Fedora has issued an advisory on October 18: https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html Cauldron is not affected as the issue is fixed in 1.3.18, which is in Cauldron. Patched packages uploaded for Mageia 2 and Mageia 3. Advisory: ======================== Updated graphicsmagick packages fix security vulnerability: GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service (DoS). The vulnerability is caused due to an error within the "ExportAlphaQuantumType()" function found in magick/export.c when exporting 8-bit RGBA images, which can be exploited to cause a crash (SA55288). References: https://secunia.com/advisories/55288/ https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html ======================== Updated packages in core/updates_testing: ======================== graphicsmagick-1.3.13-1.6.mga2 libgraphicsmagick3-1.3.13-1.6.mga2 libgraphicsmagickwand2-1.3.13-1.6.mga2 libgraphicsmagick-devel-1.3.13-1.6.mga2 perl-Graphics-Magick-1.3.13-1.6.mga2 graphicsmagick-doc-1.3.13-1.6.mga2 graphicsmagick-1.3.17-2.1.mga3 libgraphicsmagick3-1.3.17-2.1.mga3 libgraphicsmagickwand2-1.3.17-2.1.mga3 libgraphicsmagick-devel-1.3.17-2.1.mga3 perl-Graphics-Magick-1.3.17-2.1.mga3 graphicsmagick-doc-1.3.17-2.1.mga3 from SRPMS: graphicsmagick-1.3.13-1.6.mga2.src.rpm graphicsmagick-1.3.17-2.1.mga3.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA2TOO
Procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga2 32 following the wiki procedure.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok
A CVE has been requested for this: http://openwall.com/lists/oss-security/2013/11/15/13
CVE-2013-4589 has been allocated for this issue: http://openwall.com/lists/oss-security/2013/11/15/14 Updating the advisory. Advisory: ======================== Updated graphicsmagick packages fix security vulnerability: GraphicsMagick before 1.3.18 is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service (DoS). The vulnerability is caused due to an error within the "ExportAlphaQuantumType()" function found in magick/export.c when exporting 8-bit RGBA images, which can be exploited to cause a crash (CVE-2013-4589). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4589 https://secunia.com/advisories/55288/ http://openwall.com/lists/oss-security/2013/11/15/14 https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html
Summary: graphicsmagick new security issue fixed upstream in 1.3.18 => graphicsmagick new security issue fixed upstream in 1.3.18 (CVE-2013-4589)
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok
advisory uploaded
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO advisory has_procedure mga2-32-ok mga2-64-ok
The perl module is not working in mga3. Possibly related to bug 6561. $ perl test.pl perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick $ ldd /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so linux-vdso.so.1 (0x00007fffeb3fe000) libm.so.6 => /usr/lib64/libm.so.6 (0x00007f2557f95000) libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f2557d79000) libc.so.6 => /usr/lib64/libc.so.6 (0x00007f25579c5000) /lib64/ld-linux-x86-64.so.2 (0x00007f25584c1000)
Whiteboard: MGA2TOO advisory has_procedure mga2-32-ok mga2-64-ok => MGA2TOO feedback advisory has_procedure mga2-32-ok mga2-64-ok
Olivier, you fixed this linking issue before, and your patch is still there. Can you look into this problem?
CC: (none) => fundawang, mageia
If necessary mga2 can be pushed separately for this one
OK this doesn't make any sense. I rebuilt this locally in a VM and it's also linked to liblcms2.so.2, libfreetype.so.6, libX11.so.6, libbz2.so.1, libz.so.1, libltdl.so.7, libxcb.so.1, libdl.so.2, libXau.so.6, libXdmcp.so.6, as well as the expected libGraphicsMagick.so.3.
Splitting the bug to allow mga2 to be pushed. Mga2 is now bug 11719. This bug is now mga3 only. Advisory updated.
Summary: graphicsmagick new security issue fixed upstream in 1.3.18 (CVE-2013-4589) => graphicsmagick (mga3) new security issue fixed upstream in 1.3.18 (CVE-2013-4589)Whiteboard: MGA2TOO feedback advisory has_procedure mga2-32-ok mga2-64-ok => feedback advisory has_procedure
Since the CVE was allocated after the Fedora advisory was issued, it was not available when LWN made the initial vulnerability page for this. They made a new one with our advisory and the CVE. I notified them so that they can merge them. The new one is: http://lwn.net/Vulnerabilities/574927/
No response from packagers sadly so bug 11816 created for the perl module not working. Validating this one with the bug still present. We can't allow security updates to sit indefinitely. Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0355.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED