SUSE has issued an advisory on August 22: https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00059.html A previous update (Bug 19668) should have fixed CVE-2017-11403 and hopefully CVE-2017-8350, but we're not sure yet about the others.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => rverschelde
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory on August 24: https://lists.opensuse.org/opensuse-updates/2017-08/msg00095.html It fixes two of the new issues.
Another security issue fixed upstream (no CVE yet): http://www.openwall.com/lists/oss-security/2017/08/28/5 The upstream commit to fix the issue is linked in the message above.
CVE-2017-1377[5-7]: http://www.openwall.com/lists/oss-security/2017/08/31/3 http://www.openwall.com/lists/oss-security/2017/08/31/2 http://www.openwall.com/lists/oss-security/2017/08/31/1
(In reply to David Walser from comment #3)
> Another security issue fixed upstream (no CVE yet):
> http://www.openwall.com/lists/oss-security/2017/08/28/5

CVE-2017-14042: http://www.openwall.com/lists/oss-security/2017/09/01/5
Plus another security issue fixed upstream (no CVE yet): http://www.openwall.com/lists/oss-security/2017/09/01/6
The upstream commit to fix the issue is linked in the message above.
(In reply to David Walser from comment #5)
> Plus another security issue fixed upstream (no CVE yet):
> http://www.openwall.com/lists/oss-security/2017/09/01/6

CVE-2017-14103: http://www.openwall.com/lists/oss-security/2017/09/01/7
CVE-2017-14165: http://openwall.com/lists/oss-security/2017/09/06/4
CVE-2017-14649: http://openwall.com/lists/oss-security/2017/09/22/2
CVE-2017-14994: http://openwall.com/lists/oss-security/2017/10/03/1
CVE-2017-14532 CVE-2017-15033: https://lists.opensuse.org/opensuse-updates/2017-10/msg00049.html
CVE-2017-12936 CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CVE-2017-13139 CVE-2017-13775: https://lists.opensuse.org/opensuse-updates/2017-10/msg00112.html
CVE-2017-12983 CVE-2017-13134 CVE-2017-13776 CVE-2017-13777 CVE-2017-14165 CVE-2017-15930: https://lists.opensuse.org/opensuse-updates/2017-11/msg00048.html
CVE-2017-11640 CVE-2017-13737 CVE-2017-14341 CVE-2017-14342 CVE-2017-16545 CVE-2017-16546: https://lists.opensuse.org/opensuse-updates/2017-12/msg00026.html
GraphicsMagick 1.3.27 is available, we should update now: http://openwall.com/lists/oss-security/2017/12/10/6
Suggested advisory:
========================

The updated packages fix many security vulnerabilities.

References:
http://openwall.com/lists/oss-security/2017/12/10/6
========================

Updated package in 5/core/updates_testing:
========================
graphicsmagick-1.3.27-1.mga5
lib64graphicsmagick3-1.3.27-1.mga5
lib64graphicsmagick++12-1.3.27-1.mga5
lib64graphicsmagickwand2-1.3.27-1.mga5
lib64graphicsmagick-devel-1.3.27-1.mga5
perl-Graphics-Magick-1.3.27-1.mga5
graphicsmagick-doc-1.3.27-1.mga5

from SRPMS:
graphicsmagick-1.3.27-1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
graphicsmagick-1.3.27-1.mga6
lib64graphicsmagick3-1.3.27-1.mga6
lib64graphicsmagick++12-1.3.27-1.mga6
lib64graphicsmagickwand2-1.3.27-1.mga6
lib64graphicsmagick-devel-1.3.27-1.mga6
perl-Graphics-Magick-1.3.27-1.mga6
graphicsmagick-doc-1.3.27-1.mga6

from SRPMS:
graphicsmagick-1.3.27-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 6
Source RPM: graphicsmagick-1.3.26-4.mga7.src.rpm => graphicsmagick-1.3.26-1.3.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => nicolas.salguero
CVE-2017-10799 CVE-2017-12140 CVE-2017-12644 CVE-2017-12662 CVE-2017-14733 CVE-2017-14994: https://lists.opensuse.org/opensuse-updates/2017-12/msg00045.html Hopefully those are fixed in 1.3.27.
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used test as per bug 21564 Comment 6:
$ gm display 001.tif
is OK
$ gm convert 1973-024.jpg 1973.pnm
$ gm display 1973.pnm
is OK
$ gm convert 1973.pnm 1973.jpg
$ gm display 1973.jpg
is OK
$ gm convert 1973.jpg 1973.tif
gm convert: 1973.tif: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
resulting tif shows OK in ristretto
$ gm identify 1973.jpg
1973.jpg JPEG 2904x4208+0+0 DirectClass 8-bit 482.6Ki 0.000u 0m:0.000009s
$ gm montage 1973.jpg 1973-024.jpg P1151655.JPG montage.jpg
resulting montage.jpg displays OK in gm display and in ristretto.
All seems OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Advisory from comment 15.
QA procedure: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Not yet seeing this in updates_testing; mirror problem (coffee)?
Keywords: (none) => advisory, has_procedure
CC: (none) => lewyssmith
Testing M5/64
AFTER update:
graphicsmagick-1.3.27-1.mga5
lib64graphicsmagick3-1.3.27-1.mga5
lib64graphicsmagickwand2-1.3.27-1.mga5
perl-Graphics-Magick-1.3.27-1.mga5

Using the QA procedure as a guide:
$ gm convert bouilliore.JPG bouilliore.png
$ gm convert traverserpont.jpg traverserpont.tiff
gm convert: traverserpont.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
$ gm convert traverserpont.jpg traverserpont.pdf
all produced good results, *including* the TIFF conversion, despite the err msg.

$ gm convert -draw "rectangle 20,20 150,100" balanceDiag1.jpg rectangle.jpg
overlaid a small solid black rectangle top-left on the image.

$ gm convert -rotate +90 bouilliore.png rotated.png
gave the correct O/P image rotated 90deg clockwise.

$ gm display -flip traverserpont.tiff
gave an inverted image displayed full-size; in this case, owing to its size, showing only 1/2 the image at a time. This could be panned, reduced, restored.

$ gm identify <filename>
gave a single line summary for images of type GIF, PNG, JPG, TIFF, PPM.

$ gm montage tuxpaint.png newton.png blackbuck.png montage.png
yielded a single composite left->right image of the 3 originals.

$ gm montage 200a_s.gif 200_s.png mnsoleil.JPG blackbuck.tif montage.png
similarly for this more demanding test with 4 different I/P image types.

$ gm import -window root screenshot.png
produced a good full-screen screenshot.

perl-Graphics-Magick
Followed the instructions, created in one directory:
-rw-r--r-- 1 lewis lewis 43572 Rha 18 11:19 test1.png
-rw-r--r-- 1 lewis lewis 6348 Rha 18 11:20 test2.png
-rw-r--r-- 1 lewis lewis 163949 Rha 18 11:20 test3.png
-rwxrwxr-x 1 lewis lewis 320 Rha 18 11:31 test.pl*
$ perl test.pl
$ ls -l x.gif
-rw-rw-r-- 1 lewis lewis 128880 Rha 18 11:31 x.gif
but trying to display the result 'x.gif' in a browser, or with:
$ gm display x.gif
showed only the first image.
But all three are there, I think:
$ gm identify x.gif
x.gif[0] GIF 296x200+0+0 PseudoClass 256c 8-bit 125.9Ki 0.000u 0m:0.000007s
x.gif[1] GIF 275x206+0+0 PseudoClass 32c 8-bit 125.9Ki 0.010u 0m:0.007364s
x.gif[2] GIF 512x512+0+0 PseudoClass 256c 8-bit 125.9Ki 0.010u 0m:0.006328s

BTAIM
This update looks good. Will try Mageia 6.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
CVE-2017-14042 CVE-2017-14504 CVE-2017-15277 CVE-2017-17498: https://lists.opensuse.org/opensuse-updates/2017-12/msg00073.html
Mageia6 :: x86_64
Updated the GraphicsMagick packages.
Copied the test procedure linked from comment 18 to wiki.pl.
Used gm convert to generate three PNG images from an earlier GIF animation sequence.
Ran the test procedure against the three new images and used eom to display the animation.
$ gm identify x.gif
x.gif[0] GIF 180x180+0+0 PseudoClass 128c 8-bit 19.1Ki 0.000u 0m:0.000001s
x.gif[1] GIF 180x180+0+0 PseudoClass 64c 8-bit 19.1Ki 0.000u 0m:0.000327s
x.gif[2] GIF 180x180+0+0 PseudoClass 128c 8-bit 19.1Ki 0.000u 0m:0.000186s

Shrank a number of images by a factor of 16.
$ gm convert image_5.jpg -resize 25% series_2.jpg

Created a montage of a series of images. The output image displayed the originals as thumbnails in a 3x2 grid.
$ gm montage -tile 3x2 series*.jpg panel.jpg

Generated images in various formats from original images and checked them using gm display.
$ gm convert series_4.jpg new.tiff
gm convert: new.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
Despite that the output file looked OK.

$ gm convert -resize 200% -quality 100% ~/qa/images/piuvax.pnm new.jpg
$ gm identify ~/qa/images/piuvax.pnm
/home/lcl/qa/images/piuvax.pnm PPM 320x340+0+0 DirectClass 8-bit 318.8Ki 0.000u 0m:0.000001s
$ gm identify new.jpg
new.jpg JPEG 640x680+0+0 DirectClass 8-bit 376.2Ki 0.000u 0m:0.000002s

$ gm convert image_5.jpg -border 200 -bordercolor "blue" bordered.jpg
This produced an image with a 200 pixel wide border. Note that it is important in this case to place the parameters before the name of the source file, otherwise the border is always white.

Sorry Lewis, did not notice your last remark.
CC: (none) => tarazed25
Thanks Len for your (original) Mageia 6 tests. Perhaps we could add your ideas to the wiki? I take it that you forgot the 'OK'; doing that now, & validating.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
@Lewis: No OK was deliberate in case you wished to add a report yourself. Thanks. I should look at the wiki I guess.
Groan. That last example was the wrong way to do it. Should have been:
$ gm convert -border 100 -bordercolor "blue" image_5.jpg bordered.jpg
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0455.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED