Skip to content

Moved CVE images to pillow-depends#4929

Merged
hugovk merged 1 commit intopython-pillow:masterfrom
radarhere:crash
Sep 22, 2020
Merged

Moved CVE images to pillow-depends#4929
hugovk merged 1 commit intopython-pillow:masterfrom
radarhere:crash

Conversation

@radarhere
Copy link
Copy Markdown
Member

@radarhere radarhere commented Sep 22, 2020
edited
Loading

Resolves #4730. Alternative to #4869

The Pillow test suite contains several images to trigger past CVEs, for the purpose of ensuring that they do not recur. However, as the issue describes, antivirus software is not aware that Pillow is up-to-date and so these are no longer vulnerabilities.

This PR is part of moving those images to pillow-depends. python-pillow/pillow-depends#32 is the other part, and this PR fails without it.

This PR also changes the test so that it is run as part of the test suite, but skips the test if run locally without the test images.

This was referenced Sep 22, 2020
Merged
Closed
@nulano
Copy link
Copy Markdown
Contributor

nulano commented Sep 22, 2020

Would it make sense to put the test images in a subdirectory to make them easier to remove from a checked-out copy? All future CVE examples could be put in there as well.

For example Tests/images/cve/crash_1.tif, similarly to

Pillow/Tests/test_file_msp.py

Lines 10 to 11 in c236740

EXTRA_DIR = "Tests/images/picins"
YA_EXTRA_DIR = "Tests/images/msp"

Pillow/Tests/test_file_msp.py

Lines 59 to 61 in c236740

@pytest.mark.skipif(
not os.path.exists(EXTRA_DIR), reason="Extra image files not installed"
)

@hugovk
Copy link
Copy Markdown
Member

hugovk commented Sep 22, 2020

Yeah, we could put them in a cve subdir.

Normally we can't disclose CVE details until the fix is released and announced, but I expect we'd first put them in the main repo, and only move them to the other repo after someone reports a problem with their virus scanner?

Or let's keep it this way, and use a cve subdir if the need actually arises to be able easily delete them. Most people don't have test_images from the other repo anyway.

@nulano
Copy link
Copy Markdown
Contributor

nulano commented Sep 22, 2020

Normally we can't disclose CVE details until the fix is released and announced, but I expect we'd first put them in the main repo, and only move them to the other repo after someone reports a problem with their virus scanner?

Or let's keep it this way, and use a cve subdir if the need actually arises to be able easily delete them. Most people don't have test_images from the other repo anyway.

Fair points, I suppose these can be moved into a subdir if/when someone reports another file flagged by a virus scanner.

@hugovk
Copy link
Copy Markdown
Member

hugovk commented Sep 22, 2020

python-pillow/pillow-depends#32 is merged, and CIs restarted here.

@hugovk hugovk merged commit eb00829 into python-pillow:master Sep 22, 2020
@hugovk
Copy link
Copy Markdown
Member

hugovk commented Sep 22, 2020

Thank you!

@hugovk hugovk mentioned this pull request Sep 22, 2020
Closed
@radarhere radarhere deleted the crash branch September 22, 2020 21:52
@radarhere radarhere mentioned this pull request Sep 23, 2020
Merged
@nulano nulano mentioned this pull request Oct 12, 2020
Closed
@radarhere radarhere mentioned this pull request Oct 19, 2020
Merged
@radarhere radarhere mentioned this pull request Jun 28, 2021
Merged
@aclark4life aclark4life mentioned this pull request Mar 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Antivirus Avast detect test image crash_2.tif as with exploit

3 participants

@radarhere @nulano @hugovk