openSUSE has issued an advisory on January 15:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00031.html

Their previous two advisories were:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00045.html
https://lists.opensuse.org/opensuse-updates/2017-12/msg00073.html

I'm not sure which, if any, of these issues were already fixed in 1.3.27.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs
I'm looking into this.

Looks like they released version 1.3.27a on December 11, 2017 and that 1.3.28 is to be released this month. Will first try 1.3.27a and then update to 1.3.28 when it's released.

http://www.graphicsmagick.org/NEWS.html#january-2017 (I know the URL looks wrong, but it's their typo)

Cheers,
Stig
CC: (none) => smelror
Hi. graphicsmagick 1.3.27a uploaded to 6/updates_testing. Cheers, Stig
Thanks. I guess we don't know what 1.3.27a fixes, but hopefully 1.3.28 will be available soon.
https://sourceforge.net/p/graphicsmagick/code/ci/GraphicsMagick-1_3/tree/ChangeLog

2017-12-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

    * version.sh (PACKAGE_RELEASE_DATE): Fix syntax error in PACKAGE_RELEASE_DATE specification. Prepare a 1.3.27a release package to address this.
Hi. GraphicsMagick 1.3.28 uploaded to 6/updates_testing with fixes for several security issues. See http://www.graphicsmagick.org/NEWS.html#january-20-2017 for more details. Cheers, Stig
graphicsmagick-1.3.28-1.mga6
libgraphicsmagick3-1.3.28-1.mga6
libgraphicsmagick++12-1.3.28-1.mga6
libgraphicsmagickwand2-1.3.28-1.mga6
libgraphicsmagick-devel-1.3.28-1.mga6
perl-Graphics-Magick-1.3.28-1.mga6
graphicsmagick-doc-1.3.28-1.mga6

from graphicsmagick-1.3.28-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Shall get on to this tomorrow.
CC: (none) => tarazed25
Mageia 6 :: x86_64

As usual with graphicsmagick there are multiple issues. Some of them affect images from MATLAB and the bad news is that there are reproducers for some of the CVEs, so testing could take some time. Probably worth while checking some of these though.

CVE-2017-11449
memory-leak-in-ReadMPCImage-19.mpc
https://bugzilla.suse.com/show_bug.cgi?id=1042948

Before the update:
$ valgrind -q --leak-check=full identify memory-leak-in-ReadMPCImage-19.mpc
identify: insufficient image data in file `memory-leak-in-ReadMPCImage-19.mpc' @ error/mpc.c/ReadMPCImage/870.

This result is in accord with the upstream report *after* patching. The only difference from the before situation is the addition of the line number where the error occurred. This makes me suspicious of the chronology of the CVEs and POCs.

As Stig says, we don't know what version 1.3.27 fixes, so I doubt if we gain anything by running these tests so I shall aim for a clean update and some utility testing afterwards.
Sorry, s/Stig/David/.
Continuing from comment 9...

The packages updated cleanly.

Tried out 'gm display' on a variety of colour and greyscale images, formats PNG, TIFF, JPEG, TARGA, JPC, PPM, PNM, BMP, J2K, JP2, PGX, RAS, PDF.
piuva.pdf is a one page PDF document which displays equally well with xpdf.

$ gm display sample*.jpg
displayed a set of images as a stack where right-clicking and selecting 'next' advanced to the next frame.

The help system works fine; e.g. gm help convert

$ gm animate samples*.jpg
displayed the images from the set in quick succession.

$ gm identify balloon.jpg
balloon.jpg JPEG 543x740+0+0 DirectClass 8-bit 468.1Ki 0.000u 0m:0.000001s
$ gm convert -resize 50% balloon.jpg quarterballoon.jpg
$ gm identify quarterballoon.jpg
quarterballoon.jpg JPEG 272x370+0+0 DirectClass 8-bit 22.2Ki 0.000u 0m:0.000001s
$ gm convert -resize 100%x50% balloon.jpg squashedballoon.jpg
$ gm identify squashedballoon.jpg
squashedballoon.jpg JPEG 543x370+0+0 DirectClass 8-bit 45.0Ki 0.000u 0m:0.000001s

Magnify an image by a factor of 2 by interpolation.
$ gm identify Piuva.jpg
Piuva.jpg JPEG 320x340+0+0 DirectClass 8-bit 15.0Ki 0.000u 0m:0.000001s
$ gm convert -magnify Piuva.jpg Piuva2.jpg
$ gm identify Piuva2.jpg
Piuva2.jpg JPEG 640x680+0+0 DirectClass 8-bit 34.6Ki 0.000u 0m:0.000001s

Convert an image from one format to another.
$ gm convert cellphone.png mobile.gif

Clockwise rotation of image through 90°.
$ gm convert -rotate 90 Sculptor_Galaxy.jpeg galaxy.png

Add swirl effect to an image.
$ gm convert -swirl 40 ice.jpeg ice40.jpg
$ gm display ice40.jpg
Flat landscape transformed to a rolling hill.

There is a lot more you can do with gm but these tests show that basic functions work. All the generated images looked as expected when displayed.

Giving this the 64-bit OK.
Whiteboard: (none) => MGA6-64-OK
@ David : Advisory please? C7 is not enough. Validating anyway; Len's OKs mean what they say.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory:
========================

GraphicsMagick 1.3.28 updated with fixes for several security issues.

References:
openSUSE has issued an advisory on January 15:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00031.html

Their previous two advisories were:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00045.html
https://lists.opensuse.org/opensuse-updates/2017-12/msg00073.html

Announcement from GraphicsMagick.org
http://www.graphicsmagick.org/NEWS.html#january-20-2017

Updated packages in core/updates_testing:
========================

graphicsmagick-1.3.28-1.mga6
libgraphicsmagick3-1.3.28-1.mga6
libgraphicsmagick++12-1.3.28-1.mga6
libgraphicsmagickwand2-1.3.28-1.mga6
libgraphicsmagick-devel-1.3.28-1.mga6
perl-Graphics-Magick-1.3.28-1.mga6
graphicsmagick-doc-1.3.28-1.mga6

from graphicsmagick-1.3.28-1.mga6.src.rpm
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0100.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
openSUSE advisory from today (January 25) with even more CVEs: https://lists.opensuse.org/opensuse-updates/2018-01/msg00090.html Hopefully these have been fixed.
Re comment 15

Investigated a few of the POCs on an updated system.

From the standpoint of AFTER the update, version 1.3.28, followed the CVE-2017-11750 trail to https://bugzilla.suse.com/show_bug.cgi?id=1051442 and checked the reproducer.

$ valgrind -q --leak-check=full gm convert SEGV-0x000000000000_output_aai_1501399328.45 output.aai
gm convert: Insufficient image data in file (SEGV-0x000000000000_output_aai_1501399328.45).

This output is close to that posted on the link for 42.x/GraphicsMagick and 11/GraphicsMagick which I think relate to version 1.3.25.

Tried a few more:

CVE-2017-12673
https://bugzilla.suse.com/show_bug.cgi?id=1052717
$ valgrind -q --leak-check=full gm identify memory_leak_in_ReadOneMNGImage_2.mng
gm identify: Corrupt image (memory_leak_in_ReadOneMNGImage_2.mng).
gm identify: Request did not return an image.

CVE-2017-12935
https://bugzilla.suse.com/show_bug.cgi?id=1054600
$ gm convert -clip -negate 00303-graphicsmagick-invalidread-SetImageColorCallBack /dev/null
gm convert: Improper image header (00303-graphicsmagick-invalidread-SetImageColorCallBack).
$ valgrind -q --leak-check=full gm convert -clip -negate 00303-graphicsmagick-invalidread-SetImageColorCallBack
gm convert: Request did not return an image.

CVE-2017-13147
https://www.suse.com/security/cve/CVE-2017-13147/
$ time gm identify gm_allocation_failure_in_ReadMNGImage
gm identify: Corrupt image (gm_allocation_failure_in_ReadMNGImage).
gm identify: Request did not return an image.

real 0m0.002s
user 0m0.002s
sys 0m0.000s

These timings are similar to those posted upstream for the after case.

CVE-2017-14103
https://bugzilla.suse.com/show_bug.cgi?id=1057000
$ gm convert 00333-graphicsmagick-UAF-CloseBlob foo.jpg
gm convert: Insufficient image data in file (00333-graphicsmagick-UAF-CloseBlob).

Agreement with upstream.

These checks endorse "Hopefully these have been fixed."
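Added example (not part of the bug thread or of the tester's own commands): a small POSIX shell harness that runs each reproducer the way the checks above do and classifies the outcome from the exit status, so a clean parser error is told apart from a crash or a valgrind-reported error. The exit code 99 given to valgrind's --error-exitcode and all function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. VG_ERR is an arbitrary value chosen
# here so that valgrind-reported errors get a recognisable exit status.
VG_ERR=99

# classify_status STATUS: map an exit status to an outcome label.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"                      # file was read without complaint
    elif [ "$1" -eq "$VG_ERR" ]; then
        echo "memcheck-error"          # valgrind saw a leak or invalid access
    elif [ "$1" -eq 126 ] || [ "$1" -eq 127 ]; then
        echo "not-run"                 # tool missing or not executable
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(($1 - 128))"     # killed by a signal, e.g. 11 = SIGSEGV
    else
        echo "rejected"                # clean error exit: the patched behaviour
    fi
}

# run_case CMD [ARGS...]: run quietly, then classify the exit status.
run_case() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_all FILE...: run "gm identify" under valgrind on each reproducer.
# Returns 1 if any file crashed, tripped valgrind, or could not be run.
check_all() {
    failed=0
    for f in "$@"; do
        result=$(run_case valgrind -q --leak-check=full \
                 --error-exitcode="$VG_ERR" gm identify "$f")
        printf '%-16s %s\n' "$result" "$f"
        case $result in
            ok|rejected) ;;
            *) failed=1 ;;
        esac
    done
    return "$failed"
}

# Stand-alone use: sh check_pocs.sh reproducer1 reproducer2 ...
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Reproducers that need `gm convert` with extra options, as some in the comment above do, can be passed to `run_case` directly with the full command line.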
Len, thank you so much for your comprehensive tests for this package.

AFAICS, there haven't been any updates to the source tree in the last 2 days, so I don't know if they're working on something or if they're aware of these advisories.

Cheers,
Stig
openSUSE has issued an advisory today (February 1): https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html I don't know the status of those CVEs with respect to GraphicsMagick 1.3.28.
openSUSE has issued an advisory today (February 16): https://lists.opensuse.org/opensuse-updates/2018-02/msg00053.html I don't know the status of those CVEs with respect to GraphicsMagick 1.3.28.
openSUSE has issued an advisory on February 20: https://lists.opensuse.org/opensuse-updates/2018-02/msg00079.html
openSUSE has issued an advisory on February 26: https://lists.opensuse.org/opensuse-updates/2018-02/msg00106.html
openSUSE has issued an advisory today (March 18): https://lists.opensuse.org/opensuse-updates/2018-03/msg00065.html
openSUSE has issued an advisory today (April 7): https://lists.opensuse.org/opensuse-updates/2018-04/msg00013.html
openSUSE has issued an advisory today (May 2): https://lists.opensuse.org/opensuse-updates/2018-05/msg00003.html
Advisory:
========================

GraphicsMagick 1.3.29 updated with fixes for several security issues.

References:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00053.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00079.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00106.html
https://lists.opensuse.org/opensuse-updates/2018-03/msg00065.html
https://lists.opensuse.org/opensuse-updates/2018-04/msg00013.html
https://lists.opensuse.org/opensuse-updates/2018-05/msg00003.html

Updated packages in core/updates_testing:
========================

graphicsmagick-1.3.29-1.mga6
libgraphicsmagick3-1.3.29-1.mga6
libgraphicsmagick++12-1.3.29-1.mga6
libgraphicsmagickwand2-1.3.29-1.mga6
libgraphicsmagick-devel-1.3.29-1.mga6
perl-Graphics-Magick-1.3.29-1.mga6
graphicsmagick-doc-1.3.29-1.mga6

from graphicsmagick-1.3.29-1.mga6.src.rpm
Status: RESOLVED => REOPENED
Keywords: advisory, validated_update => (none)
Source RPM: graphicsmagick-1.3.27-1.mga6.src.rpm => graphicsmagick-1.3.28-1.mga6.src.rpm
Resolution: FIXED => (none)
Whiteboard: MGA6-64-OK => (none)
Thanks! Could you put this bug back the way it was and open a new one for this update (like I should have)?
Setting bug back how it was.
Whiteboard: (none) => MGA6-64-OK
Resolution: (none) => FIXED
Keywords: (none) => advisory, validated_update
Status: REOPENED => RESOLVED
Source RPM: graphicsmagick-1.3.28-1.mga6.src.rpm => graphicsmagick-1.3.27-1.mga6.src.rpm
Blocks: (none) => 22988
Blocks: 22988 => (none)