Bug 14014

Summary: graphicsmagick new security issue CVE-2014-1947
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lebarhon, rverschelde, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/609958/
Whiteboard: MGA3TOO has_procedure advisory mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK
Source RPM: graphicsmagick-1.3.18-3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-29 18:22:39 CEST 
Fedora has issued an advisory on August 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137120.html

We first encountered this in Bug 12742, but it only affected older versions of ImageMagick than what we had.  It was found that it also affects GraphicsMagick, however.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

A buffer overflow flaw was found in the way GraphicsMagick writes PSD images
when the input data has a large number of layers. Due to the compilation
options used in Mageia, the buffer overflow is reduced to a crash, making
this a denial of service issue (CVE-2014-1947).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/137120.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.17-2.3.mga3
libgraphicsmagick3-1.3.17-2.3.mga3
libgraphicsmagickwand2-1.3.17-2.3.mga3
libgraphicsmagick-devel-1.3.17-2.3.mga3
perl-Graphics-Magick-1.3.17-2.3.mga3
graphicsmagick-doc-1.3.17-2.3.mga3
graphicsmagick-1.3.18-3.2.mga4
libgraphicsmagick3-1.3.18-3.2.mga4
libgraphicsmagickwand2-1.3.18-3.2.mga4
libgraphicsmagick-devel-1.3.18-3.2.mga4
perl-Graphics-Magick-1.3.18-3.2.mga4
graphicsmagick-doc-1.3.18-3.2.mga4

from SRPMS:
graphicsmagick-1.3.17-2.3.mga3.src.rpm
graphicsmagick-1.3.18-3.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-29 18:22:45 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Rémi Verschelde 2014-08-29 18:32:27 CEST 
Testing procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 André DESMOTTES 2014-08-29 19:48:19 CEST 
100% success with Mageia 4 64 bits

CC: (none) => lebarhon

Comment 3 claire robinson 2014-08-29 23:01:40 CEST 
Remember to add mga4-64-ok in the whiteboard please André

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 4 André DESMOTTES 2014-08-30 18:10:03 CEST 
100% success with Mageia 4 32 bit, in a VM.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 5 William Kenney 2014-08-30 18:56:42 CEST 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
graphicsmagick

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.17-2.2.mga3.i586 is already installed

Reference: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Testing procedure for perl-Graphics-Magick
My code reads as follows:

#!/usr/local/bin/perl
# taken from http://www.graphicsmagick.org/perl.html#example-script
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('image1.png', 'image2.png', 'image3.png');
warn "$status" if "$status";
$status = $image->Write('x.gif');
warn "$status" if "$status";

Results in the following:

[wilcal@localhost test_images]$ perl test.pl
Can't locate Graphics/Magick.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.16.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.16.3 /usr/lib/perl5/vendor_perl/5.16.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.16.3 /usr/lib/perl5/5.16.3/i386-linux-thread-multi /usr/lib/perl5/5.16.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.16.3 /usr/lib/perl5/vendor_perl/5.16.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.16.2 /usr/lib/perl5/vendor_perl/5.16.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl .) at test.pl line 3.
BEGIN failed--compilation aborted at test.pl line 3.

No animated GIF generated. What am I doing wrong?

CC: (none) => wilcal.int

Comment 6 Rémi Verschelde 2014-08-30 19:04:15 CEST 
To use graphicsmagick with perl, you need to install perl-Graphics-Magick (which is also part of the update candidate).
Comment 7 William Kenney 2014-08-30 19:18:37 CEST 
(In reply to Rémi Verschelde from comment #6)

> To use graphicsmagick with perl, you need to install perl-Graphics-Magick
> (which is also part of the update candidate).

Thanks Rémi, that did it. Not installed with graphicsmagick.
Comment 8 Rémi Verschelde 2014-08-30 19:22:03 CEST 
(In reply to William Kenney from comment #7)
> 
> Thanks Rémi, that did it. Not installed with graphicsmagick.

Yes it's not a strict requirement for GraphicsMagick: Basically GraphicsMagick is an independent tool and library, that you can use directly with its "gm" binary. The library can also be used in other environments such as in perl programs, but for this the perl bindings are necessary, hence the need for a perl-Graphics-Magick package. But the latter is not _required_ to use GraphicsMagick, that's why it's not installed by default :-)
Comment 9 William Kenney 2014-08-30 19:33:39 CEST 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick

default install of graphicsmagick & perl-Graphics-Magick

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.17-2.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.17-2.2.mga3.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick & perl-Graphics-Magick from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.17-2.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.17-2.3.mga3.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK

Comment 10 William Kenney 2014-08-30 20:26:07 CEST 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
graphicsmagick lib64graphicsmagick3 perl-Graphics-Magick

default install of graphicsmagick lib64graphicsmagick3 & perl-Graphics-Magick

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.17-2.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.17-2.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.17-2.2.mga3.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick & perl-Graphics-Magick from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.17-2.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.17-2.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.17-2.3.mga3.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK

Comment 11 William Kenney 2014-08-30 20:27:01 CEST 
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks all.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 claire robinson 2014-09-02 18:44:08 CEST 
Advisory from comment 0 uploaded.

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure advisory mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK

Comment 13 Mageia Robot 2014-09-05 11:08:43 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0370.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED