Bug 26094

Summary: graphicsmagick new security issues CVE-2019-19950 CVE-2019-19951 CVE-2019-19953
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: graphicsmagick-1.3.34-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-01-16 23:50:32 CET 
openSUSE has issued an advisory on January 15:
https://lists.opensuse.org/opensuse-updates/2020-01/msg00057.html

I'm not sure if these are all fixed in 1.3.34 (Bug 26056).

If not, Mageia 7 would also be affected.
David Walser 2020-01-16 23:50:44 CET

Whiteboard: (none) => MGA7TOO
Severity: normal => major

Comment 1 David Walser 2020-01-30 23:18:17 CET 
Debian-LTS has issued an advisory for this on January 29:
https://www.debian.org/lts/security/2020/dla-2084
Comment 2 Stig-Ørjan Smelror 2020-02-24 08:40:32 CET 
Cauldron has been updated to version 1.3.35.
Comment 3 Stig-Ørjan Smelror 2020-02-24 08:44:41 CET 
Advisory
========

Graphicsmagick has been updated to the latest version to fix several critical security issues.

References
==========
https://lists.opensuse.org/opensuse-updates/2020-01/msg00057.html
https://www.debian.org/lts/security/2020/dla-2084
https://nvd.nist.gov/vuln/detail/CVE-2019-19950
https://nvd.nist.gov/vuln/detail/CVE-2019-19951
https://nvd.nist.gov/vuln/detail/CVE-2019-19953

Files
=====

Uploaded to core/updates_testing

libgraphicsmagickwand2-1.3.35-1.mga7
libgraphicsmagick++12-1.3.35-1.mga7
perl-Graphics-Magick-1.3.35-1.mga7
libgraphicsmagick-devel-1.3.35-1.mga7
libgraphicsmagick3-1.3.35-1.mga7
graphicsmagick-1.3.35-1.mga7
graphicsmagick-doc-1.3.35-1.mga7

from graphicsmagick-1.3.35-1.mga7.src.rpm

Assignee: smelror => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 Thomas Andrews 2020-02-25 01:26:35 CET 
On a 64-bit Plasma system:

The following 3 packages are going to be installed:

- graphicsmagick-1.3.35-1.mga7.x86_64
- graphicsmagick-doc-1.3.35-1.mga7.noarch
- lib64graphicsmagick3-1.3.35-1.mga7.x86_64

All packages installed cleanly.

GraphicksMagick is a powerful cli tool with a multitude of options, far too many to master for testing purposes. However, after looking online, I found a brief, very basic beginners tutorial at https://www.tecmint.com/graphicsmagick-image-processing-cli-tool-for-linux/. As suggested, I ran the following commands first:

$ gm convert -list formats	#check that the expected image formats are supported
$ gm convert -list fonts	#check if fonts are available
$ gm convert -list delegates	#check if delegates (external programs) are configured as expected
$ gm convert -list colors	#check if color definitions may be loaded
$ gm convert -list resources	#check that GraphicsMagick is properly identifying the resources of your machine

All were successful. I then displayed a couple of images, and converted a couple of others between formats. Everything worked.

I believe those tests are adequate for QA purposes, so I'm sending this on its way.

Verifying. Advisory in Comment 3.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-02-26 10:36:49 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-02-26 11:22:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0102.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2020-03-31 23:37:11 CEST 
This update also fixed CVE-2020-10938:
https://lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.html