A CVE has been assigned for a security issue fixed upstream in graphicsmagick:
http://openwall.com/lists/oss-security/2016/10/01/7
The commit to fix the issue is linked in the message above.
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Done for Mga5 and Cauldron.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://openwall.com/lists/oss-security/2016/10/01/7
========================

Updated packages in core/updates_testing:
========================
i586:
graphicsmagick-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick3-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick++12-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagickwand2-1.3.25-1.1.mga5.i586.rpm
libgraphicsmagick-devel-1.3.25-1.1.mga5.i586.rpm
perl-Graphics-Magick-1.3.25-1.1.mga5.i586.rpm
graphicsmagick-doc-1.3.25-1.1.mga5.noarch.rpm

x86_64:
graphicsmagick-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick3-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick++12-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagickwand2-1.3.25-1.1.mga5.x86_64.rpm
lib64graphicsmagick-devel-1.3.25-1.1.mga5.x86_64.rpm
perl-Graphics-Magick-1.3.25-1.1.mga5.x86_64.rpm
graphicsmagick-doc-1.3.25-1.1.mga5.noarch.rpm

Source RPMs:
graphicsmagick-1.3.25-1.1.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
CVE request for two issues in the WPG reader:
http://openwall.com/lists/oss-security/2016/10/07/4
A patch is included in that message that applies cleanly to our package.
Done for Mga5 and Cauldron.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

Two issues in the WPG reader (description will have to be improved when CVE numbers are assigned).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://openwall.com/lists/oss-security/2016/10/01/7
http://openwall.com/lists/oss-security/2016/10/07/4
========================

Updated packages in core/updates_testing:
========================
i586:
graphicsmagick-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick3-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick++12-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagickwand2-1.3.25-1.2.mga5.i586.rpm
libgraphicsmagick-devel-1.3.25-1.2.mga5.i586.rpm
perl-Graphics-Magick-1.3.25-1.2.mga5.i586.rpm
graphicsmagick-doc-1.3.25-1.2.mga5.noarch.rpm

x86_64:
graphicsmagick-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick3-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick++12-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagickwand2-1.3.25-1.2.mga5.x86_64.rpm
lib64graphicsmagick-devel-1.3.25-1.2.mga5.x86_64.rpm
perl-Graphics-Magick-1.3.25-1.2.mga5.x86_64.rpm
graphicsmagick-doc-1.3.25-1.2.mga5.noarch.rpm

Source RPMs:
graphicsmagick-1.3.25-1.2.mga5.src.rpm
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick libgraphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.25-1.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgraphicsmagick3
Package libgraphicsmagick3-1.3.25-1.1.mga5.i586 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
graphicsmagick perl-Graphics-Magick lib64graphicsmagick3

default install of graphicsmagick perl-Graphics-Magick & libgraphicsmagick3

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.25-1.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF

install graphicsmagick perl-Graphics-Magick & libgraphicsmagick3 from updates_testing

[root@localhost wilcal]# urpmi graphicsmagick
Package graphicsmagick-1.3.25-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-Graphics-Magick
Package perl-Graphics-Magick-1.3.25-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64graphicsmagick3
Package lib64graphicsmagick3-1.3.25-1.1.mga5.x86_64 is already installed

Per: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
graphicsmagick conversions work, perl script creates an animated GIF
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CVE-2016-7996 and CVE-2016-7997:
http://openwall.com/lists/oss-security/2016/10/08/5

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

Two issues in the WPG reader (CVE-2016-7996, CVE-2016-7997).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7997
http://openwall.com/lists/oss-security/2016/10/01/7
http://openwall.com/lists/oss-security/2016/10/08/5
Summary: graphicsmagick new security issue CVE-2016-7800 => graphicsmagick new security issues CVE-2016-7800 and CVE-2016-799[67]
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0337.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/703123/