| Summary: | graphicsmagick 1.3.33 fixes security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |

Description
Stig-Ørjan Smelror
2019-08-10 18:04:16 CEST
Stig-Ørjan Smelror
2019-08-10 18:05:52 CEST
Assignee: smelror => qa-bugs

*** Bug 25257 has been marked as a duplicate of this bug. ***

Advisory
========

This is a security and bugfix update.

References
==========

http://www.graphicsmagick.org/NEWS.html#july-20-2019

Files
=====

Uploaded to core/updates_testing

graphicsmagick-1.3.33-1.mga6
lib64graphicsmagick3-1.3.33-1.mga6
lib64graphicsmagick++12-1.3.33-1.mga6
lib64graphicsmagickwand2-1.3.33-1.mga6
lib64graphicsmagick-devel-1.3.33-1.mga6
perl-Graphics-Magick-1.3.33-1.mga6
graphicsmagick-doc-1.3.33-1.mga6

from graphicsmagick-1.3.33-1.mga6.src.rpm

Whiteboard: (none) => MGA6TOO

David Walser
2019-08-11 18:05:49 CEST
Summary: Update Candidate mga7: GraphicsMagic 1.3.33 => graphicsmagick 1.3.33 fixes security issues

mga7, x86_64

Shall test this later, mga6 too. Spending some time chasing up the clusterfuzz security issues (6 listed between 2018-08-28 and 2019-04-28).

CC: (none) => tarazed25

Hmm. It looks like there are no straightforward Proofs of Concept for these issues. The test cases are designed to be run within the clusterfuzz framework which involves a local build with ASAN run in a docker container by the look of it. Certainly not worth our following up. So all QA can do is exercise the GM utilities, as per usual. Later.

mga7, x86_64

Installed the packages.

```
$ gm version
GraphicsMagick 1.3.33 2019-07-20 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
[...]
Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
[...]
$ gm import screenshot.png
$ eom screenshot.png
```

Perfect copy.

```
$ gm convert -rotate 90 harbour.tif harbour90.jpg
$ gm display harbour90.jpg
```

Picture rotated 90° clockwise.

Create an image stack.

```
$ ./gmtest.pl
$ ll frames.gif
-rw-r--r-- 1 lcl lcl 10120013 Aug 13 11:09 frames.gif
$ gm animate frames.gif
```

Displays four images in quick succession.

```
$ gm animate -delay 100 frames.gif
```

Continuous loop, 1 frame per second.

```
$ cat gmtest.pl
#!/bin/env perl
# http://www.graphicsmagick.org/perl.html#example-script
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('frame1.png', 'frame2.png', 'frame3.png', 'frame4.png');
warn "$status" if "$status";
$status = $image->Write('frames.gif');
warn "$status" if "$status";
```

```
$ gm montage frame*.png frames.jpg
$ gm display frames.jpg
```

Shows a mosaic of 12 thumbnail images.

```
$ gm montage frame*.gif frames.gif
$ gm display frames.gif
```

Mosaic of 13 GIFs in a 6x3 arrangement.

Shrink an image, overwriting the original.

```
$ gm identify MartianCrater.tif
MartianCrater.tif TIFF 1638x1410+0+0 DirectClass 8-bit 1.9Mi 0.000u 0m:0.000005s
$ gm mogrify -resize 50% MartianCrater.tif
gm mogrify: MartianCrater.tif: Invalid tag "BadFaxLines" (not supported by codec). (_TIFFVGetField).
$ gm identify MartianCrater.tif
MartianCrater.tif TIFF 819x705+0+0 DirectClass 8-bit 585.0Ki 0.000u 0m:0.000005s
```

The BadFaxLines issue has been part of the TIFF processing functions forever. It is not a regression and does not seem to affect the quality of the images.

More perl code.

```
$ cat graffiti.pl
#!/bin/env perl
use Graphics::Magick;
my($image, $p, $q);
$image = Graphics::Magick->new;
$image->Set(size=>'100x100');
$image->ReadImage('xc:white');
#$image->Set('pixel[49,49]'=>'red');
$image->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$image->Write('x.ppm');
undef $image;
$p = Graphics::Magick->new;
$p->Read('J*.ppm');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 120,120');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'21,21 119,119');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'22,22 118,118');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'23,23 117,117');
$p->Write('xyz.ppm');
undef $p;
$ perl graffiti.pl
$ gm display x.ppm
```

Generates an image of a white square with a superimposed red square.

```
$ gm display xyz.ppm
```

Resulting image is the original with a red square in one corner.

Good enough for 64-bits.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

mga6, x86_64

Updated the packages and ran a batch of tests similar to or the same as those detailed in comment 5, with similar results. This is good for 64-bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6-64-OK MGA7-64-OK

Thomas Backlund
2019-08-18 11:26:13 CEST
CC: (none) => tmb

Thomas Backlund
2019-08-31 12:45:13 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0228.html

Resolution: (none) => FIXED