Bug 255361 - graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Summary: graphics/py-pillow: Update to 8.2.0 (fixes security vulnerabilities)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Po-Chuan Hsieh
URL: https://github.com/python-pillow/Pill...
Keywords: security
Depends on: 255360
Blocks:
Reported: 2021-04-24 10:23 UTC by Thierry Thomas
Modified: 2024-01-19 17:42 UTC (History)

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Upgrade py-pillow to 8.2.0 (4.00 KB, patch)
2021-04-24 10:23 UTC, Thierry Thomas
no flags
Poudriere log. (10.13 KB, application/x-bzip)
2021-04-24 13:42 UTC, Thierry Thomas
no flags
Patch for 2021Q2 without raqm (3.70 KB, patch)
2021-06-23 14:04 UTC, Thierry Thomas
thierry: maintainer-approval? (koobs)
Updated patch to upgrade to 9.0.0 (844 bytes, patch)
2022-01-08 15:35 UTC, George Mitchell
no flags
[patch] update graphics/py-pillow to 9.0.1 (979 bytes, patch)
2022-02-06 21:18 UTC, John Hein
jcfyecrayz: maintainer-approval? (koobs)

Description Thierry Thomas freebsd_committer freebsd_triage 2021-04-24 10:23:56 UTC
Created attachment 224398 [details]
Upgrade py-pillow to 8.2.0

- Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

- Security fixes described at <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

- Since I'm there, add newer optional dependencies.

Security: CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-24 10:29:03 UTC
Thanks for this Thierry

I'm not going to be able to commit this any time soon (svn->git migration), so would appreciate someone to take this to resolution (vuxml + mfh)

Kai has experience with QA'ing the last Pillow update, and may be able to provide advice on that
Comment 2 Thierry Thomas freebsd_committer freebsd_triage 2021-04-24 13:26:41 UTC
Patch has been included.
Comment 3 Thierry Thomas freebsd_committer freebsd_triage 2021-04-24 13:42:32 UTC
Created attachment 224400 [details]
Poudriere log.

Since you added "needs-qa" I'm joining a poudriere log.
Comment 4 Thierry Thomas freebsd_committer freebsd_triage 2021-04-24 13:43:23 UTC
Remove needs-qa.

BTW, I modified the test target and its dependencies, and all tests pass.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-04-25 00:08:45 UTC
(In reply to Thierry Thomas from comment #2)

 - needs-patch is/was for VuXML
 - While I lean towards OPTIONS enabled by default, XCB / RACQ are pretty heavy. Should they be default?
 - Main QA consideration is reverse dependents (in particular those ports with <X in their dep lines). If ports don't declare/reflect the max version (and tons don't), these will fail at run time.
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-05-12 10:10:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8

commit b1fa93c1a77c2d06b6c80cd4dc4ec6105e2f06d8
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-12 08:37:22 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-12 10:09:17 +0000

    security/vuxml: add vulnerabilities fixed in 8.2.0

    PR:             255361

 security/vuxml/vuln.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-13 00:46:06 UTC
@Thierry To be explicit, this is reassign/clear to commit pending QA (comment 5)

If you need help, @dbaio may be able to assist
Comment 8 Thierry Thomas freebsd_committer freebsd_triage 2021-05-13 20:08:13 UTC
(In reply to Kubilay Kocak from comment #5)

It does not break the dependent ports.
Comment 9 Thierry Thomas freebsd_committer freebsd_triage 2021-05-13 20:09:10 UTC
Committed, thanks!
Comment 10 commit-hook freebsd_committer freebsd_triage 2021-05-13 20:10:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=553bcea9dbe91208a9c8bf265e0d8e1172094ffe

commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 20:05:25 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

    - Security fixes described at
    <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

    - Since I'm there, add newer optional dependencies.

    Security:       CVE-2021-25287
    Security:       CVE-2021-25288
    Security:       CVE-2021-28675
    Security:       CVE-2021-28676
    Security:       CVE-2021-28677
    Security:       CVE-2021-28678

    PR:             255361
    Approved by:    koobs (maintainer)

 graphics/py-pillow/Makefile | 23 ++++++++++++++++-------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 19 insertions(+), 10 deletions(-)
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-14 00:10:30 UTC
^Triage: Re-open pending MFH
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-21 03:41:04 UTC
@Thierry has this been merged?
Comment 13 Thierry Thomas freebsd_committer freebsd_triage 2021-06-21 15:17:13 UTC
(In reply to Kubilay Kocak from comment #12)

I don't think so, but don't hesitate to MFH it.

Warning: it should be MFH together with libraqm:

https://cgit.freebsd.org/ports/commit/?id=0ac1997e2f6fdda0e8442a2deef01dadf0089da1
and
https://cgit.freebsd.org/ports/commit/?id=dfe43fda12c875be6dc302e0ae7cbafc6be22c20
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-22 02:38:33 UTC
(In reply to Thierry Thomas from comment #13)

I don't have a git env ready for ports work yet. If you can take care of it that would be great.

Otherwise Danilo or ports-secteam may have cycles. Are those two commits the complete set that require merging?
Comment 15 Thierry Thomas freebsd_committer freebsd_triage 2021-06-23 14:04:54 UTC
Created attachment 226012 [details]
Patch for 2021Q2 without raqm

To simplify, I suggest the attached patch: this is the MFH, but raqm is disabled by force.

Unfortunately, I have no machine with Python-3.7 to test it.
Comment 16 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-26 02:15:09 UTC
(In reply to Thierry Thomas from comment #15)

Disable RAQM because it's a new feature and dependency in the main commit? If so this looks fine to merge. You're lead on this having resolved the issue (and thank you)
Comment 17 commit-hook freebsd_committer freebsd_triage 2021-06-26 16:07:20 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0d89189719750ec21a542236de9611791ac08713

commit 0d89189719750ec21a542236de9611791ac08713
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-04-24 10:10:42 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-26 16:05:24 +0000

    graphics/py-pillow: upgrade to 8.2.0 + fix vulnerabilities

    - Release notes at <https://github.com/python-pillow/Pillow/releases/tag/8.2.0>

    - Security fixes described at
    <https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1>

    - Since I'm there, add newer optional dependencies.

    Security:       CVE-2021-25287
    Security:       CVE-2021-25288
    Security:       CVE-2021-28675
    Security:       CVE-2021-28676
    Security:       CVE-2021-28677
    Security:       CVE-2021-28678

    PR:             255361
    Approved by:    koobs (maintainer)

    (cherry picked from commit 553bcea9dbe91208a9c8bf265e0d8e1172094ffe but
    disable RAQM)

 graphics/py-pillow/Makefile | 21 +++++++++++++--------
 graphics/py-pillow/distinfo |  6 +++---
 2 files changed, 16 insertions(+), 11 deletions(-)
Comment 18 Thierry Thomas freebsd_committer freebsd_triage 2021-06-26 16:34:58 UTC
Committed, thanks!
Comment 19 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-27 01:21:28 UTC
Getting pkg-fallout on quarterly after merge:

=======================<phase: configure      >============================
===>  Configuring for py37-pillow-8.2.0
running config
===========================================================================
=======================<phase: build          >============================
===>  Building for py37-pillow-8.2.0
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: option --disable-raqm not recognized
*** Error code 1
Comment 20 Thierry Thomas freebsd_committer freebsd_triage 2021-06-27 14:33:32 UTC
Sorry, I do not understand:

- on the branch main, with the default Python 3.8, when the option RAQM is deselected, we have

$ make -V PYDISTUTILS_BUILDARGS
--enable-freetype --enable-jpeg --enable-jpeg2000 --enable-lcms --enable-zlib --disable-raqm --enable-tiff --include-dirs=/usr/local/include/tcl8.6:/usr/local/include/tk8.6 --enable-webp --enable-webpmux --enable-xcb saveopts

and pillow is built without raqm as expected.

- what could differ on 2021Q2 so that this option gets unrecognized?
Comment 21 Kai Knoblich freebsd_committer freebsd_triage 2021-06-27 17:07:47 UTC
(In reply to Thierry Thomas from comment #20)

It seems that the order of the options is important. Applying the following fix should remedy the issue:

> -PYDISTUTILS_BUILDARGS+=                saveopts --disable-raqm
> +PYDISTUTILS_BUILDARGS+=                --disable-raqm saveopts
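Review bot: the reordering is the right fix, and the usage line quoted in comment 19 (`setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]`) explains why: every option is attached to the command word that precedes it, so in `saveopts --disable-raqm` the flag is handed to `saveopts`, which rejects it with `option --disable-raqm not recognized`; putting `--disable-raqm` before `saveopts` keeps it with the build options, as on main (comment 20). A one-line comment in the Makefile saying that options must precede `saveopts` would stop a future merge from reordering it again.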
Comment 22 commit-hook freebsd_committer freebsd_triage 2021-06-27 17:24:23 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae162bd989359e2e599a2b9cb58da87bdec05fab

commit ae162bd989359e2e599a2b9cb58da87bdec05fab
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-06-27 17:19:56 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-06-27 17:19:56 +0000

    graphics/py-pillow: fix build

    As koobs@ reported, my previous commit was bad:

    error: option --disable-raqm not recognized

    PR:             255361
    Reported by:    kai@

 graphics/py-pillow/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
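To make the failure in comment 19 and the fix in comments 21 and 22 concrete, here is an added example (not code from the bug report, Pillow, or the ports tree) that models how a setup.py command line is split into commands and their options. It assumes the ports framework puts a `build_ext` command in front of PYDISTUTILS_BUILDARGS and uses a constructed, simplified option table; only Pillow's `--enable-*`/`--disable-*` feature flags are modelled.

```python
# Added example, not from the bug or the ports tree: a minimal model of the
# distutils/setuptools rule shown in the usage text of comment 19,
#   setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
# Every option is bound to the command word that precedes it, which is why
# "saveopts --disable-raqm" fails and "--disable-raqm saveopts" works.
from typing import Dict, List, Set

# Constructed, simplified table of option prefixes each command accepts.
# The real command classes accept more; this is enough to show the failure.
KNOWN_OPTIONS: Dict[str, Set[str]] = {
    "build_ext": {"--enable-", "--disable-", "--include-dirs"},
    "saveopts": set(),  # saveopts knows none of Pillow's feature flags
}


def split_commands(argv: List[str], first_cmd: str) -> Dict[str, List[str]]:
    """Group options under the command word that precedes them.

    first_cmd models the command the ports framework places before
    PYDISTUTILS_BUILDARGS (assumed here to be build_ext).
    """
    grouped: Dict[str, List[str]] = {first_cmd: []}
    current = first_cmd
    for arg in argv:
        if arg.startswith("-"):
            grouped[current].append(arg)
        else:
            current = arg
            grouped.setdefault(current, [])
    return grouped


def unrecognized(argv: List[str], first_cmd: str = "build_ext") -> List[str]:
    """Return distutils-style 'option X not recognized' messages, if any."""
    errors: List[str] = []
    for cmd, opts in split_commands(argv, first_cmd).items():
        allowed = KNOWN_OPTIONS.get(cmd, set())
        for opt in opts:
            if not any(opt.startswith(prefix) for prefix in allowed):
                name = opt.split("=", 1)[0]
                errors.append(f"option {name} not recognized ({cmd})")
    return errors


if __name__ == "__main__":
    # The 2021Q2 ordering from comment 19 versus the fix from comment 21.
    broken = "--enable-freetype saveopts --disable-raqm".split()
    fixed = "--enable-freetype --disable-raqm saveopts".split()
    print(unrecognized(broken))  # ['option --disable-raqm not recognized (saveopts)']
    print(unrecognized(fixed))   # []
```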
Comment 23 George Mitchell 2022-01-08 15:35:21 UTC
Created attachment 230821 [details]
Updated patch to upgrade to 9.0.0

Version 9.0.0 has been released upstream.  I've attached a proposed patch that seems to work.
Comment 24 Thierry Thomas freebsd_committer freebsd_triage 2022-01-08 15:45:39 UTC
Assign to the maintainer.
Comment 25 John Hein 2022-02-06 21:18:42 UTC
Created attachment 231589 [details]
[patch] update graphics/py-pillow to 9.0.1

(In reply to george from comment #23)
9.0.1 was released Feb 2, and it addresses a couple more CVEs.

Currently graphics/py-pillow (still at 8.2.0) is failing to build because of security vulnerabilities (see Dec 27, 2021, vuxml commit ports/4019e413fc137877e4e4cd60ec01f19be4deb028). Jan 25, 2022, PORTREVISION bump is triggering rebuild attempts for any systems that had py-pillow installed before the vuxml change.

Attached patch updates to 9.0.1

QA:
 - poudriere testport (ok)
 - portlint / portclippy (ok, no errors, no new warnings / suggestions)
 - make test (ok)
Comment 26 lbfoo 2022-02-19 03:40:42 UTC
On freebsd13-p7, when running make install for the py38-pillow port, it reminds me:

py38-pillow-8.2.0_1 is vulnerable:
  Pillow -- Regular Expression Denial of Service (ReDoS)
  CVE: CVE-2021-23437
  WWW: https://vuxml.FreeBSD.org/freebsd/ed8a4215-675c-11ec-8dd4-a0f3c100ae18.html

1 problem(s) in 1 installed package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Comment 27 Rene Ladan freebsd_committer freebsd_triage 2022-03-07 19:55:13 UTC
Maintainer reset.
Comment 28 Mark Linimon freebsd_committer freebsd_triage 2024-01-19 15:41:23 UTC
^Triage: assign to current maintainer.
Comment 29 George Mitchell 2024-01-19 17:42:40 UTC
It seems to me that this bug should be closed as fixed, overcome by events, since the current version of py-pillow in the ports tree is version 10.0.1. But apparently I don't have permission to close the bug.