Bug 24584

Summary: imagemagick, graphicsmagick new security issue CVE-2018-20467, CVE-2019-7175, CVE-2019-7398
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, guillomovitch, marja11, mhrambo3501, nicolas.salguero, smelror
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO
Source RPM: graphicsmagick-1.3.31-1.4.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-03-28 21:29:39 CET 
openSUSE has issued an advisory today (March 28):
https://lists.opensuse.org/opensuse-updates/2019-03/msg00099.html

Mageia 6 is also affected.
David Walser 2019-03-28 21:29:47 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2019-03-28 21:34:30 CET 
SUSE has issued advisories for this on March 26 and 27:
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005238.html
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005256.html

There are some additional CVEs for ImageMagick.
Comment 2 Marja Van Waes 2019-03-29 08:03:53 CET 
Assigning to all packagers collectively, since there are no registered maintainer for these packages.
Also CC'ing some committers.

CC: (none) => geiger.david68210, guillomovitch, marja11, mrambo, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2019-03-30 20:07:17 CET 
SUSE has issued an advisory on March 29:
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005265.html

Summary: imagemagick, graphicsmagick new security issue CVE-2019-7175 => imagemagick, graphicsmagick new security issue CVE-2018-20467, CVE-2019-7175, CVE-2019-7398

Comment 4 Nicolas Salguero 2019-04-03 10:05:57 CEST 
Hi,

Regarding imagemagick, CVE-2018-20467, CVE-2019-7175, CVE-2019-7398 were fixed by commits dating from the same date as commit for CVE-2019-7397 so imagemagick-6.9.10-33 from bug 24396 already fixed those CVEs.

Regarding graphicsmagick, after looking at the code (and confirmed by https://bugzilla.opensuse.org/show_bug.cgi?id=1128649#c2, i.e. graphicsmagick version 1.3.29), version 1.3.31 seems to already contain the fix for CVE-2019-7175.

But I found that imagemagick before 7.0.8-36 (and 6.9.10-36 for mageia 6) is affected by CVE-2019-10649 and CVE-2019-10650.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650

What is the best method: close that bug report and open a new one for those two new CVEs or update that bug report?

Best regards,

Nico.
Comment 5 David Walser 2019-04-03 12:39:40 CEST 
Hi Nicolas,

Thanks for figuring all that out.  If you wouldn't mind noting on the previous Mageia bugs where we fixed these CVEs for imagemagick and graphicsmagick, that can help me in the future.

We can close this as INVALID and open a new bug for the CVEs you found.
Comment 6 Nicolas Salguero 2019-04-03 12:50:23 CEST 
Okay.  I will do that.

Status: NEW => RESOLVED
Resolution: (none) => INVALID