Just an FYI that we should update again to 6.9.5-4, at least for Cauldron, once it's available. We can probably wait for more fixes before the next Mageia 5 update. 6.9.5-4 will contain these two buffer overflow fixes: http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0 http://git.imagemagick.org/repos/ImageMagick/commit/5cb6c1acd3e3b12f9260daf207db432df7f792c2 A CVE has been requested for the second one: http://openwall.com/lists/oss-security/2016/07/28/13
(In reply to David Walser from comment #0) > A CVE has been requested for the second one: > http://openwall.com/lists/oss-security/2016/07/28/13 CVE-2016-6491: http://openwall.com/lists/oss-security/2016/07/28/15
Summary: imagemagick new buffer overflows fixed in 6.9.5-4 => imagemagick new buffer overflows fixed in 6.9.5-4 (including CVE-2016-6491)
URL: (none) => http://lwn.net/Vulnerabilities/695953/
Another buffer overflow and use-after-free fix in 6.9.5-5: http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog Freeze push requested for Cauldron.
Summary: imagemagick new buffer overflows fixed in 6.9.5-4 (including CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-6491)
https://bugzilla.suse.com/show_bug.cgi?id=991444 shows CVE-2016-5010 fixed in 6.9.5-3. This came from: http://lwn.net/Vulnerabilities/697263/ I'm not sure how they got CVE-2016-6520, as that appears to only have been in imagemagick 7.
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010 and CVE-2016-6491)
CVE-2016-6823 has been assigned for an issue fixed in 6.9.5-8: http://www.openwall.com/lists/oss-security/2016/09/26/3 There appears to be another security fix in 6.9.5-8 as well. Freeze push for 6.9.5-10 requested for Cauldron.
Version: Cauldron => 5Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010 and CVE-2016-6491) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823)
CVE-2016-7101 was also fixed in 6.9.5-8: http://www.openwall.com/lists/oss-security/2016/09/26/8
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101)
LWN reference for yet another issue fixed in 6.9.5-8: http://lwn.net/Vulnerabilities/701917/
CVE request for another issue fixed yesterday: http://openwall.com/lists/oss-security/2016/10/01/4 6.9.5-11 hasn't been released yet.
(In reply to David Walser from comment #7) > CVE request for another issue fixed yesterday: > http://openwall.com/lists/oss-security/2016/10/01/4 CVE-2016-7799: http://openwall.com/lists/oss-security/2016/10/01/6
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799)
CVE-2016-7906: http://openwall.com/lists/oss-security/2016/10/02/3
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799) => imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906)
LWN reference for CVE-2016-7799 and CVE-2016-7906: http://lwn.net/Vulnerabilities/703103/
CVE-2016-8677 and CVE-2016-8678: http://openwall.com/lists/oss-security/2016/10/16/1 http://openwall.com/lists/oss-security/2016/10/16/2 Not sure if those affect 6.x.
CVE-2016-8862: http://www.openwall.com/lists/oss-security/2016/10/20/2 Not sure if 6.x is affected.
CVE-2016-8866: http://www.openwall.com/lists/oss-security/2016/10/21/5
LWN reference for several CVEs: http://lwn.net/Vulnerabilities/705125/ openSUSE has issued an advisory on October 28: https://lists.opensuse.org/opensuse-updates/2016-10/msg00107.html
CVE-2016-9298: http://openwall.com/lists/oss-security/2016/11/14/10 Not sure if 6.x is affected.
Two more issues for imagemagick 7 (not sure if 6 is affected): http://openwall.com/lists/oss-security/2016/11/19/4 http://openwall.com/lists/oss-security/2016/11/19/7
Ubuntu has issued an advisory for this on November 21: https://www.ubuntu.com/usn/usn-3131-1/
(In reply to David Walser from comment #16) > Two more issues for imagemagick 7 (not sure if 6 is affected): > http://openwall.com/lists/oss-security/2016/11/19/4 > http://openwall.com/lists/oss-security/2016/11/19/7 CVE-2016-9556 and CVE-2016-9559: http://openwall.com/lists/oss-security/2016/11/23/1 http://openwall.com/lists/oss-security/2016/11/23/4
Additional CVEs New CVEs are attached to this bug CVE-2016-7799 CVE-2016-7906 CVE-2016-8677
CC: (none) => zombie_ryushu
(In reply to David Walser from comment #18) > (In reply to David Walser from comment #16) > > Two more issues for imagemagick 7 (not sure if 6 is affected): > > http://openwall.com/lists/oss-security/2016/11/19/4 > > http://openwall.com/lists/oss-security/2016/11/19/7 > > CVE-2016-9556 and CVE-2016-9559: > http://openwall.com/lists/oss-security/2016/11/23/1 > http://openwall.com/lists/oss-security/2016/11/23/4 LWN reference for CVE-2016-9556: https://lwn.net/Vulnerabilities/707857/ So that at least affects 6.
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-9556)
CVE-2016-9773 (affects 7, not sure about 6): http://openwall.com/lists/oss-security/2016/12/02/11
LWN reference for CVE-2016-9559: https://lwn.net/Vulnerabilities/708243/
CVE request for several more issues: http://openwall.com/lists/oss-security/2016/12/20/3 At least 4 of those are fixed new 6 newer than the version we currently have.
CVE-2016-8707: https://lwn.net/Vulnerabilities/709984/ CVE-2016-9773: https://lwn.net/Vulnerabilities/709988/
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-9556) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773)
(In reply to David Walser from comment #23) > CVE request for several more issues: > http://openwall.com/lists/oss-security/2016/12/20/3 CVE assignments: http://openwall.com/lists/oss-security/2016/12/26/9
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (including CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068)
CVE-2016-1014[4-6], CVE-2017-550[6-9], CVE-2017-551[01]: http://openwall.com/lists/oss-security/2017/01/17/5 These CVEs didn't fit in the bug title. Some of them have been fixed upstream recently, some of them may not have been fixed yet.
Summary: imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068) => imagemagick new buffer overflows fixed in 6.9.5-5 and later (inc. CVE-2016-5010, CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7799, CVE-2016-7906, CVE-2016-8707, CVE-2016-9556, CVE-2016-9773, CVE-2016-10046, CVE-2016-1005[1-8], CVE-2016-10068...)
(In reply to David Walser from comment #26) > CVE-2016-1014[4-6], CVE-2017-550[6-9], CVE-2017-551[01]: > http://openwall.com/lists/oss-security/2017/01/17/5 LWN reference: https://lwn.net/Vulnerabilities/713049/
Debian has issued an advisory for this on March 1: https://www.debian.org/security/2017/dsa-3799 It includes CVE-2016-10062, which I don't believe I've listed yet.
openSUSE has issued an advisory for this on March 2: https://lists.opensuse.org/opensuse-updates/2017-03/msg00000.html It also has CVE-2016-1004[89], CVE-2015-1005[09], CVE-2016-1006[0-5], CVE-2016-10069, CVE-2016-1007[01].
Debian has issued an advisory on March 13: https://www.debian.org/security/2017/dsa-3808 It adds CVE-2017-6498, CVE-2017-6499, CVE-2017-6500.
CVE-2017-7606: http://openwall.com/lists/oss-security/2017/04/10/7
CVE-2017-9098: http://openwall.com/lists/oss-security/2017/05/20/1
Debian has issued an advisory on May 25: https://www.debian.org/security/2017/dsa-3863 It includes the CVEs I mentioned in the last two comments and several new ones. CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943, CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765, CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142, CVE-2017-9143, CVE-2017-9144.
So which versions of imagemagick should we upgrade to in both cauldron and mgav5?
(In reply to Shlomi Fish from comment #34) > So which versions of imagemagick should we upgrade to in both cauldron and > mgav5? The absolute latest from the ImageMagick-6 branch.
(In reply to David Walser from comment #35) > (In reply to Shlomi Fish from comment #34) > > So which versions of imagemagick should we upgrade to in both cauldron and > > mgav5? > > The absolute latest from the ImageMagick-6 branch. Thanks, David!
(In reply to David Walser from comment #35) > (In reply to Shlomi Fish from comment #34) > > So which versions of imagemagick should we upgrade to in both cauldron and > > mgav5? > > The absolute latest from the ImageMagick-6 branch. The problem is that after patching the .spec to build 6.9.8-6 , the major and cppmajor were changed as well, which means that some dependencies will have to be rebuilt. Should we proceed with that?
Created attachment 9340 [details] Patch to the cauldron mgarepo checkout to update to latest IM-6.x release
(In reply to Shlomi Fish from comment #37) > (In reply to David Walser from comment #35) > > (In reply to Shlomi Fish from comment #34) > > > So which versions of imagemagick should we upgrade to in both cauldron and > > > mgav5? > > > > The absolute latest from the ImageMagick-6 branch. > > The problem is that after patching the .spec to build 6.9.8-6 , the major > and cppmajor were changed as well, which means that some dependencies will > have to be rebuilt. Should we proceed with that? Unfortunately it would be almost impossible to find patches for all of the CVEs at this point, so I think we'll have to. The only other reasonable possibility is if there's some branch of Debian we can sync with, which I've done in the past.
Package : imagemagick CVE ID : CVE-2017-7606 CVE-2017-7619 CVE-2017-7941 CVE-2017-7943 CVE-2017-8343 CVE-2017-8344 CVE-2017-8345 CVE-2017-8346 CVE-2017-8347 CVE-2017-8348 CVE-2017-8349 CVE-2017-8350 CVE-2017-8351 CVE-2017-8352 CVE-2017-8353 CVE-2017-8354 CVE-2017-8355 CVE-2017-8356 CVE-2017-8357 CVE-2017-8765 CVE-2017-8830 CVE-2017-9098 CVE-2017-9141 CVE-2017-9142 CVE-2017-9143 CVE-2017-9144 Debian Bug : 860736 862577 859771 859769 860734 862572 862574 862573 862575 862590 862589 862587 862632 862633 862634 862635 862636 862578 860735 862653 862637 863126 863125 863124 863123 862967 This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed RLE, ART, JNG, DDS, BMP, ICO, EPT, SUN, MTV, PICT, XWD, PCD, SFW, MAT, EXR, DCM, MNG, PCX or SVG files are processed.
Remi and I submitted an update for imagemagick in mgav6 to the latest 6.9.x version. I also rebuilt most of the reverse deps on its libs there. Now we'll need to handle mageia v5...
Ubuntu has issued an advisory for this on May 30: https://www.ubuntu.com/usn/usn-3302-1/ It adds CVE-2017-7942.
openSUSE has issued an advisory for this today (June 14): https://lists.opensuse.org/opensuse-updates/2017-06/msg00045.html
CVE-2017-11352: http://openwall.com/lists/oss-security/2017/07/17/1
Debian has issued an advisory on July 18: https://www.debian.org/security/2017/dsa-3914 Now with more CVEs! :D
Ubuntu has issued an advisory for this on July 24: https://usn.ubuntu.com/usn/usn-3363-1/
Two more issues fixed in 7, not sure if they affect 6: http://openwall.com/lists/oss-security/2017/08/16/2 http://openwall.com/lists/oss-security/2017/08/16/3
CVE-2017-11403 CVE-2017-9439 CVE-2017-9501: https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00049.html
(In reply to David Walser from comment #48) > CVE-2017-11403 CVE-2017-9439 CVE-2017-9501: > https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00049.html Also CVE-2017-9440: https://lists.opensuse.org/opensuse-updates/2017-08/msg00102.html
CVE-2017-14741: http://openwall.com/lists/oss-security/2017/09/26/10
CVE-2017-13768: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C2HIXQHG4EV5DD7JOTXHDLRA6GQLMCMB/
CVE-2017-14989: http://openwall.com/lists/oss-security/2017/10/09/5
Another issue with no CVE, fixed in 6.9.9-20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ATCAOPWFKB5R36KTIJNI2IN4ERU43HN4/
Debian has issued an advisory on November 5: https://www.debian.org/security/2017/dsa-4019 It adds more CVEs: CVE-2017-9500, CVE-2017-11446, CVE-2017-11523, CVE-2017-11533, CVE-2017-11535, CVE-2017-11537, CVE-2017-11639, CVE-2017-11640, CVE-2017-12428, CVE-2017-12431, CVE-2017-12432, CVE-2017-12434, CVE-2017-12587, CVE-2017-12640, CVE-2017-12671, CVE-2017-13139, CVE-2017-13140, CVE-2017-13141, CVE-2017-13142, CVE-2017-13143, CVE-2017-13144, CVE-2017-13145.
Debian has issued an advisory on November 12: https://www.debian.org/security/2017/dsa-4032 It adds more CVEs: CVE-2017-12983, CVE-2017-13134, CVE-2017-13758, CVE-2017-13769, CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989, CVE-2017-15277.
openSUSE has issued an advisory for this on November 12: https://lists.opensuse.org/opensuse-updates/2017-11/msg00042.html It adds: CVE-2016-7530 CVE-2017-11534 CVE-2017-12433 CVE-2017-13133 CVE-2017-15033
Security database references: In the Debian bugtracking system: Bug 873134, Bug 873099, Bug 878508, Bug 878507, Bug 876097, Bug 878527, Bug 876488, Bug 878562. In Mitre's CVE dictionary: CVE-2017-12983, CVE-2017-13134, CVE-2017-13758, CVE-2017-13769, CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989, CVE-2017-15277. More information: This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed GIF, TTF, SVG, TIFF, PCX, JPG or SFW files are processed.
CVE-2017-14505: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZVO4AHS7BTO7MTLTE2NVU5NZ4MDHHCTL/
Debian has issued an advisory on November 17: https://www.debian.org/security/2017/dsa-4040 It adds more CVEs: CVE-2017-11352, CVE-2017-11640, CVE-2017-12431, CVE-2017-12640, CVE-2017-12877, CVE-2017-12983, CVE-2017-13134, CVE-2017-13139, CVE-2017-13144, CVE-2017-13758, CVE-2017-13769, CVE-2017-14224, CVE-2017-14607, CVE-2017-14682, CVE-2017-14989, CVE-2017-15277, CVE-2017-16546.
SUSE has issued advisories on December 20 fixing a ton of CVEs: https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00081.html https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00082.html
openSUSE advisory from December 22 with a ton of CVEs as well: https://lists.opensuse.org/opensuse-updates/2017-12/msg00095.html
Debian has issued an advisory on December 28: https://www.debian.org/security/2017/dsa-4074 It fixes CVE-2017-12877, CVE-2017-16546, CVE-2017-17499, CVE-2017-17504, CVE-2017-17879.
I checked what it would look like to try to apply all patches from Debian stretch to our package. For Mageia 5, it looks like they all apply to some degree, but there's too many failing hunks that would need rediffed for me to have time to do that. For Mageia 6, it's a mix of patches that apply and patches that have already been applied upstream, and you'd hope it'd be ones that had and then ones that haven't if you go in order, but it's a scattered mix, so also wouldn't be fun to pick out the ones that apply (though it may at least be possible). Probably our best bet is just upgrading it and rebuilding everything. It'd be really nice if upstream would stop changing library majors in what's supposed to be an old stable branch.
Version: 5 => 6
More from openSUSE on January 5: https://lists.opensuse.org/opensuse-updates/2018-01/msg00004.html
More from openSUSE on January 15: https://lists.opensuse.org/opensuse-updates/2018-01/msg00036.html
In order not to rebuild all, can't we just add a symlink pointing to the new version? It is not clean, but upstream changing the majors is neither.
CC: (none) => mageia
No, we'll need rebuilds.
More from openSUSE today (January 20): https://lists.opensuse.org/opensuse-updates/2018-01/msg00058.html
Hm, is it a real abi break, or can we simply patch it to use old major ?
CC: (none) => tmb
(In reply to Thomas Backlund from comment #69) > Hm, is it a real abi break, or can we simply patch it to use old major ? Who knows. I get the impression that a lot of open source developers don't understand the meaning or purpose of library majors, so you never know. I know ROSA has a tool for detecting ABI incompatibilities. I don't know how else you could know that for sure.
More from openSUSE on February 8: https://lists.opensuse.org/opensuse-updates/2018-02/msg00025.html
Blocks: (none) => 22654
CC: (none) => smelrorDepends on: (none) => 22657
More from openSUSE on March 7: https://lists.opensuse.org/opensuse-updates/2018-03/msg00015.html
Fedora has issued an advisory for this today (March 19): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J3FMLBOKBCT4YVJKWP4TYIRITAY5IVEO/
Imagemagick 6.9.9-39 has been pushed to core/updates_testing to fix the issues mentioned in comment #73.
libpaper issue that might need to be fixed along with this: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JLPT3ZHBHK5U2U3LMAOB4XVNXFB4VPSF/
(In reply to David Walser from comment #75) > libpaper issue that might need to be fixed along with this: > https://lists.fedoraproject.org/archives/list/package-announce@lists. > fedoraproject.org/thread/JLPT3ZHBHK5U2U3LMAOB4XVNXFB4VPSF/ also for ruby-rmagick: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P73Z7BY4WMO7IU46NB6LGDNZSCRORQSJ/
More from openSUSE today (April 7): https://lists.opensuse.org/opensuse-updates/2018-04/msg00012.html
Stig-Ørjan Smelror, can you push the latest imagemagick 6 and post a full list of updated and rebuilt packages for this update here?
ImageMagick 6.9.9.41 Files: imagemagick-doc-6.9.9.41-1.mga6 imagemagick-6.9.9.41-1.mga6 imagemagick-debuginfo-6.9.9.41-1.mga6 imagemagick-debugsource-6.9.9.41-1.mga6 imagemagick-desktop-6.9.9.41-1.mga6 lib64magick-6Q16_6-6.9.9.41-1.mga6 lib64magick-6Q16_6-debuginfo-6.9.9.41-1.mga6 lib64magick++-6Q16_8-6.9.9.41-1.mga6 lib64magick++-6Q16_8-debuginfo-6.9.9.41-1.mga6 lib64magick-devel-6.9.9.41-1.mga6 perl-Image-Magick-6.9.9.41-1.mga6 perl-Image-Magick-debuginfo-6.9.9.41-1.mga6 from imagemagick-6.9.9.41-1.mga6.src.rpm Rebuilt for new ImageMagick: vdr-plugin-skinelchi-0.2.8-8.2.mga6 vdr-plugin-skinenigmang-0.1.2-10.2.mga6 transcode-1.1.7-17.2.mga6 synfig-1.2.1-2.2.mga6 ruby-rmagick-2.15.4-12.2.mga6 pythonmagick-0.9.12-7.2.mga6 psiconv-0.9.8-26.2.mga6 php-magickwand-1.0.9.2-10.2.mga6 php-imagick-3.4.1-6.2.mga6 pfstools-2.0.6-3.2.mga6 perl-Image-SubImageFind-0.30.0-6.2.mga6 ocaml-glmlite-0.03.51-17.2.mga6 libopenshot-0.1.8-1.2.mga6 kxstitch-2.0.0-2.2.mga6 k3d-0.8.0.5-5.2.mga6 inkscape-0.92.1-2.2.mga6 emacs-24.5-8.3.mga6 dvdauthor-0.7.2-2.2.mga6 cuneiform-linux-1.1.0-9.2.mga6 converseen-0.9.6.2-1.3.mga6
Advisory: ======================== Updated imagemagick packages fix security vulnerabilities: The imagemagick package has been updated to version 6.9.9.41 which fixes several unspecified security vulnerabilities. Several packages have been rebuilt for the updated ImageMagick. References: http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog Package list in Comment 79. Some of the rebuilt packages include Qt5 components so those rebuilds were also needed for the Qt5 stack update.
CC: (none) => shlomifAssignee: shlomif => qa-bugs
In VirtualBox, M6, Mate, 32-bit Package(s) under test: imagemagick imagemagick-desktop default install of imagemagick & imagemagick-desktop [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.9.8.7-1.mga6.i586 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.9.8.7-1.mga6.i586 is already installed I can open files ( jpeg, png, bmp ) with imagemagick, enhance and modify those files then save them under a different name. Those saved files can be opened with gimp. install imagemagick & imagemagick-desktop from updates_testing [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.9.9.41-1.mga6.i586 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.9.9.41-1.mga6.i586 is already installed I can open different files with imagemagick, modify those files then save them under a different name. Those saved files can be opened with gimp. I can open the previously created image files.
CC: (none) => wilcal.int
In VirtualBox, M6, Mate, 64-bit Package(s) under test: imagemagick imagemagick-desktop default install of imagemagick & imagemagick-desktop [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.9.8.7-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.9.8.7-1.mga6.x86_64 is already installed I can open files ( jpg, png, gif ) with imagemagick, enhance and modify those files then save them under a different name. Those saved files can be opened with gimp. install imagemagick & imagemagick-desktop from updates_testing [root@localhost wilcal]# urpmi imagemagick Package imagemagick-6.9.9.41-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi imagemagick-desktop Package imagemagick-desktop-6.9.9.41-1.mga6.x86_64 is already installed I can open different files with imagemagick, modify those files then save them under a different name. Those saved files can be opened with gimp. I can open the previously created image files.
You make the call David. Looks good here.
Make sure you test some of the rebuilt apps and not just imagemagick itself, but yeah I expect it to be fine.
Created attachment 10115 [details] ImageMagick demonstration test script See https://bugs.mageia.org/show_bug.cgi?id=12742#c5 This clever script is from http://www.imagemagick.org/script/examples.php, and has been slightly modified to comment out 1 test which no longer works. It requires also 'perl-Image-Magick'. To run it from a certain directory, create in the same directory two image files 'model.gif' and 'smile.gif' e.g. by converting them from any other image file: $ convert any-old-picture.jpg model.gif $ convert a-smilie-from-the-net.png smile.gif To run it: $ perl examples.pl which ends up displaying a single output image 'demo.jpg' composed of the results of lots of IM operations. This script alone is a demanding ImageMagick test.
Testing M6/64 real hardware. BEFORE the update, ran the test script attached & saved its output. UPDATED ImageMagick & a few other applications from comment 79: - imagemagick-6.9.9.41-1.mga6.x86_64 - imagemagick-desktop-6.9.9.41-1.mga6 - lib64magick++-6Q16_8-6.9.9.41-1.mga6.x86_64 - lib64magick-6Q16_6-6.9.9.41-1.mga6.x86_64 - perl-Image-Magick-6.9.9.41-1.mga6.x86_64 - inkscape-0.92.1-2.2.mga6.x86_64 - cuneiform-linux-1.1.0-9.2.mga6.x86_64 - k3d-0.8.0.5-5.2.mga6.x86_64 - kxstitch-2.0.0-2.2.mga6.x86_64 The Qt5 stack updates are installed. Re-ran the ImageMagick test script, the new O/P was identical to previously. Take that as OK. * cuneiform-linux A command line OCR program, very cryptic (no man page or command help). /usr/share/doc/cuneiform-linux/readme.txt has the essential info under "Running". On a clear jpg image of a single page of typed French text, I ran: $ cuneiform -l fra -o marcel.txt --singlecolumn /mnt/common/Marcel/Bruxelles1958/0001.jpeg The output text file 'marcel.txt' was recognisably OCR'd, but of poor quality. This is not the best program to use for this function, but this test is OK. * Inkscape Imported JPG & PNG images, able to resize & rotate them. This is OK. However, when trying to import other image types from a directory with all sorts, it crashed consistently on opening the directory. Cannot say whether this is new behaviour, need to confirm elsewhere; does not seem related to the update. * k3d With my total ignorance of this program, it could be made to do things. Looks OK. * kxstitch Reading its manual a long way, you eventually find how to do stitching. It seems to work OK. I am willing to 64-bit OK this update, but hope Bill will try other applications: transcode is video! converseen I could/should have installed & tried. Also, I could have tried - might yet - more image types.
Using the updated emacs here and investigating ruby-rmagick.
CC: (none) => tarazed25
Tried out several examples from a tutorial at https://rmagick.github.io/usage.html These involved creating a simple image, creating an animated gif, resizing an original image, drawing on a canvas and annotating an image. Everything worked as expected. The scripts have been assembled into a tar file. Other users will need to install ruby and supply their own images. $ ruby <script>.rb ruby-rmagick and emacs work fine.
Created attachment 10116 [details] Small collection of demonstration scripts for ruby-rmagick
Might be interesting to rewrite examples.pl for pythonmagick, but not on this ticket. examples.pl is definitely going into my toolbox - as you say Lewis, a real workout.
transcode does not seem to have arrived in Updates Testing yet.
Transcode is in tainted/updates_testing in case you don't have it enabled. Cheers, Stig
Thanks Stig - got it.
(In reply to Len Lawrence from comment #91) > transcode does not seem to have arrived in Updates Testing yet. I was going to say the same as Stig! M6/64 continued * converseen-0.9.6.2-1.3.mga6 Launching this from the Graphics menu, the first time also fires up a browser -> its home page: http://converseen.fasterland.net/ "A Batch Image Conversion Tool for Windows & Linux" looks like a graphical front end to ImageMagick. You of course need to know how to drive it, not evident. In the end I got it to convert PNG SVG & JPG images to TIFF (which landed up in the home directory, not the source one); these tif images were only accepted by some viewers, others did not like them; but this is not uncommon for tifs. I could only see 'convert' between formats; the other claims "resize, rotate and flip" are, one imagines, to come. A useful looking program. OK here. I think once once transcode is flown, this can be OK'd & validated. @ David: is your comment 80 advisory enough? I can add the CVEs from the bug title, but what about all the dependant applications in comment 79? Do they all need to be SRPM cited as well? i.e. Do they form an integral part of this update?
CC: (none) => lewyssmith
Loaded a commercial DVD and ran this command as listed in the man pages: $ transcode -i /dev/dvd/ -x dvd -j 16,0 -B 5,0 -Y 40,8 -s 4.47 -U my_movie -y xvid -w 1618 This outputs a log of its operations and warns "This can take a long time" and it does. ksysguard reports that the main process is sleeping - "waiting for something to happen". The last few messages read: libdvdread: Get key for /VIDEO_TS/VTS_09_1.VOB at 0x003f7016 libdvdread: Elapsed time 0 libdvdread: Found 9 VTS's libdvdread: Elapsed time 0 The first 5 minutes of the film are encoded into an AVI file which can be played in vlc - my_movie-ch01.avi. A second chapter is started and then the process appears to hang. Interrupted the command and ran it again with the --no_split option. It ran for about two minutes then hung at approximately the same place as before, on a chapter break.
Re comment 95. I would think this is a sufficient test of transcode. It looks like there might be a problem with it, unrelated to ImageMagick.
M6/64 continued: * Inkscape (see comment 86) Reverted from updated inkscape-0.92.1-2.2 to pre-update inkscape-0.92.1-2 and found that the crash on opening (to import a file) a very mixed image directory *was* previously present - and warrants a bug. So the update is confirmed OK.
Lewis, my generic advisory will have to suffice. We don't have the exact list of CVEs and the SRPMS will already be listed in the advisory.
I could not find libopenshot-0.1.8-1.2.mga6, looking at the version numbers, I suppose the package name is libopenshot13, right???
CC: (none) => herman.viaene
Herman, I think you're right. Copied the text from pkgsubmit and it's the name of the src package, not the compiled one. Cheers, Stig
MGA6-32 on Dell latitude D600 No installation issues apart from the remark in Comment 99. Run different picture types in imagemagick, seems OK. Tried to run the perl example as per Comment 85: all seems to go well until this machine runs out of space. In first run, the demo.jpg was generated but was not complete. I won't even try to do video conversion on this machine, so AFAICS the updates are OK here, and have not blown up anything else.
A few more tests for ImageMagick on x86_64. $ identify GlenShiel*.pnm GlenShiel.pnm PPM 2304x1728 2304x1728+0+0 8-bit sRGB 11.3906MiB 0.010u 0:01.030 Generate output images from builtin canvases. $ convert -size 200x160 canvas:MistyRose rose.png $ display rose.png Shows a pink rectangle. $ convert -size 100x100 gradient:tomato-steelblue gradient_5.jpg Displays as a rectangled shaded red to blue downwards. $ convert rose: -background black -vignette 0x5 rose_vignette.gif The image is of a vignetted rose. Convert images from one type to another. mogrify converts in situ. $ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png Produces an image of a girl in an oval against a grey background. Shrink an image to quarter size as losslessly as possible. $ mogrify -resize 50% -quality 100 GlenShiel.jpg Make a squashed image of a TIFF in JPEG format, with approximately the same area. $ convert -resize 120%x80% Ikapati.tif ikapati.jpg $ identify ikapati.jpg ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 365436B 0.000u 0:00.000 Hide a message in another image. $ convert -gravity center -size 480x100 label:"Good morning QA" message.png $ composite message.png SantaMaria.png -stegano +15+2 crater.png $ display crater.png crater and SantaMaria look identical. Recover the message: $ convert -size 480x100+15+2 stegano:crater.png secret.png $ display secret.png Rotate an image: $ mogrify -rotate 270 newbridge.tif Apply these transformations: $ mogrify -flip newbridge.tif $ mogrify -flop newbridge.tif $ mogrify -rotate -90 newbridge.tif That restores the original image. Create a rainbow, sort of. $ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg Diagonal shading from blue to black. $ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue -%w,%h skyblue %w,%h black' diagonal_gradient.jpg http://www.imagemagick.org/Usage/transform/ supplies more information. Everything seems to be functioning OK.
Advisory made from: heading, comment 80, comment 57, all comments citing CVEs (a few of which were duplicates), and the bug RPMs page for the SRPMs. Aware that we have not specifically tested all the supplementary packages in comment 79 (we have too much on our plate), those that we have tested look OK, so OKing thus update & validating it.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0229.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED