From aa1f47819fc505abf5033e04c6e0d586f60222f7 Mon Sep 17 00:00:00 2001
From: Hugo Buddelmeijer <hugo@buddelmeijer.nl>
Date: Mon, 16 Mar 2026 14:32:21 +0100
Subject: [PATCH] gnu: python-pillow: Update to 12.1.1 [security-fixes].
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Release notes since 11.1.0 (2025-01-02):
- 12.1.1 (2026-02-11)
  <https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html>.
- 12.1.0 (2026-01-02)
  <https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html>.
- 12.0.0 (2025-10-15)
  <https://pillow.readthedocs.io/en/stable/releasenotes/12.0.0.html>.
- 11.3.0 (2025-07-01)
  <https://pillow.readthedocs.io/en/stable/releasenotes/11.3.0.html>.
- 11.2.1 (2025-04-12)
  <https://pillow.readthedocs.io/en/stable/releasenotes/11.2.1.html>.

Containes fixes for:
CVE-2026-25990: Out-of-bounds write vulnerability in Pillow (Python
                imaging library) affecting versions 10.3.0 through
                12.1.0. The vulnerability can be triggered when loading
                specially crafted PSD image files.
CVE 2025-48379: Write buffer overflow on BCn encoding.
CVE-2021-25289: Heap-based Buffer Overflow.

* gnu/packages/python-xyz.scm (python-pillow): Update to 12.1.1.
[source]: Switch to git-fetch.
[native-inputs]: Add pybind11.
[home-page]: Update URL.
[license]: Switch to MIT-CMU license.

Merges: https://codeberg.org/guix/guix/pulls/7218
Change-Id: I5b13dca66aeb7efdfcc44c8c144b6c64601d9b1e
Reviewed-by: Nguyễn Gia Phong <cnx@loang.net>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
---
 gnu/packages/python-xyz.scm | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index 08bcc6e735..39e2d58d10 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -13214,13 +13214,16 @@ Python list with elements of type @code{PIL.Image} (from the
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "11.1.0")
+    (version "12.1.1")
     (source
      (origin
-       (method url-fetch)
-       (uri (pypi-uri "pillow" version))
+       (method git-fetch)
+       (uri (git-reference
+              (url "https://github.com/python-pillow/Pillow")
+              (commit version)))
+       (file-name (git-file-name name version))
        (sha256
-        (base32 "081abgpz7g013cgzz7pjhmf8m7q626ngza4hnfs76vdk104ag39n"))))
+        (base32 "1g374rklljx0941j6d1gib9pgcq3scmqw9psqaj2c7m8pilqsn9n"))))
     (build-system pyproject-build-system)
     (arguments
      (list
@@ -13236,7 +13239,8 @@ Python list with elements of type @code{PIL.Image} (from the
                 (setenv "HOME" (getcwd))
                 (invoke "python" "selftest.py" "--installed")
                 (invoke "python" "-m" "pytest" "-vv")))))))
-    (native-inputs (list python-defusedxml
+    (native-inputs (list pybind11
+                         python-defusedxml
                          python-markdown2
                          python-olefile
                          python-pytest
@@ -13249,7 +13253,7 @@ Python list with elements of type @code{PIL.Image} (from the
                   libwebp
                   openjpeg
                   zlib))
-    (home-page "https://python-pillow.org")
+    (home-page "https://python-pillow.github.io/")
     (synopsis "Fork of the Python Imaging Library")
     (description
      "The Python Imaging Library adds image processing capabilities to your
@@ -13260,8 +13264,8 @@ stored in a few basic pixel formats.  It should provide a solid foundation for
 a general image processing tool.")
     (properties `((cpe-name . "pillow")))
     (license (license:x11-style
-              "http://www.pythonware.com/products/pil/license.htm"
-              "The PIL Software License"))))
+              "https://github.com/python-pillow/Pillow/blob/12.1.1/LICENSE"
+              "MIT-CMU License"))))
 
 (define-public python-pillow-heif
   (package