| Summary: | graphicsmagick (mga3) new security issue fixed upstream in 1.3.18 (CVE-2013-4589) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, mageia, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/572760/ | ||
| Whiteboard: | feedback advisory has_procedure | ||
| Source RPM: | graphicsmagick-1.3.17-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-11-04 19:15:14 CET
David Walser
2013-11-04 19:15:51 CET
Whiteboard: (none) => MGA2TOO

Procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Testing complete mga2 32 following the wiki procedure.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok

A CVE has been requested for this:
http://openwall.com/lists/oss-security/2013/11/15/13

CVE-2013-4589 has been allocated for this issue:
http://openwall.com/lists/oss-security/2013/11/15/14

Updating the advisory.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service (DoS). The vulnerability is caused due to an error within the "ExportAlphaQuantumType()" function found in magick/export.c when exporting 8-bit RGBA images, which can be exploited to cause a crash (CVE-2013-4589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4589
https://secunia.com/advisories/55288/
http://openwall.com/lists/oss-security/2013/11/15/14
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html

Summary: graphicsmagick new security issue fixed upstream in 1.3.18 => graphicsmagick new security issue fixed upstream in 1.3.18 (CVE-2013-4589)

Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok

advisory uploaded

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO advisory has_procedure mga2-32-ok mga2-64-ok

The perl module is not working in mga3. Possibly related to bug 6561.

    $ perl test.pl
    perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

    $ ldd /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
    linux-vdso.so.1 (0x00007fffeb3fe000)
    libm.so.6 => /usr/lib64/libm.so.6 (0x00007f2557f95000)
    libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f2557d79000)
    libc.so.6 => /usr/lib64/libc.so.6 (0x00007f25579c5000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f25584c1000)

Whiteboard: MGA2TOO advisory has_procedure mga2-32-ok mga2-64-ok => MGA2TOO feedback advisory has_procedure mga2-32-ok mga2-64-ok

Olivier, you fixed this linking issue before, and your patch is still there. Can you look into this problem?

CC: (none) => fundawang, mageia

If necessary mga2 can be pushed separately for this one

OK this doesn't make any sense. I rebuilt this locally in a VM and it's also linked to liblcms2.so.2, libfreetype.so.6, libX11.so.6, libbz2.so.1, libz.so.1, libltdl.so.7, libxcb.so.1, libdl.so.2, libXau.so.6, libXdmcp.so.6, as well as the expected libGraphicsMagick.so.3.

Splitting the bug to allow mga2 to be pushed. Mga2 is now bug 11719. This bug is now mga3 only.

Advisory updated.

Summary: graphicsmagick new security issue fixed upstream in 1.3.18 (CVE-2013-4589) => graphicsmagick (mga3) new security issue fixed upstream in 1.3.18 (CVE-2013-4589)

Since the CVE was allocated after the Fedora advisory was issued, it was not available when LWN made the initial vulnerability page for this. They made a new one with our advisory and the CVE. I notified them so that they can merge them. The new one is:
http://lwn.net/Vulnerabilities/574927/

No response from packagers sadly so bug 11816 created for the perl module not working.

Validating this one with the bug still present. We can't allow security updates to sit indefinitely.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks!

Keywords: (none) => validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2013-0355.html

Status: NEW => RESOLVED