Bug 19506

Summary: graphicsmagick new security issues CVE-2016-7800 and CVE-2016-799[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, nicolas.salguero, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/703123/
Whiteboard: MGA5-32-OK MGA5-64-OK
Source RPM: graphicsmagick-1.3.25-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-10-02 01:25:39 CEST 
A CVE has been assigned for a security issue fixed upstream in graphicsmagick:
http://openwall.com/lists/oss-security/2016/10/01/7

The commit to fix the issue is linked in the message above.

Mageia 5 is also affected.
David Walser 2016-10-02 01:25:50 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-10-02 17:03:50 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2016-10-04 15:56:32 CEST 
Done for Mga5 and Cauldron.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://openwall.com/lists/oss-security/2016/10/01/7
========================

Updated packages in core/updates_testing:
========================
i586:
graphicsmagick-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick3-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick++12-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagickwand2-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick-devel-1.3.25-1.1.mga5.i586.rpm
perl-Graphics-Magick-1.3.25-1.1.mga5.i586.rpm
graphicsmagick-doc-1.3.25-1.1.mga5.noarch.rpm

x86_64:
graphicsmagick-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick3-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick++12-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagickwand2-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick-devel-1.3.25-1.1.mga5.x86_64.rpm
perl-Graphics-Magick-1.3.25-1.1.mga5.x86_64.rpm
graphicsmagick-doc-1.3.25-1.1.mga5.noarch.rpm

Source RPMs:
graphicsmagick-1.3.25-1.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-10-07 17:52:42 CEST 
CVE request for two issues in the WPG reader:
http://openwall.com/lists/oss-security/2016/10/07/4

A patch is included in that message that applies cleanly to our package.
Comment 4 Nicolas Salguero 2016-10-08 18:45:03 CEST 
Done for Mga5 and Cauldron.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

Two issues in the WPG reader (description will have to be improved when CVE numbers are assigned).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://openwall.com/lists/oss-security/2016/10/01/7
http://openwall.com/lists/oss-security/2016/10/07/4
========================

Updated packages in core/updates_testing:
========================
i586:
graphicsmagick-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick3-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick++12-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagickwand2-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick-devel-1.3.25-1.2.mga5.i586.rpm
perl-Graphics-Magick-1.3.25-1.2.mga5.i586.rpm
graphicsmagick-doc-1.3.25-1.2.mga5.noarch.rpm

x86_64:
graphicsmagick-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick3-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick++12-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagickwand2-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick-devel-1.3.25-1.2.mga5.x86_64.rpm
perl-Graphics-Magick-1.3.25-1.2.mga5.x86_64.rpm
graphicsmagick-doc-1.3.25-1.2.mga5.noarch.rpm

Source RPMs:
graphicsmagick-1.3.25-1.2.mga5.src.rpm
Comment 5 William Kenney 2016-10-08 20:00:47 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick libgraphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.25-1.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.25-1.1.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

CC: (none) => wilcal.int

Comment 6 William Kenney 2016-10-08 20:01:03 CEST 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick lib64graphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.25-1.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.25-1.1.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
William Kenney 2016-10-08 20:01:13 CEST

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 7 William Kenney 2016-10-08 20:01:54 CEST 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 David Walser 2016-10-08 20:39:25 CEST 
CVE-2016-7996 and CVE-2016-7997:
http://openwall.com/lists/oss-security/2016/10/08/5

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

Two issues in the WPG reader (CVE-2016-7996, CVE-2016-7997).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7997
http://openwall.com/lists/oss-security/2016/10/01/7
http://openwall.com/lists/oss-security/2016/10/08/5

Summary: graphicsmagick new security issue CVE-2016-7800 => graphicsmagick new security issues CVE-2016-7800 and CVE-2016-799[67]

Comment 9 Mageia Robot 2016-10-08 22:19:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0337.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-10-11 14:24:05 CEST

URL: (none) => http://lwn.net/Vulnerabilities/703123/