Merge lp:~noskcaj/ubuntu/trusty/pillow/2.3.1 into lp:ubuntu/trusty/pillow

Proposed by Jackson Doak
Status: Needs review
Proposed branch: lp:~noskcaj/ubuntu/trusty/pillow/2.3.1
Merge into: lp:ubuntu/trusty/pillow
Diff against target: 264 lines (+57/-19)
15 files modified
.pc/no-lib64-hack.diff/setup.py (+1/-1)
.pc/toplevel-setup.py/setup.py (+1/-1)
.travis.yml (+1/-1)
CHANGES.rst (+5/-0)
PIL/EpsImagePlugin.py (+2/-1)
PIL/Image.py (+6/-3)
PIL/IptcImagePlugin.py (+2/-2)
PIL/JpegImagePlugin.py (+8/-4)
PIL/__init__.py (+1/-1)
PKG-INFO (+6/-1)
Pillow.egg-info/PKG-INFO (+6/-1)
_imaging.c (+1/-1)
debian/changelog (+15/-0)
debian/control (+1/-1)
setup.py (+1/-1)
To merge this branch: bzr merge lp:~noskcaj/ubuntu/trusty/pillow/2.3.1
Reviewer Review Type Date Requested Status
Sebastien Bacher Needs Information
Review via email: mp+212247@code.launchpad.net

Description of the change

New upstream bugfix release (CVE fix, nothing else)

Sebastien Bacher (seb128) wrote:

Thanks, could you give a URL to download the upstream tarball? The source has no watch file nor upstream URL in the control

review: Needs Information
Jackson Doak (noskcaj) wrote:

https://pypi.python.org/pypi/Pillow/2.3.1

On Mon, Mar 31, 2014 at 10:22 PM, Sebastien Bacher <email address hidden> wrote:

> Review: Needs Information
>
> Thanks, could you give an url to download the upstream tarball? The source
> has no watch file nor upstream url in the control
> --
>
> https://code.launchpad.net/~noskcaj/ubuntu/trusty/pillow/2.3.1/+merge/212247
> You are the owner of lp:~noskcaj/ubuntu/trusty/pillow/2.3.1.
>

Unmerged revisions

13. By Jackson Doak

* New upstream release.
  - Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)

12. By Jackson Doak

* Merge with Debian; remaining changes:
  - Provide transitional packages.
* Build for python 3.4.

Preview Diff

1=== modified file '.pc/no-lib64-hack.diff/setup.py'
2--- .pc/no-lib64-hack.diff/setup.py 2014-02-04 15:02:06 +0000
3+++ .pc/no-lib64-hack.diff/setup.py 2014-03-21 21:22:46 +0000
4@@ -85,7 +85,7 @@
5
6
7 NAME = 'Pillow'
8-VERSION = '2.3.0'
9+VERSION = '2.3.1'
10 TCL_ROOT = None
11 JPEG_ROOT = None
12 ZLIB_ROOT = None
13
14=== modified file '.pc/toplevel-setup.py/setup.py'
15--- .pc/toplevel-setup.py/setup.py 2014-02-04 15:02:06 +0000
16+++ .pc/toplevel-setup.py/setup.py 2014-03-21 21:22:46 +0000
17@@ -85,7 +85,7 @@
18
19
20 NAME = 'Pillow'
21-VERSION = '2.3.0'
22+VERSION = '2.3.1'
23 TCL_ROOT = None
24 JPEG_ROOT = None
25 ZLIB_ROOT = None
26
27=== modified file '.travis.yml'
28--- .travis.yml 2014-02-04 15:02:06 +0000
29+++ .travis.yml 2014-03-21 21:22:46 +0000
30@@ -10,7 +10,7 @@
31 - 3.2
32 - 3.3
33
34-install: "sudo apt-get -qq install libfreetype6-dev liblcms2-dev libwebp-dev python-qt4 ghostscript""
35+install: "sudo apt-get -qq install libfreetype6-dev liblcms2-dev libwebp-dev python-qt4 ghostscript"
36
37 script:
38 - python setup.py clean
39
40=== modified file 'CHANGES.rst'
41--- CHANGES.rst 2014-02-04 15:02:06 +0000
42+++ CHANGES.rst 2014-03-21 21:22:46 +0000
43@@ -1,6 +1,11 @@
44 Changelog (Pillow)
45 ==================
46
47+2.3.1 (2014-03-14)
48+------------------
49+- Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)
50+ [wiredfool]
51+
52 2.3.0 (2014-01-01)
53 ------------------
54
55
56=== modified file 'PIL/EpsImagePlugin.py'
57--- PIL/EpsImagePlugin.py 2014-02-04 15:02:06 +0000
58+++ PIL/EpsImagePlugin.py 2014-03-21 21:22:46 +0000
59@@ -67,7 +67,8 @@
60
61 import tempfile, os, subprocess
62
63- file = tempfile.mktemp()
64+ out_fd, file = tempfile.mkstemp()
65+ os.close(out_fd)
66
67 # Build ghostscript command
68 command = ["gs",
69
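Review bot: closing `out_fd` immediately and handing only the path to ghostscript is acceptable in this hunk, because `mkstemp` has already created `file` exclusively with mode 0600, which is what removes the symlink race `mktemp` allowed; gs then opens an existing file we own. Two things to confirm outside the visible lines: that `file` is unlinked in a `finally` once gs has run, and that it is passed to gs as its own argv entry rather than interpolated into a shell string.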
70=== modified file 'PIL/Image.py'
71--- PIL/Image.py 2014-02-04 15:02:06 +0000
72+++ PIL/Image.py 2014-03-21 21:22:46 +0000
73@@ -495,14 +495,17 @@
74 self.readonly = 0
75
76 def _dump(self, file=None, format=None):
77- import tempfile
78+ import tempfile, os
79 if not file:
80- file = tempfile.mktemp()
81+ f, file = tempfile.mkstemp(format or '')
82+ os.close(f)
83+
84 self.load()
85 if not format or format == "PPM":
86 self.im.save_ppm(file)
87 else:
88- file = file + "." + format
89+ if file.endswith(format):
90+ file = file + "." + format
91 self.save(file, format)
92 return file
93
94
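Review bot: the `if file.endswith(format):` check is inverted; as written `"." + format` is appended exactly when the name already ends with `format` and skipped when it does not. Combined with `mkstemp(format or '')`, which already uses `format` as the suffix, `_dump(format="PNG")` creates `/tmp/tmpXXXXPNG`, then saves to `/tmp/tmpXXXXPNG.PNG` and leaves the empty mkstemp file behind, while a caller-supplied `file` without the suffix gets none. Use `if not file.endswith(format):`, or better pass `'.' + format` as the mkstemp suffix and drop the rename so the path written is the one that was created exclusively.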
95=== modified file 'PIL/IptcImagePlugin.py'
96--- PIL/IptcImagePlugin.py 2014-02-04 15:02:06 +0000
97+++ PIL/IptcImagePlugin.py 2014-03-21 21:22:46 +0000
98@@ -172,8 +172,8 @@
99 self.fp.seek(offset)
100
101 # Copy image data to temporary file
102- outfile = tempfile.mktemp()
103- o = open(outfile, "wb")
104+ o_fd, outfile = tempfile.mkstemp(text=False)
105+ o = os.fdopen(o_fd)
106 if encoding == "raw":
107 # To simplify access to the extracted file,
108 # prepend a PPM header
109
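Review bot: `o = os.fdopen(o_fd)` opens the descriptor in the default read-only text mode, but the line it replaces opened `outfile` with `"wb"` and the code below writes image data to `o`, so the first write will raise. It should be `o = os.fdopen(o_fd, "wb")`. Minor: `text=False` is already mkstemp's default, and this module now needs `import os`, which is not visible in the hunk.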
110=== modified file 'PIL/JpegImagePlugin.py'
111--- PIL/JpegImagePlugin.py 2013-11-11 23:48:20 +0000
112+++ PIL/JpegImagePlugin.py 2014-03-21 21:22:46 +0000
113@@ -344,13 +344,17 @@
114 # ALTERNATIVE: handle JPEGs via the IJG command line utilities
115
116 import tempfile, os
117- file = tempfile.mktemp()
118- os.system("djpeg %s >%s" % (self.filename, file))
119+ f, path = tempfile.mkstemp()
120+ os.close(f)
121+ if os.path.exists(self.filename):
122+ os.system("djpeg '%s' >'%s'" % (self.filename, path))
123+ else:
124+ raise ValueError("Invalid Filename")
125
126 try:
127- self.im = Image.core.open_ppm(file)
128+ self.im = Image.core.open_ppm(path)
129 finally:
130- try: os.unlink(file)
131+ try: os.unlink(path)
132 except: pass
133
134 self.mode = self.im.mode
135
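Review bot: single-quoting the names does not make `os.system` safe; the string is still parsed by a shell, `self.filename` is caller-controlled, and the `os.path.exists` check does not exclude a filename containing a single quote (such a file can exist), so it still breaks out of the quoting. Use an argv list and the descriptor mkstemp already returned, e.g. `subprocess.call(["djpeg", self.filename], stdout=f)` before closing `f`. Separately, `raise ValueError("Invalid Filename")` fires after `mkstemp` but before the `try/finally`, so the temp file leaks on that path; move the existence check ahead of `mkstemp`. The bare `except: pass` around `os.unlink` also swallows every error, not just a missing file.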
136=== modified file 'PIL/__init__.py'
137--- PIL/__init__.py 2014-02-04 15:02:06 +0000
138+++ PIL/__init__.py 2014-03-21 21:22:46 +0000
139@@ -12,7 +12,7 @@
140 # ;-)
141
142 VERSION = '1.1.7' # PIL version
143-PILLOW_VERSION = '2.3.0' # Pillow
144+PILLOW_VERSION = '2.3.1' # Pillow
145
146 _plugins = ['ArgImagePlugin',
147 'BmpImagePlugin',
148
149=== modified file 'PKG-INFO'
150--- PKG-INFO 2014-02-04 15:02:06 +0000
151+++ PKG-INFO 2014-03-21 21:22:46 +0000
152@@ -1,6 +1,6 @@
153 Metadata-Version: 1.1
154 Name: Pillow
155-Version: 2.3.0
156+Version: 2.3.1
157 Summary: Python Imaging Library (Fork)
158 Home-page: http://python-imaging.github.io/
159 Author: Alex Clark (fork author)
160@@ -29,6 +29,11 @@
161 Changelog (Pillow)
162 ==================
163
164+ 2.3.1 (2014-03-14)
165+ ------------------
166+ - Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)
167+ [wiredfool]
168+
169 2.3.0 (2014-01-01)
170 ------------------
171
172
173=== modified file 'Pillow.egg-info/PKG-INFO'
174--- Pillow.egg-info/PKG-INFO 2014-02-04 15:02:06 +0000
175+++ Pillow.egg-info/PKG-INFO 2014-03-21 21:22:46 +0000
176@@ -1,6 +1,6 @@
177 Metadata-Version: 1.1
178 Name: Pillow
179-Version: 2.3.0
180+Version: 2.3.1
181 Summary: Python Imaging Library (Fork)
182 Home-page: http://python-imaging.github.io/
183 Author: Alex Clark (fork author)
184@@ -29,6 +29,11 @@
185 Changelog (Pillow)
186 ==================
187
188+ 2.3.1 (2014-03-14)
189+ ------------------
190+ - Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)
191+ [wiredfool]
192+
193 2.3.0 (2014-01-01)
194 ------------------
195
196
197=== added directory 'Tests/icc'
198=== added file 'Tests/icc/CMY.icm'
199Binary files Tests/icc/CMY.icm 1970-01-01 00:00:00 +0000 and Tests/icc/CMY.icm 2014-03-21 21:22:46 +0000 differ
200=== added file 'Tests/icc/YCC709.icm'
201Binary files Tests/icc/YCC709.icm 1970-01-01 00:00:00 +0000 and Tests/icc/YCC709.icm 2014-03-21 21:22:46 +0000 differ
202=== added file 'Tests/icc/sRGB.icm'
203Binary files Tests/icc/sRGB.icm 1970-01-01 00:00:00 +0000 and Tests/icc/sRGB.icm 2014-03-21 21:22:46 +0000 differ
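Review bot: three binary ICC profiles are added under Tests/icc while the proposal description says the upload is "CVE fix, nothing else"; confirm they come from the 2.3.1 upstream tarball (and that their licensing is covered in debian/copyright if they are shipped), and mention them in debian/changelog if they are not upstream.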
204=== modified file '_imaging.c'
205--- _imaging.c 2014-02-04 15:02:06 +0000
206+++ _imaging.c 2014-03-21 21:22:46 +0000
207@@ -71,7 +71,7 @@
208 * See the README file for information on usage and redistribution.
209 */
210
211-#define PILLOW_VERSION "2.3.0"
212+#define PILLOW_VERSION "2.3.1"
213
214 #include "Python.h"
215
216
217=== modified file 'debian/changelog'
218--- debian/changelog 2014-02-04 14:51:27 +0000
219+++ debian/changelog 2014-03-21 21:22:46 +0000
220@@ -1,3 +1,18 @@
221+pillow (2.3.1-0ubuntu1) trusty; urgency=medium
222+
223+ * Merge with Debian; remaining changes:
224+ - Provide transitional packages.
225+ * New upstream release.
226+ - Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933)
227+
228+ -- Jackson Doak <noskcaj@ubuntu.com> Sat, 22 Mar 2014 07:55:09 +1100
229+
230+pillow (2.3.0-2) unstable; urgency=medium
231+
232+ * Build for python 3.4.
233+
234+ -- Matthias Klose <doko@debian.org> Wed, 12 Feb 2014 20:41:50 +0100
235+
236 pillow (2.3.0-1ubuntu1) trusty; urgency=medium
237
238 * Merge with Debian; remaining changes:
239
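Review bot: the 2.3.1-0ubuntu1 entry says "Merge with Debian" without naming the base; since the 2.3.0-2 entry is reproduced below it, write "Merge with Debian 2.3.0-2" so the merge base is recorded, and put the new-upstream bullet with the CVE ids first, as it is the reason for the upload.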
240=== modified file 'debian/control'
241--- debian/control 2014-02-04 14:51:27 +0000
242+++ debian/control 2014-03-21 21:22:46 +0000
243@@ -5,7 +5,7 @@
244 XSBC-Original-Maintainer: Matthias Klose <doko@debian.org>
245 Build-Depends: debhelper, tk-dev, dpkg-dev (>= 1.16.1~),
246 python-all-dev (>= 2.7.3-11~), python-all-dbg, python-setuptools,
247- python3-all-dev (>= 3.3), python3-all-dbg, python3-setuptools,
248+ python3-all-dev (>= 3.3.4), python3-all-dbg, python3-setuptools,
249 python-tk, python-tk-dbg, python3-tk, python3-tk-dbg (>= 3.3),
250 libsane-dev, libfreetype6-dev, libjpeg8-dev, zlib1g-dev, liblcms2-dev,
251 libwebp-dev
252
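Review bot: the `python3-all-dev` bump from `(>= 3.3)` to `(>= 3.3.4)` is not explained by any changelog bullet in this diff; if it comes from Debian's 2.3.0-2 ("Build for python 3.4") say so in the merge bullet, otherwise add one. Also `python3-tk-dbg` keeps `(>= 3.3)` on the next line while `python3-all-dev` moves to 3.3.4; check the two are meant to differ.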
253=== modified file 'setup.py'
254--- setup.py 2014-02-04 15:02:06 +0000
255+++ setup.py 2014-03-21 21:22:46 +0000
256@@ -92,7 +92,7 @@
257
258
259 NAME = 'Pillow'
260-VERSION = '2.3.0'
261+VERSION = '2.3.1'
262 TCL_ROOT = None
263 JPEG_ROOT = None
264 ZLIB_ROOT = None
