Bug 19078 - imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068...)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/695953/
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 22657
Blocks: 22654
Reported: 2016-07-28 21:12 CEST by David Walser
Modified: 2018-05-12 08:29 CEST

Source RPM: imagemagick-6.9.5.2-1.mga6.src.rpm


Attachments
Patch to the cauldron mgarepo checkout to update to latest IM-6.x release (1.81 KB, patch)
2017-05-26 21:03 CEST, Shlomi Fish
ImageMagick demonstration test script (11.82 KB, application/x-perl)
2018-05-02 21:53 CEST, Lewis Smith
Small collection of demonstration scripts for ruby-rmagick (10.00 KB, application/octet-stream)
2018-05-03 01:26 CEST, Len Lawrence

Description David Walser 2016-07-28 21:12:59 CEST
Just an FYI that we should update again to 6.9.5-4, at least for Cauldron, once it's available.  We can probably wait for more fixes before the next Mageia 5 update.

6.9.5-4 will contain these two buffer overflow fixes:
http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0
http://git.imagemagick.org/repos/ImageMagick/commit/5cb6c1acd3e3b12f9260daf207db432df7f792c2

A CVE has been requested for the second one:
http://openwall.com/lists/oss-security/2016/07/28/13
Comment 1 David Walser 2016-07-28 22:44:58 CEST
(In reply to David Walser from comment #0)
> A CVE has been requested for the second one:
> http://openwall.com/lists/oss-security/2016/07/28/13

CVE-2016-6491:
http://openwall.com/lists/oss-security/2016/07/28/15

Summary: imagemagick new buffer overflows fixed in 6.9.5-4 => imagemagick new buffer overflows fixed in 6.9.5-4 (including CVE-2016-6491)

David Walser 2016-08-08 21:31:00 CEST

URL: (none) => http://lwn.net/Vulnerabilities/695953/

Comment 2 David Walser 2016-08-10 18:25:33 CEST
Another buffer overflow and use-after-free fix in 6.9.5-5:
http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog

Freeze push requested for Cauldron.

Summary: imagemagick new buffer overflows fixed in 6.9.5-4 (including CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-6491)

Comment 3 David Walser 2016-08-15 19:27:32 CEST
https://bugzilla.suse.com/show_bug.cgi?id=991444 shows CVE-2016-5010 fixed in 6.9.5-3.

This came from:
http://lwn.net/Vulnerabilities/697263/

I'm not sure how they got CVE-2016-6520, as that appears to only have been in imagemagick 7.

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010 and CVE-2016-6491)

Comment 4 David Walser 2016-09-26 12:24:39 CEST
CVE-2016-6823 has been assigned for an issue fixed in 6.9.5-8:
http://www.openwall.com/lists/oss-security/2016/09/26/3

There appears to be another security fix in 6.9.5-8 as well.

Freeze push for 6.9.5-10 requested for Cauldron.

Version: Cauldron => 5
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010 and CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823)

Comment 5 David Walser 2016-09-26 19:33:02 CEST
CVE-2016-7101 was also fixed in 6.9.5-8:
http://www.openwall.com/lists/oss-security/2016/09/26/8

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101)

Comment 6 David Walser 2016-09-26 20:51:06 CEST
LWN reference for yet another issue fixed in 6.9.5-8:
http://lwn.net/Vulnerabilities/701917/
Comment 7 David Walser 2016-10-01 16:37:00 CEST
CVE request for another issue fixed yesterday:
http://openwall.com/lists/oss-security/2016/10/01/4

6.9.5-11 hasn't been released yet.
Comment 8 David Walser 2016-10-02 01:24:00 CEST
(In reply to David Walser from comment #7)
> CVE request for another issue fixed yesterday:
> http://openwall.com/lists/oss-security/2016/10/01/4

CVE-2016-7799:
http://openwall.com/lists/oss-security/2016/10/01/6

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799)

Comment 9 David Walser 2016-10-02 19:12:35 CEST
CVE-2016-7906:
http://openwall.com/lists/oss-security/2016/10/02/3

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906)

Comment 10 David Walser 2016-10-11 14:16:51 CEST
LWN reference for CVE-2016-7799 and CVE-2016-7906:
http://lwn.net/Vulnerabilities/703103/
Comment 11 David Walser 2016-10-16 22:30:33 CEST
CVE-2016-8677 and CVE-2016-8678:
http://openwall.com/lists/oss-security/2016/10/16/1
http://openwall.com/lists/oss-security/2016/10/16/2

Not sure if those affect 6.x.
Comment 12 David Walser 2016-10-20 13:54:48 CEST
CVE-2016-8862:
http://www.openwall.com/lists/oss-security/2016/10/20/2

Not sure if 6.x is affected.
Comment 13 David Walser 2016-10-21 14:35:11 CEST
CVE-2016-8866:
http://www.openwall.com/lists/oss-security/2016/10/21/5
Comment 14 David Walser 2016-10-31 20:22:56 CET
LWN reference for several CVEs:
http://lwn.net/Vulnerabilities/705125/

openSUSE has issued an advisory on October 28:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00107.html
Comment 15 David Walser 2016-11-14 21:58:02 CET
CVE-2016-9298:
http://openwall.com/lists/oss-security/2016/11/14/10

Not sure if 6.x is affected.
Comment 16 David Walser 2016-11-20 17:28:58 CET
Two more issues for imagemagick 7 (not sure if 6 is affected):
http://openwall.com/lists/oss-security/2016/11/19/4
http://openwall.com/lists/oss-security/2016/11/19/7
Comment 17 David Walser 2016-11-23 00:12:39 CET
Ubuntu has issued an advisory for this on November 21:
https://www.ubuntu.com/usn/usn-3131-1/
Comment 18 David Walser 2016-11-24 13:21:49 CET
(In reply to David Walser from comment #16)
> Two more issues for imagemagick 7 (not sure if 6 is affected):
> http://openwall.com/lists/oss-security/2016/11/19/4
> http://openwall.com/lists/oss-security/2016/11/19/7

CVE-2016-9556 and CVE-2016-9559:
http://openwall.com/lists/oss-security/2016/11/23/1
http://openwall.com/lists/oss-security/2016/11/23/4
Comment 19 Zombie Ryushu 2016-11-29 16:00:58 CET
Additional CVEs

New CVEs are attached to this bug

CVE-2016-7799 CVE-2016-7906 CVE-2016-8677

CC: (none) => zombie_ryushu

Comment 20 David Walser 2016-12-01 18:57:29 CET
(In reply to David Walser from comment #18)
> (In reply to David Walser from comment #16)
> > Two more issues for imagemagick 7 (not sure if 6 is affected):
> > http://openwall.com/lists/oss-security/2016/11/19/4
> > http://openwall.com/lists/oss-security/2016/11/19/7
> 
> CVE-2016-9556 and CVE-2016-9559:
> http://openwall.com/lists/oss-security/2016/11/23/1
> http://openwall.com/lists/oss-security/2016/11/23/4

LWN reference for CVE-2016-9556:
https://lwn.net/Vulnerabilities/707857/

So that at least affects 6.

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-9556)

Comment 21 David Walser 2016-12-03 19:09:22 CET
CVE-2016-9773 (affects 7, not sure about 6):
http://openwall.com/lists/oss-security/2016/12/02/11
Comment 22 David Walser 2016-12-06 19:10:02 CET
LWN reference for CVE-2016-9559:
https://lwn.net/Vulnerabilities/708243/
Comment 23 David Walser 2016-12-21 23:34:20 CET
CVE request for several more issues:
http://openwall.com/lists/oss-security/2016/12/20/3

At least 4 of those are fixed in 6 newer than the version we currently have.
Comment 24 David Walser 2016-12-22 17:44:03 CET
CVE-2016-8707:
https://lwn.net/Vulnerabilities/709984/

CVE-2016-9773:
https://lwn.net/Vulnerabilities/709988/

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-9556) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773)

Comment 25 David Walser 2016-12-26 23:24:05 CET
(In reply to David Walser from comment #23)
> CVE request for several more issues:
> http://openwall.com/lists/oss-security/2016/12/20/3

CVE assignments:
http://openwall.com/lists/oss-security/2016/12/26/9

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068)

Comment 26 David Walser 2017-01-17 02:42:34 CET
CVE-2016-1014[4-6], CVE-2017-550[6-9], CVE-2017-551[01]:
http://openwall.com/lists/oss-security/2017/01/17/5

These CVEs didn't fit in the bug title.

Some of them have been fixed upstream recently, some of them may not have been fixed yet.

Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068...)

Comment 27 David Walser 2017-01-31 04:55:19 CET
(In reply to David Walser from comment #26)
> CVE-2016-1014[4-6], CVE-2017-550[6-9], CVE-2017-551[01]:
> http://openwall.com/lists/oss-security/2017/01/17/5

LWN reference:
https://lwn.net/Vulnerabilities/713049/
Comment 28 David Walser 2017-03-02 12:10:15 CET
Debian has issued an advisory for this on March 1:
https://www.debian.org/security/2017/dsa-3799

It includes CVE-2016-10062, which I don't believe I've listed yet.
Comment 29 David Walser 2017-03-03 12:08:03 CET
openSUSE has issued an advisory for this on March 2:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00000.html

It also has CVE-2016-1004[89], CVE-2015-1005[09], CVE-2016-1006[0-5], CVE-2016-10069, CVE-2016-1007[01].
Comment 30 David Walser 2017-03-14 14:52:27 CET
Debian has issued an advisory on March 13:
https://www.debian.org/security/2017/dsa-3808

It adds CVE-2017-6498, CVE-2017-6499, CVE-2017-6500.
Comment 31 David Walser 2017-04-10 10:14:57 CEST
CVE-2017-7606:
http://openwall.com/lists/oss-security/2017/04/10/7
Comment 32 David Walser 2017-05-20 12:33:06 CEST
CVE-2017-9098:
http://openwall.com/lists/oss-security/2017/05/20/1
Comment 33 David Walser 2017-05-26 16:57:57 CEST
Debian has issued an advisory on May 25:
https://www.debian.org/security/2017/dsa-3863

It includes the CVEs I mentioned in the last two comments and several new ones.

CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943, CVE-2017-8343,
CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348,
CVE-2017-8349, CVE-2017-8350, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353,
CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765,
CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142, CVE-2017-9143,
CVE-2017-9144.
Comment 34 Shlomi Fish 2017-05-26 18:27:18 CEST
So which versions of imagemagick should we upgrade to in both cauldron and mgav5?
Comment 35 David Walser 2017-05-26 20:00:49 CEST
(In reply to Shlomi Fish from comment #34)
> So which versions of imagemagick should we upgrade to in both cauldron and
> mgav5?

The absolute latest from the ImageMagick-6 branch.
Comment 36 Shlomi Fish 2017-05-26 20:15:53 CEST
(In reply to David Walser from comment #35)
> (In reply to Shlomi Fish from comment #34)
> > So which versions of imagemagick should we upgrade to in both cauldron and
> > mgav5?
> 
> The absolute latest from the ImageMagick-6 branch.

Thanks, David!
Comment 37 Shlomi Fish 2017-05-26 21:01:17 CEST
(In reply to David Walser from comment #35)
> (In reply to Shlomi Fish from comment #34)
> > So which versions of imagemagick should we upgrade to in both cauldron and
> > mgav5?
> 
> The absolute latest from the ImageMagick-6 branch.

The problem is that after patching the .spec to build 6.9.8-6, the major and cppmajor were changed as well, which means that some dependencies will have to be rebuilt. Should we proceed with that?
Comment 38 Shlomi Fish 2017-05-26 21:03:30 CEST
Created attachment 9340 [details]
Patch to the cauldron mgarepo checkout to update to latest IM-6.x release
Comment 39 David Walser 2017-05-27 04:50:06 CEST
(In reply to Shlomi Fish from comment #37)
> (In reply to David Walser from comment #35)
> > (In reply to Shlomi Fish from comment #34)
> > > So which versions of imagemagick should we upgrade to in both cauldron and
> > > mgav5?
> > 
> > The absolute latest from the ImageMagick-6 branch.
> 
> The problem is that after patching the .spec to build 6.9.8-6, the major
> and cppmajor were changed as well, which means that some dependencies will
> have to be rebuilt. Should we proceed with that?

Unfortunately it would be almost impossible to find patches for all of the CVEs at this point, so I think we'll have to.  The only other reasonable possibility is if there's some branch of Debian we can sync with, which I've done in the past.
Comment 40 Zombie Ryushu 2017-05-27 06:26:53 CEST
Package        : imagemagick
CVE ID         : CVE-2017-7606 CVE-2017-7619 CVE-2017-7941 CVE-2017-7943 
                 CVE-2017-8343 CVE-2017-8344 CVE-2017-8345 CVE-2017-8346 
                 CVE-2017-8347 CVE-2017-8348 CVE-2017-8349 CVE-2017-8350 
                 CVE-2017-8351 CVE-2017-8352 CVE-2017-8353 CVE-2017-8354 
                 CVE-2017-8355 CVE-2017-8356 CVE-2017-8357 CVE-2017-8765 
                 CVE-2017-8830 CVE-2017-9098 CVE-2017-9141 CVE-2017-9142 
                 CVE-2017-9143 CVE-2017-9144
Debian Bug     : 860736 862577 859771 859769 860734 862572 862574 862573
                 862575 862590 862589 862587 862632 862633 862634 862635
                 862636 862578 860735 862653 862637 863126 863125 863124
                 863123 862967

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution of
arbitrary code if malformed RLE, ART, JNG, DDS, BMP, ICO, EPT, SUN, MTV,
PICT, XWD, PCD, SFW, MAT, EXR, DCM, MNG, PCX or SVG files are processed.
Comment 41 Shlomi Fish 2017-05-29 15:32:31 CEST
Remi and I submitted an update for imagemagick in mgav6 to the latest 6.9.x version. I also rebuilt most of the reverse deps on its libs there. Now we'll need to handle mageia v5...
Comment 42 David Walser 2017-05-31 12:08:50 CEST
Ubuntu has issued an advisory for this on May 30:
https://www.ubuntu.com/usn/usn-3302-1/

It adds CVE-2017-7942.
Comment 43 David Walser 2017-06-15 01:58:41 CEST
openSUSE has issued an advisory for this today (June 14):
https://lists.opensuse.org/opensuse-updates/2017-06/msg00045.html
Comment 44 David Walser 2017-07-17 12:16:39 CEST
CVE-2017-11352:
http://openwall.com/lists/oss-security/2017/07/17/1
Comment 45 David Walser 2017-07-20 12:11:14 CEST
Debian has issued an advisory on July 18:
https://www.debian.org/security/2017/dsa-3914

Now with more CVEs!  :D
Comment 46 David Walser 2017-07-27 16:15:40 CEST
Ubuntu has issued an advisory for this on July 24:
https://usn.ubuntu.com/usn/usn-3363-1/
Comment 47 David Walser 2017-08-17 03:13:45 CEST
Two more issues fixed in 7, not sure if they affect 6:
http://openwall.com/lists/oss-security/2017/08/16/2
http://openwall.com/lists/oss-security/2017/08/16/3
Comment 48 David Walser 2017-08-17 12:07:30 CEST
CVE-2017-11403 CVE-2017-9439 CVE-2017-9501:
https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00049.html
Comment 49 David Walser 2017-08-29 02:53:50 CEST
(In reply to David Walser from comment #48)
> CVE-2017-11403 CVE-2017-9439 CVE-2017-9501:
> https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00049.html

Also CVE-2017-9440:
https://lists.opensuse.org/opensuse-updates/2017-08/msg00102.html
Comment 50 David Walser 2017-09-27 01:58:24 CEST
CVE-2017-14741:
http://openwall.com/lists/oss-security/2017/09/26/10
Comment 52 David Walser 2017-10-09 13:45:36 CEST
CVE-2017-14989:
http://openwall.com/lists/oss-security/2017/10/09/5
Comment 54 David Walser 2017-11-06 21:37:33 CET
Debian has issued an advisory on November 5:
https://www.debian.org/security/2017/dsa-4019

It adds more CVEs:
CVE-2017-9500, CVE-2017-11446, CVE-2017-11523, CVE-2017-11533,
CVE-2017-11535, CVE-2017-11537, CVE-2017-11639, CVE-2017-11640,
CVE-2017-12428, CVE-2017-12431, CVE-2017-12432, CVE-2017-12434,
CVE-2017-12587, CVE-2017-12640, CVE-2017-12671, CVE-2017-13139,
CVE-2017-13140, CVE-2017-13141, CVE-2017-13142, CVE-2017-13143,
CVE-2017-13144, CVE-2017-13145.
Comment 55 David Walser 2017-11-13 16:23:45 CET
Debian has issued an advisory on November 12:
https://www.debian.org/security/2017/dsa-4032

It adds more CVEs:
CVE-2017-12983, CVE-2017-13134, CVE-2017-13758, CVE-2017-13769,
CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989,
CVE-2017-15277.
Comment 56 David Walser 2017-11-13 16:28:14 CET
openSUSE has issued an advisory for this on November 12:
https://lists.opensuse.org/opensuse-updates/2017-11/msg00042.html

It adds:
CVE-2016-7530 CVE-2017-11534 CVE-2017-12433 CVE-2017-13133 CVE-2017-15033
Comment 57 Zombie Ryushu 2017-11-16 08:27:45 CET
Security database references:
    In the Debian bugtracking system: Bug 873134, Bug 873099, Bug 878508, Bug 878507, Bug 876097, Bug 878527, Bug 876488, Bug 878562.
    In Mitre's CVE dictionary: CVE-2017-12983, CVE-2017-13134, CVE-2017-13758, CVE-2017-13769, CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989, CVE-2017-15277.
More information:

    This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed GIF, TTF, SVG, TIFF, PCX, JPG or SFW files are processed.
Comment 59 David Walser 2017-11-22 19:36:12 CET
Debian has issued an advisory on November 17:
https://www.debian.org/security/2017/dsa-4040

It adds more CVEs:
CVE-2017-11352, CVE-2017-11640, CVE-2017-12431, CVE-2017-12640, CVE-2017-12877, CVE-2017-12983, CVE-2017-13134, CVE-2017-13139, CVE-2017-13144, CVE-2017-13758, CVE-2017-13769, CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989, CVE-2017-15277, CVE-2017-16546.
Comment 61 David Walser 2017-12-26 21:46:37 CET
openSUSE advisory from December 22 with a ton of CVEs as well:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00095.html
Comment 62 David Walser 2017-12-30 15:13:35 CET
Debian has issued an advisory on December 28:
https://www.debian.org/security/2017/dsa-4074

It fixes CVE-2017-12877, CVE-2017-16546, CVE-2017-17499, CVE-2017-17504, CVE-2017-17879.
Comment 63 David Walser 2017-12-30 19:58:54 CET
I checked what it would look like to try to apply all patches from Debian stretch to our package.

For Mageia 5, it looks like they all apply to some degree, but there's too many failing hunks that would need rediffed for me to have time to do that.

For Mageia 6, it's a mix of patches that apply and patches that have already been applied upstream, and you'd hope it'd be ones that had and then ones that haven't if you go in order, but it's a scattered mix, so also wouldn't be fun to pick out the ones that apply (though it may at least be possible).

Probably our best bet is just upgrading it and rebuilding everything.  It'd be really nice if upstream would stop changing library majors in what's supposed to be an old stable branch.

Version: 5 => 6

Comment 64 David Walser 2018-01-09 00:22:59 CET
More from openSUSE on January 5:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00004.html
Comment 65 David Walser 2018-01-16 12:15:58 CET
More from openSUSE on January 15:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00036.html
Comment 66 Marc Krämer 2018-01-17 18:49:40 CET
In order not to rebuild all, can't we just add a symlink pointing to the new version? It is not clean, but upstream changing the majors is neither.

CC: (none) => mageia

Comment 67 David Walser 2018-01-17 18:53:01 CET
No, we'll need rebuilds.
Comment 68 David Walser 2018-01-20 19:22:53 CET
More from openSUSE today (January 20):
https://lists.opensuse.org/opensuse-updates/2018-01/msg00058.html
Comment 69 Thomas Backlund 2018-02-01 19:27:44 CET
Hm, is it a real ABI break, or can we simply patch it to use old major?

CC: (none) => tmb

Comment 70 David Walser 2018-02-01 20:34:52 CET
(In reply to Thomas Backlund from comment #69)
> Hm, is it a real ABI break, or can we simply patch it to use old major?

Who knows.  I get the impression that a lot of open source developers don't understand the meaning or purpose of library majors, so you never know.  I know ROSA has a tool for detecting ABI incompatibilities.  I don't know how else you could know that for sure.
Comment 71 David Walser 2018-02-10 21:41:39 CET
More from openSUSE on February 8:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00025.html
Stig-Ørjan Smelror 2018-02-28 22:00:00 CET

Blocks: (none) => 22654

Stig-Ørjan Smelror 2018-03-01 21:16:24 CET

CC: (none) => smelror
Depends on: (none) => 22657

Comment 72 David Walser 2018-03-11 16:01:04 CET
More from openSUSE on March 7:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00015.html
Comment 73 David Walser 2018-03-19 12:53:54 CET
Fedora has issued an advisory for this today (March 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3FMLBOKBCT4YVJKWP4TYIRITAY5IVEO/
Comment 74 Stig-Ørjan Smelror 2018-03-19 14:41:42 CET
Imagemagick 6.9.9-39 has been pushed to core/updates_testing to fix the issues mentioned in comment #73.
Comment 75 David Walser 2018-03-31 22:44:25 CEST
libpaper issue that might need to be fixed along with this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JLPT3ZHBHK5U2U3LMAOB4XVNXFB4VPSF/
Comment 76 David Walser 2018-03-31 22:45:22 CEST
(In reply to David Walser from comment #75)
> libpaper issue that might need to be fixed along with this:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/JLPT3ZHBHK5U2U3LMAOB4XVNXFB4VPSF/

also for ruby-rmagick:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P73Z7BY4WMO7IU46NB6LGDNZSCRORQSJ/
Comment 77 David Walser 2018-04-08 02:28:56 CEST
More from openSUSE today (April 7):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00012.html
Comment 78 David Walser 2018-05-01 21:24:21 CEST
Stig-Ørjan Smelror, can you push the latest imagemagick 6 and post a full list of updated and rebuilt packages for this update here?
Comment 79 Stig-Ørjan Smelror 2018-05-01 22:22:02 CEST
ImageMagick 6.9.9.41

Files:

imagemagick-doc-6.9.9.41-1.mga6
imagemagick-6.9.9.41-1.mga6
imagemagick-debuginfo-6.9.9.41-1.mga6
imagemagick-debugsource-6.9.9.41-1.mga6
imagemagick-desktop-6.9.9.41-1.mga6
lib64magick-6Q16_6-6.9.9.41-1.mga6
lib64magick-6Q16_6-debuginfo-6.9.9.41-1.mga6
lib64magick++-6Q16_8-6.9.9.41-1.mga6
lib64magick++-6Q16_8-debuginfo-6.9.9.41-1.mga6
lib64magick-devel-6.9.9.41-1.mga6
perl-Image-Magick-6.9.9.41-1.mga6
perl-Image-Magick-debuginfo-6.9.9.41-1.mga6

from imagemagick-6.9.9.41-1.mga6.src.rpm

Rebuilt for new ImageMagick:

vdr-plugin-skinelchi-0.2.8-8.2.mga6
vdr-plugin-skinenigmang-0.1.2-10.2.mga6
transcode-1.1.7-17.2.mga6
synfig-1.2.1-2.2.mga6
ruby-rmagick-2.15.4-12.2.mga6
pythonmagick-0.9.12-7.2.mga6
psiconv-0.9.8-26.2.mga6
php-magickwand-1.0.9.2-10.2.mga6
php-imagick-3.4.1-6.2.mga6
pfstools-2.0.6-3.2.mga6
perl-Image-SubImageFind-0.30.0-6.2.mga6
ocaml-glmlite-0.03.51-17.2.mga6
libopenshot-0.1.8-1.2.mga6
kxstitch-2.0.0-2.2.mga6
k3d-0.8.0.5-5.2.mga6
inkscape-0.92.1-2.2.mga6
emacs-24.5-8.3.mga6
dvdauthor-0.7.2-2.2.mga6
cuneiform-linux-1.1.0-9.2.mga6
converseen-0.9.6.2-1.3.mga6
Comment 80 David Walser 2018-05-02 02:35:12 CEST
Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

The imagemagick package has been updated to version 6.9.9.41 which fixes several unspecified security vulnerabilities.  Several packages have been rebuilt for the updated ImageMagick.

References:
http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog


Package list in Comment 79.  Some of the rebuilt packages include Qt5 components so those rebuilds were also needed for the Qt5 stack update.

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 81 William Kenney 2018-05-02 18:10:32 CEST
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.8.7-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.8.7-1.mga6.i586 is already installed

I can open files ( jpeg, png, bmp ) with imagemagick, enhance and modify
those files then save them under a different name. Those saved files can be
opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.i586 is already installed

I can open different files with imagemagick, modify those files then save
them under a different name. Those saved files can be opened with gimp.
I can open the previously created image files.

CC: (none) => wilcal.int

Comment 82 William Kenney 2018-05-02 18:39:02 CEST
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.8.7-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.8.7-1.mga6.x86_64 is already installed

I can open files ( jpg, png, gif ) with imagemagick, enhance and modify
those files then save them under a different name. Those saved files can be
opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.x86_64 is already installed

I can open different files with imagemagick, modify those files then save
them under a different name. Those saved files can be opened with gimp.
I can open the previously created image files.
Comment 83 William Kenney 2018-05-02 18:39:59 CEST
You make the call David. Looks good here.
Comment 84 David Walser 2018-05-02 19:50:30 CEST
Make sure you test some of the rebuilt apps and not just imagemagick itself, but yeah I expect it to be fine.
Comment 85 Lewis Smith 2018-05-02 21:53:55 CEST
Created attachment 10115 [details]
ImageMagick demonstration test script

See https://bugs.mageia.org/show_bug.cgi?id=12742#c5
This clever script is from http://www.imagemagick.org/script/examples.php, and has been slightly modified to comment out 1 test which no longer works. It requires also 'perl-Image-Magick'.
To run it from a certain directory, create in the same directory two image files 'model.gif' and 'smile.gif' e.g. by converting them from any other image file:
 $ convert any-old-picture.jpg model.gif
 $ convert a-smilie-from-the-net.png smile.gif
To run it:
 $ perl examples.pl
which ends up displaying a single output image 'demo.jpg' composed of the results of lots of IM operations. This script alone is a demanding ImageMagick test.
Comment 86 Lewis Smith 2018-05-02 22:56:42 CEST
Testing M6/64 real hardware.

BEFORE the update, ran the test script attached & saved its output.

UPDATED ImageMagick & a few other applications from comment 79:
- imagemagick-6.9.9.41-1.mga6.x86_64
- imagemagick-desktop-6.9.9.41-1.mga6
- lib64magick++-6Q16_8-6.9.9.41-1.mga6.x86_64
- lib64magick-6Q16_6-6.9.9.41-1.mga6.x86_64
- perl-Image-Magick-6.9.9.41-1.mga6.x86_64
- inkscape-0.92.1-2.2.mga6.x86_64
- cuneiform-linux-1.1.0-9.2.mga6.x86_64
- k3d-0.8.0.5-5.2.mga6.x86_64
- kxstitch-2.0.0-2.2.mga6.x86_64

The Qt5 stack updates are installed.

Re-ran the ImageMagick test script, the new O/P was identical to previously. Take that as OK.

* cuneiform-linux
A command line OCR program, very cryptic (no man page or command help).
/usr/share/doc/cuneiform-linux/readme.txt has the essential info under "Running".
On a clear jpg image of a single page of typed French text, I ran:
 $ cuneiform -l fra -o marcel.txt --singlecolumn /mnt/common/Marcel/Bruxelles1958/0001.jpeg
The output text file 'marcel.txt' was recognisably OCR'd, but of poor quality. This is not the best program to use for this function, but this test is OK.

* Inkscape
Imported JPG & PNG images, able to resize & rotate them. This is OK.
However, when trying to import other image types from a directory with all sorts, it crashed consistently on opening the directory. Cannot say whether this is new behaviour, need to confirm elsewhere; does not seem related to the update.

* k3d
With my total ignorance of this program, it could be made to do things. Looks OK.

* kxstitch
Reading its manual a long way, you eventually find how to do stitching. It seems to work OK.

I am willing to 64-bit OK this update, but hope Bill will try other applications: transcode is video! converseen I could/should have installed & tried. Also, I could have tried - might yet - more image types.
Comment 87 Len Lawrence 2018-05-03 00:08:11 CEST
Using the updated emacs here and investigating ruby-rmagick.

CC: (none) => tarazed25

Comment 88 Len Lawrence 2018-05-03 01:24:08 CEST
Tried out several examples from a tutorial at https://rmagick.github.io/usage.html

These involved creating a simple image, creating an animated gif, resizing an original image, drawing on a canvas and annotating an image.  Everything worked as expected.  The scripts have been assembled into a tar file.  Other users will need to install ruby and supply their own images.
$ ruby <script>.rb

ruby-rmagick and emacs work fine.
Comment 89 Len Lawrence 2018-05-03 01:26:22 CEST
Created attachment 10116 [details]
Small collection of demonstration scripts for ruby-rmagick
Comment 90 Len Lawrence 2018-05-03 01:57:27 CEST
Might be interesting to rewrite examples.pl for pythonmagick, but not on this ticket.  examples.pl is definitely going into my toolbox - as you say Lewis, a real workout.
Comment 91 Len Lawrence 2018-05-03 08:54:31 CEST
transcode does not seem to have arrived in Updates Testing yet.
Comment 92 Stig-Ørjan Smelror 2018-05-03 09:10:20 CEST
Transcode is in tainted/updates_testing in case you don't have it enabled.

Cheers,
Stig
Comment 93 Len Lawrence 2018-05-03 09:23:01 CEST
Thanks Stig - got it.
Comment 94 Lewis Smith 2018-05-03 10:05:23 CEST
(In reply to Len Lawrence from comment #91)
> transcode does not seem to have arrived in Updates Testing yet.
I was going to say the same as Stig!

M6/64 continued

* converseen-0.9.6.2-1.3.mga6
Launching this from the Graphics menu, the first time also fires up a browser -> its home page:  http://converseen.fasterland.net/
"A Batch Image Conversion Tool for Windows & Linux" looks like a graphical front end to ImageMagick. You of course need to know how to drive it, not evident. In the end I got it to convert PNG SVG & JPG images to TIFF (which landed up in the home directory, not the source one); these tif images were only accepted by some viewers, others did not like them; but this is not uncommon for tifs.
I could only see 'convert' between formats; the other claims "resize, rotate and flip" are, one imagines, to come.
A useful looking program. OK here.

I think once transcode is flown, this can be OK'd & validated.

@ David: is your comment 80 advisory enough? I can add the CVEs from the bug title, but what about all the dependent applications in comment 79? Do they all need to be SRPM cited as well? i.e. Do they form an integral part of this update?

CC: (none) => lewyssmith

Comment 95 Len Lawrence 2018-05-03 10:08:58 CEST
Loaded a commercial DVD and ran this command as listed in the man pages:
$ transcode -i /dev/dvd/ -x dvd -j 16,0 -B 5,0 -Y 40,8 -s 4.47 -U my_movie -y xvid -w 1618

This outputs a log of its operations and warns "This can take a long time" and it does.  ksysguard reports that the main process is sleeping - "waiting for something to happen".
The last few messages read:
libdvdread: Get key for /VIDEO_TS/VTS_09_1.VOB at 0x003f7016
libdvdread: Elapsed time 0
libdvdread: Found 9 VTS's
libdvdread: Elapsed time 0

The first 5 minutes of the film are encoded into an AVI file which can be played in vlc - my_movie-ch01.avi.  A second chapter is started and then the process appears to hang.

Interrupted the command and ran it again with the --no_split option.  It ran for about two minutes then hung at approximately the same place as before, on a chapter break.
Comment 96 Len Lawrence 2018-05-03 10:11:40 CEST
Re comment 95.  I would think this is a sufficient test of transcode.  It looks like there might be a problem with it, unrelated to ImageMagick.
Comment 97 Lewis Smith 2018-05-03 10:40:54 CEST
M6/64 continued:

* Inkscape (see comment 86)
Reverted from updated inkscape-0.92.1-2.2 to pre-update inkscape-0.92.1-2 and found that the crash on opening (to import a file) a very mixed image directory *was* previously present - and warrants a bug. So the update is confirmed OK.
Comment 98 David Walser 2018-05-03 15:00:48 CEST
Lewis, my generic advisory will have to suffice.  We don't have the exact list of CVEs and the SRPMS will already be listed in the advisory.
Comment 99 Herman Viaene 2018-05-04 12:55:03 CEST
I could not find libopenshot-0.1.8-1.2.mga6, looking at the version numbers, I suppose the package name is libopenshot13, right???

CC: (none) => herman.viaene

Comment 100 Stig-Ørjan Smelror 2018-05-04 12:57:24 CEST
Herman,

I think you're right. Copied the text from pkgsubmit and it's the name of the src package, not the compiled one.

Cheers,
Stig
Comment 101 Herman Viaene 2018-05-04 17:48:57 CEST
MGA6-32 on Dell latitude D600
No installation issues apart from the remark in Comment 99.
Run different picture types in imagemagick, seems OK.
Tried to run the perl example as per Comment 85: all seems to go well until this machine runs out of space. In first run, the demo.jpg was generated but was not complete.
I won't even try to do video conversion on this machine, so AFAICS the updates are OK here, and have not blown up anything else.
Comment 102 Len Lawrence 2018-05-04 19:24:52 CEST
A few more tests for ImageMagick on x86_64.

$ identify GlenShiel*.pnm
GlenShiel.pnm PPM 2304x1728 2304x1728+0+0 8-bit sRGB 11.3906MiB 0.010u 0:01.030

Generate output images from builtin canvases.

$ convert -size 200x160 canvas:MistyRose rose.png
$ display rose.png
Shows a pink rectangle.

$ convert -size 100x100  gradient:tomato-steelblue gradient_5.jpg
Displays as a rectangle shaded red to blue downwards.

$ convert rose: -background black -vignette 0x5  rose_vignette.gif
The image is of a vignetted rose.

Convert images from one type to another.  mogrify converts in situ.

$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png
Produces an image of a girl in an oval against a grey background.

Shrink an image to quarter size as losslessly as possible.
$ mogrify -resize 50% -quality 100 GlenShiel.jpg

Make a squashed image of a TIFF in JPEG format, with approximately the same area.
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg 
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 365436B 0.000u 0:00.000

Hide a message in another image.
$ convert -gravity center -size 480x100 label:"Good morning QA" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
crater and SantaMaria look identical.
Recover the message:
$ convert -size 480x100+15+2 stegano:crater.png secret.png
$ display secret.png

Rotate an image:
$ mogrify -rotate 270 newbridge.tif
Apply these transformations:
$ mogrify -flip newbridge.tif
$ mogrify -flop newbridge.tif
$ mogrify -rotate -90 newbridge.tif
That restores the original image.

Create a rainbow, sort of.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg

Diagonal shading from blue to black.
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue  -%w,%h skyblue  %w,%h black' diagonal_gradient.jpg

http://www.imagemagick.org/Usage/transform/ supplies more information.

Everything seems to be functioning OK.
Comment 103 Lewis Smith 2018-05-05 21:45:10 CEST
Advisory made from: heading, comment 80, comment 57, all comments citing CVEs (a few of which were duplicates), and the bug RPMs page for the SRPMs.
Aware that we have not specifically tested all the supplementary packages in comment 79 (we have too much on our plate), those that we have tested look OK, so OKing this update & validating it.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 104 Mageia Robot 2018-05-12 08:29:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0229.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

