Bug 5701

Summary: imagemagick new security issues CVE-2012-0259, CVE-2012-0260, CVE-2012-1798, CVE-2012-1610
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, olivier.delaune, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: imagemagick-6.6.6.10-5.1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-05-01 05:13:24 CEST 
Debian has issued this advisory on April 29:
http://www.debian.org/security/2012/dsa-2462

Cauldron is also affected.  Patches commited to SVN and freeze push requested.

Patched package for Mageia 1 uploaded.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

An out-of heap-based buffer read flaw was found in the way ImageMagick,
an image display and manipulation tool for the X Window System, retrieved
Exchangeable image file format (Exif) header tag information from certain
JPEG files. A remote attacker could provide a JPEG image file, with EXIF
header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service)
(CVE-2012-0259, CVE-2012-0260, CVE-2012-1798, CVE-2012-1610).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1798
http://www.debian.org/security/2012/dsa-2462
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.6.6.10-5.2.mga1
imagemagick-desktop-6.6.6.10-5.2.mga1
libmagick4-6.6.6.10-5.2.mga1
libmagick-devel-6.6.6.10-5.2.mga1
perl-Image-Magick-6.6.6.10-5.2.mga1
imagemagick-doc-6.6.6.10-5.2.mga1

from imagemagick-6.6.6.10-5.2.mga1.src.rpm
David Walser 2012-05-01 05:13:54 CEST

Blocks: (none) => 5046

David Walser 2012-05-01 15:59:45 CEST

Blocks: 5046 => (none)

Comment 1 Olivier Delaune 2012-05-04 08:31:11 CEST 
Testing on 64-bits Mageia 1. I did basic test such as display, identify or convert. It works fine.

CC: (none) => olivier.delaune

Comment 2 Dave Hodgins 2012-05-05 02:09:00 CEST 
Testing complete on i586.

Testing using basic tests, including resizing and adding a border to images.

Could someone from the sysadmin team push the srpm
imagemagick-6.6.6.10-5.2.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:
Updated imagemagick packages fix security vulnerabilities:

An out-of heap-based buffer read flaw was found in the way ImageMagick,
an image display and manipulation tool for the X Window System, retrieved
Exchangeable image file format (Exif) header tag information from certain
JPEG files. A remote attacker could provide a JPEG image file, with EXIF
header containing specially-crafted tag values, which once opened in some
ImageMagick tool would lead to the crash of that tool (denial of service)
(CVE-2012-0259, CVE-2012-0260, CVE-2012-1798, CVE-2012-1610).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1798
http://www.debian.org/security/2012/dsa-2462
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259

https://bugs.mageia.org/show_bug.cgi?id=5701

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Thomas Backlund 2012-05-07 14:45:25 CEST 
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED