this is reassign/clear to commit pending QA (comment 5)

If you need help, @dbaio may be able to assist
Comment 8 Thierry Thomas freebsd_committer 2021-05-13 20:08:13 UTC
(In reply to Kubilay Kocak from comment #5)

It does not break the dependent ports.
Comment 9 Thierry Thomas freebsd_committer 2021-05-13 20:09:10 UTC
Committed, thanks!
Comment 10 commit-hook freebsd_committer 2021-05-13 20:10:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=553bcea9dbe91208a9c8bf265e0d8e1172094ffe

commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 20:05:25 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

    - Security fixes described at
    <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

    - Since I'm there, add newer optional dependencies.

    Security:       CVE-2021-25287
    Security:       CVE-2021-25288
    Security:       CVE-2021-28675
    Security:       CVE-2021-28676
    Security:       CVE-2021-28677
    Security:       CVE-2021-28678

    PR:             255361
    Approved by:    koobs (maintainer)

 graphics/py-pillow/Makefile | 23 ++++++++++++++++-------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 19 insertions(+), 10 deletions(-)
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-14 00:10:30 UTC
^Triage: Re-open pending MFH
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-21 03:41:04 UTC
@Thierry has this been merged?
Comment 13 Thierry Thomas freebsd_committer 2021-06-21 15:17:13 UTC
(In reply to Kubilay Kocak from comment #12)

I don't think so, but don't hesitate to MFH it.

Warning: it should be MFH together with libraqm:

https://cgit.freebsd.org/ports/commit/?id=0ac1997e2f6fdda0e8442a2deef01dadf0089da1
and
https://cgit.freebsd.org/ports/commit/?id=dfe43fda12c875be6dc302e0ae7cbafc6be22c20
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-22 02:38:33 UTC
(In reply to Thierry Thomas from comment #13)

I don't have a git env ready for ports work yet. If you can take care of it that would be great.

Otherwise Danilo or ports-secteam may have cycles. Are those two commits the complete set that require merging?
Comment 15 Thierry Thomas freebsd_committer 2021-06-23 14:04:54 UTC
Created attachment 226012
Patch for 2021Q2 without raqm

To simplify, I suggest the attached patch: this is the MFH, but raqm is disabled by force.

Unfortunately, I have no machine with Python-3.7 to test it.
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-26 02:15:09 UTC
(In reply to Thierry Thomas from comment #15)

Disable RAQM because it's a new feature and dependency in main commit? If so this looks fine to merge. You're lead on this having resolved the issue (and thank you)
Comment 17 commit-hook freebsd_committer 2021-06-26 16:07:20 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0d89189719750ec21a542236de9611791ac08713

commit 0d89189719750ec21a542236de9611791ac08713
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-26 16:05:24 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

    - Security fixes described at
    <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

    - Since I'm there, add newer optional dependencies.

    Security:       CVE-2021-25287
    Security:       CVE-2021-25288
    Security:       CVE-2021-28675
    Security:       CVE-2021-28676
    Security:       CVE-2021-28677
    Security:       CVE-2021-28678

    PR:             255361
    Approved by:    koobs (maintainer)

    (cherry picked from commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe but
    disable RAQM)

 graphics/py-pillow/Makefile | 21 +++++++++++++--------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 16 insertions(+), 11 deletions(-)
Comment 18 Thierry Thomas freebsd_committer 2021-06-26 16:34:58 UTC
Committed, thanks!
Comment 19 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-27 01:21:28 UTC
Getting pkg-fallout on quarterly after merge:

=======================<phase: configure      >============================
===>  Configuring for py37-pillow-8.2.0
running config
===========================================================================
=======================<phase: build          >============================
===>  Building for py37-pillow-8.2.0
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: option --disable-raqm not recognized
*** Error code 1
Comment 20 Thierry Thomas freebsd_committer 2021-06-27 14:33:32 UTC
Sorry, I do not understand:

- on the branch main, with the default Python 3.8, when the option RAQM is deselected, we have

$ make -V PYDISTUTILS_BUILDARGS
--enable-freetype --enable-jpeg --enable-jpeg2000 --enable-lcms --enable-zlib --disable-raqm --enable-tiff --include-dirs=/usr/local/include/tcl8.6:/usr/local/include/tk8.6 --enable-webp --enable-webpmux --enable-xcb saveopts

and pillow is built without raqm as expected.

- what could differ on 2021Q2 so that this option gets unrecognized?
Comment 21 Kai Knoblich freebsd_committer 2021-06-27 17:07:47 UTC
(In reply to Thierry Thomas from comment #20)

It seems that the order of the options is important. Applying the following fix should remedy the issue:

> -PYDISTUTILS_BUILDARGS+=                saveopts --disable-raqm
> +PYDISTUTILS_BUILDARGS+=                --disable-raqm saveopts
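Review bot: Swapping the order is the right fix, and the reason belongs in the commit message: setup.py parses its arguments as `[global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]` (the usage text in comment 19), so with `saveopts --disable-raqm` the flag is handed to the `saveopts` command, which does not define it and fails with `option --disable-raqm not recognized`; placed before `saveopts` it is consumed by the preceding build command's option list, matching the working main-branch value in comment 20 where `--disable-raqm` already precedes `saveopts`. Any other option the 2021Q2 Makefile appends after this line would need the same treatment, since everything after `saveopts` is parsed as a `saveopts` option.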
Comment 22 commit-hook freebsd_committer 2021-06-27 17:24:23 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae162bd989359e2e599a2b9cb58da87bdec05fab

commit ae162bd989359e2e599a2b9cb58da87bdec05fab
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-06-27 17:19:56 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-27 17:19:56 +0000

    graphics/py-pillow: fix build

    As koobs@ reported, my previous commit was bad:

    error: option --disable-raqm not recognized

    PR:             255361
    Reported by:    kai@

 graphics/py-pillow/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
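To make the option-ordering rule behind comments 19 to 21 concrete, here is an added example (my own code, not from the Pillow project or the FreeBSD ports tree) that models how a distutils-style setup.py splits its argument list into global options and per-command options. It assumes the port invokes the build_ext command with PYDISTUTILS_BUILDARGS appended, and the command/option table is constructed for the demonstration.

```python
# Added example (not Pillow's or the ports tree's code): models the
# "[global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]" rule that setup.py
# printed in comment 19, to show why "saveopts --disable-raqm" fails while
# "--disable-raqm saveopts" builds. The command table is constructed for the demo.
import shlex

def _build_ext_knows(opt):
    # Pillow's build_ext has --enable-/--disable-<feature> switches and --include-dirs (assumption)
    return opt.startswith(("--enable-", "--disable-")) or opt == "--include-dirs"

# Which options each command accepts; saveopts knows none of the feature flags.
COMMAND_OPTIONS = {"build_ext": _build_ext_knows, "saveopts": lambda opt: False}

def parse_setup_args(argv):
    """Split argv into (global_opts, [(command, [opts]), ...]); raise ValueError
    with distutils' wording when a command gets an option it does not know."""
    i, global_opts = 0, []
    # Everything before the first non-option word is a global option.
    while i < len(argv) and argv[i].startswith("-"):
        global_opts.append(argv[i])
        i += 1
    commands = []
    while i < len(argv):
        cmd = argv[i]
        if cmd not in COMMAND_OPTIONS:
            raise ValueError(f"invalid command name '{cmd}'")
        i, opts = i + 1, []
        # Options after a command belong to it, up to the next command word.
        while i < len(argv) and argv[i].startswith("-"):
            name = argv[i].split("=", 1)[0]  # drop any "=value" part
            if not COMMAND_OPTIONS[cmd](name):
                raise ValueError(f"option {name} not recognized")
            opts.append(argv[i])
            i += 1
        commands.append((cmd, opts))
    return global_opts, commands

def build_error(buildargs):
    """Error text for 'setup.py build_ext <buildargs>', or None if it parses.
    Assumes the port runs build_ext with PYDISTUTILS_BUILDARGS appended."""
    try:
        parse_setup_args(["build_ext"] + shlex.split(buildargs))
    except ValueError as exc:
        return str(exc)
    return None

# Abridged from comment 20 (main, RAQM deselected): the flag precedes saveopts.
MAIN_BUILDARGS = "--enable-freetype --disable-raqm --include-dirs=/usr/local/include/tcl8.6 saveopts"
# The broken 2021Q2 ordering from comment 21: the flag is handed to saveopts.
BROKEN_BUILDARGS = "--enable-freetype saveopts --disable-raqm"
```

Calling build_error on the two strings reproduces the difference: the main-branch ordering parses cleanly, while the broken ordering yields exactly the "option --disable-raqm not recognized" message from the pkg-fallout log.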