A CVE has been assigned for a security issue fixed recently in ImageMagick (possibly in 6.8.8-5):
http://openwall.com/lists/oss-security/2014/02/12/13

The CVE request contains a possible patch for the issue:
http://openwall.com/lists/oss-security/2014/02/12/2

Mageia 3 and possibly Mageia 4 are affected. Cauldron has version 6.8.8-5.
Whiteboard: (none) => MGA3TOO
OK there's been some confusion with this CVE assignment, but I think the current status is, CVE-2014-1947 refers to older (older than what we have in Mageia 3) versions of ImageMagick that have "L%02ld" as the format string.

A new CVE will be assigned (but hasn't been yet) for the issue the patch posted in the request fixed, and the origin of that patch is this:
http://trac.imagemagick.org/changeset/13736

CVE-2014-1958 refers to an even more recent commit:
http://trac.imagemagick.org/changeset/14801

Mageia 4 is missing both commits, so we'll need patches for both in Mageia 3 and Mageia 4 once the CVE assignments are sorted out.
Summary: imagemagick new security issue CVE-2014-1947 => imagemagick new security issue CVE-2014-1958 and CVE-2014-XXXX
CVE-2014-2030 has finally been assigned for the first issue:
http://openwall.com/lists/oss-security/2014/02/19/13
Summary: imagemagick new security issue CVE-2014-1958 and CVE-2014-XXXX => imagemagick new security issue CVE-2014-1958 and CVE-2014-2030
Patched packages uploaded for Mageia 3 and Mageia 4.

I *think* my description for CVE-2014-2030 is accurate :o)

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running ImageMagick (CVE-2014-1958).

A buffer overflow flaw was found in the way ImageMagick writes PSD images when the input data has a large number of unlabeled layers (CVE-2014-2030).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030
http://secunia.com/advisories/56844/
https://bugzilla.redhat.com/show_bug.cgi?id=1067276
https://bugzilla.redhat.com/show_bug.cgi?id=1064098
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.1.1-2.1.mga3
imagemagick-desktop-6.8.1.1-2.1.mga3
libmagick7-6.8.1.1-2.1.mga3
libmagick-devel-6.8.1.1-2.1.mga3
perl-Image-Magick-6.8.1.1-2.1.mga3
imagemagick-doc-6.8.1.1-2.1.mga3
imagemagick-6.8.7.0-2.1.mga4
imagemagick-desktop-6.8.7.0-2.1.mga4
libmagick-6Q16_1-6.8.7.0-2.1.mga4
libmagick++-6Q16_3-6.8.7.0-2.1.mga4
libmagick-devel-6.8.7.0-2.1.mga4
perl-Image-Magick-6.8.7.0-2.1.mga4
imagemagick-doc-6.8.7.0-2.1.mga4

from SRPMS:
imagemagick-6.8.1.1-2.1.mga3.src.rpm
imagemagick-6.8.7.0-2.1.mga4.src.rpm
Assignee: fundawang => qa-bugs
Severity: normal => major
Testing mga3 32 & 64

The CVEs relate to opening PSD files so downloaded some example ones to test with.
Testing complete mga3 32 & 64 using the examples.pl script from here and two images model.gif and smile.gif. Created the two images using the 'convert' cli tool from any-old-picture.jpg and a-smilie-from-the-net.png.

http://www.imagemagick.org/script/examples.php

$ convert any-old-picture.jpg model.gif
$ convert a-smilie-from-the-net.png smile.gif

$ perl examples.pl
Read...
Transform image...
Adaptive Blur...
Adaptive Resize...
...etc
Vignette...
Wave...
Montage...
Write...
Display...

$ display demo.jpg

Clicked on the image and played with some options in the menu which appears.

Used some of the other imagemagick commands..

$ urpmf imagemagick | grep bin
imagemagick:/usr/bin/animate
imagemagick:/usr/bin/compare
imagemagick:/usr/bin/composite
imagemagick:/usr/bin/conjure
imagemagick:/usr/bin/convert
imagemagick:/usr/bin/display
imagemagick:/usr/bin/identify
imagemagick:/usr/bin/import
imagemagick:/usr/bin/mogrify
imagemagick:/usr/bin/montage
imagemagick:/usr/bin/stream

$ import -window root screencap.tiff
$ display screencap.tiff
$ identify screencap.tiff
screencap.tiff TIFF 1024x768 1024x768+0+0 16-bit sRGB 4.725MB 0.000u 0:00.000
$ mogrify -gaussian-blur 20 screencap.tiff
$ display screencap.tiff

Some stuff with psd's for the CVE..

$ mogrify -gaussian-blur 20 ../04Start.psd
$ display ../04Start.psd
$ convert screencap.tiff screencap.psd
$ display screencap.psd
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
I ran the same commands as Claire did at the end from 'import' on. I also created an XCF file in the GIMP with over 100 layers and converted it to a PSD file with convert and displayed it. (Note that only psd.c in the source is affected by this update). Didn't have any issues before or after the update. Tested on Mageia 4 i586.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
imagemagick

default updated install of imagemagick

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.mga4.i586 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

install imagemagick from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.i586 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
imagemagick

default updated install of imagemagick

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.mga4.x86_64 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

install imagemagick from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.7.0-2.1.mga4.x86_64 is already installed

[wilcal@localhost Pictures]$ convert desktop.png desktop.jpg
works just fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
For me this update works fine. Go ahead and push it.
Validating update, advisory uploaded. Please push to 3 & 4 core/updates.
CC: (none) => remi
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
Update pushed:
http://advisories.mageia.org/MGASA-2014-0087.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Tested MGA4 64 re
CC: (none) => lewyssmith
Comment 12 irrelevant.

Tested MGA4 64 real hardware OK.

Further to comments 8 & 9 (again working in parallel).

Installed current ImageMagick, tried it [display + playing] on several psd images.

Updated from Testing to
imagemagick-6.8.7.0-2.1.mga4
lib64magick++-6Q16_3-6.8.7.0-2.1.mga4
lib64magick-6Q16_1-6.8.7.0-2.1.mga4
perl-Image-Magick-6.8.7.0-2.1.mga4

Ran lots of tests directly on psd images for the clever perl script ex comment 5
http://www.imagemagick.org/source/examples.pl
plus directly from 'display' menu possibilities. Apart from a few enigmas, all works fine.

Converted different psd images to png, jpg, tiff, bmp, gif OK. Note that if the source image is multi-layer, it produces unique additional files for each layer.

Confirm MGA4-64-OK
URL: (none) => http://lwn.net/Vulnerabilities/588051/