commit:     40b85d13e7fd770f834fde7b160219829fad5311
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue Oct  4 08:18:48 2022 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Oct  4 08:29:55 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40b85d13

dev-python/imageio: Block fetching remote shared libraries (!)

Bug: https://bugs.gentoo.org/874849
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 dev-python/imageio/Manifest                        |  2 ++
 .../files/imageio-2.22.0-block-download.patch      | 32 ++++++++++++++++++++++
 ...geio-2.22.0.ebuild => imageio-2.22.0-r1.ebuild} | 29 ++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/dev-python/imageio/Manifest b/dev-python/imageio/Manifest
index d6e0baaa1216..ae59f0904f03 100644
--- a/dev-python/imageio/Manifest
+++ b/dev-python/imageio/Manifest
@@ -1 +1,3 @@
 DIST imageio-2.22.0.gh.tar.gz 394144 BLAKE2B 
957edbeaad6be459ff865eed3159b0f7776e3dd0782e0380bfe2c40362d0c08ccc8f29a2f38a8427deb263554495b73cc4df641e569b9d33700fcc6ed1395396
 SHA512 
23d606e32ab2bdc306a4b9d17120e5eda8c8a4fd96d840181afecd6e35f6649621740608f0286d2a5462822acc7ef4e1e7f1e9076882ce975f1da717b136c8c4
+DIST imageio-chelsea.png 221294 BLAKE2B 
58537d7a1678fa5be4cc899e5bacd925bfc180eb4ae691330a53749a49ff544e979609b529ed27e5c1fc9efe4bc050ca1ce49b777f4016fb1d66affd926ef9d3
 SHA512 
48470cdb843eed4dfa6673811c09c5aac9869ee23dd36be0c6b653d9f108d61d21b148c2a4435aaa6604887ba030e5bbc5e35d378da876366445dfc2d0ba4e27
+DIST imageio-cockatoo.mp4 728751 BLAKE2B 
45b22cd517c1cb7c0cd12f8865facaca6a847047aea716e49633cf2b1dc13826f94787c8a8f9dd5f48c6a896f5d37794c0058da1bde9e1469f196916476dbfa2
 SHA512 
e9cb7c25de8019c59ba4090cf10ab29f2b5d62ada37a877081ca07d2ecfe010036222ae843b41bbcc843130d97fa5e14421de252639e9481df1d1c27b19add49

diff --git a/dev-python/imageio/files/imageio-2.22.0-block-download.patch 
b/dev-python/imageio/files/imageio-2.22.0-block-download.patch
new file mode 100644
index 000000000000..ba483813b23c
--- /dev/null
+++ b/dev-python/imageio/files/imageio-2.22.0-block-download.patch
@@ -0,0 +1,32 @@
+From 1ae48cfa95e84cb064edc74a4a64bd0f7dee780a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgo...@gentoo.org>
+Date: Tue, 4 Oct 2022 09:40:42 +0200
+Subject: [PATCH] Unconditionally disable downloading binaries from Internet
+
+Bug: https://bugs.gentoo.org/874849
+---
+ imageio/core/fetching.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/imageio/core/fetching.py b/imageio/core/fetching.py
+index 0380bc7..70f1a3d 100644
+--- a/imageio/core/fetching.py
++++ b/imageio/core/fetching.py
+@@ -97,11 +97,10 @@ def get_remote_file(fname, directory=None, 
force_download=False, auto=True):
+                     break
+ 
+     # If we get here, we're going to try to download the file
+-    if os.getenv("IMAGEIO_NO_INTERNET", "").lower() in ("1", "true", "yes"):
++    if True:
+         raise InternetNotAllowedError(
+-            "Will not download resource from the "
+-            "internet because environment variable "
+-            "IMAGEIO_NO_INTERNET is set."
++            "Implicit insecure downloads disabled on Gentoo due to security "
++            "concerns.  See https://bugs.gentoo.org/874849.";
+         )
+ 
+     # Can we proceed with auto-download?
+-- 
+2.38.0
+
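Review bot: The replacement message line `"concerns.  See https://bugs.gentoo.org/874849.";` carries a `;` after the closing quote; if that character is really in the patch file rather than an artefact of the list archive's URL rendering, the patched `fetching.py` will not parse, because a `;` is not permitted inside the parenthesised `raise InternetNotAllowedError(...)` call, so the file under FILESDIR is worth diffing against this view before merging. Separately, `if True:` deliberately leaves the auto-download code after the `raise` unreachable, but a one-line comment on that line such as `# Gentoo: remote downloads are disabled unconditionally, see bug 874849` would keep the next maintainer from reading it as a debugging leftover. The enclosing `get_remote_file` starts and ends outside the hunk.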

diff --git a/dev-python/imageio/imageio-2.22.0.ebuild 
b/dev-python/imageio/imageio-2.22.0-r1.ebuild
similarity index 59%
rename from dev-python/imageio/imageio-2.22.0.ebuild
rename to dev-python/imageio/imageio-2.22.0-r1.ebuild
index 6770d9759db9..20bd98f88e7f 100644
--- a/dev-python/imageio/imageio-2.22.0.ebuild
+++ b/dev-python/imageio/imageio-2.22.0-r1.ebuild
@@ -8,6 +8,7 @@ PYTHON_COMPAT=( python3_{8..10} )
 
 inherit distutils-r1
 
+BIN_COMMIT=224074bca448815e421a59266864c23041531a42
 DESCRIPTION="Python library for reading and writing image data"
 HOMEPAGE="
        https://imageio.readthedocs.io/en/stable/
@@ -17,6 +18,12 @@ HOMEPAGE="
 SRC_URI="
        https://github.com/imageio/imageio/archive/v${PV}.tar.gz
                -> ${P}.gh.tar.gz
+       test? (
+               
https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/chelsea.png
+                       -> ${PN}-chelsea.png
+               
https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/cockatoo.mp4
+                       -> ${PN}-cockatoo.mp4
+       )
 "
 
 LICENSE="MIT"
@@ -44,9 +51,31 @@ BDEPEND="
 
 distutils_enable_tests pytest
 
+src_prepare() {
+       local PATCHES=(
+               # block silently downloading vulnerable libraries from the 
Internet
+               "${FILESDIR}"/imageio-2.22.0-block-download.patch
+       )
+
+       if use test; then
+               mkdir -p "${HOME}"/.imageio/images || die
+               local i
+               for i in chelsea.png cockatoo.mp4; do
+                       cp "${DISTDIR}/${PN}-${i}" 
"${HOME}/.imageio/images/${i}" || die
+               done
+       fi
+
+       distutils-r1_src_prepare
+}
+
 EPYTEST_DESELECT=(
        # Fails because of system installed freeimage
        tests/test_core.py::test_findlib2
        # Tries to download ffmpeg binary ?!
        tests/test_ffmpeg.py::test_get_exe_installed
+       # blocked by our patch
+       tests/test_core.py::test_fetching
+       tests/test_core.py::test_request
+       # removed upstream
+       tests/test_pillow.py::test_png_remote
 )
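Review bot: The `use test` block in src_prepare copies the two pinned assets into `${HOME}/.imageio/images` without saying why; since the bundled patch makes `get_remote_file` raise on any download attempt, the tests can only pass if the cache already holds those files, and a comment above the `mkdir` such as `# pre-seed the imageio cache: downloads are blocked by our patch, so tests must find these files locally` would stop the two halves of this change from drifting apart later. The same two filenames are also spelled out in the SRC_URI hunk, so adding a third asset means editing both places; keeping the list in one local array would avoid a mismatch, though a missing DISTDIR file would at least surface through `cp ... || die`. Pinning `BIN_COMMIT` to a commit rather than a branch is the right choice, as the Manifest hashes would otherwise break whenever upstream moved those files.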
