dev-python/imageio: Block fetching remote shared libraries (!)

Bug: https://bugs.gentoo.org/874849 Signed-off-by: Michał Górny <mgorny@gentoo.org>
2026-01-05 14:07:27 -08:00 · 2022-10-04 10:18:48 +02:00 · 2022-10-04 10:18:48 +02:00 · 40b85d13e7
commit 40b85d13e7
parent dd1ad44e37
3 changed files with 63 additions and 0 deletions
--- a/dev-python/imageio/Manifest
+++ b/dev-python/imageio/Manifest
@ -1 +1,3 @@
 DIST imageio-2.22.0.gh.tar.gz 394144 BLAKE2B 957edbeaad6be459ff865eed3159b0f7776e3dd0782e0380bfe2c40362d0c08ccc8f29a2f38a8427deb263554495b73cc4df641e569b9d33700fcc6ed1395396 SHA512 23d606e32ab2bdc306a4b9d17120e5eda8c8a4fd96d840181afecd6e35f6649621740608f0286d2a5462822acc7ef4e1e7f1e9076882ce975f1da717b136c8c4
+DIST imageio-chelsea.png 221294 BLAKE2B 58537d7a1678fa5be4cc899e5bacd925bfc180eb4ae691330a53749a49ff544e979609b529ed27e5c1fc9efe4bc050ca1ce49b777f4016fb1d66affd926ef9d3 SHA512 48470cdb843eed4dfa6673811c09c5aac9869ee23dd36be0c6b653d9f108d61d21b148c2a4435aaa6604887ba030e5bbc5e35d378da876366445dfc2d0ba4e27
+DIST imageio-cockatoo.mp4 728751 BLAKE2B 45b22cd517c1cb7c0cd12f8865facaca6a847047aea716e49633cf2b1dc13826f94787c8a8f9dd5f48c6a896f5d37794c0058da1bde9e1469f196916476dbfa2 SHA512 e9cb7c25de8019c59ba4090cf10ab29f2b5d62ada37a877081ca07d2ecfe010036222ae843b41bbcc843130d97fa5e14421de252639e9481df1d1c27b19add49
--- a/dev-python/imageio/files/imageio-2.22.0-block-download.patch
+++ b/dev-python/imageio/files/imageio-2.22.0-block-download.patch
@ -0,0 +1,32 @@
+From 1ae48cfa95e84cb064edc74a4a64bd0f7dee780a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Tue, 4 Oct 2022 09:40:42 +0200
+Subject: [PATCH] Unconditionally disable downloading binaries from Internet
+
+Bug: https://bugs.gentoo.org/874849
+---
+ imageio/core/fetching.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/imageio/core/fetching.py b/imageio/core/fetching.py
+index 0380bc7..70f1a3d 100644
+--- a/imageio/core/fetching.py
+++ b/imageio/core/fetching.py
+@@ -97,11 +97,10 @@ def get_remote_file(fname, directory=None, force_download=False, auto=True):
+                     break
+ 
+     # If we get here, we're going to try to download the file
+-    if os.getenv("IMAGEIO_NO_INTERNET", "").lower() in ("1", "true", "yes"):
+    if True:
+         raise InternetNotAllowedError(
+-            "Will not download resource from the "
+-            "internet because environment variable "
+-            "IMAGEIO_NO_INTERNET is set."
+            "Implicit insecure downloads disabled on Gentoo due to security "
+            "concerns.  See https://bugs.gentoo.org/874849."
+         )
+ 
+     # Can we proceed with auto-download?
+-- 
+2.38.0
+
--- a/dev-python/imageio/imageio-2.22.0-r1.ebuild
+++ b/dev-python/imageio/imageio-2.22.0-r1.ebuild
@ -8,6 +8,7 @@ PYTHON_COMPAT=( python3_{8..10} )

 inherit distutils-r1

+BIN_COMMIT=224074bca448815e421a59266864c23041531a42
 DESCRIPTION="Python library for reading and writing image data"
 HOMEPAGE="
 	https://imageio.readthedocs.io/en/stable/
@ -17,6 +18,12 @@ HOMEPAGE="
 SRC_URI="
 	https://github.com/imageio/imageio/archive/v${PV}.tar.gz
 		-> ${P}.gh.tar.gz
+	test? (
+		https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/chelsea.png
+			-> ${PN}-chelsea.png
+		https://github.com/imageio/imageio-binaries/raw/${BIN_COMMIT}/images/cockatoo.mp4
+			-> ${PN}-cockatoo.mp4
+	)
 "

 LICENSE="MIT"
@ -44,9 +51,31 @@ BDEPEND="

 distutils_enable_tests pytest

+src_prepare() {
+	local PATCHES=(
+		# block silently downloading vulnerable libraries from the Internet
+		"${FILESDIR}"/imageio-2.22.0-block-download.patch
+	)
+
+	if use test; then
+		mkdir -p "${HOME}"/.imageio/images || die
+		local i
+		for i in chelsea.png cockatoo.mp4; do
+			cp "${DISTDIR}/${PN}-${i}" "${HOME}/.imageio/images/${i}" || die
+		done
+	fi
+
+	distutils-r1_src_prepare
+}
+
 EPYTEST_DESELECT=(
 	# Fails because of system installed freeimage
 	tests/test_core.py::test_findlib2
 	# Tries to download ffmpeg binary ?!
 	tests/test_ffmpeg.py::test_get_exe_installed
+	# blocked by our patch
+	tests/test_core.py::test_fetching
+	tests/test_core.py::test_request
+	# removed upstream
+	tests/test_pillow.py::test_png_remote
 )