Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[22.05] python3Packages.pillow: add patch for CVE-2022-45198, test for CVE-2022-45199 #202062

Merged
merged 1 commit into from
Nov 27, 2022
Merged

[22.05] python3Packages.pillow: add patch for CVE-2022-45198, test for CVE-2022-45199 #202062

merged 1 commit into from
Nov 27, 2022

Conversation

risicle
Copy link
Contributor

@risicle risicle commented Nov 20, 2022
edited
Loading

Description of changes

https://nvd.nist.gov/vuln/detail/CVE-2022-45198

9.1.0 doesn't actually appear vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2022-45199, but I've included the test part of that patch anyway to "prove" as much.

Both already addressed in unstable.

Successfully built passthru.tests on indicated platforms.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@risicle risicle added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Nov 20, 2022
@risicle risicle changed the title python3Packages.pillow: add patch for CVE-2022-45198, test for CVE-2022-45199 [22.05] python3Packages.pillow: add patch for CVE-2022-45198, test for CVE-2022-45199 Nov 20, 2022
@risicle
Copy link
Contributor Author

risicle commented Nov 20, 2022

Oh forgot this needs to be staging-bound...

@risicle risicle force-pushed the ris-pillow-CVE-2022-45198-r22.05 branch from d4fe281 to e39f152 Compare November 20, 2022 17:32
@risicle risicle changed the base branch from release-22.05 to staging-22.05 November 20, 2022 17:32
@risicle
python3Packages.pillow: add patch for CVE-2022-45198, test for CVE-20…
4f441f3 
…22-45199

resurrect mechanism from 20.09 (17a7154)
to fetch binary parts of patches needed for tests.
@risicle risicle force-pushed the ris-pillow-CVE-2022-45198-r22.05 branch from e39f152 to 4f441f3 Compare November 20, 2022 17:33
@risicle risicle marked this pull request as ready for review November 20, 2022 20:55
@mweinelt mweinelt merged commit 1c9ac74 into NixOS:staging-22.05 Nov 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mweinelt mweinelt mweinelt left review comments

@cillianderoiste cillianderoiste Awaiting requested review from cillianderoiste

@prikhi prikhi Awaiting requested review from prikhi

@SuperSandro2000 SuperSandro2000 Awaiting requested review from SuperSandro2000

@FRidh FRidh Awaiting requested review from FRidh FRidh is a code owner

@jonringer jonringer Awaiting requested review from jonringer

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python 10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 2501-5000
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@risicle @mweinelt @SuperSandro2000