openSUSE has issued advisories on October 26:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00094.html
https://lists.opensuse.org/opensuse-updates/2016-10/msg00097.html

They list several CVEs I haven't seen before:
http://lwn.net/Vulnerabilities/704704/
http://lwn.net/Vulnerabilities/704711/

I don't know where they came from or if we have already fixed them.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => cjw, fundawang, jani.valimaa, mageia, mageia, makowski.mageia, marja11, nicolas.salguero, olav, thierry.vignaud
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory on November 17: https://lists.opensuse.org/opensuse-updates/2016-11/msg00073.html This has another new CVE. LWN reference: http://lwn.net/Vulnerabilities/706851/
CVE-2016-9830 has been assigned for another security issue fixed upstream: http://openwall.com/lists/oss-security/2016/12/05/5
openSUSE has issued an advisory today (December 6): https://lists.opensuse.org/opensuse-updates/2016-12/msg00042.html LWN reference for one of the CVEs: https://lwn.net/Vulnerabilities/708243/
CVE-2016-9830: https://lwn.net/Vulnerabilities/709987/
CVE-2016-10048 CVE-2016-10050 CVE-2016-10051 CVE-2016-10052 CVE-2016-10068 CVE-2016-10070:
https://lwn.net/Vulnerabilities/713786/

CVE-2016-10059 CVE-2016-10064 CVE-2016-10065 CVE-2016-10069:
https://lwn.net/Vulnerabilities/713787/

openSUSE has issued advisories for this on February 6:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00028.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00031.html
Another security issue has been fixed upstream: http://openwall.com/lists/oss-security/2017/02/24/1 The upstream commit and a minimal patch with a fix are in the message above.
(In reply to David Walser from comment #7)
> Another security issue has been fixed upstream:
> http://openwall.com/lists/oss-security/2017/02/24/1
>
> The upstream commit and a minimal patch with a fix are in the message above.

CVE-2017-6335:
http://openwall.com/lists/oss-security/2017/02/28/2
Fedora has issued an advisory today (March 9): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DLPLLMLNBNAT7YWOSVGDII4AM3IADJP/ They have some new CVEs (CVE-2016-7800, CVE-2016-799[67], CVE-2016-868[2-4]).
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > Another security issue has been fixed upstream:
> > http://openwall.com/lists/oss-security/2017/02/24/1
> >
> > The upstream commit and a minimal patch with a fix are in the message above.
>
> CVE-2017-6335:
> http://openwall.com/lists/oss-security/2017/02/28/2

openSUSE has issued an advisory for this today (March 31):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00116.html
Fixed in cauldron and pushed in mga5 updates_testing src.rpm: graphicsmagick-1.3.25-1.4.mga5
CC: (none) => mageia
Version: Cauldron => 5
CVE: (none) => CVE-2017-6335
Assignee: pkg-bugs => qa-bugs
Nicolas, you only patched one CVE. There are several here.
Whiteboard: (none) => MGA5TOO
Assignee: qa-bugs => pkg-bugs
Version: 5 => Cauldron
List of CVEs we need to fix: CVE-2015-8957 CVE-2015-8958 CVE-2016-5688 CVE-2016-6823 CVE-2016-7101 CVE-2016-7446 CVE-2016-7515 CVE-2016-7516 CVE-2016-7517 CVE-2016-7519 CVE-2016-7522 CVE-2016-7524 CVE-2016-7526 CVE-2016-7527 CVE-2016-7528 CVE-2016-7529 CVE-2016-7531 CVE-2016-7533 CVE-2016-7537 CVE-2016-8862 CVE-2016-9830 CVE-2016-9556 CVE-2016-9559 CVE-2016-10048 CVE-2016-10050 CVE-2016-10051 CVE-2016-10052 CVE-2016-10059 CVE-2016-10064 CVE-2016-10065 CVE-2016-10068 CVE-2016-10069 CVE-2016-10070 CVE-2016-10146 CVE-2017-5511 CVE-2017-6335 CVE-2016-7800, CVE-2016-799[67], CVE-2016-868[2-4]
As discussed on IRC, it might be simpler to package a snapshot of the current mercurial branch to benefit from all upstream security fixes since 1.3.25. The changelog since 1.3.25 (see https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/ChangeLog.2016 and https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/ChangeLog) shows mostly security bugfixes, some code sanitization and only a few "feature" commits. Might be worth suggesting to the upstream developer to make a formal new release in parallel.
Status: NEW => ASSIGNED
Assignee: pkg-bugs => rverschelde
Add CVE-2017-7941 to the list. openSUSE has issued an advisory on May 4:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00008.html
openSUSE has issued an advisory today (May 26): https://lists.opensuse.org/opensuse-updates/2017-05/msg00085.html It fixes four new CVEs: CVE-2017-835[0135].
openSUSE has issued an advisory on June 8: https://lists.opensuse.org/opensuse-updates/2017-06/msg00023.html It fixes a new CVE: CVE-2017-9142.
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
openSUSE has issued an advisory today (July 6): https://lists.opensuse.org/opensuse-updates/2017-07/msg00028.html It has an additional fix related to CVE-2017-8350.
Fedora has issued an advisory today (July 8): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNLOUPX5V6JWQH244LAOXC353ALXBL5J/ They updated to the new upstream release 1.3.26.
graphicsmagick-1.3.26-1.mga7 uploaded for Cauldron by Rémi.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Uploaded graphicsmagick-1.3.26-1.mga5 and graphicsmagick-1.3.26-1.mga6 to Mageia 5 & 6 core/updates_testing.

Advisory yet to come, but here's the list of fixed CVEs I could gather:
- CVE-2016-7800
- CVE-2016-7996
- CVE-2016-7997
- CVE-2016-8682 (not mentioned but our patch was from upstream)
- CVE-2016-8683 (not mentioned but our patch was from upstream)
- CVE-2016-8684 (not mentioned but our patch was from upstream)
- CVE-2016-9830
- CVE-2017-6335
- CVE-2017-8350
- CVE-2017-10794
- CVE-2017-10799
- CVE-2017-10800

Unclear:
- CVE-2015-8957
- CVE-2015-8958
- CVE-2016-5688
- CVE-2016-6823
- CVE-2016-7101
- CVE-2016-7446
- CVE-2016-751[5679]
- CVE-2016-752[246789]
- CVE-2016-753[137]
- CVE-2016-8862
- CVE-2016-955[69]
- CVE-2016-10048
- CVE-2016-1005[0129]
- CVE-2016-1006[4589]
- CVE-2016-10070
- CVE-2016-10146
- CVE-2017-5511
- CVE-2017-7941 https://lists.opensuse.org/opensuse-updates/2017-05/msg00008.html
- CVE-2017-9142 https://lists.opensuse.org/opensuse-updates/2017-06/msg00023.html
- CVE-2017-835[135] https://lists.opensuse.org/opensuse-updates/2017-05/msg00085.html

I believe that many of the "unclear" CVEs might have been fixed in 1.3.26 and some maybe in 1.3.25, as many changelog entries are security fixes with no mentioned CVE number.

As this is becoming a very hairy mess, I propose that we:
- push the pristine 1.3.26 and trust upstream for having done its job well (that's what Fedora did)
- continue monitoring SUSE who seems particularly eager to patch gazillions of CVEs without making sure that those will be properly referenced upstream - currently they still ship 1.3.25 with scores of patches, let's check what they keep when they upgrade to 1.3.26.
Rémi, I agree with your proposal here and with what you said on IRC. This will just have a generic advisory saying it fixes several unspecified security issues.
CVE-2017-11403: http://openwall.com/lists/oss-security/2017/07/18/1 The message above contains a link to the upstream fix.
(In reply to David Walser from comment #23)
> CVE-2017-11403:
> http://openwall.com/lists/oss-security/2017/07/18/1
>
> The message above contains a link to the upstream fix.

Fedora has issued an advisory for this today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GFIL5ZM7IEMGCD4RC2FMV3VLRUTSNJX5/

I think we can update to 1.3.26 plus this patch.
I've added a patch for CVE-2017-11403, so those packages are ready for testing:

Mageia 5:
=========
SRPM: graphicsmagick-1.3.26-1.1.mga5

graphicsmagick-1.3.26-1.1.mga5
lib(64)graphicsmagick3-1.3.26-1.1.mga5
lib(64)graphicsmagick++12-1.3.26-1.1.mga5
lib(64)graphicsmagickwand2-1.3.26-1.1.mga5
lib(64)graphicsmagick-devel-1.3.26-1.1.mga5
perl-Graphics-Magick-1.3.26-1.1.mga5
graphicsmagick-doc-1.3.26-1.1.mga5.noarch

Mageia 6:
=========
SRPM: graphicsmagick-1.3.26-1.1.mga6

graphicsmagick-1.3.26-1.1.mga6
lib(64)graphicsmagick3-1.3.26-1.1.mga6
lib(64)graphicsmagick++12-1.3.26-1.1.mga6
lib(64)graphicsmagickwand2-1.3.26-1.1.mga6
lib(64)graphicsmagick-devel-1.3.26-1.1.mga6
perl-Graphics-Magick-1.3.26-1.1.mga6
graphicsmagick-doc-1.3.26-1.1.mga6.noarch

Advisory should come soon™, though with the unclear status on many of the CVEs I'm not sure exactly what should go in it.
CVE: CVE-2017-6335 => (none)
Assignee: rverschelde => qa-bugs
Going to stay on this one. It looks like a long haul. Testing on mga5 x86_64 to start with.

Preupdate test for CVE-2017-11403
https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c
provides a link to a reproducer. The analysis is in terms of ASAN which we cannot emulate without performing a local build. Having tried that route before and failed to enable ASAN I think I shall give it a miss and simply run the reproducer before and after the update. An Abort is expected before it.

$ gm identify 00301-graphicsmagick-UAF-CloseBlob
gm: magick/blob.c:859: CloseBlob: Assertion `image->signature == 0xabacadabUL' failed.
gm identify: abort due to signal 6 (SIGABRT) "Abort"...
Aborted
CC: (none) => tarazed25
Updated the seven packages for x86_64 and ran the earlier test.

$ gm identify 00301-graphicsmagick-UAF-CloseBlob
gm identify: Request did not return an image.

That clears CVE-2017-11403.

I am keeping the pre and post graphicsmagick libraries on separate workstations running mga5 and Mate to allow incremental testing with reference to the CVEs if this is a possibility and sharing any PoCs that may turn up, via NFS.
Meanwhile, starting a search among the fixed CVEs for test cases and running use tests for the gm tools.
No luck yet with test cases but the sample of utility tests ran successfully. See attachment.
Created attachment 9518
A selection of utility tests for GraphicsMagick
Progress report: in the middle of accumulating testcases for the CVEs. Later.
Created attachment 9526
Notes jotted down while researching CVEs

This can be used to match up CVEs and reproducers. Some CVEs have more than one test file.
Created attachment 9527
List of test results for the reproducers before the updates
Created attachment 9528
List of test results after the updates

An = sign after the test indicates no difference from 'before'. *** indicates that the diagnostic messages differed from 'before'.
Whiteboard: MGA5TOO => MGA5TOO feedback
My apologies for the length of time this has taken. There are 52 CVEs listed, for which it has been possible to track down 31 reproducers, most of which have been written for the AFL testing framework. These have been tested with the 'gm identify' command and sometimes 'gm display' or 'gm convert'. Tests were run before and after the updates. Comparing these results shows very few differences, which means that it is difficult to draw conclusions about the effectiveness of the patches.

Example:

$ gm identify memory-leak-in-ReadPICTImage-16.pict
gm identify: Improper image header (memory-leak-in-ReadPICTImage-16.pict).
gm identify: Request did not return an image.

That looks like a happy outcome even if the reports are identical, but a result like the following might not be:

$ gm identify id_000419,sig_06,src_001803+004110,op_splice,rep_2
id_000419,sig_06,src_001803+004110,op_splice,rep_2 PDB 4x30+0+0 PseudoClass 16c 8-bit 164 0.000u 0m:0.000002s

In cases like the latter it is often possible to display the test file as if it were a valid image.

The question is, are we wasting our time running reproducers which were originally written for and tested with the AFL framework? Adding the feedback marker - some guidance would be appreciated. Also posting summaries of the work so far.
CC: jani.valimaa => (none)
Most of the test cases are generated by fuzzers, which mostly result in invalid or corrupt files, so error messages are to be expected. Mainly we just want to make sure they don't cause crashes. Thanks for tracking down all of these test cases.
Whiteboard: MGA5TOO feedback => MGA5TOO
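The procedure the two previous comments settle on (run each reproducer through `gm identify` on the old and the updated packages, then compare, caring chiefly about crashes rather than error messages) can be scripted so that a crash is told apart from an ordinary "malformed file" rejection by the exit status alone. The following harness is an added example written for this bug, not code from the bug report or from the GraphicsMagick project. It assumes `gm` is on PATH (the `GM` variable, the `harness.sh` file name and the result-file layout are this example's own conventions) and a directory holding the reproducer files.

```shell
#!/bin/sh
# Added example, not from the bug report or from GraphicsMagick itself.
# Runs every reproducer in a directory through `gm identify`, records whether
# the run was clean, a reported error, or a crash (death by signal), and diffs
# two such runs. Assumes `gm` is on PATH (override with GM="..." to run another
# command, e.g. GM="timeout 30 gm") and a directory of reproducer files.

# Map an exit status to a classification. Shells report a child killed by
# signal N as 128+N, so SIGABRT (6) arrives as 134 and SIGSEGV (11) as 139.
# Status 124 is the coreutils timeout(1) convention for a run that hung.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo "crash:sig$(( $1 - 128 ))"
    elif [ "$1" -eq 124 ]; then
        echo timeout
    else
        echo error   # gm rejected the file and exited normally, the expected outcome for fuzzer output
    fi
}

# Run one reproducer and print "<classification><TAB><file>".
# gm's own output is discarded: only the exit status matters for crash detection.
run_one() {
    status=0
    ${GM:-gm} identify "$1" >/dev/null 2>&1 || status=$?
    printf '%s\t%s\n' "$(classify_status "$status")" "$1"
}

# Run every regular file in DIR and write one result line per file to OUT.
run_dir() {
    dir=$1
    out=$2
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        run_one "$f" >> "$out"
    done
}

# Print "<before> -> <after><TAB><file>" for each reproducer whose
# classification changed between the two result files.
compare_runs() {
    awk -F '\t' '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        {
            b = ($2 in before) ? before[$2] : "missing"
            if (b != $1) printf "%s -> %s\t%s\n", b, $1, $2
        }
    ' "$1" "$2"
}

# Count the reproducers still classified as a crash in a result file.
count_crashes() {
    grep -c '^crash' "$1" || true
}

# Stand-alone usage:
#   sh harness.sh run DIR before.txt        (on the old packages)
#   sh harness.sh run DIR after.txt         (after updating)
#   sh harness.sh compare before.txt after.txt
case "${1:-}" in
    run)     run_dir "$2" "$3" ;;
    compare) compare_runs "$2" "$3"
             echo "crashes remaining after update: $(count_crashes "$3")" ;;
esac
```

A non-zero exit from `gm` is the normal result for a fuzzer-generated file and is recorded as `error`; only a status above 128 (the process died from a signal, as the SIGABRT in the CloseBlob test above) is recorded as a crash, so `count_crashes` on the post-update run is the number that matters for the QA decision. Setting `GM="timeout 30 gm"` bounds each run so a hanging reproducer cannot stall the batch.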
Thanks David. On the basis that no crashes were observed and that there are no apparent regressions in the functionality tests, this gets the OK. Writing the advisory could be a bit of a headache. Maybe group the CVEs according to specific vulnerabilities rather than addressing them individually. Willing to help there.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
MGA-32 on Asus A6000VM MATE
No installation issues.
Tested as per utilities.txt attached by Len, using an own .pmg file to start with. Stopped after some 15 tests. All result in displayable images, with some remarks:
The result of convert -average is a complete blur as the background of the images is also quite different.
The plain gm convert does not give any feedback, neither does the gm display of the resulting image.
The convert -border results in a higher resolution image, so the following convert -crop results in a real crop of the original image in this test.
All in all this seems OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK
Advisory:
=========

Updated graphicsmagick packages fix security vulnerabilities

New stable upstream release including security fixes for CVE-2016-7800, CVE-2017-10794, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830, CVE-2017-6335, CVE-2017-8350, CVE-2017-10794, CVE-2017-10799, CVE-2017-10800, CVE-2017-11403 and possibly several other security issues with and without associated CVE number.

References:
- http://www.graphicsmagick.org/NEWS.html#july-4-2017
- https://bugzilla.redhat.com/show_bug.cgi?id=1472214
Fixed a typo:

Advisory:
=========

Updated graphicsmagick packages fix security vulnerabilities

New stable upstream release including security fixes for CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830, CVE-2017-6335, CVE-2017-8350, CVE-2017-10794, CVE-2017-10799, CVE-2017-10800, CVE-2017-11403 and possibly several other security issues with and without associated CVE number.

References:
- http://www.graphicsmagick.org/NEWS.html#july-4-2017
- https://bugzilla.redhat.com/show_bug.cgi?id=1472214
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK => advisory MGA5TOO MGA5-64-OK MGA6-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0229.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED