Bug 255361 - graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Summary: graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any
OS: Any
Importance: Normal Affects Many People
Assignee: Thierry Thomas
URL: https://github.com/python-pillow/Pill...
Keywords: security
Depends on: 255360
Blocks:
Reported: 2021-04-24 10:23 UTC by Thierry Thomas
Modified: 2021-05-14 00:10 UTC (History)

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Upgrade py-pillow to 8.2.0 (4.00 KB, patch)
2021-04-24 10:23 UTC, Thierry Thomas
Poudriere log. (10.13 KB, application/x-bzip)
2021-04-24 13:42 UTC, Thierry Thomas

Description Thierry Thomas freebsd_committer 2021-04-24 10:23:56 UTC
Created attachment 224398
Upgrade py-pillow to 8.2.0

- Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

- Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

- Since I'm there, add newer optional dependencies.

Security: CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-24 10:29:03 UTC
Thanks for this Thierry

I'm not going to be able to commit this any time soon (svn->git migration), so I would appreciate someone taking this to resolution (vuxml + mfh).

Kai has experience with QA'ing the last Pillow update, and may be able to provide advice on that
Comment 2 Thierry Thomas freebsd_committer 2021-04-24 13:26:41 UTC
Patch has been included.
Comment 3 Thierry Thomas freebsd_committer 2021-04-24 13:42:32 UTC
Created attachment 224400
Poudriere log.

Since you added "needs-qa", I'm attaching a poudriere log.
Comment 4 Thierry Thomas freebsd_committer 2021-04-24 13:43:23 UTC
Remove needs-qa.

BTW, I modified the test target and its dependencies, and all tests pass.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-25 00:08:45 UTC
(In reply to Thierry Thomas from comment #2)

 - needs-patch is/was for VuXML.
 - While I lean towards OPTIONS enabled by default, XCB / RAQM are pretty heavy. Should they be default?
 - The main QA consideration is reverse dependents (in particular those ports with <X in their dep lines). If ports don't declare/reflect the max version (and tons don't), these will fail at run time.
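The check described in the last bullet, as an added example that is not part of this bug report, of the py-pillow port or of the ports framework: parse `*_DEPENDS`-style lines of the form `pkgname>=lo<hi:origin@flavor`, and report every line whose version spec the new 8.2.0 no longer satisfies. The dependency lines below are constructed for the illustration (the bounds are invented, not taken from any real port), and the version comparator is a deliberate simplification that only compares dotted numeric components; pkg(8)'s real ordering also understands `_N` PORTREVISION and `,N` PORTEPOCH suffixes.

```python
import re
from typing import List, Tuple

# Constructed sample lines in the shape FreeBSD ports use for RUN_DEPENDS:
# pkgname, optional version spec, ':', origin, optional '@flavor'.
# The bounds are invented for this illustration.
SAMPLE_DEP_LINES = [
    "${PYTHON_PKGNAMEPREFIX}pillow>=7.0:graphics/py-pillow@${PY_FLAVOR}",
    "${PYTHON_PKGNAMEPREFIX}pillow>=6.2<8.1:graphics/py-pillow@${PY_FLAVOR}",
    "${PYTHON_PKGNAMEPREFIX}pillow>=8.0<9:graphics/py-pillow@${PY_FLAVOR}",
    "${PYTHON_PKGNAMEPREFIX}pillow>0<=8.1.2:graphics/py-pillow@${PY_FLAVOR}",
    "${PYTHON_PKGNAMEPREFIX}pillow==8.1.0:graphics/py-pillow@${PY_FLAVOR}",
    "${PYTHON_PKGNAMEPREFIX}pillow:graphics/py-pillow@${PY_FLAVOR}",
]

# pkgname up to the first comparison operator or ':', then the spec, then origin.
_LINE_RE = re.compile(r"^(?P<pkg>[^<>=!:]+)(?P<spec>[^:]*):(?P<origin>[^@\s]+)")
# One comparison clause: operator followed by a version string.
_CLAUSE_RE = re.compile(r"(>=|<=|==|!=|>|<)([0-9][0-9A-Za-z._]*)")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified comparator (assumption): numeric dotted components only.

    Trailing zeros are dropped so that 8.2 and 8.2.0 compare equal.
    Real pkg_version(8) ordering also handles _N and ,N suffixes; this
    illustration does not.
    """
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_dep_line(line: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a dependency line into (pkgname, [(op, version), ...], origin)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ports dependency line: {line!r}")
    clauses = _CLAUSE_RE.findall(m.group("spec"))
    return m.group("pkg"), clauses, m.group("origin")


def satisfies(version: str, clauses: List[Tuple[str, str]]) -> bool:
    """True when 'version' meets every clause; an empty spec accepts anything."""
    key = version_key(version)
    return all(_OPS[op](key, version_key(bound)) for op, bound in clauses)


def find_breaking_deps(new_version: str, dep_lines: List[str],
                       origin: str = "graphics/py-pillow") -> List[str]:
    """Return the lines depending on 'origin' that 'new_version' would not satisfy.

    A port whose dep line has an upper bound below the new version would
    still build against the old package metadata but fail at run time.
    """
    broken = []
    for line in dep_lines:
        _pkg, clauses, dep_origin = parse_dep_line(line)
        if dep_origin != origin:
            continue
        if not satisfies(new_version, clauses):
            broken.append(line)
    return broken


if __name__ == "__main__":
    for line in find_breaking_deps("8.2.0", SAMPLE_DEP_LINES):
        print("would fail at run time:", line)
```

On a real tree the dep lines would come from `grep -r 'graphics/py-pillow' /usr/ports/*/*/Makefile`, and the comparator should be replaced by `pkg version -t` rather than trusting the numeric shortcut above for anything carrying PORTREVISION or PORTEPOCH suffixes.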
Comment 6 commit-hook freebsd_committer 2021-05-12 10:10:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8

commit b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-12 08:37:22 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-12 10:09:17 +0000

    security/vuxml: add vulnerabilities fixed in 8.2.0

    PR:             255361

 security/vuxml/vuln.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-13 00:46:06 UTC
@Thierry To be explicit, this is reassign/clear to commit pending QA (comment 5)

If you need help, @dbaio may be able to assist
Comment 8 Thierry Thomas freebsd_committer 2021-05-13 20:08:13 UTC
(In reply to Kubilay Kocak from comment #5)

It does not break the dependent ports.
Comment 9 Thierry Thomas freebsd_committer 2021-05-13 20:09:10 UTC
Committed, thanks!
Comment 10 commit-hook freebsd_committer 2021-05-13 20:10:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=553bcea9dbe91208a9c8bf265e0d8e1172094ffe

commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 20:05:25 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

    - Security fixes described at
    <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

    - Since I'm there, add newer optional dependencies.

    Security:       CVE-2021-25287
    Security:       CVE-2021-25288
    Security:       CVE-2021-28675
    Security:       CVE-2021-28676
    Security:       CVE-2021-28677
    Security:       CVE-2021-28678

    PR:             255361
    Approved by:    koobs (maintainer)

 graphics/py-pillow/Makefile | 23 ++++++++++++++++-------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 19 insertions(+), 10 deletions(-)
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-14 00:10:30 UTC
^Triage: Re-open pending MFH