Skip to content

fix CVE-2021-23437 in Pillow v7 and v8 + update to Pillow v8.3.2 in easyconfigs using a 2021b toolchain #14765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
boegel merged 2 commits into from
Jan 19, 2022
Merged

fix CVE-2021-23437 in Pillow v7 and v8 + update to Pillow v8.3.2 in easyconfigs using a 2021b toolchain #14765

boegel merged 2 commits into from
Jan 19, 2022

Conversation

@lexming
Copy link
Contributor

@lexming lexming commented Jan 18, 2022
edited
Loading

(created using eb --new-pr)

Fix for CVE-2021-23437 for recent versions of Pillow.

The fix landed upstream in version 8.3.2, therefore I propose to upgrade the version of Pillow in GCCcore/11.2.0 from 8.3.1 to 8.3.2.

For older toolchains we can backport the fix. This PR patches all Pillow easyconfigs since v7.0

@boegelbot

This comment has been minimized.

Sign in to view
@easybuilders easybuilders deleted a comment from boegelbot Jan 18, 2022
@easybuilders easybuilders deleted a comment from boegelbot Jan 18, 2022
@lexming
Copy link
Contributor Author

lexming commented Jan 18, 2022

@boegelbot: please test @ generoso

@boegelbot
Copy link
Collaborator

boegelbot commented Jan 18, 2022

@lexming: Request for testing this PR well received on login1

PR test command 'EB_PR=14765 EB_ARGS= /opt/software/slurm/bin/sbatch --job-name test_PR_14765 --ntasks=4 ~/boegelbot/eb_from_pr_upload_generoso.sh' executed!

  • exit code: 0
  • output:
Submitted batch job 7897

Test results coming soon (I hope)...

Details

- notification for comment with ID 1015693424 processed

Message to humans: this is just bookkeeping information for me,
it is of no use to you (unless you think I have a bug, which I don't).

@boegelbot
Copy link
Collaborator

boegelbot commented Jan 18, 2022

Test report by @boegelbot
SUCCESS
Build succeeded for 7 out of 7 (7 easyconfigs in total)
cns1 - Linux rocky linux 8.4, x86_64, Intel(R) Xeon(R) CPU E5-2667 v3 @ 3.20GHz (haswell), Python 3.6.8
See https://gist.github.com/5748ab680f528f5f0936d2389b60e196 for a full test report.

@SebastianAchilles SebastianAchilles added this to the 4.5.2 milestone Jan 18, 2022
@SebastianAchilles
Copy link
Member

SebastianAchilles commented Jan 18, 2022

Test report by @SebastianAchilles
SUCCESS
Build succeeded for 7 out of 7 (7 easyconfigs in total)
skylake-rocky8-eb - Linux rocky linux 8.5, x86_64, Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz (skylake), Python 3.6.8
See https://gist.github.com/0f709711b52ebe5b0a6ab065698966ac for a full test report.

@boegel boegel changed the title fix CVE-2021-23437 in Pillow v7 and v8 fix CVE-2021-23437 in Pillow v7 and v8 + update to Pillow v8.3.2 in easyconfigs using a 2021b toolchain Jan 18, 2022
boegel
boegel approved these changes Jan 18, 2022
View reviewed changes
Copy link
Member

@boegel boegel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@SebastianAchilles
Copy link
Member

SebastianAchilles commented Jan 18, 2022

Test report by @SebastianAchilles
SUCCESS
Build succeeded for 7 out of 7 (7 easyconfigs in total)
jsfc01.int.jusuf.sebastian.cluster - Linux rocky linux 8.4, x86_64, AMD EPYC 7742 64-Core Processor (zen2), Python 3.6.8
See https://gist.github.com/987fc2dcc288bd8f662e1f02964276ec for a full test report.

boegel
boegel approved these changes Jan 18, 2022
View reviewed changes
Copy link
Member

@boegel boegel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@boegel
Copy link
Member

boegel commented Jan 18, 2022

Test report by @boegel
SUCCESS
Build succeeded for 7 out of 7 (7 easyconfigs in total)
node3114.skitty.os - Linux centos linux 7.9.2009, x86_64, Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz (skylake_avx512), Python 3.6.8
See https://gist.github.com/752ffb5d6f063f987a112001b421ab94 for a full test report.

@lexming
Copy link
Contributor Author

lexming commented Jan 19, 2022

Test report by @lexming
SUCCESS
Build succeeded for 7 out of 7 (7 easyconfigs in total)
node306.hydra.os - Linux centos linux 7.9.2009, x86_64, Intel(R) Xeon(R) Gold 6148 CPU @ 2.40GHz, Python 2.7.5
See https://gist.github.com/8576ce833d87a716c8da19e6fd75f108 for a full test report.

@boegel
Copy link
Member

boegel commented Jan 19, 2022

Going in, thanks @lexming!

@boegel boegel merged commit 90c1099 into easybuilders:develop Jan 19, 2022
@lexming lexming deleted the 20220118180001_new_pr_Pillow700 branch January 19, 2022 08:30
@boegel boegel added the change label Jan 19, 2022
This was referenced Jan 19, 2022
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@boegel boegel boegel approved these changes

Assignees

No one assigned

Labels

bug fix change update

Projects

None yet

Milestone

4.5.2

Development

Successfully merging this pull request may close these issues.

4 participants

@lexming @boegelbot @SebastianAchilles @boegel