openSUSE has issued an advisory on May 28: https://lists.opensuse.org/opensuse-updates/2018-05/msg00129.html I think this issue was fixed after 1.3.29. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
openSUSE has issued an advisory today (June 30): https://lists.opensuse.org/opensuse-updates/2018-06/msg00151.html This is also a new issue.
Summary: graphicsmagick new security issue CVE-2017-18271 => graphicsmagick new security issues CVE-2017-18271 and CVE-2018-10805
Cauldron has been updated to version 1.3.30.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Advisory
========

Graphicsmagick has been updated to fix a security issue along with 230 bugfixes.

CVE-2016-2317: Multiple buffer overflows in GraphicsMagick 1.3.23 allow remote attackers to cause a denial of service (crash) via a crafted SVG file, related to the (1) TracePoint function in magick/render.c, (2) GetToken function in magick/utility.c, and (3) GetTransformTokens function in coders/svg.c.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2016-2317

Files
=====

Files uploaded to core/updates_testing:

perl-Graphics-Magick-1.3.30-1.mga6
lib64graphicsmagickwand2-1.3.30-1.mga6
lib64graphicsmagick-devel-1.3.30-1.mga6
lib64graphicsmagick3-1.3.30-1.mga6
lib64graphicsmagick++12-1.3.30-1.mga6
graphicsmagick-doc-1.3.30-1.mga6
graphicsmagick-1.3.30-1.mga6

from graphicsmagick-1.3.30-1.mga6.src.rpm
Assignee: smelror => qa-bugs
We fixed CVE-2016-2317 in Bug 17714. We need a correct advisory. It should have the two CVEs in the bug title (let's make sure 1.3.30 has the fixes).
Keywords: (none) => feedback
Meanwhile I have gone ahead and tested this on Mageia 6, x86_64. It looks OK in general but there does appear to be a bug related to SVG images.

Searched for poc files and tested the one found.

CVE-2017-18271
Infinite loop vulnerability - PoC relevant to ImageMagick as well.
https://github.com/henices/pocs/raw/master/cpu-exhaustion-ReadMIFFImage
$ gm convert cpu-exhaustion-ReadMIFFImage /dev/null
The process hangs at this point.

CVE-2018-10805
No reproducer available.

Updated the seven packages and tried the poc.

CVE-2017-18271
$ gm convert cpu-exhaustion-ReadMIFFImage /dev/null
gm convert: Unexpected end-of-file (cpu-exhaustion-ReadMIFFImage).
One problem fixed.

$ gm version
GraphicsMagick 1.3.30 2018-06-23 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
[...]

Put GM through its paces using a test-file directory and tests similar to those in earlier update tests (bugs 21564, 19668, 17714), documented in the wiki at https://wiki.mageia.org/en/QA_procedure:GraphicsMagick.

Tested display, identify, mogrify, animate, montage, import and convert on GIF, TIFF, JPEG, PNG, SVG, PNM and PGM image formats.

Examples:
$ gm display mageia-2013.svg
$ gm convert -resize 80%x100% -quality 100 mageia-2013.svg mageia.jpg
Mageia logo squashed in the horizontal direction.
$ gm animate -delay 200 xa*.png
Four images displayed in a loop, one frame every 2 seconds.
$ gm display flip GlenShiel_4.jpg
Scotland upside-down.
$ gm import -window root screenshot.tif
$ gm import -window root -resize 50% workspace.jpg
$ gm convert -rotate 270 SantaMaria.tif crater.png
$ gm montage loch*.png showcase.pgm
This generated an image containing 10 images and a thumbnail index, all in greyscale.
$ gm montage loch*.png showcase.ppm
A similar image was produced in the original colours.

There is still a problem with conversions to TIFF, which has been on the books for at least two years - I guess nobody got round to posting a bug. It is not a current regression though.
$ gm convert GlenShiel_2.jpg glenshiel.tiff
gm convert: glenshiel.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).

However:
$ gm convert BenBois_Clock.svg clock.tiff
succeeds but the resulting image does not correspond. ImageMagick produces a perfect copy using the same command. In fact there is a problem in GM with conversion from SVG to any format. It may not have been tried in any of our tests before. The images are severely degraded but OK when produced by IM.

Ran these example scripts to exercise perl-Graphics-Magick:
http://www.graphicsmagick.org/perl.html#example-script
$ perl imagestack.pl
$ identify x.gif
x.gif[0] GIF 100x100 100x100+100+100 8-bit sRGB 256c 36466B 0.000u 0:00.000
x.gif[1] GIF 100x100 100x100+100+100 8-bit sRGB 256c 36466B 0.000u 0:00.000
x.gif[2] GIF 100x100 100x100+100+100 8-bit sRGB 256c 36466B 0.000u 0:00.000
x.gif[3] GIF 100x100 100x100+100+100 8-bit sRGB 256c 36466B 0.000u 0:00.000
$ gm animate -delay 100 x.gif
Slideshow at 1 frame per second.
$ ./graffiti.pl
This produced a new image x.ppm showing a red rectangle on a white background and a modified image of JessicaAlba with a red rectangle superimposed.

Not confident in perl so leaving it there.
CC: (none) => tarazed25
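
The before/after check from the comment above, automated as an added example (it is not part of the original bug report): the decoder runs under a time limit, so an infinite-loop regression such as CVE-2017-18271 is reported as a failure instead of blocking the test run. It assumes coreutils `timeout`; the function names and the 10-second limit are illustrative.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes coreutils `timeout`.

# check_decode LIMIT_SECONDS COMMAND [ARGS...]
# Runs COMMAND under a time limit and prints one of:
#   ok        command finished with exit status 0
#   rejected  command finished with an error (e.g. "Unexpected end-of-file")
#   hang      command was still running when the limit expired
check_decode() {
    limit=$1
    shift
    rc=0
    # -k 2: send SIGKILL two seconds after SIGTERM if the process ignores it.
    timeout -k 2 "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo ok ;;
        124|137) echo hang ;;      # 124 = timed out, 137 = had to be killed
        *)       echo rejected ;;
    esac
}

# regression_verdict LIMIT_SECONDS COMMAND [ARGS...]
# A fixed build may accept or reject the crafted file, but must not hang.
regression_verdict() {
    result=$(check_decode "$@")
    if [ "$result" = hang ]; then
        echo "FAIL ($result)"
    else
        echo "PASS ($result)"
    fi
}

# When called with a file name, run the same command used in the comment.
if [ "$#" -ge 1 ]; then
    regression_verdict 10 gm convert "$1" /dev/null
fi
```

On the unpatched package this would print FAIL (hang) for the PoC file; on 1.3.30, where gm exits with an end-of-file error, it would print PASS (rejected).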
Created attachment 10317
Perl script to create a stack of images in one file suitable for animation
Needs editing for local use.
Created attachment 10318
Perl script for adding a rectangle to an image
Edit to suit.
Rider to comment 5; In the output from 'gm -version' SVG is not mentioned under supported features but that list might not be complete.
Re SVG, comment 8. We probably have to live with this - some SVG images may render OK, others not.

Recent quotes from GraphicsMagick News:
"Due to significant issues being discovered and addressed for almost every release, it is recommended to update to the most current release and not attempt to patch older releases."

Several quotes indicate that SVG rendering is being actively supported.

Also: http://www.graphicsmagick.org/formats.html
"Note that SVG is a very complex specification so support is still not complete."

So there does not seem to be any point in a bug report or any reason to hold back this update. Withholding the 64-bit OK until the advisory is amended.
(In reply to David Walser from comment #4)
> We fixed CVE-2016-2317 in Bug 17714. We need a correct advisory. It should
> have the two CVEs in the bug title (let's make sure 1.3.30 has the fixes).

According to their changelog, they "really fixed" this CVE this time, meaning it wasn't properly fixed earlier. I couldn't find anything else to report based on the mentioned changelog.

Cheers,
Stig
CC: (none) => smelror
Whiteboard: (none) => MGA6-64-OK
openSUSE has issued advisories on August 19 and 26:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00129.html
https://lists.opensuse.org/opensuse-updates/2018-08/msg00149.html

The first adds a new CVE and the second disables uses of GhostScript due to issues that have been discussed on oss-security recently.
Whiteboard: MGA6-64-OK => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs
Summary: graphicsmagick new security issues CVE-2017-18271 and CVE-2018-10805 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435
Keywords: feedback => (none)
openSUSE has issued an advisory on September 8: https://lists.opensuse.org/opensuse-updates/2018-09/msg00048.html It fixes an additional issue.
Summary: graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323
openSUSE has issued advisories on September 17 and 24: https://lists.opensuse.org/opensuse-updates/2018-09/msg00079.html https://lists.opensuse.org/opensuse-updates/2018-09/msg00143.html They fix 4 new issues.
Summary: graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[45], CVE-2018-16749, CVE-2018-16750
Debian has issued an advisory on October 16: https://www.debian.org/security/2018/dsa-4321
openSUSE has issued an advisory today (October 17): https://lists.opensuse.org/opensuse-updates/2018-10/msg00090.html
Summary: graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[45], CVE-2018-16749, CVE-2018-16750 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[45], CVE-2018-16749, CVE-2018-16750, CVE-2018-18024
SUSE has issued an advisory on October 22: http://lists.suse.com/pipermail/sle-security-updates/2018-October/004752.html
Summary: graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[45], CVE-2018-16749, CVE-2018-16750, CVE-2018-18024 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[02345], CVE-2018-16749, CVE-2018-16750, CVE-2018-1796[56], CVE-2018-18016, CVE-2018-18024
openSUSE has issued an advisory today (October 26): https://lists.opensuse.org/opensuse-updates/2018-10/msg00197.html
graphicsmagick-1.3.31-1.mga7 uploaded for Cauldron by Stig-Ørjan.
openSUSE has issued an advisory today (November 20): https://lists.opensuse.org/opensuse-updates/2018-11/msg00097.html
Summary: graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[02345], CVE-2018-16749, CVE-2018-16750, CVE-2018-1796[56], CVE-2018-18016, CVE-2018-18024 => graphicsmagick new security issues CVE-2017-18271, CVE-2018-10805, CVE-2018-14435, CVE-2018-16323, CVE-2018-1664[02345], CVE-2018-16749, CVE-2018-16750, CVE-2018-1796[56], CVE-2018-18016, CVE-2018-18024, CVE-2018-18544
We could upgrade to 1.3.31: http://www.graphicsmagick.org/NEWS.html#november-17-2018
(In reply to David Walser from comment #20)
> We could upgrade to 1.3.31:
> http://www.graphicsmagick.org/NEWS.html#november-17-2018

In mga6? Because we already have it in Cauldron.

Cheers,
Stig
(In reply to Stig-Ørjan Smelror from comment #21)
> In mga6?

Yes, of course.
Advisory
========

Graphicsmagick has been updated to fix several bugs and security issues.

References
==========
http://www.graphicsmagick.org/NEWS.html#november-17-2018

Files
=====

Uploaded to core/updates_testing

graphicsmagick-1.3.31-1.mga6
graphicsmagick-debuginfo-1.3.31-1.mga6
graphicsmagick-doc-1.3.31-1.mga6
lib64graphicsmagick++12-1.3.31-1
lib64graphicsmagick3-1.3.31-1.mga6
lib64graphicsmagick-devel-1.3.31-1.mga6
lib64graphicsmagickwand2-1.3.31-1.mga6
perl-Graphics-Magick-1.3.31-1.mga6

from graphicsmagick-1.3.31-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

Making a start on this. Ran several tests for reassurance then updated all the packages except *debuginfo with no problems.

One of the GraphicsMagick utilities is 'conjure' which can be used to write one-off MSL scripts (using perl-Graphics-Magick) to perform image-processing tasks. The documentation does not make it clear why it would be used when gm already supplies the utilities for image processing at the cli. However, it should be tested.

Downloaded a simple conjure script from http://www.graphicsmagick.org/conjure.html and edited it as required.

conjure.msl resizes an image named in the text.
$ identify glenview.png
glenview.png PNG 602x400 602x400+0+0 8-bit sRGB 345807B 0.000u 0:00.000
[lcl@difda images]$ display glenview.png
$ gm conjure -dimensions 400x400 conjure.msl
$ identify image.png
image.png PNG 400x266 400x266+0+0 8-bit sRGB 157962B 0.000u 0:00.000

conjure2.msl converts the type as well.
$ identify JessicaAlba.jpg
JessicaAlba.jpg JPEG 600x448 600x448+0+0 8-bit sRGB 41342B 0.000u 0:00.000
$ gm conjure -dimensions 900x672 conjure2.msl
$ identify jessica.png
jessica.png PNG 900x672 900x672+0+0 8-bit sRGB 649301B 0.000u 0:00.000

To be continued..
Created attachment 10624
Resizing script for a specific image
Specimen command in the comments.
Created attachment 10625
conjure script for conversion and resizing of a particular image
It appears that the print function does not work.
Running a few tests to exercise the builtin commands; conjure already tested.

$ gm version
GraphicsMagick 1.3.31 2018-11-17 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2018 GraphicsMagick Group.
[...]
Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wall -pthread
  CPPFLAGS = -I/usr/include -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -pthread
  LDFLAGS  = -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--enable-new-dtags -L/usr/lib64
  LIBS     = -llcms2 -lfreetype -lX11 -llzma -lbz2 -lz -lltdl -lm -lpthread

Tried animation.
$ gm animate -pause 3 -delay 100 -backdrop -background 'OliveDrab' frame?.png
The animation works, with a delay of 1 second between frames and a 3 second pause before restarting. The speed can be varied dynamically via the right-click menu.

The batch command could be useful for automating these tests for a chosen file. To do.

$ gm benchmark convert mageia.jpg -gaussian 0x1 output.ppm
Results: 8 threads 1 iter 0.06s user 0.12s total 8.033 iter/s 16.667 iter/cpu
$ gm display output.ppm
Looks like Gaussian blur, softening the edges of the text.

$ gm composite -geometry +10+10 clock.tif TatianaMaslany.jpg composite.miff
$ gm display composite.miff
Displays an image with a clock overlay at the top left-hand corner.

Type conversion:
$ gm convert TatianaMaslany.jpg Tatiana.png
gm convert: profile matches sRGB but writing iCCP instead (Tatiana.png) [No such file or directory].
Nevertheless the image is generated and in appearance matches the input.
$ gm convert Tatiana.png Tatiana.gif
gm convert: iCCP: known incorrect sRGB profile (Tatiana.png).
$ gm display Tatiana.gif
Again, the output looks like the original.

$ gm compare -metric mse TatianaMaslany.jpg Tatiana.jpg
Image Difference (MeanSquaredError):
           Normalized    Absolute
          ============  ==========
     Red: 0.0001194560        0.0
   Green: 0.0000949516        0.0
    Blue: 0.0001429296        0.0
   Total: 0.0001191124        0.0
So, the copy is pretty close to the original in spite of the two intermediate type conversions.

The documentation says that gm utilities support a huge range of image formats including several raw camera formats. Tried to display several different raw images and one conversion, without success, so this functionality may be limited.

Convert image to postscript file:
$ gm convert -page A4+0+0 Glenview.png glenview.ps
Faithful reproduction when viewed using 'gm display'. gm also displayed an existing postscript file.

$ gm convert JessicaAlba.jpg jessica_grey.pgm
The resulting image is a greyscale copy of the original.
$ gm convert -resize 200% JessicaAlba.jpg jessica_big.png
Magnifies the original by a factor of 2x2.
$ gm identify JessicaAlba.jpg
JessicaAlba.jpg JPEG 600x448+0+0 DirectClass 8-bit 40.4Ki 0.000u 0m:0.000002s
$ gm convert -resize 720x538 -flip JessicaAlba.jpg flip.ppm
Outputs a magnified image upside-down.
$ gm display -rotate 180 flip.ppm
Shows the original image the right way up but flopped (mirror image).

Change the colour contrast of an image on the fly.
$ gm display -gamma 2.2 lena_color.tiff
The enhanced gamma makes the picture look bleached.

$ gm convert -paint 4 GlenShiel.jpg GlenCanvas.ppm
produces an image with an oil-painted look.

mogrify has the same options as convert but applies changes to the source image.
$ gm mogrify -flop glenview.png
$ gm display glenview.png
Shows the mirror image of the original.

$ gm montage LochLubnaig*.* Lubnaig_montage.png
This produces a montage of thumbnails of the loch images.

It would take a week to run through all the capabilities of GraphicsMagick so this shall have to do. GM looks fit for purpose, working as designed.
Advisory from comment 23, CVEs from bug title.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
We don't know for sure about the CVEs, since they weren't announced by upstream. That's why we had a generic advisory without CVEs.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0496.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED