CVEs have been assigned for two security issues in graphicsmagick: http://openwall.com/lists/oss-security/2016/10/16/6 http://openwall.com/lists/oss-security/2016/10/16/7 Links to patches to fix them are in the message above.
Whiteboard: (none) => MGA5TOO
A third issue: http://openwall.com/lists/oss-security/2016/10/16/15
Summary: graphicsmagick new security issues CVE-2016-8682 and CVE-2016-8683 => graphicsmagick new security issues CVE-2016-8682, CVE-2016-8683, and CVE-2016-8684
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => fundawang, luigiwalser, mageia, marja11, nicolas.salguero, olav, rverschelde, thierry.vignaud
Assignee: bugsquad => pkg-bugs
Done for Mga5 and Cauldron.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Stack-based buffer overflow in ReadSCTImage (CVE-2016-8682).

Memory allocation failure in ReadPCXImage (CVE-2016-8683).

Memory allocation failure in MagickMalloc (CVE-2016-8684).

References:
http://openwall.com/lists/oss-security/2016/10/16/6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8682
http://openwall.com/lists/oss-security/2016/10/16/7
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8683
http://openwall.com/lists/oss-security/2016/10/16/15
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8684
========================

Updated packages in core/updates_testing:
========================

i586:
graphicsmagick-1.3.25-1.3.mga5.i586.rpm
libgraphicsmagick3-1.3.25-1.3.mga5.i586.rpm
libgraphicsmagick++12-1.3.25-1.3.mga5.i586.rpm
libgraphicsmagickwand2-1.3.25-1.3.mga5.i586.rpm
libgraphicsmagick-devel-1.3.25-1.3.mga5.i586.rpm
perl-Graphics-Magick-1.3.25-1.3.mga5.i586.rpm
graphicsmagick-doc-1.3.25-1.3.mga5.noarch.rpm

x86_64:
graphicsmagick-1.3.25-1.3.mga5.x86_64.rpm
lib64graphicsmagick3-1.3.25-1.3.mga5.x86_64.rpm
lib64graphicsmagick++12-1.3.25-1.3.mga5.x86_64.rpm
lib64graphicsmagickwand2-1.3.25-1.3.mga5.x86_64.rpm
lib64graphicsmagick-devel-1.3.25-1.3.mga5.x86_64.rpm
perl-Graphics-Magick-1.3.25-1.3.mga5.x86_64.rpm
graphicsmagick-doc-1.3.25-1.3.mga5.noarch.rpm

Source RPMs:
graphicsmagick-1.3.25-1.3.mga5.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
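As an added example (not part of this bug report or of Mageia's own tooling), a small Python check that tells whether an installed graphicsmagick version-release already carries this update, using the same segment-wise comparison rules as rpm's rpmvercmp(); the fixed version-release string `1.3.25-1.3.mga5` is taken from the advisory above, and the `installed` sample values are constructed for illustration.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings like rpmvercmp().
    Returns 1 if a is newer, -1 if older, 0 if equal. Handles '~'
    (pre-release sorts before everything); '^' is not implemented here."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not alphanumeric or '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1       # b is a pre-release of a: a is newer
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take the next all-digit or all-alpha segment of each string
        if a[i].isdigit():
            ma, mb, isnum = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:]), True
        else:
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        if mb is None:
            return 1 if isnum else -1   # a numeric segment beats an alpha one
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):     # longer number (more digits) is bigger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1      # whichever still has segments is newer

def is_fixed(installed: str, fixed: str = "1.3.25-1.3.mga5") -> bool:
    """True if 'version-release' of the installed package is >= the fixed one."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = rpmvercmp(iv, fv)
    return (c if c != 0 else rpmvercmp(ir, fr)) >= 0
```

The version-release to feed in comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' graphicsmagick`; the 1.3.25-1.2 build the tester started from is reported as not fixed, 1.3.25-1.3.mga5 and anything newer as fixed.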
x86_64 real hardware

Made sure that the 1.3.25-1.2 packages were installed. Found no useful testing information at the end of the links so upgraded from Updates Testing.

Played with animated gifs using gm from the command line and also playing animations from the GraphicsMagick menu. Split up an animated gif using

$ gifsicle -e loadingAnimation.gif

Hid the original and ran

$ gm animate loadingAnimation.gif.*

to display the same animation. Continuing to put gm through its paces. Summary later.
CC: (none) => tarazed25
Applications which use libgraphicsmagick3 are darktable, octave and zbar. gnudl, octave, pdf2djvu and photoqt require lib64graphicsmagick++12. zbar needs lib64graphicsmagickwand2.

octave is an interactive programming interface for solving mathematical problems aimed at general engineering and course work. The graphics may come in for displaying plots and special symbols. Stepping past this one because it would involve extensive training.

gnudl is also mathematical, mainly for plotting functions and data arrays. The README that comes with it mentions ImageMagick but it probably can be built against instead. urpmq --requires indicates that. It also uses plplot, already installed, and readline, already installed as lib64readline6. After all that, the gnudl command cannot be found!

pdf2djvu was easier.

$ pdf2djvu --output gitmanual.pdf MasteringGit.pdf

Boy, that set the fans humming! All 418 pages reported as it went along.

books]$ ls -l gitmanual.djvu
-rw-r--r-- 1 lcl lcl 4799136 Oct 17 19:17 gitmanual.djvu
books]$ ls -l MasteringGit.pdf
-rw-rw-r-- 1 lcl lcl 5655472 May 7 05:04 MasteringGit.pdf

Cannot say if it is readable, LO makes nothing of it. Take it on faith I guess.

zbar is a barcode reader.

photoqt is an immersive image viewer which automatically resizes images to fit the screen. Right-click for menu, popup thumbnail menu at the bottom of the screen and dropdown main menu at the top. Works fine.

That should be enough for the dependent applications.
s/instead/gm instead/
Played around with various command-line options for gm using a variety of images and used gm display for the results. Converted images from one format to another, displayed one image and used the gm menu options to modify it: geometric transformations, special effects, enhancements, etc. Edit -> undo was useful at this stage. Tried some of the terminal commands from the http://www.graphicsmagick.org/convert.html site, like drawing a coloured border around an SVG image, annotating an image, etc.

No regressions noted. This is fine for 64-bits.
Whiteboard: (none) => MGA5-64-OK
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0357.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/704703/