From 9fcdfa8b226e6c7f6ca6cdf1d7e1d196be971a9b Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Fri, 6 Mar 2026 19:33:45 +0100
Subject: python3-pillow: patch CVE-2026-25990
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
---
meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb')
diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
index 4db5db1572..34b462ca4f 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_12.0.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8"
 SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \
 file://0001-support-cross-compiling.patch \
+ file://CVE-2026-25990.patch \
 "
 SRCREV = "693df7b42c666f88c719f9973be0ad71607328e0"
@@ -65,3 +66,7 @@ CVE_PRODUCT = "pillow"
 RPROVIDES:${PN} += "python3-imaging"
 BBCLASSEXTEND = "native"
+
+# CVE-2026-25990.patch in SRC_URI contains a binary blob, which needs to
+# be applied with git
+PATCHTOOL = "git"
--
cgit v1.2.3-54-g00ecf
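Review bot: `PATCHTOOL = "git"` in the second hunk is set for the whole recipe, so it also changes how `0001-support-cross-compiling.patch` is applied, and the comment above it does not say when the setting can be dropped. I would add a line to that comment such as `# Drop PATCHTOOL again when CVE-2026-25990.patch is removed`, so the override does not outlive the backport. The binary test file carried by the patch cannot be read in a text review and is not shown on this page, which is limited to the recipe. The patch header should therefore name the upstream commit in an `Upstream-Status: Backport [...]` line so the blob can be compared against upstream; it may already do so, but that cannot be confirmed from here.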