Bug 11594 - graphicsmagick (mga3) new security issue fixed upstream in 1.3.18 (CVE-2013-4589)
: graphicsmagick (mga3) new security issue fixed upstream in 1.3.18 (CVE-2013-4...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/572760/
: feedback advisory has_procedure
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-04 19:15 CET by David Walser
Modified: 2013-11-30 22:44 CET (History)
4 users (show)

See Also:
Source RPM: graphicsmagick-1.3.17-2.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-11-04 19:15:14 CET
Fedora has issued an advisory on October 18:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html

Cauldron is not affected as the issue is fixed in 1.3.18, which is in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.


Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick before 1.3.18 is found to have a vulnerability which can be
exploited by malicious people to cause a Denial of Service (DoS). The
vulnerability is caused due to an error within the "ExportAlphaQuantumType()"
function found in magick/export.c when exporting 8-bit RGBA images, which can
be exploited to cause a crash (SA55288).

References:
https://secunia.com/advisories/55288/
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.13-1.6.mga2
libgraphicsmagick3-1.3.13-1.6.mga2
libgraphicsmagickwand2-1.3.13-1.6.mga2
libgraphicsmagick-devel-1.3.13-1.6.mga2
perl-Graphics-Magick-1.3.13-1.6.mga2
graphicsmagick-doc-1.3.13-1.6.mga2
graphicsmagick-1.3.17-2.1.mga3
libgraphicsmagick3-1.3.17-2.1.mga3
libgraphicsmagickwand2-1.3.17-2.1.mga3
libgraphicsmagick-devel-1.3.17-2.1.mga3
perl-Graphics-Magick-1.3.17-2.1.mga3
graphicsmagick-doc-1.3.17-2.1.mga3

from SRPMS:
graphicsmagick-1.3.13-1.6.mga2.src.rpm
graphicsmagick-1.3.17-2.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-11-11 18:22:00 CET
Procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Comment 2 claire robinson 2013-11-13 16:00:18 CET
Testing complete mga2 32 following the wiki procedure.
Comment 3 David Walser 2013-11-15 18:52:10 CET
A CVE has been requested for this:
http://openwall.com/lists/oss-security/2013/11/15/13
Comment 4 David Walser 2013-11-15 21:18:57 CET
CVE-2013-4589 has been allocated for this issue:
http://openwall.com/lists/oss-security/2013/11/15/14

Updating the advisory.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick before 1.3.18 is found to have a vulnerability which can be
exploited by malicious people to cause a Denial of Service (DoS). The
vulnerability is caused due to an error within the "ExportAlphaQuantumType()"
function found in magick/export.c when exporting 8-bit RGBA images, which can
be exploited to cause a crash (CVE-2013-4589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4589
https://secunia.com/advisories/55288/
http://openwall.com/lists/oss-security/2013/11/15/14
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html
Comment 5 claire robinson 2013-11-18 11:27:12 CET
Testing complete mga2 64
Comment 6 claire robinson 2013-11-18 11:33:59 CET
advisory uploaded
Comment 7 claire robinson 2013-11-19 13:19:37 CET
The perl module is not working in mga3. Possibly related to bug 6561.

$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

$ ldd /usr/lib/perl5/vendor_perl/5.16.3/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
        linux-vdso.so.1 (0x00007fffeb3fe000)
        libm.so.6 => /usr/lib64/libm.so.6 (0x00007f2557f95000)
        libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007f2557d79000)
        libc.so.6 => /usr/lib64/libc.so.6 (0x00007f25579c5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f25584c1000)
Comment 8 David Walser 2013-11-19 13:50:30 CET
Olivier, you fixed this linking issue before, and your patch is still there.  Can you look into this problem?
Comment 9 claire robinson 2013-11-19 13:58:30 CET
If necessary mga2 can be pushed separately for this one
Comment 10 David Walser 2013-11-19 15:02:00 CET
OK this doesn't make any sense.  I rebuilt this locally in a VM and it's also linked to liblcms2.so.2, libfreetype.so.6, libX11.so.6, libbz2.so.1, libz.so.1, libltdl.so.7, libxcb.so.1, libdl.so.2, libXau.so.6, libXdmcp.so.6, as well as the expected libGraphicsMagick.so.3.
Comment 11 claire robinson 2013-11-21 11:24:52 CET
Splitting the bug to allow mga2 to be pushed.

Mga2 is now bug 11719.

This bug is now mga3 only. Advisory updated.
Comment 12 David Walser 2013-11-25 19:25:14 CET
Since the CVE was allocated after the Fedora advisory was issued, it was not available when LWN made the initial vulnerability page for this.  They made a new one with our advisory and the CVE.  I notified them so that they can merge them.  The new one is:
http://lwn.net/Vulnerabilities/574927/
Comment 13 claire robinson 2013-11-29 12:46:34 CET
No response from packagers sadly so bug 11816 created for the perl module not working.

Validating this one with the bug still present. We can't allow security updates to sit indefinitely.


Could sysadmin please push from 3 core/updates_testing to updates.

Thanks!
Comment 14 Thomas Backlund 2013-11-30 22:44:33 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0355.html

Note You need to log in before you can comment on or make changes to this bug.