[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199]. |
|
Date: |
Thu, 16 Mar 2023 12:30:07 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi,
Lars-Dominik Braun <lars@6xq.net> skribis:
>> Unless something has changed recently (possible, I haven't paid close
>> attention), yes, it's possible to graft Python packages.
> that was my feeling too. Attached is a patch that only applies the CVE
> fix. I’m not comfortable bumping Pillow to 9.3 just like that. We
> should re-build packages, so they can run their test-suites.
>
>> Additionally, we can attempt a rapid rebuilding of pillow's dependents,
>> perhaps along with a few other "ungrafting" changes. We are aiming to do the
>> graft->ungraft cycles more quickly than previously.
> Do we have a branch for that already?
There’s ‘core-updates’.
Like Leo proposed at the Guix Days (IIRC), you can apply the subsequent
ungrafting patch right away on ‘core-updates’ (I think Leo had something
even smarter in mind, I forgot the details).
>>From 3e8db92d186a272257319335fe2f131ee824238d Mon Sep 17 00:00:00 2001
> From: Lars-Dominik Braun <lars@6xq.net>
> Date: Sat, 11 Feb 2023 14:47:59 +0100
> Subject: [PATCH] gnu: python-pillow: Fix CVE-2022-45199.
>
> Fixes: <https://issues.guix.gnu.org/issue/61172>
>
> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable.
> (python-pillow): Add replacement.
> * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file.
> * gnu/local.mk: Register it.
LGTM, please push!
Thanks,
Ludo’.
- [bug#61172] [PATCH] gnu: python-pillow: Update to 9.3.0 [fixes CVE-2022-45199].,
Ludovic Courtès <=