openSUSE has issued an advisory on May 11: https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html I'm not sure if any of the issues are still unfixed after our last update.
Similar for the Debian advisory from May 18: https://www.debian.org/security/2018/dsa-4204
Similar for the Ubuntu advisory from today (June 12): https://usn.ubuntu.com/3681-1/
Advisory
========

Imagemagick has been updated to version 6.9.10.0 to fix several bugs and possible security issues.

- Fixed numerous use of uninitialized values, integer overflow, memory exceeded, and timeouts
- Missing break when checking "compliance" element.
- Fixed errant 'not enough pixel data' (reference https://github.com/ImageMagick/ImageMagick/issues/1133)
- Fixed memory corruption for MVG paths
- A SVG rectangle with a width and height of 1, is a point
- Properly initialize SVG color style
- Heap buffer overflow fix (reference https://github.com/ImageMagick/ImageMagick/issues/1156)

References
==========

https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html
https://www.debian.org/security/2018/dsa-4204
https://usn.ubuntu.com/3681-1/
https://legacy.imagemagick.org/script/changelog.php

Files
=====

Uploaded to core/updates_testing

imagemagick-6.9.10.0-1.mga6
imagemagick-doc-6.9.10.0-1.mga6
perl-Image-Magick-6.9.10.0-1.mga6
lib64magick-devel-6.9.10.0-1.mga6
lib64magick++-6Q16_8-6.9.10.0-1.mga6
lib64magick-6Q16_6-6.9.10.0-1.mga6
imagemagick-desktop-6.9.10.0-1.mga6

from imagemagick-6.9.10.0-1.mga6.src.rpm
Assignee: smelror => qa-bugs
Mageia 6, x86_64

Undertook search for reproducers before updating, following links at https://lists.opensuse.org/opensuse-updates/2018-05/msg00026.html

CVE-2017-10928
https://bugzilla.suse.com/show_bug.cgi?id=1047356
Turned out to be gzipped. Used ark to extract it.
$ identify imagemagick-heap-buffer-overflow-4.svg.uncompressed
imagemagick-heap-buffer-overflow-4.svg.uncompressed SVG 128x128 128x128+0+0 16-bit sRGB 16384B 0.010u 0:00.009
Does not crash so maybe already fixed.
--------------------------------------------------------------
CVE-2017-14325
https://github.com/ImageMagick/ImageMagick/issues/741
$ file *.icon
im_poc_1504841049.icon: MS Windows icon resource - 1 icon, 24x7, 2 colors
$ convert im_poc_1504841049.icon output.mpc
convert: insufficient image data in file `im_poc_1504841049.icon' @ error/icon.c/ReadICONImage/404.
convert: no images defined `output.mpc' @ error/convert.c/ConvertImageCommand/3258.
(convert output.mpc output.art)
--------------------------------------------------------------
CVE-2017-17887
https://github.com/ImageMagick/ImageMagick/issues/903
$ convert memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng /dev/null
Expected a message such as "cache resources exhausted" but there was nothing.
$ valgrind --leak-check=full --show-leak-kinds=all convert memory-leaks-wYQ0gKxwmALb50pqSNuH0mMtB2nGc6DL.mng /dev/null
This returned 1 error and 20 loss records.
--------------------------------------------------------------
CVE-2017-1825{0,1,2,4}
No reproducer
--------------------------------------------------------------
CVE-2018-10177
https://bugzilla.suse.com/show_bug.cgi?id=1089781
$ convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png
Hangs forever, as expected. GM has the same issue but may need a different patch.
--------------------------------------------------------------
CVE-2018-8960
$ wget https://github.com/ImageMagick/ImageMagick/files/1806047/tif_heap-buffer-overflow.zip
$ unzip tif_heap-buffer-overflow.zip
$ convert tif_heap-buffer-overflow dev/null
convert: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "StripOffsets"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "StripByteCounts"; tag ignored. `TIFFFetchStripThing' @ warning/tiff.c/TIFFWarnings/913.
convert: Incorrect count for "ColorMap"; tag ignored. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/913.
convert: Not enough data for scanline 0, expected a request for at most 152 bytes, got a request for 1024 bytes. `DumpModeDecode' @ error/tiff.c/TIFFErrors/569.
convert: Read error at scanline 0; got 408 bytes, expected 1024. `TIFFReadEncodedStrip' @ error/tiff.c/TIFFErrors/569.
convert: Invalid strip byte count 0, strip 1. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/569.
--------------------------------------------------------------
CVE-2018-9018
https://sourceforge.net/p/graphicsmagick/bugs/554/
$ identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng
graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng MNG 160x120 160x120+0+0 16-bit sRGB 0.000u 0:00.000
This matches the "before" report at https://bugzilla.suse.com/show_bug.cgi?id=1086773 for ImageMagick version 6.9.9-40. We have imagemagick-6.9.9.41-1.mga6 here before updating. Other possible returns were FPE or Divide-by-zero.
--------------------------------------------------------------
CVE-2018-9135
https://bugzilla.suse.com/show_bug.cgi?id=1087825
$ identify poc.9135
poc.9135 WEBP 1610x4378 1610x4378+0+0 8-bit sRGB 1619B 0.000u 0:00.000
$ valgrind identify -verbose poc.9135
The output contains the line:
identify: corrupt image `poc.9135' @ error/webp.c/ReadWEBPImage/333.
which matches the report at the above link.
--------------------------------------------------------------
Update report later.
CC: (none) => tarazed25
Clean update of all the packages.

PoC tests:

CVE-2017-10928
No change - so it probably had already been fixed.

CVE-2017-14325
Same output. Probably fixed already.

CVE-2017-17887
valgrind output is the same.

CVE-2018-10177
This still hangs - maybe no patch.

CVE-2018-8960
Same output.

CVE-2018-9018
identify: corrupt image `graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng' @ error/png.c/ReadOneMNGImage/5253.
That is a definite positive result.

CVE-2018-9135
identify poc.9135
No change in the output and valgrind still identifies the image as corrupt and does not return image parameters. identify by itself does. One would expect identify to state that the image is corrupt if the patch works, and not return any parameter values.

Summarizing: we have not gained very much from this exercise. Some issues may be historic. One patch is definitely successful and some issues may still be open.

Utility tests to follow.
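Added example, not part of the original bug comments: a small shell harness for the before/after reproducer comparison described above, which turns each run into a verdict (OK, ERROR, CRASH, HANG) so the two runs can be diffed instead of compared by eye. The function names and the "label|command" manifest format are assumptions of this example; the sample manifest lines in the comments use the reproducer file names quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names and the
# "label|command" manifest format are assumptions of this sketch.

# classify_run LIMIT CMD [ARGS...]
# Prints OK, ERROR(exit N), CRASH(signal N) or HANG.
classify_run() {
    limit=$1; shift
    rc=0
    # stdin comes from /dev/null so the tool cannot consume the manifest
    timeout "$limit" "$@" </dev/null >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "HANG"                          # timeout(1) expired: endless loop
    elif [ "$rc" -gt 128 ]; then
        echo "CRASH(signal $((rc - 128)))"   # 139 = SIGSEGV, 136 = SIGFPE
    elif [ "$rc" -ne 0 ]; then
        echo "ERROR(exit $rc)"               # tool reported an error; 127 = tool missing
    else
        echo "OK"                            # exit status 0
    fi
}

# run_suite LIMIT MANIFEST
# Each manifest line is "label|command line", for example:
#   CVE-2018-10177|convert imagemagick_7-0-7_convert_infinite-loop_ReadOneMNGImage.mng foo.png
#   CVE-2018-9018|identify graphicsmagick_1-3-28_identify_divide-by-zero_ReadMNGImage.mng
# Emits "label<TAB>verdict" per line.
run_suite() {
    suite_limit=$1
    while IFS='|' read -r label cmd; do
        [ -z "$label" ] && continue
        # $cmd is split on whitespace on purpose; the manifest is tester-written
        printf '%s\t%s\n' "$label" "$(classify_run "$suite_limit" $cmd)"
    done < "$2"
}

# compare_runs BEFORE AFTER
# Prints one line per label whose verdict changed between the two result files.
compare_runs() {
    awk -F'\t' 'NR == FNR { before[$1] = $2; next }
                before[$1] != $2 { print $1 ": " before[$1] " -> " $2 }' "$1" "$2"
}
```

Run `run_suite 30 pocs.txt > before.tsv` on the installed version, repeat into `after.tsv` once the update is applied, then `compare_runs before.tsv after.tsv`; a reproducer that hangs in both runs produces no line, which is itself the signal that the issue is still open.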
Took the lazy way out and ran the tests outlined in bug 19078. The examples.pl script discovered by Lewis did not work, because of some problem with Perl I think.

$ identify JessicaAlba.tif
JessicaAlba.tif TIFF 600x448 600x448+0+0 8-bit sRGB 806716B 0.000u 0:00.009

Image conversion and vignetting.
$ convert TatianaMaslany.jpg -background grey44 -vignette 0x5 Maslany.png
$ display Maslany.png

Make a squashed image of a TIFF in JPEG format, with approximately the same area.
$ identify Ikapati.tif
Ikapati.tif TIFF 1024x1024 1024x1024+0+0 8-bit Grayscale Gray 1.00118MiB 0.000u 0:00.000
$ convert -resize 120%x80% Ikapati.tif ikapati.jpg
$ identify ikapati.jpg
ikapati.jpg JPEG 1229x819 1229x819+0+0 8-bit Gray 256c 365436B 0.000u 0:00.000

Hide a message in an image.
$ convert -gravity center -size 480x100 label:"Good morning QA" message.png
$ composite message.png SantaMaria.png -stegano +15+2 crater.png
$ display crater.png
$ convert -size 480x100+15+2 stegano:crater.png secret.png
$ display secret.png
This says "Good morning QA". crater.png and SantaMaria.png look the same when displayed.

Modify an image in place. Apply a series of rotations and reflections which restore the image to its original state.
$ mogrify -rotate 270 newbridge.tif
$ mogrify -flip newbridge.tif
$ mogrify -flop newbridge.tif
$ mogrify -rotate -90 newbridge.tif

Convert can be used to create images as well and it can make use of builtin objects.

Create a coloured bar which displays nearly all the colours of the optical spectrum.
$ convert -size 60x500 gradient:'#FFF-#0FF' -rotate 90 -set colorspace HSB -colorspace RGB rainbow_2.jpg

Create a panel shaded diagonally from blue to black.
$ convert -size 400x200 xc: -sparse-color barycentric '0,0 skyblue -%w,%h skyblue %w,%h black' diagonal_gradient.jpg

Create a montage consisting of thumbnails of the 10 referenced images.
$ montage -adjoin lakedistrict32?.gif lakes.gif

Create a rose pink rectangle.
$ convert -size 200x160 canvas:MistyRose rose.png

Create a square shaded vertically from tomato-red to blue.
$ convert -size 100x100 gradient:tomato-steelblue gradient_5.jpg

A rose in a blue frame.
$ convert rose: -fill none -stroke navy -strokewidth 11 -draw 'rectangle 0,0 69,45' borderrose.jpg

Create an image of a rose with a bevelled border.
$ convert rose: -raise 5 framed_rose.png

$ convert LochLubnaig_4.jpg GlenShiel_7.jpg -composite scotland.jpg
This overlays a picture of a glen on an image of a lake, the smaller image in the top left-hand corner.

You could go on and on with this but these operations would indicate that IM is functioning normally.
Also checked the animate function of ImageMagick, running an animation of several images and also building a stacked frame image and animating that by specifying a delay interval. That all worked as intended.

Re comment 0. Have made no comparisons with previous bug tests regarding fixed or unfixed issues. Would that be worth doing?
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.i586 is already installed

I can open files ( jpeg, png, bmp ) with imagemagick, enhance and modify those files then save them under a different name. Those saved files can be opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.10.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.10.0-1.mga6.i586 is already installed

I can open different files with imagemagick, modify those files then save them under a different name. Those saved files can be opened with gimp. I can open the previously created image files.
CC: (none) => wilcal.int
In VirtualBox, M6, MATE, 64-bit

Package(s) under test:
imagemagick imagemagick-desktop

default install of imagemagick & imagemagick-desktop

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.9.41-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.9.41-1.mga6.x86_64 is already installed

I can open files ( jpg, png, gif ) with imagemagick, enhance and modify those files then save them under a different name. Those saved files can be opened with gimp.

install imagemagick & imagemagick-desktop from updates_testing

[root@localhost wilcal]# urpmi imagemagick
Package imagemagick-6.9.10.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi imagemagick-desktop
Package imagemagick-desktop-6.9.10.0-1.mga6.x86_64 is already installed

I can open different files with imagemagick, modify those files then save them under a different name. Those saved files can be opened with gimp. I can open the previously created image files.
Good to go Len.
Whiteboard: (none) => MGA6-32-OK MGA6-64-O
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Right you are Bill.
Whiteboard: MGA6-32-OK MGA6-64-O => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0285.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Re comment 6. examples.pl is for use with Perl::Magick.