Bug 21600 - graphicsmagick several (possible) new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Reported: 2017-08-23 21:04 CEST by David Walser
Modified: 2017-12-21 18:44 CET

Source RPM: graphicsmagick-1.3.26-1.3.mga6.src.rpm

Description David Walser 2017-08-23 21:04:10 CEST
SUSE has issued an advisory on August 22:
https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00059.html

A previous update (Bug 19668) should have fixed CVE-2017-11403 and hopefully CVE-2017-8350, but we're not sure yet about the others.
David Walser 2017-08-23 21:04:30 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => rverschelde

Comment 1 Marja Van Waes 2017-08-24 08:49:49 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-08-25 15:13:03 CEST
openSUSE has issued an advisory on August 24:
https://lists.opensuse.org/opensuse-updates/2017-08/msg00095.html

It fixes two of the new issues.
Comment 3 David Walser 2017-08-29 02:24:48 CEST
Another security issue fixed upstream (no CVE yet):
http://www.openwall.com/lists/oss-security/2017/08/28/5

The upstream commit to fix the issue is linked in the message above.
Comment 5 David Walser 2017-09-01 14:45:46 CEST
(In reply to David Walser from comment #3)
> Another security issue fixed upstream (no CVE yet):
> http://www.openwall.com/lists/oss-security/2017/08/28/5

CVE-2017-14042:
http://www.openwall.com/lists/oss-security/2017/09/01/5

Plus another security issue fixed upstream (no CVE yet):
http://www.openwall.com/lists/oss-security/2017/09/01/6

The upstream commit to fix the issue is linked in the message above.
Comment 6 David Walser 2017-09-01 21:53:25 CEST
(In reply to David Walser from comment #5)
> Plus another security issue fixed upstream (no CVE yet):
> http://www.openwall.com/lists/oss-security/2017/09/01/6

CVE-2017-14103:
http://www.openwall.com/lists/oss-security/2017/09/01/7
Comment 7 David Walser 2017-09-07 18:33:06 CEST
CVE-2017-14165:
http://openwall.com/lists/oss-security/2017/09/06/4
Comment 8 David Walser 2017-09-22 11:56:18 CEST
CVE-2017-14649:
http://openwall.com/lists/oss-security/2017/09/22/2
Comment 9 David Walser 2017-10-03 11:51:51 CEST
CVE-2017-14994:
http://openwall.com/lists/oss-security/2017/10/03/1
Comment 10 David Walser 2017-10-18 18:50:57 CEST
CVE-2017-14532 CVE-2017-15033:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00049.html
Comment 11 David Walser 2017-11-03 17:13:12 CET
CVE-2017-12936 CVE-2017-12937 CVE-2017-13063
CVE-2017-13064 CVE-2017-13139 CVE-2017-13775:
https://lists.opensuse.org/opensuse-updates/2017-10/msg00112.html
Comment 12 David Walser 2017-11-15 23:15:25 CET
CVE-2017-12983 CVE-2017-13134 CVE-2017-13776
CVE-2017-13777 CVE-2017-14165 CVE-2017-15930:
https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html
Comment 13 David Walser 2017-12-06 20:44:48 CET
CVE-2017-11640 CVE-2017-13737 CVE-2017-14341
CVE-2017-14342 CVE-2017-16545 CVE-2017-16546:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00026.html
Comment 14 David Walser 2017-12-11 12:24:18 CET
GraphicsMagick 1.3.27 is available, we should update now:
http://openwall.com/lists/oss-security/2017/12/10/6
Comment 15 Nicolas Salguero 2017-12-12 15:41:37 CET
Suggested advisory:
========================

The updated packages fix many security vulnerabilities.

References:
http://openwall.com/lists/oss-security/2017/12/10/6
========================

Updated package in 5/core/updates_testing:
========================
graphicsmagick-1.3.27-1.mga5
lib64graphicsmagick3-1.3.27-1.mga5
lib64graphicsmagick++12-1.3.27-1.mga5
lib64graphicsmagickwand2-1.3.27-1.mga5
lib64graphicsmagick-devel-1.3.27-1.mga5
perl-Graphics-Magick-1.3.27-1.mga5
graphicsmagick-doc-1.3.27-1.mga5

from SRPMS:
graphicsmagick-1.3.27-1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
graphicsmagick-1.3.27-1.mga6
lib64graphicsmagick3-1.3.27-1.mga6
lib64graphicsmagick++12-1.3.27-1.mga6
lib64graphicsmagickwand2-1.3.27-1.mga6
lib64graphicsmagick-devel-1.3.27-1.mga6
perl-Graphics-Magick-1.3.27-1.mga6
graphicsmagick-doc-1.3.27-1.mga6

from SRPMS:
graphicsmagick-1.3.27-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 6
Source RPM: graphicsmagick-1.3.26-4.mga7.src.rpm => graphicsmagick-1.3.26-1.3.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => nicolas.salguero

Comment 16 David Walser 2017-12-12 23:46:37 CET
CVE-2017-10799 CVE-2017-12140 CVE-2017-12644
CVE-2017-12662 CVE-2017-14733 CVE-2017-14994:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00045.html

Hopefully those are fixed in 1.3.27.
Comment 17 Herman Viaene 2017-12-15 10:51:43 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used test as per bug 21564 Comment 6:
$ gm display 001.tif
is OK
$ gm convert 1973-024.jpg 1973.pnm
$ gm display 1973.pnm 
is OK
$ gm convert 1973.pnm 1973.jpg
$ gm display 1973.jpg 
is OK
$ gm convert 1973.jpg 1973.tif
gm convert: 1973.tif: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
resulting tif shows OK in ristretto
$ gm identify 1973.jpg
1973.jpg JPEG 2904x4208+0+0 DirectClass 8-bit 482.6Ki 0.000u 0m:0.000009s
$ gm montage 1973.jpg 1973-024.jpg P1151655.JPG montage.jpg
resulting montage.jpg displays OK in gm display and in ristretto.
All seems OK

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 18 Lewis Smith 2017-12-16 10:47:55 CET
Advisory from comment 15.
QA procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick

Not yet seeing this in updates_testing; mirror problem (coffee)?

Keywords: (none) => advisory, has_procedure
CC: (none) => lewyssmith

Comment 19 Lewis Smith 2017-12-18 11:40:18 CET
Testing M5/64

AFTER update:
 graphicsmagick-1.3.27-1.mga5
 lib64graphicsmagick3-1.3.27-1.mga5
 lib64graphicsmagickwand2-1.3.27-1.mga5
 perl-Graphics-Magick-1.3.27-1.mga5

Using the QA procedure as a guide:
 $ gm convert bouilliore.JPG bouilliore.png
 $ gm convert traverserpont.jpg traverserpont.tiff
gm convert: traverserpont.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
 $ gm convert traverserpont.jpg traverserpont.pdf
all produced good results, *including* the TIFF conversion, despite the err msg.

 $ gm convert -draw "rectangle 20,20 150,100" balanceDiag1.jpg rectangle.jpg
overlaid a small solid black rectangle top-left on the image.

 $ gm convert -rotate +90 bouilliore.png rotated.png
gave the correct O/P image rotated 90deg clockwise.

 $ gm display -flip traverserpont.tiff
gave an inverted image displayed full-size; in this case, owing to its size, showing only 1/2 the image at a time. This could be panned, reduced, restored.

 $ gm identify <filename>
gave a single line summary for images of type GIF, PNG, JPG, TIFF, PPM.

 $ gm montage tuxpaint.png newton.png blackbuck.png montage.png
yielded a single composite left->right image of the 3 originals.
 $ gm montage 200a_s.gif 200_s.png mnsoleil.JPG blackbuck.tif montage.png
similarly for this more demanding test with 4 different I/P image types.

 $ gm import -window root screenshot.png
produced a good full-screen screenshot.

perl-Graphics-Magick
Followed the instructions, created in one directory:
-rw-r--r-- 1 lewis lewis  43572 Rha  18 11:19 test1.png
-rw-r--r-- 1 lewis lewis   6348 Rha  18 11:20 test2.png
-rw-r--r-- 1 lewis lewis 163949 Rha  18 11:20 test3.png
-rwxrwxr-x 1 lewis lewis    320 Rha  18 11:31 test.pl*

 $ perl test.pl
 $ ls -l x.gif
-rw-rw-r-- 1 lewis lewis 128880 Rha  18 11:31 x.gif
but trying to display the result 'x.gif' in a browser, or with:
 $ gm display x.gif
showed only the first image. But all three are there, I think:
 $ gm identify x.gif
x.gif[0] GIF 296x200+0+0 PseudoClass 256c 8-bit 125.9Ki 0.000u 0m:0.000007s
x.gif[1] GIF 275x206+0+0 PseudoClass 32c 8-bit 125.9Ki 0.010u 0m:0.007364s
x.gif[2] GIF 512x512+0+0 PseudoClass 256c 8-bit 125.9Ki 0.010u 0m:0.006328s

BTAIM This update looks good. Will try Mageia 6.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 20 David Walser 2017-12-18 14:56:32 CET
CVE-2017-14042 CVE-2017-14504 CVE-2017-15277
CVE-2017-17498:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00073.html
Comment 21 Len Lawrence 2017-12-18 15:19:17 CET
Mageia6 :: x86_64

Updated the GraphicsMagick packages.
Copied the test procedure linked from comment 18 to wiki.pl.
Used gm convert to generate three PNG images from an earlier GIF animation sequence.
Ran the test procedure against the three new images and used eom to display the animation.
$ gm identify x.gif
x.gif[0] GIF 180x180+0+0 PseudoClass 128c 8-bit 19.1Ki 0.000u 0m:0.000001s
x.gif[1] GIF 180x180+0+0 PseudoClass 64c 8-bit 19.1Ki 0.000u 0m:0.000327s
x.gif[2] GIF 180x180+0+0 PseudoClass 128c 8-bit 19.1Ki 0.000u 0m:0.000186s

Shrank a number of images by a factor of 16.
$ gm convert image_5.jpg -resize 25% series_2.jpg

Created a montage of a series of images.  The output image displayed the originals as thumbnails in a 3x2 grid.
$ gm montage -tile 3x2 series*.jpg panel.jpg

Generated images in various formats from original images and checked them using gm display.

$ gm convert series_4.jpg new.tiff
gm convert: new.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
Despite that the output file looked OK.

$ gm convert -resize 200% -quality 100% ~/qa/images/piuvax.pnm new.jpg
$ gm identify ~/qa/images/piuvax.pnm
/home/lcl/qa/images/piuvax.pnm PPM 320x340+0+0 DirectClass 8-bit 318.8Ki 0.000u 0m:0.000001s
$ gm identify new.jpg
new.jpg JPEG 640x680+0+0 DirectClass 8-bit 376.2Ki 0.000u 0m:0.000002s

$ gm convert image_5.jpg -border 200 -bordercolor "blue" bordered.jpg
This produced an image with a 200 pixel wide border.  Note that it is important in this case to place the parameters before the name of the source file otherwise the border is always white.

Sorry Lewis, did not notice your last remark.

CC: (none) => tarazed25

Comment 22 Lewis Smith 2017-12-20 08:48:55 CET
Thanks Len for your (original) Mageia 6 tests. Perhaps we could add your ideas to the wiki? I take it that you forgot the 'OK'; doing that now, & validating.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 23 Len Lawrence 2017-12-20 13:21:04 CET
@Lewis: No OK was deliberate in case you wished to add a report yourself.
Thanks.  I should look at the wiki I guess.
Comment 24 Len Lawrence 2017-12-20 13:27:52 CET
Groan.
That last example was the wrong way to do it.  Should have been:
$ gm convert -border 100 -bordercolor "blue" image_5.jpg bordered.jpg
Comment 25 Mageia Robot 2017-12-21 18:44:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0455.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

