Bug 26751

Summary: graphicsmagick new security issue CVE-2020-12672
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: graphicsmagick-1.3.35-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-06-09 19:29:18 CEST 
Debian-LTS has issued an advisory on June 7:
https://www.debian.org/lts/security/2020/dla-2236

Mageia 7 is also affected.
David Walser 2020-06-09 19:29:28 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-06-09 19:50:08 CEST 
openSUSE has issued an advisory for this on June 8:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00034.html
Comment 2 David Walser 2020-12-27 18:55:26 CET 
Patched packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage
in coders/png.c (CVE-2020-12672).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12672
https://lists.opensuse.org/opensuse-updates/2020-06/msg00034.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.35-1.1.mga7
libgraphicsmagick3-1.3.35-1.1.mga7
libgraphicsmagick++12-1.3.35-1.1.mga7
libgraphicsmagickwand2-1.3.35-1.1.mga7
libgraphicsmagick-devel-1.3.35-1.1.mga7
perl-Graphics-Magick-1.3.35-1.1.mga7
graphicsmagick-doc-1.3.35-1.1.mga7

from graphicsmagick-1.3.35-1.1.mga7.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Thomas Andrews 2020-12-27 23:00:30 CET 
Tested on a 64-bit Plasma system, amd HD8490 graphics.

The following 2 packages are going to be installed:

- graphicsmagick-1.3.35-1.1.mga7.x86_64
- lib64graphicsmagick3-1.3.35-1.1.mga7.x86_64

No installation issues.

Referred to https://bugs.mageia.org/show_bug.cgi?id=26094#c4 for testing procedure. In addion manipulated an image in various ways from the gui.

All tests were successful. Biving this an OK and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 4 Aurelien Oudelet 2020-12-29 10:49:00 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-12-29 12:58:38 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0472.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED