Bug 14546 - graphicsmagick new security issue CVE-2014-8355
Summary: graphicsmagick new security issue CVE-2014-8355
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/620052/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-14 04:34 CET by David Walser
Modified: 2014-11-25 10:21 CET (History)
3 users (show)

See Also:
Source RPM: graphicsmagick-1.3.18-3.2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-11-14 04:34:45 CET
CVEs were assigned for some out-of-bounds memory reads fixed in ImageMagick:
http://openwall.com/lists/oss-security/2014/10/29/5

The CVE-2014-8355 issue also affected, and was fixed in, GraphicsMagick:
http://seclists.org/fulldisclosure/2014/Nov/1

There is also PoC information in that message.

ImageMagick is being handled in Bug 14526.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick is vulnerable to an out of bounds read / heap Overflow in the
function ReadPCXImage in the file pcx.c. This can be exploited by a crafted
image file to cause a denial of service (CVE-2014-8355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://seclists.org/fulldisclosure/2014/Nov/1
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.17-2.4.mga3
libgraphicsmagick3-1.3.17-2.4.mga3
libgraphicsmagickwand2-1.3.17-2.4.mga3
libgraphicsmagick-devel-1.3.17-2.4.mga3
perl-Graphics-Magick-1.3.17-2.4.mga3
graphicsmagick-doc-1.3.17-2.4.mga3
graphicsmagick-1.3.18-3.3.mga4
libgraphicsmagick3-1.3.18-3.3.mga4
libgraphicsmagickwand2-1.3.18-3.3.mga4
libgraphicsmagick-devel-1.3.18-3.3.mga4
perl-Graphics-Magick-1.3.18-3.3.mga4
graphicsmagick-doc-1.3.18-3.3.mga4

from SRPMS:
graphicsmagick-1.3.17-2.4.mga3.src.rpm
graphicsmagick-1.3.18-3.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-11-14 04:35:55 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

Also note the PoC information referenced in Comment 0.

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 David Walser 2014-11-14 17:54:01 CET
I wasn't able to reproduce a crash with the PoC before the update.  After the update, gm says "Improper image header" and "Request did not return an image."  I guess this is the intended behavior, identifying it as an invalid image file.

Marking OK for Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 Rémi Verschelde 2014-11-19 14:47:13 CET
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory

Comment 4 Len Lawrence 2014-11-24 02:10:06 CET
Testing on Magaeia4 x86_64

Did not try the older version beforehand.
The tests from the procedure linked in comment 1 all went well.
Marking this OK for 64bit.

CC: (none) => tarazed25
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK advisory MGA4-64-OK

Comment 5 Rémi Verschelde 2014-11-24 09:05:41 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Colin Guthrie 2014-11-24 23:08:34 CET
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â (None found)
Checking SRPMs⦠                      â (4/core/graphicsmagick-1.3.18-3.3.mga4) â 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 David Walser 2014-11-24 23:20:30 CET
The SRPM name is correct.  Someone manually removed all of the SRPMS from Mageia 4 updates_testing (!).  Hopefully Colin can restore them.

Keywords: (none) => validated_update

Comment 8 Mageia Robot 2014-11-25 10:21:55 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0484.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.