23257 – imagemagick new security issues

Bug 23257 - imagemagick new security issues

Summary: imagemagick new security issues

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-32-OK MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2018-06-30 18:57 CEST by David Walser
Modified:	2019-01-05 19:31 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	imagemagick-6.9.10.0-1.1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-06-30 18:57:17 CEST

openSUSE has issued an advisory today (June 30):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00149.html

At least some of these issues have been fixed since our last update.

Comment 1 Marja Van Waes 2018-07-01 06:59:39 CEST

Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-07-04 15:11:52 CEST

@marja : hi, I disowned imagemagick due to health problems.

Comment 3 Marja Van Waes 2018-07-04 15:39:09 CEST

(In reply to Shlomi Fish from comment #2)
> @marja : hi, I disowned imagemagick due to health problems.

Thanks for telling me. I hope your health will greatly improve (which doesn't mean you should then take this package again, you already maintain so many!).

Reassigning to all packagers collectively.

Assignee: shlomif => pkg-bugs
CC: (none) => geiger.david68210

Comment 4 David Walser 2018-07-16 19:53:25 CEST

Debian has issued an advisory on July 14:
https://www.debian.org/security/2018/dsa-4245

It also addresses some new issues.

Comment 5 David Walser 2018-07-16 19:55:21 CEST

Ubuntu has issued an advisory for this on July 11:
https://usn.ubuntu.com/3711-1/

Comment 6 David Walser 2018-07-24 18:26:48 CEST

SUSE has issued an advisory for this on July 23:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004300.html

Comment 7 David Walser 2018-08-02 17:08:33 CEST

openSUSE has issued an advisory on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00081.html

Comment 8 David Walser 2018-08-28 22:56:01 CEST

SUSE has issued an advisory on August 21:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004481.html

openSUSE has issued an advisory on August 25:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00136.html

Comment 9 David Walser 2018-08-31 19:05:18 CEST

SUSE has disabled Ghostscript in ImageMagick as they did with GraphicsMagick, due to issues that have been discussed on oss-security recently (see also Bug 23157 Comment 11):
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004508.html

Comment 10 David Walser 2018-09-04 20:07:58 CEST

(In reply to David Walser from comment #9)
> SUSE has disabled Ghostscript in ImageMagick as they did with
> GraphicsMagick, due to issues that have been discussed on oss-security
> recently (see also Bug 23157 Comment 11):
> http://lists.suse.com/pipermail/sle-security-updates/2018-August/004508.html

openSUSE has followed suit:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00009.html

Comment 11 David Walser 2018-10-10 00:42:30 CEST

Ubuntu has issued an advisory on October 4:
https://usn.ubuntu.com/3785-1/

Comment 12 David Walser 2018-10-12 23:54:32 CEST

openSUSE has issued advisories on September 24, October 5, and October 11:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00135.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00016.html
https://lists.opensuse.org/opensuse-updates/2018-10/msg00049.html

Comment 13 David Walser 2018-10-15 22:19:32 CEST

Debian has issued an advisory on October 12:
https://www.debian.org/security/2018/dsa-4316

Comment 14 David Walser 2018-10-17 22:51:45 CEST

openSUSE and SUSE have issued advisories today (October 17):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00089.html
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004682.html

Comment 15 David Walser 2018-10-23 17:00:00 CEST

openSUSE has issued an advisory on October 18:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00105.html

Comment 16 David Walser 2018-12-26 02:59:40 CET

openSUSE has issued an advisory on December 8:
https://lists.opensuse.org/opensuse-updates/2018-12/msg00039.html

Comment 17 Stig-Ørjan Smelror 2019-01-01 21:01:22 CET

Advisory
========

Imagemagick has been updated to fix several bugs and security issues.

References
==========

https://legacy.imagemagick.org/script/changelog.php

Files
=====

Uploaded to core/updates_testing

imagemagick-6.9.10.22-1.1.mga6
imagemagick-debuginfo-6.9.10.22-1.1.mga6
imagemagick-desktop-6.9.10.22-1.1.mga6
imagemagick-doc-6.9.10.22-1.1.mga6
lib64magick-6Q16_6-6.9.10.22-1.1.mga6
lib64magick++-6Q16_8-6.9.10.22-1.1.mga6
lib64magick-devel-6.9.10.22-1.1.mga6
perl-Image-Magick-6.9.10.22-1.1.mga6

from imagemagick-6.9.10.22-1.1.mga6.src.rpm

CC: (none) => smelror

Stig-Ørjan Smelror 2019-01-01 21:01:36 CET

Assignee: pkg-bugs => qa-bugs

Comment 18 Thomas Andrews 2019-01-03 15:57:15 CET

Packages have not yet reached the math.princeton mirror. Seems like it should have been long enough, but perhaps things were delayed because of the holiday. Will try again later.

CC: (none) => andrewsfarm

Comment 19 Thomas Andrews 2019-01-03 16:40:10 CET

Ah. It appears that the math.princeton mirror is broken at the moment. That is unfortunate.

Comment 20 Thomas Andrews 2019-01-03 17:08:02 CET

QA Repo did not find imagemagick-debuginfo-6.9.10.22-1.1.mga6 on the distrib-coffee mirror, but did find the rest.

On real hardware, Core 2 Duo, Intel graphics, 8GB RAM, 64-bit Plasma system using the desktop kernel.

Packages installed cleanly. Loaded a photo of a hot air balloon landing, played with special effects until the image was completely unrecognizable. No issues noted. OK for 64-bit.

Whiteboard: (none) => MGA6-64-OK

Comment 21 David Walser 2019-01-03 17:09:38 CET

The debuginfo packages are in a different repo, but QA doesn't need to worry about those.  We packagers shouldn't list them.

Comment 22 Thomas Andrews 2019-01-03 18:52:45 CET

Same hardware as Comment 20, 32-bit Xfce install using the server kernel.

There were no 32-bit libraries listed in Comment 17, but a little editing of the package list in QA Repo took care of that for this test.

Packages installed cleanly. Loaded a different photo, and again played with it until unrecognizable. No issues noted. Looks OK for 32-bit.

Validating. Suggested advisory in Comment 17, but the package list should be edited to include the 32-bit packages.

Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 David Walser 2019-01-03 19:19:37 CET

Don't worry about that.  The SVN advisory only has the SRPMS, not the binary packages.

Lewis Smith 2019-01-03 20:58:56 CET

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 24 Mageia Robot 2019-01-05 19:31:45 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0006.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.