Bug 17318

Summary: imagemagick various new security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/667319/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: imagemagick-6.8.9.9-4.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-09 17:30:17 CET 
Fedora has issued an advisory on December 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173409.html

Debian also has fixes for those issues, as well as a handful of DoS issues, in git:
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/6.7.7.10-5%2bdeb7u4

We were in sync with Debian as of January 1, so I just have to pull in the newer patches.  They didn't include a fix for the issue in tga.c mentioned in rhbz#1269562, so I will backport that from upstream as well.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-09 17:38:02 CET 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

This update fixes denial of service issues in miff, vicar, hdr, and pdb image
handling, a buffer overflow issue in icon handling, and double-free issues in
pict and tga image handling.

References:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
http://trac.imagemagick.org/changeset/17846
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
http://trac.imagemagick.org/changeset/17855
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173409.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.9.9-4.2.mga5
imagemagick-desktop-6.8.9.9-4.2.mga5
libmagick-6Q16_2-6.8.9.9-4.2.mga5
libmagick++-6Q16_5-6.8.9.9-4.2.mga5
libmagick-devel-6.8.9.9-4.2.mga5
perl-Image-Magick-6.8.9.9-4.2.mga5
imagemagick-doc-6.8.9.9-4.2.mga5

from imagemagick-6.8.9.9-4.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => major

David Walser 2015-12-09 18:42:25 CET

URL: (none) => http://lwn.net/Vulnerabilities/667319/

Comment 2 William Kenney 2015-12-09 19:56:11 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.1.mga5.i586 is already installed

I can open a file with imagemagick, enhance the file then save it
under a different name. That saved file can be opened with gwenview.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed

I can open a different file with imagemagick, enhance the file then save
it under a different name. That saved file can be opened with gwenview.
I can open the previously created image file.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 3 William Kenney 2015-12-09 20:07:54 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.1.mga5.x86_64 is already installed

I can open a file with imagemagick, enhance the file then save it
under a different name. That saved file can be opened with gwenview.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed

I can open a different file with imagemagick, enhance the file then save
it under a different name. That saved file can be opened with gwenview.
I can open the previously created image file.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 William Kenney 2015-12-09 20:08:34 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-12-10 09:52:20 CET 
Advisory uploaded.

Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 6 Mageia Robot 2015-12-10 21:58:23 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0471.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED