Bug 23257 - imagemagick new security issues
Summary: imagemagick new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-30 18:57 CEST by David Walser
Modified: 2019-01-05 19:31 CET (History)
6 users

See Also:
Source RPM: imagemagick-6.9.10.0-1.1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-06-30 18:57:17 CEST
openSUSE has issued an advisory today (June 30):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00149.html

At least some of these issues have been fixed since our last update.
Comment 1 Marja Van Waes 2018-07-01 06:59:39 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-07-04 15:11:52 CEST
@marja : hi, I disowned imagemagick due to health problems.
Comment 3 Marja Van Waes 2018-07-04 15:39:09 CEST
(In reply to Shlomi Fish from comment #2)
> @marja : hi, I disowned imagemagick due to health problems.

Thanks for telling me. I hope your health will greatly improve (which doesn't mean you should then take this package again, you already maintain so many!).

Reassigning to all packagers collectively.

Assignee: shlomif => pkg-bugs
CC: (none) => geiger.david68210

Comment 4 David Walser 2018-07-16 19:53:25 CEST
Debian has issued an advisory on July 14:
https://www.debian.org/security/2018/dsa-4245

It also addresses some new issues.
Comment 5 David Walser 2018-07-16 19:55:21 CEST
Ubuntu has issued an advisory for this on July 11:
https://usn.ubuntu.com/3711-1/
Comment 6 David Walser 2018-07-24 18:26:48 CEST
SUSE has issued an advisory for this on July 23:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004300.html
Comment 7 David Walser 2018-08-02 17:08:33 CEST
openSUSE has issued an advisory on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00081.html
Comment 8 David Walser 2018-08-28 22:56:01 CEST
SUSE has issued an advisory on August 21:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004481.html

openSUSE has issued an advisory on August 25:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00136.html
Comment 9 David Walser 2018-08-31 19:05:18 CEST
SUSE has disabled Ghostscript in ImageMagick as they did with GraphicsMagick, due to issues that have been discussed on oss-security recently (see also Bug 23157 Comment 11):
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004508.html
Comment 10 David Walser 2018-09-04 20:07:58 CEST
(In reply to David Walser from comment #9)
> SUSE has disabled Ghostscript in ImageMagick as they did with
> GraphicsMagick, due to issues that have been discussed on oss-security
> recently (see also Bug 23157 Comment 11):
> http://lists.suse.com/pipermail/sle-security-updates/2018-August/004508.html

openSUSE has followed suit:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00009.html
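The SUSE and openSUSE change in Comments 9 and 10 is done through ImageMagick's policy.xml, by giving the Ghostscript-backed coders rights="none". The checker below is an added example, not code from this bug report, from Mageia or from ImageMagick: it parses a policy.xml and reports which Ghostscript-backed coders are still reachable. The coder list and the two sample policies are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed list of ImageMagick coders that hand input to Ghostscript (the PS/PDF
# family and the gxps-backed XPS coder); the policy check below keys on these names.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "EPI", "EPSF", "EPSI", "EPT",
                      "PDF", "PDFA", "XPS")

# Constructed sample: a policy.xml with resource limits only, no coder restrictions.
OPEN_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# Constructed sample: the six-coder block that several distributions shipped in 2018.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

def coder_rights(policy_xml):
    """Map each coder named by a <policy domain="coder"> entry to its rights value.
    Brace alternation ("{PS,EPS}") is expanded; "*" is kept as a wildcard key."""
    rights = {}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder" or not pol.get("pattern"):
            continue
        for name in pol.get("pattern").strip("{}").split(","):
            rights[name.strip().upper()] = pol.get("rights", "").strip().lower()
    return rights

def ghostscript_exposure(policy_xml):
    """Return the Ghostscript-backed coders the policy does NOT set to rights="none"."""
    rights = coder_rights(policy_xml)
    default = rights.get("*", "")  # a pattern="*" entry applies to every coder
    return [c for c in GHOSTSCRIPT_CODERS if rights.get(c, default) != "none"]

if __name__ == "__main__":
    for label, xml in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: still reachable via Ghostscript -> {ghostscript_exposure(xml)}")
```

The hardened sample still leaves the EPI/EPSF/EPSI/EPT/PDFA names uncovered, which is why a check against the full coder list is more useful than eyeballing the file.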
Comment 11 David Walser 2018-10-10 00:42:30 CEST
Ubuntu has issued an advisory on October 4:
https://usn.ubuntu.com/3785-1/
Comment 13 David Walser 2018-10-15 22:19:32 CEST
Debian has issued an advisory on October 12:
https://www.debian.org/security/2018/dsa-4316
Comment 14 David Walser 2018-10-17 22:51:45 CEST
openSUSE and SUSE have issued advisories today (October 17):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00089.html
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004682.html
Comment 15 David Walser 2018-10-23 17:00:00 CEST
openSUSE has issued an advisory on October 18:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00105.html
Comment 16 David Walser 2018-12-26 02:59:40 CET
openSUSE has issued an advisory on December 8:
https://lists.opensuse.org/opensuse-updates/2018-12/msg00039.html
Comment 17 Stig-Ørjan Smelror 2019-01-01 21:01:22 CET
Advisory
========

Imagemagick has been updated to fix several bugs and security issues.

References
==========

https://legacy.imagemagick.org/script/changelog.php

Files
=====

Uploaded to core/updates_testing

imagemagick-6.9.10.22-1.1.mga6
imagemagick-debuginfo-6.9.10.22-1.1.mga6
imagemagick-desktop-6.9.10.22-1.1.mga6
imagemagick-doc-6.9.10.22-1.1.mga6
lib64magick-6Q16_6-6.9.10.22-1.1.mga6
lib64magick++-6Q16_8-6.9.10.22-1.1.mga6
lib64magick-devel-6.9.10.22-1.1.mga6
perl-Image-Magick-6.9.10.22-1.1.mga6

from imagemagick-6.9.10.22-1.1.mga6.src.rpm

CC: (none) => smelror

Stig-Ørjan Smelror 2019-01-01 21:01:36 CET

Assignee: pkg-bugs => qa-bugs

Comment 18 Thomas Andrews 2019-01-03 15:57:15 CET
Packages have not yet reached the math.princeton mirror. Seems like it should have been long enough, but perhaps things were delayed because of the holiday. Will try again later.

CC: (none) => andrewsfarm

Comment 19 Thomas Andrews 2019-01-03 16:40:10 CET
Ah. It appears that the math.princeton mirror is broken at the moment. That is unfortunate.
Comment 20 Thomas Andrews 2019-01-03 17:08:02 CET
QA Repo did not find imagemagick-debuginfo-6.9.10.22-1.1.mga6 on the distrib-coffee mirror, but did find the rest.

On real hardware, Core 2 Duo, Intel graphics, 8GB RAM, 64-bit Plasma system using the desktop kernel.

Packages installed cleanly. Loaded a photo of a hot air balloon landing, played with special effects until the image was completely unrecognizable. No issues noted. OK for 64-bit.

Whiteboard: (none) => MGA6-64-OK

Comment 21 David Walser 2019-01-03 17:09:38 CET
The debuginfo packages are in a different repo, but QA doesn't need to worry about those. We packagers shouldn't list them.
Comment 22 Thomas Andrews 2019-01-03 18:52:45 CET
Same hardware as Comment 20, 32-bit Xfce install using the server kernel.

There were no 32-bit libraries listed in Comment 17, but a little editing of the package list in QA Repo took care of that for this test.

Packages installed cleanly. Loaded a different photo, and again played with it until unrecognizable. No issues noted. Looks OK for 32-bit.

Validating. Suggested advisory in Comment 17, but the package list should be edited to include the 32-bit packages.

Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 David Walser 2019-01-03 19:19:37 CET
Don't worry about that. The SVN advisory only has the SRPMS, not the binary packages.
Lewis Smith 2019-01-03 20:58:56 CET

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 24 Mageia Robot 2019-01-05 19:31:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0006.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
