Bug 11719 - graphicsmagick (mga2) new security issue fixed upstream in 1.3.18 (CVE-2013-4589)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory mga2-32-ok mga2-64-ok
Keywords: validated_update
 
Reported: 2013-11-21 11:10 CET by claire robinson
Modified: 2013-11-22 20:28 CET

Source RPM: graphicsmagick

Description claire robinson 2013-11-21 11:10:22 CET
Splitting bug 11594 so mga2 can be pushed separately.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick before 1.3.18 is found to have a vulnerability which can be
exploited by malicious people to cause a Denial of Service (DoS). The
vulnerability is caused due to an error within the "ExportAlphaQuantumType()"
function found in magick/export.c when exporting 8-bit RGBA images, which can
be exploited to cause a crash (SA55288).

References:
https://secunia.com/advisories/55288/
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.13-1.6.mga2
libgraphicsmagick3-1.3.13-1.6.mga2
libgraphicsmagickwand2-1.3.13-1.6.mga2
libgraphicsmagick-devel-1.3.13-1.6.mga2
perl-Graphics-Magick-1.3.13-1.6.mga2
graphicsmagick-doc-1.3.13-1.6.mga2


from SRPMS:
graphicsmagick-1.3.13-1.6.mga2.src.rpm


Comment 1 claire robinson 2013-11-21 11:27:19 CET
Later advisory..

CVE-2013-4589 has been allocated for this issue:
http://openwall.com/lists/oss-security/2013/11/15/14

Updating the advisory.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick before 1.3.18 is found to have a vulnerability which can be
exploited by malicious people to cause a Denial of Service (DoS). The
vulnerability is caused due to an error within the "ExportAlphaQuantumType()"
function found in magick/export.c when exporting 8-bit RGBA images, which can
be exploited to cause a crash (CVE-2013-4589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4589
https://secunia.com/advisories/55288/
http://openwall.com/lists/oss-security/2013/11/15/14
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/120008.html

Keywords: (none) => validated_update
Whiteboard: (none) => advisory mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 2 claire robinson 2013-11-21 11:31:15 CET
Making a mess of this, sorry.

Advisory now uploaded.


Could sysadmin please push from 2 core/updates_testing to updates

Thanks!
Comment 3 Thomas Backlund 2013-11-22 20:28:10 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0350.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

