Bug 26056

Summary: graphicsmagick 1.3.34 fixes security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: graphicsmagick-1.3.33-1.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-01-12 17:26:28 CET 
GraphicsMagick 1.3.34 has been released on December 24, fixing security issues:
http://www.graphicsmagick.org/NEWS.html#december-24-2019
Comment 1 David Walser 2020-01-12 17:51:40 CET 
Fedora has issued an advisory for this on January 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FS76VNCFL3FVRMGXQEMHBOKA7EE46BTS/
Comment 2 Stig-Ørjan Smelror 2020-01-12 18:04:31 CET 
Advisory
========
GraphicsMagick has been updated to fix security issues.


References
==========
http://www.graphicsmagick.org/NEWS.html#december-24-2019
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FS76VNCFL3FVRMGXQEMHBOKA7EE46BTS/

Files
=====

Uploaded to core/updates_testing

graphicsmagick-1.3.34-1.mga7
libgraphicsmagick3-1.3.34-1.mga7
libgraphicsmagick++12-1.3.34-1.mga7
libgraphicsmagickwand2-1.3.34-1.mga7
libgraphicsmagick-devel-1.3.34-1.mga7
perl-Graphics-Magick-1.3.34-1.mga7
graphicsmagick-doc-1.3.34-1.mga7

from graphicsmagick-1.3.34-1.mga7.src.rpm

Assignee: smelror => qa-bugs

Comment 3 Len Lawrence 2020-01-13 01:06:32 CET 
Mageia7, x86_64

graphicsmagick-1.3.33-1.1.mga7
lib64graphicsmagick3-1.3.33-1.1.mga7

The POC trail leads to imagemagick tests within the ASAN framework which cause ABORT on testing.

This URL indicates that one issue was first detected in graphicsmagick.
https://github.com/ntu-sec/pocs/tree/master/imagemagick/112760b26/crashes

https://github.com/ImageMagick/ImageMagick/issues/1553
https://github.com/ntu-sec/pocs/raw/master/imagemagick/112760b26/crashes/read_xwd.c:573_1.xwd
https://github.com/ntu-sec/pocs/raw/master/imagemagick/112760b26/crashes/read_xwd.c:573_2.xwd

$ gm convert read_xwd.c_573_1.xwd a.png 
gm convert: Improper image header (read_xwd.c_573_1.xwd).
$ gm convert read_xwd.c_573_2.xwd a.png 
gm convert: Improper image header (read_xwd.c_573_2.xwd).

Running updates tomorrow.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2020-01-13 15:37:15 CET 
Continued from comment 3:

Updates ran smoothly - seven packages.
$ gm identify read_xwd.c_573_1.xwd
gm identify: Improper image header (read_xwd.c_573_1.xwd).
gm identify: Request did not return an image.
$ gm identify read_xwd.c_573_2.xwd
gm identify: Improper image header (read_xwd.c_573_2.xwd).
...

No change there so the fixes were likely already in place before the update.

Ran a batch of tests on a local image collection, as documented in previous bugs #24966, #24766, #24103 ....

Everything worked as expected including the perl module (created an animated gif).  Created an image montage, converted image types, applied geometric transformations and other functions to various images- all fine.

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-01-13 17:04:03 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2020-01-13 17:52:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED