Fixed upstream in 6.9.4-6, along with another possible security issue with "indirect reads" which use "@" instead of "|" for the pipes/popen CVE-2016-5118 issue.

Freeze push requested for Cauldron.

For Mageia 5, you'll need to rebuild ruby-rmagick again since you didn't remove the explicit version requirement last time.

Updated imagemagick-6.9.4.6-1.mga5.src.rpm submitted to mga5 core/updates_testing. I'll try to get to preparing an advisory soon. I've tested "convert" on converting a .jpg to a .png and it worked.

Package list:
imagemagick-6.9.4.6-1.mga5
imagemagick-desktop-6.9.4.6-1.mga5
libmagick-6Q16_2-6.9.4.6-1.mga5
libmagick++-6Q16_6-6.9.4.6-1.mga5
libmagick-devel-6.9.4.6-1.mga5
perl-Image-Magick-6.9.4.6-1.mga5
imagemagick-doc-6.9.4.6-1.mga5

from imagemagick-6.9.4.6-1.mga5.src.rpm

Shlomi, remember that ruby-rmagick needs rebuilt again too.

Freeze push was pushed in Cauldron, setting version to 5.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Debian has issued an advisory for this on June 1:
https://www.debian.org/security/2016/dsa-3591

Advisory:

I have uploaded an upgraded imagemagick package to Mageia 5 core/updates_testing. It can be tested by running the imagemagick's command line tools.

Suggested advisory:
===================

Updated imagemagick package fixes CVE-2016-5118 and Mageia bug #18598.
Slackware has issued an advisory on May 30:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.397749

The issue was reported by the GraphicsMagick author, here:
http://seclists.org/oss-sec/2016/q2/432

("CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename")

References:
* http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.397749
* http://seclists.org/oss-sec/2016/q2/432
* https://www.debian.org/security/2016/dsa-3591
* https://security-tracker.debian.org/tracker/CVE-2016-5118

Updated packages in core/updates_testing:
========================

imagemagick-6.9.4.6-1.mga5
imagemagick-desktop-6.9.4.6-1.mga5
libmagick-6Q16_2-6.9.4.6-1.mga5
libmagick++-6Q16_6-6.9.4.6-1.mga5
libmagick-devel-6.9.4.6-1.mga5
perl-Image-Magick-6.9.4.6-1.mga5
imagemagick-doc-6.9.4.6-1.mga5

Source RPMs:
imagemagick-6.9.4.6-1.mga5.src.rpm

Assigning to QA.

Status: NEW => ASSIGNED
CC: (none) => qa-bugs

(In reply to David Walser from comment #1)
> For Mageia 5, you'll need to rebuild ruby-rmagick again since you didn't
> remove the explicit version requirement last time.

(In reply to David Walser from comment #3)
> Shlomi, remember that ruby-rmagick needs rebuilt again too.

CC: qa-bugs => shlomif

6.9.4-7 fixes a path traversal issue:
https://github.com/ImageMagick/ImageMagick/blob/ImageMagick-6/ChangeLog

see the magick/module.c part of this commit for the fix:
https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb

We might as well update it again.  Please remember to rebuild ruby-rmagick this time.

6.9.4-8 disables indirect reads by policy, and it fixes a heap overflow:
http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog

(In reply to David Walser from comment #9)
> 6.9.4-8 disables indirect reads by policy, and it fixes a heap overflow:
> http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog

imagemagick 6.9.4.8 was just submitted to the core 5 updates_testing repository. Sorry it took me so long. I'll see about rebuilding ruby-rmagick next.

Thanks.  Package list is below.  Just need an advisory.

ruby-rmagick-2.13.2-21.2.mga5
ruby-rmagick-doc-2.13.2-21.2.mga5
imagemagick-6.9.4.8-1.mga5
imagemagick-desktop-6.9.4.8-1.mga5
libmagick-6Q16_2-6.9.4.8-1.mga5
libmagick++-6Q16_6-6.9.4.8-1.mga5
libmagick-devel-6.9.4.8-1.mga5
perl-Image-Magick-6.9.4.8-1.mga5
imagemagick-doc-6.9.4.8-1.mga5

Source RPMs:
ruby-rmagick-2.13.2-21.2.mga5.src.rpm
imagemagick-6.9.4.8-1.mga5.src.rpm

Assignee: shlomif => qa-bugs
Whiteboard: feedback => (none)

Installed the updates on x86_64 and generated some images using the built-in image creation functions.
$ convert -size 200x160 canvas:MistyRose rose.png
$ convert -size 100x100  gradient:tomato-steelblue gradient_5.jpg
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg
$ convert -size 100x100  plasma:yellow yellowplasma.jpg
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

Converted a jpeg image to PNG format and then the png image to GIF without any degradation.
Resized an image in place by 60%.
$ mogrify -resize 60%x60% -quality 100 ensemble.jpg
Generated a squashed image in a different image format.
$ convert -resize 120%x80% -quality 100 ensemble.png squashed.jpg
Create a vignetted picture of a rose (from stock image).
$ convert rose: -background black -vignette 0x5  rose_vignette.gif
Make a vignette from an image:
$ convert -background none -vignette 0x10 ensemble.jpg vignette.jpg
Hide a message in another image:
$ convert -gravity center -size 60x50 label:"Morning QA" message.png
$ composite message.png rose: -stegano +15+2 rose_message.png
And recover the message:
$ convert -size 60x50+15+2 stegano:rose_message.png recovered.png
Examine a set of images:
$ identify *{gif,png}
ensemble.gif GIF 550x845 550x845+0+0 8-bit sRGB 256c 355KB 0.000u 0:00.000
message.gif GIF 50x40 50x40+0+0 8-bit sRGB 128c 728B 0.000u 0:00.000
pbl130.gif GIF 343x664 343x664+0+0 8-bit sRGB 256c 128KB 0.000u 0:00.000
rose_vignette.gif GIF 70x46 70x46+0+0 8-bit sRGB 256c 3.73KB 0.000u 0:00.000
ensemble.png PNG 660x676 660x676+0+0 8-bit sRGB 535KB 0.000u 0:00.000
message.png PNG 60x50 60x50+0+0 16-bit sRGB 932B 0.000u 0:00.000
recovered.png PNG 60x50 60x50+0+0 16-bit sRGB 1.75KB 0.000u 0:00.000
rose_message.png PNG 70x46 70x46+0+0 16-bit sRGB 13.3KB 0.000u 0:00.000

Rotate an image:
$ mogrify -rotate 270 anyimage.jpg

Most of these and many other examples can be found at http://www.imagemagick.org/Usage/transform/

This looks fine so far.  Can we assume that functionality tests are all that is required here?

Shall look into ruby-rmagick next.

CC: (none) => tarazed25

(In reply to Len Lawrence from comment #12)
> This looks fine so far.  Can we assume that functionality tests are all that
> is required here?

Mostly, yes.  There's a PoC for the CVE in this message:
http://seclists.org/oss-sec/2016/q2/432

It would be nice to try that.

Testing+ M5 x64
Further to Len's exhaustive work in Comment 12, I tried the POC. The URL in Comment 13 (thanks David) shows identical data to the same problem for GraphicksMagic.

BEFORE UPDATE
imagemagick-6.9.4.2-0.1.mga5
lib64magick-6Q16_2-6.9.4.2-0.1.mga5
lib64magick++-6Q16_5-6.8.9.9-4.2.mga5      [note]
perl-Image-Magick-6.9.4.2-0.1.mga5
ruby-rmagick-2.13.2-21.1.mga5

$ rm -f hello.txt
$ convert '|echo Hello > hello.txt;' null:
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
$ cat hello.txt 
Hello

which is *wrong*.

AFTER UPDATE
imagemagick-6.9.4.8-1.mga5
lib64magick-6Q16_2-6.9.4.8-1.mga5
lib64magick++-6Q16_5-6.8.9.9-4.2.mga5      [note]
perl-Image-Magick-6.9.4.8-1.mga5
ruby-rmagick-2.13.2-21.2.mga5

$ rm -f hello.txt
$ convert '|echo Hello > hello.txt;' null:
convert: unable to open image `|echo Hello > hello.txt;': No such file or directory @ error/blob.c/OpenBlob/2705.
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
$ cat hello.txt 
cat: hello.txt: No such file or directory

which is *correct*. So that is sorted.
______________________________________

 lib64magick++-6Q16_5-6.8.9.9-4.2.mga5
stays the same after the update, whereas it should be (Comment 11):
 lib64magick++-6Q16_6-6.9.4.8-1.mga5
It was not in Updates Testing. Witholding the MGA5-64-OK for the moment, but please put it if this incident is unimportant.

CC: (none) => lewyssmith

libmagick++-6Q16_6 is in updates_testing, so you might have a mirror issue if you don't see it.  It will not just automatically replace the _5 one with the _6 one though, so you might have just had a misunderstanding there.

You raise an important issue though, I hadn't noticed that library major changed, so we'll need to rebuild all of the packages that use it (we should have done so last time):
converseen
cuneiform-linux
inkscape
k3d
kcm-grub2
kxstitch
performous
perl-Image-SubImageFind
pfstools
pstoedit
pythonmagick
synfig
vdr-plugin-skinelchi
vdr-plugin-skinenigmang

Whiteboard: (none) => feedback

(In reply to David Walser from comment #15)
> libmagick++-6Q16_6 is in updates_testing, so you might have a mirror issue
> if you don't see it.  It will not just automatically replace the _5 one with
> the _6 one though, so you might have just had a misunderstanding there.
> 
> I hadn't noticed that library major changed
>
Well, I had lib64magick++-6Q16_5 before the update, so the subtle (despite being called 'major') number change would have meant legitimately that I did not see the new lib64magick++-6Q16_6 not having the prior one!
Will the update automatically make the _5 to _6 jump?

(In reply to Lewis Smith from comment #16)
> Will the update automatically make the _5 to _6 jump?

If you didn't have _5 installed, you won't have either, but if you did, currently all of the packages that are built against it require _5.  They won't require _6 until we rebuild them.  Once we do that, updating the rebuilt packages will install _6 and _5 will get orphaned.

@Lewis  Thanks for chasing up the PoC.

As I did not have the packages installed before the update only the "6" library packages appeared.

Tested the RMagick gem with ruby:
 #!/bin/env ruby
#
# rim.rb
# Test harness for some RMagick methods
# Refer to https://rmagick.github.io/usage.html for detailed usage.

require 'RMagick'
include Magick

box = { }

generate = Proc.new { |colour| Image.new( 240, 180 ){ self.background_color = colour } }

# Create image object from a JPEG file
star = ImageList.new( "MariaSharapova_2.jpg" ) 
maria = star.minify
# Display half size image
maria.display
# Convert an image to another format
star.write "tennis_star.png"
puts star.inspect
# This returns image information:
# [MariaSharapova_2.jpg=>tennis_star.png JPEG 564x749 564x749+0+0 DirectClass 8-bit 433kb]
# Display the original image in PNG format
ImageList.new( "tennis_star.png" ).display
star = ImageList.new( "MariaSharapova_3.jpg" )
newimage = star.frame( width=25, height=25, x=25, y=25, inner_bevel=6, outer_bevel=6,
                       color='OliveDrab' )
newimage.display
# Create a coloured panel and display it
rectangle = Image.new( 220, 160 ) { self.background_color = "CadetBlue" }
rectangle.display

colour = %w( red orange yellow green blue indigo violet )
colour.each { |hue| box[hue] = generate.call hue } 
# Create an animated gif
names = [ ]
box.each_key { |s| box[s].write( "#{s}.gif" ); names << "#{s}.gif" }
animation = ImageList.new( *names )
animation.write( "rainbow.gif" )
# Show the animation
system "eom rainbow.gif"

exit

All the tests worked as expected so maybe we can give this the OK?

To be more precise, before the update rmagick and the lib64 packages were not installed.

Well, we can make a note that as far as ImageMagick itself, you've tested it and it's MGA5-64-OK.  We still need Shlomi to rebuild the packages I listed in Comment 15.

OK David.  Thanks.
So that means we shall have to revisit this bug or will it be a new one?

I guess we could do it either way, but since we should have rebuilt those last time, the sooner we can get that done the better.

Running some checks on i586 in virtualbox

Before update the PoC gave the result posted in comment 14.
$ convert '|echo Hello > hello.txt;' null:
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
$ cat hello.txt
Hello

Updated and installed the packages.
Cherrypicking:
- imagemagick-6.9.4.8-1
- libmagick-6Q16_2-6.9.4.8-1
Manual:
libmagick++-6Q16_6-6.9.4.8-1
libmagick-devel-6.9.4.8-1 pulled in 15 other packages
perl-Image-Magick-6.9.4.8-1
imagemagick-doc-6.9.4.8-1
imagemagick-desktop-6.9.4.8-1 pulled in luit and xterm
ruby-rmagick-2.13.2-21.2
ruby-rmagick-doc-2.13.2-21.2

PoC test after update:
$ rm hello.txt
$ convert '|echo Hello > hello.txt;' null:
convert: unable to open image `|echo Hello > hello.txt;': No such file or directory @ error/blob.c/OpenBlob/2705.
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
$ cat hello.txt
cat: hello.txt: No such file or directory

Just as Lewis said.

Put imagemagick through its paces by running convert/mogrify/identify on a selection of images and exercized some of the canvas image creation commands as before, using eom to view images.  Not quite true that PNG or JPEG images convert to GIF without degradation.  The limited colourspace of GIF images means that the conversions can never be perfect.

Tested rmagick gem using the earlier ruby script.
No problems there either.

ImageMagick is good for 32bits.

Assigning to Shlomi to rebuild the packages listed in Comment 15.

CC: (none) => qa-bugs
Assignee: qa-bugs => shlomif

(In reply to David Walser from comment #15)
> libmagick++-6Q16_6 is in updates_testing, so you might have a mirror issue
> if you don't see it.  It will not just automatically replace the _5 one with
> the _6 one though, so you might have just had a misunderstanding there.
> 
> You raise an important issue though, I hadn't noticed that library major
> changed, so we'll need to rebuild all of the packages that use it (we should
> have done so last time):
> converseen

submitted.

> cuneiform-linux

submitted.

> inkscape

still getting built.

> k3d

this fails to build here - 
[ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/user_property_changed_signal.cpp.o
[ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/ustring.cpp.o
[ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/utility_gl.cpp.o
[ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o
/home/shlomif/Download/unpack/Mageia/5/k3d/BUILD/k3d-source-0.8.0.2/k3dsdk/uuid.cpp:32:24: fatal error: uuid/uuid.h: No such file or directory
  #include <uuid/uuid.h>
                        ^
compilation terminated.
k3dsdk/CMakeFiles/k3dsdk.dir/build.make:2745: recipe for target 'k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o' failed
make[2]: *** [k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o] Error 1
CMakeFiles/Makefile2:107: recipe for target 'k3dsdk/CMakeFiles/k3dsdk.dir/all' failed
make[1]: *** [k3dsdk/CMakeFiles/k3dsdk.dir/all] Error 2
Makefile:117: recipe for target 'all' failed
make: *** [all] Error 2
error: Bad exit status from /home/shlomif/Download/unpack/Mageia/5/k3d/BUILDROOT/rpm-tmp.BGqAVH (%build)


RPM build errors:
    Bad exit status from /home/shlomif/Download/unpack/Mageia/5/k3d/BUILDROOT/rpm-tmp.BGqAVH (%build)
error: failed!
shlomif[rpms]:$mageia/5/k3d$ ack -g uuid.h
BUILD/k3d-source-0.8.0.2/k3dsdk/uuid.h


> kcm-grub2
> kxstitch
> performous
> perl-Image-SubImageFind
> pfstools
> pstoedit
> pythonmagick
> synfig
> vdr-plugin-skinelchi
> vdr-plugin-skinenigmang

I'll deal with those later.

For k3d, try changing the BR pkgconfig(uuid) to uuid-devel.  Unfortunately, there's some ossp_uuid thing that also provides pkgconfig(uuid) that might be messing it up.

(In reply to Shlomi Fish from comment #25)
> (In reply to David Walser from comment #15)
> > libmagick++-6Q16_6 is in updates_testing, so you might have a mirror issue
> > if you don't see it.  It will not just automatically replace the _5 one with
> > the _6 one though, so you might have just had a misunderstanding there.
> > 
> > You raise an important issue though, I hadn't noticed that library major
> > changed, so we'll need to rebuild all of the packages that use it (we should
> > have done so last time):
> > converseen
> 
> submitted.
> 
> > cuneiform-linux
> 
> submitted.
> 
> > inkscape
> 
> still getting built.
> 
> > k3d
> 
> this fails to build here - 
> [ 12%] Building CXX object
> k3dsdk/CMakeFiles/k3dsdk.dir/user_property_changed_signal.cpp.o
> [ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/ustring.cpp.o
> [ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/utility_gl.cpp.o
> [ 12%] Building CXX object k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o
> /home/shlomif/Download/unpack/Mageia/5/k3d/BUILD/k3d-source-0.8.0.2/k3dsdk/
> uuid.cpp:32:24: fatal error: uuid/uuid.h: No such file or directory
>   #include <uuid/uuid.h>
>                         ^
> compilation terminated.
> k3dsdk/CMakeFiles/k3dsdk.dir/build.make:2745: recipe for target
> 'k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o' failed
> make[2]: *** [k3dsdk/CMakeFiles/k3dsdk.dir/uuid.cpp.o] Error 1
> CMakeFiles/Makefile2:107: recipe for target
> 'k3dsdk/CMakeFiles/k3dsdk.dir/all' failed
> make[1]: *** [k3dsdk/CMakeFiles/k3dsdk.dir/all] Error 2
> Makefile:117: recipe for target 'all' failed
> make: *** [all] Error 2
> error: Bad exit status from
> /home/shlomif/Download/unpack/Mageia/5/k3d/BUILDROOT/rpm-tmp.BGqAVH (%build)
> 
> 
> RPM build errors:
>     Bad exit status from
> /home/shlomif/Download/unpack/Mageia/5/k3d/BUILDROOT/rpm-tmp.BGqAVH (%build)
> error: failed!
> shlomif[rpms]:$mageia/5/k3d$ ack -g uuid.h
> BUILD/k3d-source-0.8.0.2/k3dsdk/uuid.h
> 
> 
> > kcm-grub2
> > kxstitch
> > performous
> > perl-Image-SubImageFind
> > pfstools
> > pstoedit
> > pythonmagick
> > synfig
> > vdr-plugin-skinelchi
> > vdr-plugin-skinenigmang
> 
> I'll deal with those later.

I submitted most of them yesterday now.

(In reply to David Walser from comment #26)
> For k3d, try changing the BR pkgconfig(uuid) to uuid-devel.  Unfortunately,
> there's some ossp_uuid thing that also provides pkgconfig(uuid) that might
> be messing it up.

Thanks! I'm going to try that.

(In reply to David Walser from comment #26)
> For k3d, try changing the BR pkgconfig(uuid) to uuid-devel.  Unfortunately,
> there's some ossp_uuid thing that also provides pkgconfig(uuid) that might
> be messing it up.

Yeah, I fixed prefer.vendor.list in meta-task for this issue in cauldron yesterday.... I guess we could push a meta-task update in mga5 too

CC: (none) => tmb

SRPMS for the rebuilds:
converseen-0.8.3-3.1.mga5
cuneiform-linux-1.1.0-6.1.mga5
inkscape-0.91-1.1.mga5
k3d-0.8.0.2-10.1.mga5
kcm-grub2-0.5.8-12.2.mga5
kxstitch-1.2.0-3.1.mga5
performous-0.8.0-0.20141015.2.1.mga5
perl-Image-SubImageFind-0.30.0-2.1.mga5
pfstools-1.8.5-1.1.mga5
pstoedit-3.62-5.1.mga5
pythonmagick-0.9.12-1.mga5
synfig-0.64.1-6.1.mga5
vdr-plugin-skinelchi-0.2.8-6.1.mga5
vdr-plugin-skinenigmang-0.1.2-8.1.mga5

pfstools hasn't been successfully built yet, because first octave needs to be rebuilt because of the graphicsmagick update (Bug 17714).

Full package list for the rebuilds once they're done will be:
converseen-0.8.3-3.1.mga5
cuneiform-linux-1.1.0-6.1.mga5
libcuneiform0-1.1.0-6.1.mga5
libcuneiform-devel-1.1.0-6.1.mga5
inkscape-0.91-1.1.mga5
k3d-0.8.0.2-10.1.mga5
k3d-devel-0.8.0.2-10.1.mga5
kcm-grub2-0.5.8-12.2.mga5
kxstitch-1.2.0-3.1.mga5
kxstitch-handbook-1.2.0-3.1.mga5
performous-0.8.0-0.20141015.2.1.mga5
perl-Image-SubImageFind-0.30.0-2.1.mga5
pfstools-1.8.5-1.1.mga5
libpfstools1.2_0-1.8.5-1.1.mga5
pfstools-qt-1.8.5-1.1.mga5
pfstools-glview-1.8.5-1.1.mga5
pfstools-exr-1.8.5-1.1.mga5
pfstools-imgmagick-1.8.5-1.1.mga5
pfstools-octave-1.8.5-1.1.mga5
pfstools-gdal-1.8.5-1.1.mga5
libpfstools-devel-1.8.5-1.1.mga5
pstoedit-3.62-5.1.mga5
libpstoedit0-3.62-5.1.mga5
libpstoedit-devel-3.62-5.1.mga5
pythonmagick-0.9.12-1.mga5
synfig-0.64.1-6.1.mga5
libsynfig0-0.64.1-6.1.mga5
libsynfig-devel-0.64.1-6.1.mga5
vdr-plugin-skinelchi-0.2.8-6.1.mga5
vdr-plugin-skinenigmang-0.1.2-8.1.mga5

Package lists in Comment 11 (imagemagick and ruby-rmagick), Comment 30 (srpms for rebuilt packages), Comment 31 (rpms for rebuilt packages).

Suggested advisory:
===================

Updated imagemagick package fixes security vulnerabilities:

The OpenBlob function in blob.c in ImageMagick allows remote attackers to
execute arbitrary code via a | (pipe) character at the start of a filename
(CVE-2016-5118).

Also, several packages have been rebuilt to use the updated Magick++-6.Q16
library.  These include converseen, cuneiform-linux, inkscape, k3d, kcm-grub2,
kxstitch, performous, perl-Image-SubImageFind, pfstools, pstoedit,
pythonmagick, synfig, vdr-plugin-skinelchi, and vdr-plugin-skinenigmang.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118
http://seclists.org/oss-sec/2016/q2/432
http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog
https://www.debian.org/security/2016/dsa-3591

CC: qa-bugs => (none)
Whiteboard: feedback => (none)

Actually assigning to QA.  See Comment 32 for needed info.

It sounded like imagemagick itself (and ruby-rmagick) had been tested already, so we should just need a quick check for the rebuilt packages.

Assignee: shlomif => qa-bugs

Checking or downloading these packages for x86_64....

Pre-update.  Had to give up on testing the vdr skins because I could not get anywhere with vdr.  Installed it and ran w_scan to generate a channels.conf file
launched vdr as a service and went looking for frontends.  kodi was mentioned but that proved totally intractable.  After wasting over five hours on all this it became obvious that getting kodi to work would take several months, so that goes into the bin.  I am quite happy with vlc for TV so it looks like somebody else will have to test those skins.

Going on to the other packages right now.

The pfs packages install a set of tools named pfs*, 38 of them, most of which should be used in a pipe from an HDR (high dynamic range) image stream;

$ pfsin someimage.hdr | pfsglview

The problem is to find HDR images.  The site http://pages.cs.wisc.edu/~csverma/CS766_09/HDRI/DataSet/ provides several HDR datasets but they come as JPEG images which cause a segfault;

$ pfsin aligned_00241.jpg | pfsglview
/bin/pfsin: line 87: 29622 Segmentation fault      pfsinimgmagick "$file_pattern" $global_arguments $extra_arguments
terminate called after throwing an instance of 'PFSglViewException'
Abort
$ pfsin aligned_00241.jpg | pfsrotate -r 180
/bin/pfsin: line 87: 31722 Segmentation fault      pfsinimgmagick "$file_pattern" $global_arguments $extra_arguments

Maybe this will disappear after the update.  Watch this space.

$ cuneiform -l eng aligned_00259.jpg
Cuneiform for Linux 1.1.0
*** Error in `cuneiform': free(): invalid pointer: 0x0000000000d44ff0 ***

converseen launches a gui which I think is for editing images, manipulating transparency and that sort of thing.  Images can be added but the application segfaults when one is selected.

$ converseen
File  converseen 
libpng warning: iCCP: known incorrect sRGB profile
Segmentation fault

followed by a backtrace.

inkscape, k3d and kxstitch look like they are working.  The guis appear and samples display alright.

performous fails;
$ performous
logger/notice: Logging all notices, warnings and errors. Log file: /home/lcl/.cache/performous/infolog.txt
core/notice: Performous 0.8 starting...
  Build date:           Nov 14 2014
  Internationalization: Enabled
  MIDI Hardware I/O:    Enabled
  Webcam support:       Enabled
core/notice: Starting the audio subsystem (errors printed on console may be ignored).
ALSA lib pcm_dsnoop.c:618:(snd_pcm_dsnoop_open) unable to open slave
ALSA lib pcm_dmix.c:1022:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.rear
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.center_lfe
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.side
ALSA lib pcm_dmix.c:1022:(snd_pcm_dmix_open) unable to open slave
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
audio/error: Audio device 'dev="USBMIC" mics="blue,red"': No such device.
audio/error: Audio device 'dev="Microphone" mics="*"': No such device.
audio/error: Audio device 'mics="blue"': Device doesn't have enough input channels
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: i965
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
FATAL ERROR: OpenGL 2.1 is required but not available

pythonmagick is a python wrapper for ImageMagick as you would expect.  It needs a test script; I am willing but expect MrsB would rap my knuckles.
$ urpmq --whatrequires pythonmagick
pythonmagick

Going for the updates now.

VDR has it's own frontend, maybe web based but it's been a long time since I used it so can't be sure now. By default it's a bit psychedelic. The skins presumably skin this frontend.

The immersive interface for kodi takes over the monitor just like MythTV.  TCP port 8100 is mentioned in some of the configuration options so I tried localhost:8100 in firefox, without any result.  Thanks.
$ urpmq --whatrequires kodi
kodi
xbmc-addon-xvdr

xbmc seems to be an alias for kodi:
# urpmi xbmc
A requested package cannot be installed:
kodi-14.0-2.mga5.x86_64 (in order to keep kodi-14.0-2.1.mga5.x86_64)
# urpmi xbmc-addon-xvdr
Package xbmc-addon-xvdr-0.9.8-1.git20131223.3.mga5.x86_64 is already installed

Just ensure the packages update cleanly then Len. They're pretty obscure.

After updating all packages:

pfsin, pfsinmulti, pfscat, pfsglview, pfscut, pfsrotate, pfsflip, pfsout all work.
Note that output of a JPEG input file to HDR format creates someimage.hdr which cannot be viewed in a standard application like eom or gwenview.  Use :-

$ pfsin somefile.hdr | pfsglview

$ pfsv somefile.hdr
does not work but it works for the original JPEG files.

I am happy with pfs tools after the update.

cuneiform is an OCR application but I don't know how to run it.  It does not fail when an image is thrown at it.  It just hangs.

performous fails in exactly the same way as before, on the OpenGL 2.1 error, but I would guess this has nothing to do with imagemagick, probably more a case of PEBCK.

On the face of it converseen seems to work.  It accepted a jpeg image, displayed it and ran a null conversion on it and output the result as a new jpeg, which looked like the original image when viewed, as expected.

synfig is an image animation program but I don't know what kind of input it expects without  a self-teaching course.  It does not crash; simply complains about the arguments.  Have to leave it at that.

As before, inkscape, k3d, and kxstitch present guis which work as far as I can tell.

kcm-grub2 has something to do with editing the bootloader.  Web searches indicate that it is integrated into KDE system settings under the entry Startup and Shutdown.  Opened that and looked at the grub2 editor but made no changes.  No reason to suppose it is not working.

I am inclined to say that the packages work but would prefer to defer to higher authorities.  However, noting Claire's comment 39 giving them the OK.

I just noticed the references to the plugins when vdr.service is stopped.
# systemctl stop vdr
# systemctl status vdr
â vdr.service - Video Disk Recorder
   Loaded: loaded (/usr/lib/systemd/system/vdr.service; enabled)
   Active: inactive (dead) since Sun 2016-06-26 22:54:06 BST; 9s ago
     Docs: man:vdr(1)
           file:///usr/share/doc/vdr/README.install.urpmi
           file:///usr/share/doc/vdr/MANUAL
           file:///usr/share/doc/vdr/INSTALL
  Process: 8204 ExecStart=/usr/bin/runvdr (code=exited, status=0/SUCCESS)
 Main PID: 8204 (code=exited, status=0/SUCCESS)

Jun 26 22:54:04 vega vdr[8218]: [8218] stopping plugin: skinenigmang
Jun 26 22:54:04 vega vdr[8218]: [8218] stopping plugin: skinelchi
Jun 26 22:54:04 vega vdr[8218]: [8218] stopping plugin: xvdr
Jun 26 22:54:04 vega vdr[8218]: [8218] XVDR: XVDR Server stopped
Jun 26 22:54:04 vega vdr[8218]: [8218] saved setup to /var/lib/vdr/config/s...nf
Jun 26 22:54:05 vega vdr[8218]: [8224] section handler thread ended (pid=82...4)
Jun 26 22:54:05 vega vdr[8218]: [8223] tuner on frontend 0/0 thread ended (...3)
Jun 26 22:54:05 vega vdr[8218]: [8218] deleting plugin: skinenigmang
Jun 26 22:54:05 vega vdr[8218]: [8218] deleting plugin: skinelchi
Jun 26 22:54:05 vega vdr[8218]: [8218] deleting plugin: xvdr
Hint: Some lines were ellipsized, use -l to show in full.

Just to emphasize that the skins were plugged in.

Another rider.  had a look at converseen again.  Found an icon named swfdec.png with a transparent background which I converted to some vile colour which showed up in the saved image.

CVE-2016-5841 and CVE-2016-5842 have been assigned:
http://openwall.com/lists/oss-security/2016/06/25/3

They were fixed in 6.9.4-10 (already in Cauldron).

Shlomi, we should update this again.

QA: note that this won't affect the rebuilt packages from Comment 31, as they were just rebuilt against an updated library major, so only imagemagick itself would need to be retested.

Ran some tests on the rebuilt packages in i586 virtualbox.

Updated all the packages and checked the PoC.  That was OK.
Tested a number of the pfstools - all ran fine.
Had a look at some of the other packages and tested those that were amenable to testing like converseen, k3d and inkscape, albeit shallow testing.

Giving this a pass for 32-bits.

With special thanks to Len for his widespread & difficult testing of things depending on this update, validating it.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Based on comment 30, should this update be held till bug 17714 has been tested
too?

CC: (none) => davidwhodgins

(In reply to Dave Hodgins from comment #46)
> Based on comment 30, should this update be held till bug 17714 has been
> tested
> too?

Yes, and imagemagick needs to be updated again anyway (Bug 18841).

Depends on: (none) => 17714

Thanks. Removing validated_update from this bug.

Keywords: validated_update => (none)

Shlomi has uploaded 6.9.5.2, fixing CVE-2016-584[12].

Suggested advisory:
===================

Updated imagemagick package fixes security vulnerabilities:

The OpenBlob function in blob.c in ImageMagick allows remote attackers to
execute arbitrary code via a | (pipe) character at the start of a filename
(CVE-2016-5118).

Integer overflow in MagickCore/profile.c (CVE-2016-5841).

Buffer overread in MagickCore/property.c (CVE-2016-5842).

Also, several packages have been rebuilt to use the updated Magick++-6.Q16
library.  These include converseen, cuneiform-linux, inkscape, k3d, kcm-grub2,
kxstitch, performous, perl-Image-SubImageFind, pfstools, pstoedit,
pythonmagick, synfig, vdr-plugin-skinelchi, and vdr-plugin-skinenigmang.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5842
http://seclists.org/oss-sec/2016/q2/432
http://openwall.com/lists/oss-security/2016/06/25/3
http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog
https://www.debian.org/security/2016/dsa-3591
===================

Updated pacakges in core/updates_testing:
===================
imagemagick-6.9.5.2-1.mga5
imagemagick-desktop-6.9.5.2-1.mga5
libmagick-6Q16_2-6.9.5.2-1.mga5
libmagick++-6Q16_6-6.9.5.2-1.mga5
libmagick-devel-6.9.5.2-1.mga5
perl-Image-Magick-6.9.5.2-1.mga5
imagemagick-doc-6.9.5.2-1.mga5
converseen-0.8.3-3.1.mga5
cuneiform-linux-1.1.0-6.1.mga5
libcuneiform0-1.1.0-6.1.mga5
libcuneiform-devel-1.1.0-6.1.mga5
inkscape-0.91-1.1.mga5
k3d-0.8.0.2-10.1.mga5
k3d-devel-0.8.0.2-10.1.mga5
kcm-grub2-0.5.8-12.2.mga5
kxstitch-1.2.0-3.1.mga5
kxstitch-handbook-1.2.0-3.1.mga5
performous-0.8.0-0.20141015.2.1.mga5
perl-Image-SubImageFind-0.30.0-2.1.mga5
pfstools-1.8.5-1.1.mga5
libpfstools1.2_0-1.8.5-1.1.mga5
pfstools-qt-1.8.5-1.1.mga5
pfstools-glview-1.8.5-1.1.mga5
pfstools-exr-1.8.5-1.1.mga5
pfstools-imgmagick-1.8.5-1.1.mga5
pfstools-octave-1.8.5-1.1.mga5
pfstools-gdal-1.8.5-1.1.mga5
libpfstools-devel-1.8.5-1.1.mga5
pstoedit-3.62-5.1.mga5
libpstoedit0-3.62-5.1.mga5
libpstoedit-devel-3.62-5.1.mga5
pythonmagick-0.9.12-1.mga5
synfig-0.64.1-6.1.mga5
libsynfig0-0.64.1-6.1.mga5
libsynfig-devel-0.64.1-6.1.mga5
vdr-plugin-skinelchi-0.2.8-6.1.mga5
vdr-plugin-skinenigmang-0.1.2-8.1.mga5

from SRPMS:
imagemagick-6.9.5.2-1.mga5.src.rpm
converseen-0.8.3-3.1.mga5.src.rpm
cuneiform-linux-1.1.0-6.1.mga5.src.rpm
inkscape-0.91-1.1.mga5.src.rpm
k3d-0.8.0.2-10.1.mga5.src.rpm
kcm-grub2-0.5.8-12.2.mga5.src.rpm
kxstitch-1.2.0-3.1.mga5.src.rpm
performous-0.8.0-0.20141015.2.1.mga5.src.rpm
perl-Image-SubImageFind-0.30.0-2.1.mga5.src.rpm
pfstools-1.8.5-1.1.mga5.src.rpm
pstoedit-3.62-5.1.mga5.src.rpm
pythonmagick-0.9.12-1.mga5.src.rpm
synfig-0.64.1-6.1.mga5.src.rpm
vdr-plugin-skinelchi-0.2.8-6.1.mga5.src.rpm
vdr-plugin-skinenigmang-0.1.2-8.1.mga5.src.rpm

Whiteboard: MGA5-64-OK MGA5-32-OK feedback => (none)

*** Bug 18841 has been marked as a duplicate of this bug. ***

Hope to get round to this later today.

x86_64 / Mate / nvidia

Before updates:

Looked for any new PoC.  Did not see any.
Checked current status:
The pipe text insertion vulnerability had been fixed.
$ convert '|echo Hello > hello.txt;' null:
convert: unable to open image `|echo Hello > hello.txt;': No such file or directory @ error/blob.c/OpenBlob/2705.
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
$ ls hello.txt
ls: cannot access hello.txt: No such file or directory

The related SVG command insertion weakness seems to have been corrected.
$ display test.svg
This shows an image with the text "Linked image" framed in a red line box.
$ ls  hello.txt
ls: cannot access hello.txt: No such file or directory

Ran updates.  Most of the dependent packages were already in place.

Put ImageMagick through its paces; display, identify, mogrify, convert with flip, rotate, resize and other options.  Conversions from svg to png, png to jpeg, jpeg to gif, png to tiff, jpeg to tiff, tiff to jpeg. Other functions worked fine as well.
A comprehensive guide to the functionality of ImageMagick can be found at the aforementioned link http://www.imagemagick.org/Usage/transform/
------------------------------------------------------------------------------------
$ identify *.tif*
example.tiff TIFF 200x200 200x200+0+0 8-bit sRGB 120KB 0.000u 0:00.000
PIA13706_fig1.tif TIFF 8192x7051 8192x7051+0+0 8-bit sRGB 13.62MB 0.000u 0:00.000
The large TIFF image displayed fine.

$ convert -resize 20x20% -quality 100 PIA13706_fig1.tif mars.jpg
$ identify mars.jpg
mars.jpg JPEG 1638x1410 1638x1410+0+0 8-bit sRGB 993KB 0.000u 0:00.000
$ display mars.jpg
$ convert -resize 200x200% mars.jpg SantaMaria.tif
$ identify SantaMaria.tif 
SantaMaria.tif TIFF 3276x2820 3276x2820+0+0 8-bit sRGB 27.74MB 0.000u 0:00.000
$ ls -l SantaMaria.tif
-rw-r--r-- 1 lcl wireshark 27741804 Jul 17 10:32 SantaMaria.tif
$ display SantaMaria.tif 
Both the JPEG and doubly converted TIFF images looked fine, with no obvious loss of image quality.

Several options at a time:
$ convert -flip -resize 50% -quality 100 clock.png x.jpg
Convert in place:
$ mogrify -resize 80x80% -quality 100 mars.jpg
$ identify mars.jpg
mars.jpg JPEG 1310x1128 1310x1128+0+0 8-bit sRGB 684KB 0.000u 0:00.000
Use image from built-in image library:
$ convert rose: rose.png
Image creation functions:
$ convert -size 200x160 canvas:MistyRose rosy.jpg
That creates a pink rectangle and this a horizontal rainbow, sort of.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg
Make image from text:
$ convert -gravity center -size 200x120 label:"Morning QA" message.png
Make a vignette from a stock image:
$ convert rose: -background PeachPuff -vignette 0x5 rose_vignette.gif
Create a diagonal colour gradient:
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

That should do for now.  Having a look at some of the dependent packages next.

Used converseen to fill in a transparent png image with a pale blue colour.

Opened kxstitch and the handbook and made up a palette but took it no further.  The application acts a bit like a bitmap editor.

A few childish scribbles with inkscape - seems to work.

Created some interesting 3D objects with k3d.

Started vdr service but had trouble finding a front end for it to test the skins.
The two plugins listed installed to /usr/share/vdr/defaults as .defaults and .params files.  Hints on the web that xine could be configured as a frontend for vdr but nothing specific.
Installed vdr-plugin-xineliboutput and xineliboutput-sxfe and attempted to configure xineliboutput but could not get vdr.service started properly.  No future in this but the status message indicated that the plugins had been loaded.
# systemctl status -l vdr.service
â vdr.service - Video Disk Recorder
   Loaded: loaded (/usr/lib/systemd/system/vdr.service; disabled)
   Active: failed (Result: exit-code) since Sun 2016-07-17 17:11:11 BST; 2s ago
     Docs: man:vdr(1)
           file:///usr/share/doc/vdr/README.install.urpmi
           file:///usr/share/doc/vdr/MANUAL
           file:///usr/share/doc/vdr/INSTALL
  Process: 12398 ExecStart=/usr/bin/runvdr (code=exited, status=1/FAILURE)
 Main PID: 12398 (code=exited, status=1/FAILURE)

Jul 17 17:11:10 vega vdr[12414]: [12420] section handler thread ended (pid=12414, tid=12420)
Jul 17 17:11:11 vega vdr[12414]: [12419] tuner on frontend 0/0 thread ended (pid=12414, tid=12419)
Jul 17 17:11:11 vega vdr[12414]: [12414] [xine..put] cXinelibDevice::StopDevice(): Stopping device ...
Jul 17 17:11:11 vega vdr[12414]: [12414] deleting plugin: skinenigmang
Jul 17 17:11:11 vega vdr[12414]: [12414] deleting plugin: xineliboutput
Jul 17 17:11:11 vega vdr[12414]: [12414] deleting plugin: skinelchi
Jul 17 17:11:11 vega runvdr[12398]: VDR configuration error
Jul 17 17:11:11 vega systemd[1]: vdr.service: main process exited, code=exited, status=1/FAILURE
Jul 17 17:11:11 vega systemd[1]: Unit vdr.service entered failed state.
Jul 17 17:11:11 vega systemd[1]: vdr.service failed.

Thanks.  The rebuilt packages had already been checked, so only imagemagick needed to be checked again.

Whiteboard: (none) => MGA5-64-OK

Right, so I shall pass this for 64-bits.
Thanks David.

Validating

Keywords: (none) => validated_update

advisory uploaded.

Whiteboard: MGA5-64-OK => advisory MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0257.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED