Fedora has issued an advisory on December 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173409.html

Debian also has fixes for those issues, as well as a handful of DoS issues, in git:
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/6.7.7.10-5%2bdeb7u4

We were in sync with Debian as of January 1, so I just have to pull in the newer patches. They didn't include a fix for the issue in tga.c mentioned in rhbz#1269562, so I will backport that from upstream as well.
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

This update fixes denial of service issues in miff, vicar, hdr, and pdb image handling, a buffer overflow issue in icon handling, and double-free issues in pict and tga image handling.

References:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
http://trac.imagemagick.org/changeset/17846
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
http://trac.imagemagick.org/changeset/17855
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173409.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.8.9.9-4.2.mga5
imagemagick-desktop-6.8.9.9-4.2.mga5
libmagick-6Q16_2-6.8.9.9-4.2.mga5
libmagick++-6Q16_5-6.8.9.9-4.2.mga5
libmagick-devel-6.8.9.9-4.2.mga5
perl-Image-Magick-6.8.9.9-4.2.mga5
imagemagick-doc-6.8.9.9-4.2.mga5

from imagemagick-6.8.9.9-4.2.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Severity: normal => major
URL: (none) => http://lwn.net/Vulnerabilities/667319/
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.1.mga5.i586 is already installed

I can open a file with imagemagick, enhance the file then save it under a different name. That saved file can be opened with gwenview.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.i586 is already installed

I can open a different file with imagemagick, enhance the file then save it under a different name. That saved file can be opened with gwenview. I can open the previously created image file.
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.1.mga5.x86_64 is already installed

I can open a file with imagemagick, enhance the file then save it under a different name. That saved file can be opened with gwenview.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.8.9.9-4.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.8.9.9-4.2.mga5.x86_64 is already installed

I can open a different file with imagemagick, enhance the file then save it under a different name. That saved file can be opened with gwenview. I can open the previously created image file.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0471.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED