author | Michał Górny <mgorny@gentoo.org> | 2022-10-04 10:18:48 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2022-10-04 10:29:55 +0200 |
commit | 40b85d13e7fd770f834fde7b160219829fad5311 (patch) | |
tree | 78fab596a77acf00b2e8d48f05961df29f608f66 | |
parent | dev-python/imageio: Remove old (diff) | |
dev-python/imageio: Block fetching remote shared libraries (!)
Bug: https://bugs.gentoo.org/874849
Signed-off-by: Michał Górny <mgorny@gentoo.org>
-rw-r--r-- | dev-python/imageio/Manifest | 2 | ||||
-rw-r--r-- | dev-python/imageio/files/imageio-2.22.0-block-download.patch | 32 | ||||
-rw-r--r-- | dev-python/imageio/imageio-2.22.0-r1.ebuild (renamed from dev-python/imageio/imageio-2.22.0.ebuild) | 29 |
3 files changed, 63 insertions, 0 deletions
diff --git a/dev-python/imageio/Manifest b/dev-python/imageio/Manifest
index d6e0baaa1216..ae59f0904f03 100644
--- a/dev-python/imageio/Manifest
+++ b/dev-python/imageio/Manifest
@@ -1 +1,3 @@
 DIST imageio-2.22.0.gh.tar.gz 394144 BLAKE2B 957edbeaad6be459ff865eed3159b0f7776e3dd0782e0380bfe2c40362d0c08ccc8f29a2f38a8427deb263554495b73cc4df641e569b9d33700fcc6ed1395396 SHA512 23d606e32ab2bdc306a4b9d17120e5eda8c8a4fd96d840181afecd6e35f6649621740608f0286d2a5462822acc7ef4e1e7f1e9076882ce975f1da717b136c8c4
+DIST imageio-chelsea.png 221294 BLAKE2B 58537d7a1678fa5be4cc899e5bacd925bfc180eb4ae691330a53749a49ff544e979609b529ed27e5c1fc9efe4bc050ca1ce49b777f4016fb1d66affd926ef9d3 SHA512 48470cdb843eed4dfa6673811c09c5aac9869ee23dd36be0c6b653d9f108d61d21b148c2a4435aaa6604887ba030e5bbc5e35d378da876366445dfc2d0ba4e27
+DIST imageio-cockatoo.mp4 728751 BLAKE2B 45b22cd517c1cb7c0cd12f8865facaca6a847047aea716e49633cf2b1dc13826f94787c8a8f9dd5f48c6a896f5d37794c0058da1bde9e1469f196916476dbfa2 SHA512 e9cb7c25de8019c59ba4090cf10ab29f2b5d62ada37a877081ca07d2ecfe010036222ae843b41bbcc843130d97fa5e14421de252639e9481df1d1c27b19add49
diff --git a/dev-python/imageio/files/imageio-2.22.0-block-download.patch b/dev-python/imageio/files/imageio-2.22.0-block-download.patch
new file mode 100644
index 000000000000..ba483813b23c
--- /dev/null
+++ b/dev-python/imageio/files/imageio-2.22.0-block-download.patch
@@ -0,0 +1,32 @@
+From 1ae48cfa95e84cb064edc74a4a64bd0f7dee780a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Tue, 4 Oct 2022 09:40:42 +0200
+Subject: [PATCH] Unconditionally disable downloading binaries from Internet
+
+Bug: https://bugs.gentoo.org/874849
+---
+ imageio/core/fetching.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/imageio/core/fetching.py b/imageio/core/fetching.py
+index 0380bc7..70f1a3d 100644
+--- a/imageio/core/fetching.py
++++ b/imageio/core/fetching.py
+@@ -97,11 +97,10 @@ def get_remote_file(fname, directory=None, force_download=False, auto=True):
+ break
+
+ # If we get here, we're going to try to download the file
+- if os.getenv("IMAGEIO_NO_INTERNET", "").lower() in ("1", "true", "yes"):
++ if True:
+ raise InternetNotAllowedError(
+- "Will not download resource from the "
+- "internet because environment variable "
+- "IMAGEIO_NO_INTERNET is set."
++ "Implicit insecure downloads disabled on Gentoo due to security "
++ "concerns. See https://bugs.gentoo.org/874849."
+ )
+
+ # Can we proceed with auto-download?
+--
+2.38.0
+
diff --git a/dev-python/imageio/imageio-2.22.0.ebuild b/dev-python/imageio/imageio-2.22.0-r1.ebuild
index 6770d9759db9..20bd98f88e7f 100644
--- a/dev-python/imageio/imageio-2.22.0.ebuild
+++ b/dev-python/imageio/imageio-2.22.0-r1.ebuild
@@ -8,6 +8,7 @@ PYTHON_COMPAT=( python3_{8..10} ) inherit distutils-r1 +BIN_COMMIT=224074bca448815e421a59266864c23041531a42 DESCRIPTION="Python library for reading and writing image data" HOMEPAGE=" https://imageio.readthedocs.io/en/stable/
@@ -17,6 +18,12 @@ HOMEPAGE=" SRC_URI=" https://github.com/imageio/imageio/archive/v${PV}.tar.gz -> ${P}.gh.tar.gz + test? ( + https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/chelsea.png + -> ${PN}-chelsea.png + https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/cockatoo.mp4 + -> ${PN}-cockatoo.mp4 + ) " LICENSE="MIT"
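Review bot: The replacement error message in the fetching.py patch never names the resource that was refused, so a user who hits InternetNotAllowedError cannot tell which file to supply locally. `fname` is a parameter of get_remote_file (visible in the hunk header), so the second string could become `f"concerns (wanted {fname!r}). See https://bugs.gentoo.org/874849."`. The `if True:` guard also leaves the rest of the function unreachable, presumably including whatever `force_download=True` used to do; a one-line comment such as `# Gentoo: downloads are blocked unconditionally, the code below is intentionally dead` would make that explicit for the next person rebasing the patch. The body of get_remote_file starts and ends outside the hunk.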
@@ -44,9 +51,31 @@ BDEPEND=" distutils_enable_tests pytest +src_prepare() { + local PATCHES=( + # block silently downloading vulnerable libraries from the Internet + "${FILESDIR}"/imageio-2.22.0-block-download.patch + ) + + if use test; then + mkdir -p "${HOME}"/.imageio/images || die + local i + for i in chelsea.png cockatoo.mp4; do + cp "${DISTDIR}/${PN}-${i}" "${HOME}/.imageio/images/${i}" || die + done + fi + + distutils-r1_src_prepare +} + EPYTEST_DESELECT=( # Fails because of system installed freeimage tests/test_core.py::test_findlib2 # Tries to download ffmpeg binary ?! tests/test_ffmpeg.py::test_get_exe_installed + # blocked by our patch + tests/test_core.py::test_fetching + tests/test_core.py::test_request + # removed upstream + tests/test_pillow.py::test_png_remote ) |
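Review bot: The `if use test` branch of src_prepare carries no comment saying why files are copied into `${HOME}/.imageio/images`, and that path is an assumption about where imageio looks for cached resources (the lookup code is not visible in this diff). A comment above the `mkdir`, such as `# pre-seed the Manifest-verified images so tests never reach the blocked download path`, would record the intent and tie it to the pinned BIN_COMMIT. If the lookup directory ever differs, the affected tests should fail with the patched InternetNotAllowedError rather than fetch anything, so the failure is safe but would be confusing without that comment.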