openSUSE has issued an advisory on February 1:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html

openSUSE has issued an advisory on February 16:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00053.html

openSUSE has issued an advisory on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00079.html

openSUSE has issued an advisory on February 26:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00106.html

openSUSE has issued an advisory on March 18:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00065.html

openSUSE has issued an advisory on April 7:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00013.html

openSUSE has issued an advisory on May 2:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00003.html

Stig-Ørjan Smelror has built an update for 1.3.29, which may fix these issues.

Advisory:
========================

GraphicsMagick 1.3.29 updated with fixes for several security issues.

References:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00000.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00053.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00079.html
https://lists.opensuse.org/opensuse-updates/2018-02/msg00106.html
https://lists.opensuse.org/opensuse-updates/2018-03/msg00065.html
https://lists.opensuse.org/opensuse-updates/2018-04/msg00013.html
https://lists.opensuse.org/opensuse-updates/2018-05/msg00003.html

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.29-1.mga6
libgraphicsmagick3-1.3.29-1.mga6
libgraphicsmagick++12-1.3.29-1.mga6
libgraphicsmagickwand2-1.3.29-1.mga6
libgraphicsmagick-devel-1.3.29-1.mga6
perl-Graphics-Magick-1.3.29-1.mga6
graphicsmagick-doc-1.3.29-1.mga6

from graphicsmagick-1.3.29-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs
Keywords: advisory, validated_update => (none)
Depends on: 22403 => (none)
Source RPM: graphicsmagick-1.3.27-1.mga6.src.rpm => graphicsmagick-1.3.28-1.mga6.src.rpm
Accumulating reproducers for some of the CVEs. Quite a long list.
Created attachment 10118
List of reproducers to be run before and after the updates
Continuing with this later.
Created attachment 10119
Results of running the reproducers before updating GM

Created attachment 10120
Results from running the PoC tests after updating GM
Comparisons between the PoC tests before and after show that little had changed, which might indicate that most of the issues with reproducers had already been fixed. There is a net positive outcome anyway. Functionality tests tomorrow aka later.
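The before/after reproducer runs described in the comments above can be made repeatable with a small harness. This is an added example, not part of the bug report or its attachments; the `gm identify` default, the `GM_CMD` and `RUN_TIMEOUT` variables, the directory layout and the result-file format are all assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumptions: GM_CMD defaults to
# "gm identify", sample names contain no whitespace, timeout(1) is available.
GM_CMD="${GM_CMD:-gm identify}"
RUN_TIMEOUT="${RUN_TIMEOUT:-20}"

# classify_status <exit-status>: turn an exit status into a verdict.
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -eq 124 ]; then echo timeout      # killed by timeout(1)
    elif [ "$1" -gt 128 ]; then echo "crash-sig$(( $1 - 128 ))"  # 139 = SIGSEGV
    else echo rejected                            # clean error exit
    fi
}

# run_reproducers <dir>: print "<file> <verdict>" for every sample in <dir>.
run_reproducers() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        timeout "$RUN_TIMEOUT" $GM_CMD "$f" >/dev/null 2>&1 || rc=$?
        printf '%s %s\n' "$(basename "$f")" "$(classify_status "$rc")"
    done
}

# compare_runs <before> <after>: list samples whose verdict changed.
compare_runs() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && before[$1] != $2 {
             bad_then = (before[$1] ~ /^(crash|timeout)/)
             bad_now  = ($2 ~ /^(crash|timeout)/)
             tag = "changed"
             if (bad_then && !bad_now) tag = "fixed"
             if (!bad_then && bad_now) tag = "regressed"
             printf "%s %s -> %s (%s)\n", $1, before[$1], $2, tag
         }' "$1" "$2"
}

# Usage (run once before and once after installing the update):
#   run_reproducers ./reproducers > before.txt
#   run_reproducers ./reproducers > after.txt
#   compare_runs before.txt after.txt
```

A sample that moves from a crash or timeout verdict to `rejected` is the expected outcome for a fixed parsing bug: the malformed file is refused with a clean error instead of taking the process down.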
Found a few more tests by following the seven links in the advisory again - after the update. The results seem to show that the underlying issues are being dealt with cleanly. There is general agreement with upstream tests. Tabulating these later.
Created attachment 10122
Collection of reproducer files for GraphicsMagick

Created attachment 10123
Quick conversion utility for images to be animated
$ ruby frames.rb <imagelist> <extension>

Created attachment 10124
Animation script for a set of images. Edit as required. See bug #17714.

In previous testing sessions there has often been trouble with gm conversions from * to TIFF. That still seems to be the case but IM can handle the conversion OK.

$ gm convert GlenShiel_7.jpg glenshiel.tiff
gm convert: glenshiel.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
$ convert GlenShiel_7.jpg glenshiel.tiff

Converting back again does not eradicate the message.

$ gm convert glenshiel.tiff glenshiel.jpg
$ gm convert glenshiel.jpg glen.tif
gm convert: glen.tif: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
$ gm display glenshiel.jpg
$ gm display glen.tif
$ gm convert GlenShiel_6.jpg loch.png
$ gm display loch.png

All the displays work fine.

Vector graphics:
$ ls *svg
sample2.svg sample.svg test.svg
$ gm display *.svg
That showed sample2.svg. Left clicking for a menu and then clicking 'Next' advanced to sample.svg; another click for test.svg.

Create an animated GIF from an image list. (Used the attached ruby script to generate a list of frame images.)
Ran wilcal's animation script from bug #17714 comment 23.
$ perl gmtest.pl
Generated four-frame image frames.gif.
$ gm display -delay 200 frames.gif
Display the sequence with 2 second pauses. Units of 'delay' are hundredths of a second.
Alternatively:
$ gm display -delay 2.0 frames.gif
for 2 second delays.

$ gm convert -resize 120%x80% Ikapati.tif ikapati.png
Creates a squashed image of a crater on Ceres.

GM does not reproduce all of the IM functions but this works:
$ gm convert -size 300x400 gradient:olivedrab-steelblue gradient_5.jpg
$ gm display gradient_5.jpg
It does not seem to support a builtin canvas.

Switch an image from left to right.
$ gm mogrify -flop frame5.png
Turn the image upside down.
$ gm mogrify -rotate 180 frame5.png
Return the image to its original state.
$ gm mogrify -flip frame5.png

Looks like it is all working. Giving this an OK but shall add the latest PoC tests later. Need to revert for those - for information only - the bug can be validated.
Whiteboard: (none) => MGA6-64-OK
Created attachment 10125
Convert a set of images to frame<n>.ext
Attachment 10123 is obsolete: 0 => 1
Created attachment 10126
Convert a set of images to files named frame<n>.gif|ext
Attachment 10125 is obsolete: 0 => 1
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0228.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED