Message ID | 20220601122527.19987-1-ranjitsinhrathod1991@gmail.com |
---|---|
State | New |
Series | [meta-python,dunfell,1/9] python3-pillow: Upgrade 6.2.1 -> 7.2.0 |
On 6/1/22 05:25, Ranjitsinh Rathod wrote:
> From: Leon Anavi <leon.anavi@konsulko.com>
>
> Upgrade to release 7.2.0:
>
> - Do not convert I;16 images when showing PNGs
> - Fixed ICNS file pointer saving
> - Fixed loading non-RGBA mode APNGs with dispose background
> - Deprecated _showxv
> - Deprecate Image.show(command="...")
> - Updated JPEG magic number
> - Change STRIPBYTECOUNTS to LONG if necessary when saving
> - Write JFIF header when saving JPEG
> - Replaced tiff_jpeg with jpeg compression when saving TIFF images
> - Writing TIFF tags: improved BYTE, added UNDEFINED
> - Consider transparency when pasting text on an RGBA image
> - Added method argument to single frame WebP saving
> - Use ImageFileDirectory_v2 in Image.Exif
> - Corrected reading EXIF metadata without prefix
> - Fixed drawing a jointed line with a sequence of numeric values
> - Added support for 1-D NumPy arrays
> - Parse orientation from XMP tags
> - Speed up text layout by not rendering glyphs
> - Fixed ZeroDivisionError in Image.thumbnail
> - Replaced TiffImagePlugin DEBUG with logging
> - Fix repeatedly loading .gbr
> - JPEG: Truncate icclist instead of setting to None
> - Fixes default offset for Exif
> - Fixed bug when unpickling TIFF images
> - Fix pickling WebP
> - Replace IOError and WindowsError aliases with OSError

This appears to be more than a bug fix only update. This series of changes are not suited for a stable release.

Thanks for thinking about this LTS release.

-armin

>
> License-Update: Word wrap and updated copyright year.
>
> Conflicts:
> meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb
> Conflicts due to extra parameter protocol=https in SRC_URI
>
> Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
> Acked-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> (cherry picked from commit 995fc86b298d5b09fdd6288b9e9f4211feea3b18)
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> > --- > .../0001-explicitly-set-compile-options.patch | 19 +++++++++++-------- > ...illow_6.2.1.bb => python3-pillow_7.2.0.bb} | 6 +++--- > 2 files changed, 14 insertions(+), 11 deletions(-) > rename meta-python/recipes-devtools/python/{python3-pillow_6.2.1.bb => python3-pillow_7.2.0.bb} (78%) > > diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch > index 35aee42145..005fea5c66 100644 > --- a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch > +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch > @@ -1,6 +1,6 @@ > -From 862a981ce462cd83a99e3db9faeeda1f8c64983f Mon Sep 17 00:00:00 2001 > -From: Hongxu Jia <hongxu.jia@windriver.com> > -Date: Mon, 18 Mar 2019 23:23:55 -0400 > +From 27bfa4028453dc79a72569823e97da8fd1994ffc Mon Sep 17 00:00:00 2001 > +From: Leon Anavi <leon.anavi@konsulko.com> > +Date: Tue, 1 Sep 2020 11:53:53 +0000 > Subject: [PATCH] explicitly set compile options > > OE does not support to install egg package, so > @@ -10,19 +10,19 @@ explicitly set build_ext options for oe-core's > Upstream-Status: Inappropriate [oe specific] > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > - > +Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> > --- > setup.cfg | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/setup.cfg b/setup.cfg > -index 1c6ebc84..1ccc3d69 100644 > +index 19979cf7..ed27dfe1 100644 > --- a/setup.cfg > +++ b/setup.cfg > -@@ -13,3 +13,15 @@ multi_line_output = 3 > - > +@@ -11,3 +11,15 @@ multi_line_output = 3 > [tool:pytest] > - addopts = -rs > + addopts = -ra --color=yes > + testpaths = Tests > + > +[build_ext] > +disable-platform-guessing = 1 
> @@ -35,3 +35,6 @@ index 1c6ebc84..1ccc3d69 100644 > +disable-webp = 1 > +disable-webpmux = 1 > +disable-imagequant = 1 > +-- > +2.17.1 > + > diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb > similarity index 78% > rename from meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb > rename to meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb > index 80b7e941ae..28aaff8060 100644 > --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb > +++ b/meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb > @@ -3,13 +3,13 @@ Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and \ > Contributors." > HOMEPAGE = "https://pillow.readthedocs.io" > LICENSE = "MIT" > -LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89" > +LIC_FILES_CHKSUM = "file://LICENSE;md5=ea2dc3f5611e69058503d4b940049d03" > > -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \ > +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=7.2.x;protocol=https \ > file://0001-support-cross-compiling.patch \ > file://0001-explicitly-set-compile-options.patch \ > " > -SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" > +SRCREV ?= "2bd74943fb9f320def6c066e732b701d1c15f677" > > > inherit setuptools3
Hi Armin,

I understand that we are not upgrading versions on the LTS branch, but this series of upgrades fixing the below CVEs.

CVE-2019-19911 CVE-2020-10177 CVE-2020-10378 CVE-2020-10379 CVE-2020-10994
CVE-2020-11538 CVE-2020-35653 CVE-2020-35654 CVE-2020-35655 CVE-2020-5310
CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 CVE-2021-23437 CVE-2021-25287
CVE-2021-25288 CVE-2021-25289 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292
CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675
CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 CVE-2021-34552 CVE-2022-22815
CVE-2022-22816 CVE-2022-22817 CVE-2022-24303

To solve these many CVEs by applying a patch would be really tough and maintaining patches too. What is your opinion here?

Thanks,
Ranjitsinh Rathod
CVE-2019-19911 CVE-2020-10177 CVE-2020-10378 CVE-2020-10379 CVE-2020-10994
CVE-2020-11538 CVE-2020-35653 CVE-2020-35654 CVE-2020-35655 CVE-2020-5310
CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 CVE-2021-23437 CVE-2021-25287
CVE-2021-25288 CVE-2021-25289 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292
CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675
CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 CVE-2021-34552 CVE-2022-22815
CVE-2022-22816 CVE-2022-22817 CVE-2022-24303

above is the exact CVE list.

Thanks,
Ranjitsinh Rathod
What changes are there in new version? Is there anything of concern? Sometimes we may be fine to bump a revision if it only contains smaller fixes

On Wed, Jun 1, 2022 at 11:30 PM Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> wrote:

> Hi Armin,
>
> I understand that we are not upgrading versions on the LTS branch, but
> this series of upgrades fixing the below CVEs.
>
> CVE-2019-19911 CVE-2020-10177 CVE-2020-10378 CVE-2020-10379 CVE-2020-10994
> CVE-2020-11538 CVE-2020-35653 CVE-2020-35654 CVE-2020-35655 CVE-2020-5310
> CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 CVE-2021-23437 CVE-2021-25287
> CVE-2021-25288 CVE-2021-25289 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292
> CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675
> CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 CVE-2021-34552 CVE-2022-22815
> CVE-2022-22816 CVE-2022-22817 CVE-2022-24303
>
> To solve these many CVEs by applying a patch would be really tough and
> maintaining patches too. What is your opinion here?
>
> Thanks,
> Ranjitsinh Rathod
>
> View/Reply Online (#97380): https://lists.openembedded.org/g/openembedded-devel/message/97380
Hi Khem,

I have sent the below patches for the upgrade python3-pillow to 9.0.1

https://lists.openembedded.org/g/openembedded-devel/message/97359
https://lists.openembedded.org/g/openembedded-devel/message/97360
https://lists.openembedded.org/g/openembedded-devel/message/97361
https://lists.openembedded.org/g/openembedded-devel/message/97362
https://lists.openembedded.org/g/openembedded-devel/message/97363
https://lists.openembedded.org/g/openembedded-devel/message/97364
https://lists.openembedded.org/g/openembedded-devel/message/97365
https://lists.openembedded.org/g/openembedded-devel/message/97366
https://lists.openembedded.org/g/openembedded-devel/message/97367

I have cherry-picked those from the master to fix all the CVEs mentioned in earlier thread. Also, each commit message has changelog included

$ git log origin/dunfell..upstream/master --oneline meta-python/recipes-devtools/python | grep "python3-pillow: "
91e1461a28 python3-pillow: upgrade 9.0.0 -> 9.0.1
b56940049d python3-pillow: fix wheel build
f41b3757dd python3-pillow: Upgrade 8.3.2 -> 9.0.0
4b9bceea4c python3-pillow: upgrade 8.3.1 -> 8.3.2
a5fc60071f python3-pillow: Upgrade 8.2.0 -> 8.3.1
0fc9235bbb python3-pillow: Upgrade 8.1.2 -> 8.2.0
bb0789998e python3-pillow: 8.1.0 -> 8.1.2
ae76da9210 python3-pillow: Upgrade 7.2.0 -> 8.1.0
995fc86b29 python3-pillow: Upgrade 6.2.1 -> 7.2.0

Thanks,
Ranjitsinh Rathod
diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch index 35aee42145..005fea5c66 100644 --- a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch @@ -1,6 +1,6 @@ -From 862a981ce462cd83a99e3db9faeeda1f8c64983f Mon Sep 17 00:00:00 2001 -From: Hongxu Jia <hongxu.jia@windriver.com> -Date: Mon, 18 Mar 2019 23:23:55 -0400 +From 27bfa4028453dc79a72569823e97da8fd1994ffc Mon Sep 17 00:00:00 2001 +From: Leon Anavi <leon.anavi@konsulko.com> +Date: Tue, 1 Sep 2020 11:53:53 +0000 Subject: [PATCH] explicitly set compile options OE does not support to install egg package, so @@ -10,19 +10,19 @@ explicitly set build_ext options for oe-core's Upstream-Status: Inappropriate [oe specific] Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> - +Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> --- setup.cfg | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/setup.cfg b/setup.cfg -index 1c6ebc84..1ccc3d69 100644 +index 19979cf7..ed27dfe1 100644 --- a/setup.cfg +++ b/setup.cfg -@@ -13,3 +13,15 @@ multi_line_output = 3 - +@@ -11,3 +11,15 @@ multi_line_output = 3 [tool:pytest] - addopts = -rs + addopts = -ra --color=yes + testpaths = Tests + +[build_ext] +disable-platform-guessing = 1 @@ -35,3 +35,6 @@ index 1c6ebc84..1ccc3d69 100644 +disable-webp = 1 +disable-webpmux = 1 +disable-imagequant = 1 +-- +2.17.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb similarity index 78% rename from meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb rename to meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb index 80b7e941ae..28aaff8060 100644 
--- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_7.2.0.bb @@ -3,13 +3,13 @@ Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and \ Contributors." HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ea2dc3f5611e69058503d4b940049d03" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=7.2.x;protocol=https \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ " -SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" +SRCREV ?= "2bd74943fb9f320def6c066e732b701d1c15f677" inherit setuptools3
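Review bot: In the first hunk of 0001-explicitly-set-compile-options.patch (@@ -1,6 +1,6 @@), the refresh replaces the carried patch's original "From: Hongxu Jia" and "Date: Mon, 18 Mar 2019" header lines with Leon Anavi's name and a 2020 date, although the [build_ext] section the patch adds appears only as unchanged context in this diff. That rewrites the authorship record of a locally carried patch. Keep the original From and Date lines and record the refresh only through the added Signed-off-by, as the second hunk already does, so the provenance of the patch stays auditable.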
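Review bot: The recipe hunk (python3-pillow_6.2.1.bb => python3-pillow_7.2.0.bb) switches SRC_URI to branch=7.2.x and changes SRCREV and the LICENSE md5, but the commit message carries only the upstream changelog and gives no security reason for taking a version bump on dunfell. If the upgrade is meant to address CVEs, name them in the commit message so the stable maintainer can weigh them against the non-bug-fix items in the same changelog, such as the deprecation of _showxv and of Image.show(command="...").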