| Summary: | imagemagick and graphicsmagick new security issues CVE-2019-7397, CVE-2018-20467, CVE-2019-7175, CVE-2019-7398 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, mhrambo3501, nicolas.salguero, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | imagemagick-6.9.10.22-1.1.mga6.src.rpm, graphicsmagick-1.3.31-1.3.mga6.src.rpm | CVE: | CVE-2019-7397, CVE-2018-20467, CVE-2019-7175, CVE-2019-7398 |
| Status comment: | Patch available from openSUSE | ||

Description
David Walser
2019-02-21 00:04:16 CET
David Walser
2019-02-21 00:04:23 CET
Whiteboard:
(none) =>
MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some submitters.

Assignee:
bugsquad =>
pkg-bugs
David Walser
2019-03-09 17:33:10 CET
Status comment:
(none) =>
Patch available from openSUSE

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. (CVE-2019-7397)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397
https://lists.opensuse.org/opensuse-updates/2019-02/msg00106.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.31-1.4.mga6
lib(64)graphicsmagick3-1.3.31-1.4.mga6
lib(64)graphicsmagick++12-1.3.31-1.4.mga6
lib(64)graphicsmagickwand2-1.3.31-1.4.mga6
lib(64)graphicsmagick-devel-1.3.31-1.4.mga6
perl-Graphics-Magick-1.3.31-1.4.mga6
graphicsmagick-doc-1.3.31-1.4.mga6
imagemagick-6.9.10.33-1.mga6
imagemagick-desktop-6.9.10.33-1.mga6
lib(64)magick-6Q16_6-6.9.10.33-1.mga6
lib(64)magick++-6Q16_8-6.9.10.33-1.mga6
lib(64)magick-devel-6.9.10.33-1.mga6
perl-Image-Magick-6.9.10.33-1.mga6
imagemagick-doc-6.9.10.33-1.mga6

from SRPMS:
graphicsmagick-1.3.31-1.4.mga6.src.rpm
imagemagick-6.9.10.33-1.mga6.src.rpm

Assignee:
pkg-bugs =>
qa-bugs

Nicolas, it looks like you're rebuilding packages for imagemagick, but if the library major(s) didn't change, that's not needed.

Yes, I am sorry. I made a mistake. I found that, at least, transcode (tainted) and xine-lib1.2 (core and tainted) were not rebuilt when we switched to imagemagick-6.9.9.41 and I thought none of the packages were rebuilt. In fact, transcode was already rebuilt but was not transferred from updates_testing to updates. So, I think the new builds I made will have to be removed from updates_testing except transcode and xine-lib1.2 which would be added to the list from comment 2.

transcode-1.1.7-17.2.mga6.tainted was already tested (see bug 19078 comment 96) but was not pushed to updates.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. (CVE-2019-7397)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397
https://lists.opensuse.org/opensuse-updates/2019-02/msg00106.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.31-1.4.mga6
lib(64)graphicsmagick3-1.3.31-1.4.mga6
lib(64)graphicsmagick++12-1.3.31-1.4.mga6
lib(64)graphicsmagickwand2-1.3.31-1.4.mga6
lib(64)graphicsmagick-devel-1.3.31-1.4.mga6
perl-Graphics-Magick-1.3.31-1.4.mga6
graphicsmagick-doc-1.3.31-1.4.mga6
imagemagick-6.9.10.33-1.mga6
imagemagick-desktop-6.9.10.33-1.mga6
lib(64)magick-6Q16_6-6.9.10.33-1.mga6
lib(64)magick++-6Q16_8-6.9.10.33-1.mga6
lib(64)magick-devel-6.9.10.33-1.mga6
perl-Image-Magick-6.9.10.33-1.mga6
imagemagick-doc-6.9.10.33-1.mga6
xine1.2-common-1.2.8-8.1.mga6
lib(64)xine2-1.2.8-8.1.mga6
lib(64)xine1.2-devel-1.2.8-8.1.mga6

from SRPMS:
graphicsmagick-1.3.31-1.4.mga6.src.rpm
imagemagick-6.9.10.33-1.mga6.src.rpm
xine-lib1.2-1.2.8-8.1.mga6.src.rpm

Updated packages in tainted/updates_testing:
========================
xine1.2-common-1.2.8-8.1.mga6.tainted
lib(64)xine2-1.2.8-8.1.mga6.tainted
lib(64)xine1.2-devel-1.2.8-8.1.mga6.tainted
transcode-1.1.7-17.2.mga6.tainted

from SRPMS:
xine-lib1.2-1.2.8-8.1.mga6.tainted.src.rpm
transcode-1.1.7-17.2.mga6.tainted.src.rpm

Re comment 5 - the test of transcode from testing had not been entirely satisfactory - shall look at it again after the non-tainted stuff.

CC:
(none) =>
tarazed25

Mageia 6, x86_64

Updated these packages:
- graphicsmagick-1.3.31-1.4.mga6.x86_64
- graphicsmagick-doc-1.3.31-1.4.mga6.noarch
- imagemagick-6.9.10.33-1.mga6.x86_64
- lib64graphicsmagick++12-1.3.31-1.4.mga6.x86_64
- lib64graphicsmagick-devel-1.3.31-1.4.mga6.x86_64
- lib64graphicsmagick3-1.3.31-1.4.mga6.x86_64
- lib64graphicsmagickwand2-1.3.31-1.4.mga6.x86_64
- lib64magick-6Q16_6-6.9.10.33-1.mga6.x86_64
- perl-Graphics-Magick-1.3.31-1.4.mga6.x86_64
- xine1.2-common-1.2.8-8.1.mga6.x86_64

Added these manually:
imagemagick-desktop-6.9.10.33-1.mga6
lib64magick++-6Q16_8-6.9.10.33-1.mga6
lib64magick-devel-6.9.10.33-1.mga6
perl-Image-Magick-6.9.10.33-1.mga6
imagemagick-doc-6.9.10.33-1.mga6
lib64xine2-1.2.8-8.1.mga6
lib64xine1.2-devel-1.2.8-8.1.mga6

xine-ui-0.99.9-3.mga6.tainted was installed so I replaced it by xine-ui-0.99.9-3.mga6.

Running xine from the system menus brings up the player window and the xine logo which vanishes immediately. Right clicking in the window brings up the control menu for xine 0.99.9 which allows a file to be selected. That plays fine with both sound and video. Alternatively
$ xine <filename>
The media control gui can be launched by clicking "show controls". The control menu is still available in the player window. Subtitles can be enabled if available. Fullscreen works.

Music playlists can be run from the commandline, e.g.
$ xine SteeleyeSpan.m3u
This is xine (X11 gui) - a free video player v0.99.9.
(c) 2000-2014 The xine Team.
The gui appears and tracks can be paused or skipped. There is a volume control and a mute. Clicking the centre button on the selector wheel brings up a file browser, not to be confused with the STOP button.

This one was a challenge:
$ xine LaFollia.webm
It played the music without any trouble but the video is 4K UHD which may be out of spec for xine, at least by default. The video went to fullscreen but was totally pixelated. mplayer copes with it.
Had to stop it by moving the mouse to the panel, selecting another workspace and killing it from a terminal.

An flv file from Youtube worked OK with xine, so did an mp4 music video. An mp3 file played OK. flac, ogg and wav files all played OK.

Inserted a commercial CD and chose xine - no problem. Did the same for a commercial DVD - that could not get started - pixelation then a freeze. Used the media control menu and selected DVD and that worked perfectly, so xine is OK.

Testing the image packages later.

Re comment 7 - What is the connection between xine and the image packages? Nothing apparent using urpmq nor for xine1.2-common. Looks like my xine tests might be a waste of time. Confusing.

Keywords:
(none) =>
feedback

Ah.
$ urpmq --requires-recursive xine1.2-common | sort -u | grep magick
lib64magick-6Q16_6

Continuing from comment #7...
Have not found any POC for the CVEs so onto image tests.

$ identify StrathDionard.jpg
StrathDionard.jpg JPEG 3264x2448 3264x2448+0+0 8-bit sRGB 3.73736MiB 0.000u 0:00.000
$ display StrathDionard.jpg
Image OK

Displayed and identified a number of images in JPEG, PNG, TIFF, PNM, PPM, JP2, Postscript, PDF, GIF, PGM formats.

$ identify lena.pnm
lena.pnm PPM 512x512 512x512+0+0 8-bit sRGB 786447B 0.000u 0:00.069
$ display lena.ps
$ gm display jessica_grey.pgm

Repeated all these tests on the same images using GraphicsMagick.

$ gm identify JessicaAlba.tif
JessicaAlba.tif TIFF 600x448+0+0 DirectClass 8-bit 787.8Ki 0.000u 0m:0.000002s
$ gm display JessicaAlba.tif
$ gm identify jessica_grey.pgm
jessica_grey.pgm PGM 600x448 600x448+0+0 8-bit Grayscale Gray 268815B 0.000u 0:00.000

Conversions all work fine.

$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png
Displays as a vignetted version of the original. GM does not have the vignette option.

Make a squashed image of a TIFF in JPEG format, with approximately the same area.
$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.009
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 366559B 0.000u 0:00.000

Hide a message in an image.
$ convert -gravity center -size 640x120 label:"Thank you for choosing Mageia" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
No change => good
$ convert -size 640x120+15+2 stegano:crater.png secret.png
$ display secret.png
Image contains message "Thank you for choosing Mageia".

$ mogrify -rotate 270 newbridge.tif
$ display newbridge.tif
Image rotated through 270°
$ gm mogrify -rotate 90 newbridge.tif
$ display newbridge.tif
The final image looks the same as the original.
$ identify JayeGriffiths.jpg
JayeGriffiths.jpg JPEG 465x421 465x421+0+0 8-bit sRGB 17714B 0.000u 0:00.000
$ convert -resize 200% JayeGriffiths.jpg Jaye.png
$ identify Jaye.png
Jaye.png PNG 930x842 930x842+0+0 8-bit sRGB 577400B 0.000u 0:00.000

This is just a small sample of the possibilities. No problems encountered so far.
transcode next.
Len Lawrence
2019-03-14 21:27:55 CET
Keywords:
feedback =>
(none)

Continuing from comment #10...

Installed the tainted updates packages.
Ran a command found in the man pages for transcode. Loaded a commercial DVD.
$ transcode -i /dev/dvd/ -x dvd -j 16,0 -B 5,0 -Y 40,8 -s 4.47 -U my_movie -y xvid -w 1618
That produced an AVI file for the first chapter on the disc; my_movie-ch01.avi. This was a 9.8 second clip showing the introductory logo for MGM. It worked in xine and vlc.

Attempted to follow the help and man pages but could get no further than either an empty file or the first VOB as a 10 second clip. Tried commands like this:
$ transcode -i /dev/dvd -x dvd --vob_seek 4 -c 00:01:00,00:06:01 -s 4.47 --output clip2.avi -y xvid
$ transcode -i /dev/dvd -x dvd -a 1,1 -c 40:21-58:02 --output clip5.mp4

The simplest was
$ transcode -i /dev/dvd -x dvd --output clip6.mp4
transcode v1.1.7 (C) 2001-2003 Thomas Oestreich, 2003-2010 Transcode Team
[dvd_reader.c] -- Unspecified Subs --
[...]
[dvd_reader.c] DVD title 1/7: 1 chapter(s), 1 angle(s), title set 1
[dvd_reader.c] title playback time: 00:00:09.19 10 sec
[...]
[dvd_reader.c] DVD title 1/7: 1 chapter(s), 1 angle(s), title set 1
[dvd_reader.c] title playback time: 00:00:09.19 10 sec
[transcode] V: auto-probing | /dev/dvd (OK)
[transcode] V: import format | MPEG 2 program stream in DVD PAL (module=dvd)
[transcode] A: auto-probing | /dev/dvd (OK)
[transcode] A: import format | AC3 in DVD PAL (module=dvd)
[transcode] V: AV demux/sync | (1) sync AV at initial MPEG sequence
[transcode] V: import frame | 720x576 1.25:1 encoded @ 16:9
[transcode] V: bits/pixel | 0.174
[transcode] V: decoding fps,frc | 25.000,3
[transcode] V: video format | YUV420 (4:2:0) aka I420
[transcode] A: import format | 0x2000 AC3 [48000,16,2]
[transcode] A: export | disabled
[transcode] V: encoding fps,frc | 25.000,3
[transcode] A: language | en
[transcode] A: bytes per frame | 7680 (7680.000000)
[transcode] A: adjustment | 0@1000
[transcode] V: IA32/AMD64 accel | sse42 sse41 ssse3 sse3 sse2 sse mmx cmove asm
[transcode] warning: no option -y found, option -o ignored, writing to "/dev/null"
[transcode] V: video buffer | 10 @ 720x576 [0x2]
[transcode] A: audio buffer | 10 @ 48000x2x16
[import_dvd.so] v0.4.1 (2007-07-15) (video) DVD | (audio) MPEG/AC3/PCM
[export_null.so] v0.1.2 (2001-08-17) (video) null | (audio) null
[import_dvd.so] tccat -T 1,1,1 -i "/dev/dvd" -t dvd -d 0 | tcdemux -a 0 -x ac3 -S 0 -M 1 -d 0 | tcextract -t vob -x ac3 -a 0 -d 0 | tcdecode -x ac3 -d 0 -s 1.000000,1.000000,1.000000 -A 0
[import_dvd.so] tccat -T 1,1,1 -i "/dev/dvd" -t dvd -d 0 | tcdemux -s 0x80 -x mpeg2 -S 0 -M 1 -d 0 | tcextract -t vob -a 0 -x mpeg2 -d 0 | tcdecode -x mpeg2 -d 0 -y yuv420p
[import_dvd.so] delaying DVD access by 3 seconds
[import_dvd.so] waiting...
No accelerated IMDCT transform found
libdvdread: Attempting to retrieve all CSS keys
libdvdread: This can take a _long_ time, please be patient
libdvdread: Get key for /VIDEO_TS/VIDEO_TS.VOB at 0x0000013a
libdvdread: Elapsed time 0
[...]
libdvdread: Get key for /VIDEO_TS/VTS_07_1.VOB at 0x0021f77d
libdvdread: Elapsed time 0
libdvdread: Found 7 VTS's
libdvdread: Elapsed time 0
[import_dvd.so] waiting...
[import_dvd.so] waiting...
[decode_mpeg2.c] libmpeg2 acceleration: mmxext
libdvdread: Attempting to retrieve all CSS keys
libdvdread: This can take a _long_ time, please be patient
libdvdread: Get key for /VIDEO_TS/VIDEO_TS.VOB at 0x0000013a
[...]
libdvdread: Get key for /VIDEO_TS/VTS_05_1.VOB at 0x0021f57d
libdvdread: Error cracking CSS key for /VIDEO_TS/VTS_05_1.VOB (0x0021f57d)!!
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_06_0.VOB at 0x0021f62c
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_06_1.VOB at 0x0021f679
libdvdread: Error cracking CSS key for /VIDEO_TS/VTS_06_1.VOB (0x0021f679)!!
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_07_0.VOB at 0x0021f730
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_07_1.VOB at 0x0021f77d
libdvdread: Elapsed time 0
libdvdread: Found 7 VTS's
libdvdread: Elapsed time 0
[decoder.c] cancelling the import threads: 0:00:09, ( 9, 8| 0, 0| 1, 2)
[transcode] encoded 243 frames (0 dropped, 0 cloned), clip length 9.72 s

Note the key decoding errors.

$ ll *.mp4
-rw-r--r-- 1 lcl lcl 1076628 Mar 15 00:51 clip6.mp4
$ mediainfo clip6.mp4 | head
General
Complete name : clip6.mp4
Format : AVI
Format/Info : Audio Video Interleave
File size : 1.03 MiB
Duration : 9s 760ms
Overall bit rate : 882 Kbps
Writing application : transcode-1.1.7
Video

Tried another DVD.
$ transcode -i /dev/dvd -x dvd -s 4.47 --output clip5.avi -y xvid
That generated a 3 minute clip from the beginning of the film. The man page says the default is to encode all chapters which is what should have happened here. There is a complaint about using xvid and a recommendation to use tcaud which I know nothing about.
This was another attempt:
$ transcode -i /dev/dvd -x dvd -c 11:00-15:40 -s 4.47 --output clip4.mp4 -y xvid
This produced nothing - the -c option specifies a 4m40s chunk of the film starting at 11 minutes.
$ transcode -i /dev/dvd -x dvd -c 00:11:00-00:15:40 -s 4.47 --output clip4.mp4 -y xvid
was no more effective.

This probably needs a transcode expert.

Referring to comment 5 and CVE-2019-7397, added a quick check of conversions to PDF. Not possible to say if this definitely exercises the fix to pdf writes but there were no problems.
$ convert JayeGriffiths.jpg Jaye.pdf
$ display Jaye.pdf
$ gm convert JayeGriffiths.jpg jaye.pdf
$ gm display jaye.pdf

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Repeated all commands from Comment10 above (tx a lot Len) with all good results.
Xine plays mpg file well.
Did first transcode operation as from Comment 11 above, got a load of messages "[audio_trans.c] critical: Sorry, output audio format not supported0,10)" but that is OK as this DVD is a homemade one and contains nothing but images and captured super8-movies, thus no sound at all.
The resulting avi file plays OK.
Len, when you're satisfied with your tests, you may OK the 32-bit as well.

CC:
(none) =>
herman.viaene

@Herman, comment 14.
Thanks Herman. You are probably correct about copying commercial DVDs - it is one thing to be able to read them, quite another to write them. I have no home-made ones just now so shall let it pass. Giving it your OK.

Whiteboard:
(none) =>
MGA6-32-OK MGA6-64-OK

I believe you are right, Len, in that transcode testing requires an expert. I recall playing with it once several years ago, and getting nothing but confused. Since ImageMagick tests out OK, and the packages all install without issue, I'm going to validate this update. Suggested advisory in Comment 5.

Keywords:
(none) =>
validated_update
Dave Hodgins
2019-03-21 03:31:10 CET
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0115.html

Resolution:
(none) =>
FIXED
Nicolas Salguero
2019-04-03 12:48:25 CEST
Summary:
imagemagick and graphicsmagick new security issue CVE-2019-7397 =>
imagemagick and graphicsmagick new security issues CVE-2019-7397, CVE-2018-20467, CVE-2019-7175, CVE-2019-7398
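
To confirm on a host that the fixed builds named in the suggested advisory are installed, the following added example (not part of the bug report or of any Mageia tool) compares `rpm -qa` style lines against the advisory's versions. The sample input is constructed, the package subset is chosen for illustration, and `vercmp` is a simplified stand-in for RPM's version comparison that ignores epoch, `~` and `^`.

```python
import re

# Fixed builds (version, release) taken from the advisory text on this page.
FIXED = {
    "graphicsmagick": ("1.3.31", "1.4.mga6"),
    "lib64graphicsmagick3": ("1.3.31", "1.4.mga6"),
    "imagemagick": ("6.9.10.33", "1.mga6"),
    "lib64magick-6Q16_6": ("6.9.10.33", "1.mga6"),
}

# Constructed sample of `rpm -qa` output, not captured from a real host.
SAMPLE_RPM_QA = """\
graphicsmagick-1.3.31-1.3.mga6.x86_64
lib64graphicsmagick3-1.3.31-1.4.mga6.x86_64
imagemagick-6.9.10.22-1.1.mga6.x86_64
lib64magick-6Q16_6-6.9.10.33-1.mga6.x86_64
xine-ui-0.99.9-3.mga6.x86_64
"""

ARCH = re.compile(r"\.(x86_64|i586|noarch)$")

def vercmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, '~' or '^' handling)."""
    ta, tb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def parse_nvr(line):
    """Split name-version-release.arch into (name, version, release)."""
    return tuple(ARCH.sub("", line.strip()).rsplit("-", 2))

def outdated(rpm_qa_text):
    """Return installed packages older than the advisory's fixed build."""
    stale = []
    for line in filter(None, rpm_qa_text.splitlines()):
        name, version, release = parse_nvr(line)
        fixed = FIXED.get(name)
        if fixed and (vercmp(version, fixed[0]) or vercmp(release, fixed[1])) < 0:
            stale.append(line)
    return stale

if __name__ == "__main__":
    for pkg in outdated(SAMPLE_RPM_QA):
        print("needs update:", pkg)
```

On a real system the input would come from `rpm -qa`, and the `FIXED` table would list every binary package named in the advisory.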