OpenSuSE has issued an advisory on November 12:
http://lists.opensuse.org/opensuse-updates/2014-11/msg00036.html

These CVEs were discussed here on the oss-security list:
http://openwall.com/lists/oss-security/2014/10/29/5
http://openwall.com/lists/oss-security/2014/10/31/3

Note that there's also a CVE-2014-8561 not mentioned in the OpenSuSE advisory.

Those issues are all fixed in 6.8.9-9, which is already in Cauldron.

More recently, CVE-2014-8716 has been assigned:
http://openwall.com/lists/oss-security/2014/11/12/4

That issue is fixed upstream and will be in the 6.8.9-10 release, so Cauldron is currently affected by that one.

Mageia 3 and Mageia 4 are likely affected by some of these issues.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Summary: imagemagick new security issues CVE-2014-835[45], CVE-2014-856[12], and => imagemagick new security issues CVE-2014-835[45], CVE-2014-856[12], and CVE-2014-8716
CVE-2014-8354 fix:
http://trac.imagemagick.org/changeset/16765

CVE-2014-8355 fix:
http://trac.imagemagick.org/changeset/16773

For CVE-2014-8561, I'm confused. Ubuntu and an imagemagick.org forum post claim that the change in magick/profile.c in the DeleteImageProfile call's arguments from (image,name) to (image,next) was what caused the issue, but the Debian bug claims the issue was fixed in 6.8.9-9, which still has (image,next) as the arguments. The change was only made in August. So, it at least appears that Mageia 3 and Mageia 4 aren't vulnerable. Either Cauldron still is, or the upstream fix changed something elsewhere in the code. The Debian bug has a PoC, so this could be tested in Cauldron.
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8561.html
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26399%23p116146
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872

CVE-2014-8562 fix:
http://trac.imagemagick.org/changeset/16795

Other notes:

There is some PoC information for some of the CVEs here:
http://seclists.org/fulldisclosure/2014/Nov/1

GraphicsMagick is affected by CVE-2014-8355 and has a fix here:
http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/

GraphicsMagick also had a recent security fix in coders/psd.c (CVE-2014-1947), which we had already patched, but the upstream fix had, instead of:
(void) sprintf(layer_name, "L%02d", layer_count++ );
they have this:
FormatString( layer_name, "L%04d", layer_count++ );
CVE-2014-8716 fix: http://trac.imagemagick.org/changeset/16872
PoC information for CVE-2014-8716: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
For graphicsmagick, I'll file a new bug.

As for ImageMagick, patched packages uploaded for Mageia 4 and Cauldron. For Mageia 3, for some reason it won't accept the ThrowPCXException thing that is #define'd in the patch:
http://pkgsubmit.mageia.org/uploads/failure/3/core/updates_testing/20141114004245.luigiwalser.valstar.1576/log/imagemagick-6.8.1.1-2.3.mga3/build.0.20141114004305.log

Just saving the advisory for later, below.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716
http://lists.opensuse.org/opensuse-updates/2014-11/msg00036.html
Packages built so far:

graphicsmagick-1.3.17-2.4.mga3
libgraphicsmagick3-1.3.17-2.4.mga3
libgraphicsmagickwand2-1.3.17-2.4.mga3
libgraphicsmagick-devel-1.3.17-2.4.mga3
perl-Graphics-Magick-1.3.17-2.4.mga3
graphicsmagick-doc-1.3.17-2.4.mga3

graphicsmagick-1.3.18-3.3.mga4
libgraphicsmagick3-1.3.18-3.3.mga4
libgraphicsmagickwand2-1.3.18-3.3.mga4
libgraphicsmagick-devel-1.3.18-3.3.mga4
perl-Graphics-Magick-1.3.18-3.3.mga4
graphicsmagick-doc-1.3.18-3.3.mga4

imagemagick-6.8.7.0-2.3.mga4
imagemagick-desktop-6.8.7.0-2.3.mga4
libmagick-6Q16_1-6.8.7.0-2.3.mga4
libmagick++-6Q16_3-6.8.7.0-2.3.mga4
libmagick-devel-6.8.7.0-2.3.mga4
perl-Image-Magick-6.8.7.0-2.3.mga4
imagemagick-doc-6.8.7.0-2.3.mga4

from SRPMS:
graphicsmagick-1.3.17-2.4.mga3.src.rpm
graphicsmagick-1.3.18-3.3.mga4.src.rpm
imagemagick-6.8.7.0-2.3.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks to an extra set of eyes from Pascal, a couple of errors in the CVE-2014-8355 patch were fixed, so now Mageia 3's update is built.

imagemagick-6.8.1.1-2.3.mga3
imagemagick-desktop-6.8.1.1-2.3.mga3
libmagick7-6.8.1.1-2.3.mga3
libmagick-devel-6.8.1.1-2.3.mga3
perl-Image-Magick-6.8.1.1-2.3.mga3
imagemagick-doc-6.8.1.1-2.3.mga3

from imagemagick-6.8.1.1-2.3.mga3.src.rpm

Fortunately this made me look at the Mageia 4 patch too, which had been blank initially somehow, so I fixed that too (already in the build from the previous comment).
Assigning to QA.

Note the PoC information referenced in Comment 1 and Comment 3. It would be nice if someone could test CVE-2014-8561 on Cauldron, to see if I still need to patch that.

GraphicsMagick CVE-2014-8355 has been filed as Bug 14546.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716
http://lists.opensuse.org/opensuse-updates/2014-11/msg00036.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.1.1-2.3.mga3
imagemagick-desktop-6.8.1.1-2.3.mga3
libmagick7-6.8.1.1-2.3.mga3
libmagick-devel-6.8.1.1-2.3.mga3
perl-Image-Magick-6.8.1.1-2.3.mga3
imagemagick-doc-6.8.1.1-2.3.mga3

imagemagick-6.8.7.0-2.3.mga4
imagemagick-desktop-6.8.7.0-2.3.mga4
libmagick-6Q16_1-6.8.7.0-2.3.mga4
libmagick++-6Q16_3-6.8.7.0-2.3.mga4
libmagick-devel-6.8.7.0-2.3.mga4
perl-Image-Magick-6.8.7.0-2.3.mga4
imagemagick-doc-6.8.7.0-2.3.mga4

from SRPMS:
imagemagick-6.8.1.1-2.3.mga3.src.rpm
imagemagick-6.8.7.0-2.3.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12742#c5

Please also see the PoC information in comment 1 and comment 3.

Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure advisory
I couldn't reproduce crashes with any of the PoCs. The CVE-2014-8355 one gave normal identify output, as it did with GraphicsMagick, and the others gave error messages (but not a SEGV). After the update, the CVE-2014-8355 one gave an error message, as it also did with the GraphicsMagick update, and the other ones still gave the same error messages as before.

I also tested some of the commands from Claire's testcase.

Testing complete on Mageia 3 i586 and Mageia 4 i586.
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory
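As an added example that is not part of the bug report or of Mageia's QA procedure, a small POSIX shell helper that automates the check the testers made above: run convert or identify on a PoC sample and tell apart a normal parse, a handled error message, and a process killed by a signal (the out-of-bounds-access crash these CVEs cause). The sample file names are the ones used in the comments; nothing else is assumed.

```shell
#!/bin/sh
# Added QA helper (not from the bug report or Mageia QA). It runs one
# ImageMagick command on a PoC sample and classifies the result the way the
# testers above did: a clean parse, a handled "@ error/..." message, or a
# process killed by a signal (the out-of-bounds-access DoS these CVEs describe).
# Sample file names (imagetest, imagetest2.pcx) are taken from the comments.

# Map an exit status to a verdict string.
#   0        -> "ok"                 (file parsed normally)
#   1..127   -> "error (exit N)"     (ImageMagick reported an error and exited)
#   128+sig  -> "crash (signal sig)" (e.g. 139 = SIGSEGV)
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -ge 128 ]; then
        echo "crash (signal $((status - 128)))"
    else
        echo "error (exit $status)"
    fi
}

# check_poc LABEL COMMAND [ARGS...]
# Runs COMMAND with its output discarded, prints "LABEL: verdict" on stdout,
# and returns non-zero only when the command died from a signal, so a loop
# over samples under `set -e` stops at the first real crash.
check_poc() {
    label=$1
    shift
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    printf '%s: %s\n' "$label" "$(classify_exit "$status")"
    [ "$status" -lt 128 ]
}

# Before/after comparison as run in the thread (uncomment on a test box):
# check_poc CVE-2014-8716 convert imagetest png:/dev/null
# check_poc CVE-2014-8355 identify imagetest2.pcx
# check_poc CVE-2014-8355 convert imagetest2.pcx imagetest2.gif
```

Run the same three lines before and after installing the updates_testing packages; "error" after the update where "ok" or "crash" appeared before is the expected change.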
Testing on Mageia3-64 real HW

Current packages :
----------------
$ rpm -q imagemagick
imagemagick-6.8.1.1-2.1.mga3

CVE-2014-8716
$ convert imagetest png:/dev/null
convert: Corrupt JPEG data: premature end of data segment `imagetest' @ warning/jpeg.c/JPEGWarningHandler/348.

CVE-2014-8355 : identify command didn't give any error, and convert could convert imagetest2.pcx to imagetest2.gif.

Following the procedure mentioned in comment 8: could convert, identify and test some of Claire's tests in the testing procedure found in comment 8, as well as the perl script.

Update to testing packages :
--------------------------
- imagemagick-6.8.1.1-2.3.mga3.x86_64
- imagemagick-desktop-6.8.1.1-2.3.mga3.x86_64
- imagemagick-doc-6.8.1.1-2.3.mga3.noarch
- lib64magick-devel-6.8.1.1-2.3.mga3.x86_64
- lib64magick7-6.8.1.1-2.3.mga3.x86_64
- perl-Image-Magick-6.8.1.1-2.3.mga3.x86_64

$ convert imagetest png:/dev/null
convert: Corrupt JPEG data: premature end of data segment `imagetest' @ warning/jpeg.c/JPEGWarningHandler/348.

CVE-2014-8355 : identify and convert commands gave error messages (identify: En-tête d'image incorrect `imagetest2.pcx' @ error/pcx.c/ReadPCXImage/393.)

Other tests ok.

I don't know, for both CVEs, whether those results were expected.
CC: (none) => olchal
(In reply to olivier charles from comment #10)
> I don't know about both CVEs if that results were expected.

Yep, thanks. Adding the OK.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK advisory
Validating, it's been well tested already.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0482.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-8716:
http://lwn.net/Vulnerabilities/622954/