Fedora has issued advisories on October 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6Z4EMB7JFEKIYRFRANRNDD7ZIIZP6T4Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCWBP5ZUZHIZXP7IFUEZIJG7Q3VLJXBV/

The issues are fixed upstream in 2.3.6. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210
Done for Cauldron and mga6 updating to latest 2.4.0 release!
Assigning to all packagers collectively, since the registered maintainer for gmic is most likely unavailable and there is no registered maintainer for cimg. CC'ing the gmic maintainer.
CC: (none) => marja11, matteo.pasotti
(In reply to David GEIGER from comment #1)
> Done for Cauldron and mga6 updating to latest 2.4.0 release!

Ouch, I keep overlooking your comments :-((((
But I also forgot to assign to all packagers....

I understand David Walser will write the advisory?
Assignee: bugsquad => luigiwalser
Advisory:
========================

Updated cimg and gmic packages fix security vulnerabilities:

An issue was discovered in CImg v.220. DoS occurs when loading a crafted bmp image that triggers an allocation failure in load_bmp in CImg.h (CVE-2018-7587).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image (CVE-2018-7588).

An issue was discovered in CImg v.220. A double free in load_bmp in CImg.h occurs when loading a crafted bmp image (CVE-2018-7589).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. This is in a "16 colors" case, aka case 4 (CVE-2018-7637).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. This is in a "256 colors" case, aka case 8 (CVE-2018-7638).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. This is in a "16 bits colors" case, aka case 16 (CVE-2018-7639).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. This is in a Monochrome case, aka case 1 (CVE-2018-7640).

An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. This is in a "32 bits colors" case, aka case 32 (CVE-2018-7641).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7637
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7641
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6Z4EMB7JFEKIYRFRANRNDD7ZIIZP6T4Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCWBP5ZUZHIZXP7IFUEZIJG7Q3VLJXBV/
========================

Updated packages in core/updates_testing:
========================

cimg-2.4.0-1.mga6
gmic-2.4.0-1.mga6
zart-2.4.0-1.mga6
gimp-plugin-gmic-2.4.0-1.mga6
libgmic2-2.4.0-1.mga6
libgmic-devel-2.4.0-1.mga6

from SRPMS:
cimg-2.4.0-1.mga6.src.rpm
gmic-2.4.0-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: luigiwalser => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e No installation issues. Tried to run zart on a jpeg file and apply the negative color preset to it. Zart runs, but after 15 min, it is still running but no preview shows up yet. This laptop is probably far too underpowered, but at least it does not crash or harm anything else.
CC: (none) => herman.viaene
Trying this for 64-bits.
Installed all the packages except lib(64)gmic2. Cannot be found.

$ urpmq -i lib64gmic2
No package named lib64gmic2
CC: (none) => tarazed25
Continuing this test with gmic to load images.
There is a stack of PoCs for this - crafted BMP files.
https://github.com/xiaoqx/pocs/tree/master/cimg

Looks like these should all be tested with cimgload, but...

$ cimgload cimg-crash-1
bash: cimgload: command not found

Is this because the library is missing?

$ urpmq -i lib64gmic1
Name        : lib64gmic1
Version     : 2.0.0
Release     : 2.mga6
Group       : System/Libraries
Size        : 11190488
Architecture: x86_64
Source RPM  : gmic-2.0.0-2.mga6.src.rpm
URL         : http://gmic.eu/
Summary     : Library for gmic
Description :
This package contains the library needed to run programs dynamically linked with gmic.

# urpmi lib64gmic1
Package lib64gmic1-2.0.0-2.mga6.x86_64 is already installed

$ cimgload cimg-crash-1
bash: cimgload: command not found

[root@difda lib64]# ls -l *gmic*
lrwxrwxrwx 1 root root      13 Jun  5  2017 libcgmic.so -> libcgmic.so.2*
lrwxrwxrwx 1 root root      15 Jun  5  2017 libcgmic.so.1 -> libcgmic.so.200*
lrwxrwxrwx 1 root root      15 Jun  5  2017 libcgmic.so.2 -> libcgmic.so.200*
-rwxr-xr-x 1 root root 5638392 Jun  5  2017 libcgmic.so.200*
lrwxrwxrwx 1 root root      12 Jun  5  2017 libgmic.so -> libgmic.so.2*
lrwxrwxrwx 1 root root      14 Jun  5  2017 libgmic.so.1 -> libgmic.so.200*
lrwxrwxrwx 1 root root      14 Jun  5  2017 libgmic.so.2 -> libgmic.so.200*
-rwxr-xr-x 1 root root 5552096 Jun  5  2017 libgmic.so.200*

The only command in bin is gmic and the documentation on that is extensive. Running gmic starts the G'MIC interpreter. By itself it brings up a gui containing a menu of demonstrations which might suffice for testing the package. In command line mode it can be used to display or otherwise load images so that is how we should test the PoCs.

Before update:
--------------------------------------------------------------------------------
Note that there is uncertainty here about which CVEs are which - tried to align them but abandoned the task.

$ gmic cimg-crash-1
[gmic]-0./ *** Error *** [instance(0,0,0,0,(nil),non-shared)] gmic<float>::assign(): Failed to allocate memory (384.0 Gio) for image (1073741856,32,1,3).

$ gmic cimg-dos-load_bmp-1
[gmic] G'MIC encountered a fatal error (Segmentation fault).
Please submit a bug report, at: https://github.com/dtschump/gmic-community/issues

$ gmic cimg-double-free-1
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-double-free-1' at position 0
*** Error in `gmic': malloc(): memory corruption: 0x0000000001963b40 ***
======= Backtrace: =========
[...]
7f83197cf000-7f83197eb000 r--p 0008c000 08:02 271177 /usr/lib64/libvorbisenc.so.2.0.11
Aborted (core dumped)

$ gmic cimg-heap-overflow-1
[gmic] G'MIC encountered a fatal error (Segmentation fault).
Please submit a bug report, at: https://github.com/dtschump/gmic-community/issues

$ gmic cimg-heap-overflow-load_bmp-48378
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48378'.
[0] = 'cimg-heap-overflow-load_bmp-48378':
  size = (6,11,1,3) [792 b of floats].
  data = (3,3,3,3,3,3;3,3,3,3,3,3;(...),18,18,18,18,18,18;18,234,18,18,18,18).
  min = 0, max = 234, mean = 12.1515, std = 32.211, coords_min = (1,2,0,0), coords_max = (1,2,0,2).

$ gmic cimg-heap-overflow-load_bmp-48378
This displays an image, a black rectangle with three small coloured boxes down the left-hand side.

$ gmic cimg-heap-overflow-load_bmp-48397
This also displays an image without any error messages.

$ gmic cimg-heap-overflow-load_bmp-48413
This hangs without displaying anything.

$ gmic cimg-heap-overflow-load_bmp-48427
[gmic] G'MIC encountered a fatal error (Segmentation fault).
Please submit a bug report, at: https://github.com/dtschump/gmic-community/issues
CVE-2018-7588*

$ gmic cimg-heap-overflow-load_bmp-48457
[gmic] G'MIC encountered a fatal error (Segmentation fault).
Please submit a bug report, at: https://github.com/dtschump/gmic-community/issues
Continuing from comment #8.

Updated to:
- cimg-2.4.0-1.mga6.x86_64
- gimp-plugin-gmic-2.4.0-1.mga6.x86_64
- gmic-2.4.0-1.mga6.x86_64
- lib64gmic-devel-2.4.0-1.mga6.x86_64
- lib64gmic2-2.4.0-1.mga6.x86_64
- zart-2.4.0-1.mga6.x86_64

file /usr/lib64/libgmic.so.2 from install of lib64gmic2-2.4.0-1.mga6.x86_64 conflicts with file from package lib64gmic1-2.0.0-2.mga6.x86_64

Backed out and removed lib64gmic1 which removed four of the newly installed packages. Reinstalled those one by one.

After update
------------------------------------------------------------------------------
Tested the PoCs without identifying specific CVEs. Not enough information upstream to sort them out. And, 9 PoC files for 8 CVEs. Sometimes the names give a pointer to the address where failures occur but even that is not enough of a clue for certainty.

1) $ gmic cimg-crash-1
Same message as before.

2) $ gmic cimg-dos-load_bmp-1
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-dos-load_bmp-1' at position 0 (1 image 16416x65504x1x3).
[gmic]-1./ Display image [0] = 'cimg-dos-load_bmp-1'.
[0] = 'cimg-dos-load_bmp-1':
  size = (16416,65504,1,3) [12305 Mio of floats].
  data = (0,0,0,0,0,0,0,0,0,0,0,0,(...),0,0,0,0,0,0,0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
This generated a large narrow vertical black rectangle.

3) $ gmic cimg-double-free-1
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-double-free-1' at position 0 (1 image 33x32x1x3).
[gmic]-1./ Display image [0] = 'cimg-double-free-1'.
[0] = 'cimg-double-free-1':
  size = (33,32,1,3) [12 Kio of floats].
  data = (18,255,255,255,255,255,255,255,255,255,255,255,(...),0,255,255,255,255,255,255,255,255,255,255,255).
  min = 0, max = 255, mean = 180.133, std = 115.078, coords_min = (28,0,0,0), coords_max = (1,0,0,0).
Generated an image of random-length red and black bars on a white background.

4) $ gmic cimg-heap-overflow-1
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-1' at position 0 (1 image 16416x65504x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-1'.
[0] = 'cimg-heap-overflow-1':
  size = (16416,65504,1,3) [12305 Mio of floats].
  data = (0,0,0,0,0,0,0,0,0,0,0,0,(...),0,0,0,0,0,0,0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
This generated the same image as test 2. The test images are the same size, just 56 bytes so it is likely that they are identical. diff gives zero.

5) $ gmic cimg-heap-overflow-load_bmp-48378
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-load_bmp-48378' at position 0 (1 image 6x11x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48378'.
[0] = 'cimg-heap-overflow-load_bmp-48378':
  size = (6,11,1,3) [792 b of floats].
  data = (0,0,0,0,0,0;0,0,0,0,0,0;(...),0,0,0,0,0,0;0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
Medium sized vertical black rectangle.

6) $ gmic cimg-heap-overflow-load_bmp-48397
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-load_bmp-48397' at position 0 (1 image 32x32x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48397'.
[0] = 'cimg-heap-overflow-load_bmp-48397':
  size = (32,32,1,3) [12 Kio of floats].
  data = (0,0,0,0,0,0,0,0,0,0,0,0,(...),0,0,0,0,0,0,0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
Displays a black square.

7) $ gmic cimg-heap-overflow-load_bmp-48413
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-load_bmp-48413' at position 0 (1 image 5x385875966x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48413'.
[0] = 'cimg-heap-overflow-load_bmp-48413':
  size = (5,385875966,1,3) [22079 Mio of floats].
  data = (0,0,0,0,0;0,0,0,0,0;0,0,(...),0,0;0,0,0,0,0;0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
Same image as test 2 but the files are different.

8) $ gmic cimg-heap-overflow-load_bmp-48427
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-load_bmp-48427' at position 0 (1 image 268435457x2x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48427'.
[0] = 'cimg-heap-overflow-load_bmp-48427':
  size = (268435457,2,1,3) [6144 Mio of floats].
  data = (0,0,0,0,0,0,0,0,0,0,0,0,(...),0,0,0,0,0,0,0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
Displays a large horizontal black rectangle.

9) $ gmic cimg-heap-overflow-load_bmp-48457
[gmic]-0./ Start G'MIC interpreter.
[gmic]-0./ Input file 'cimg-heap-overflow-load_bmp-48457' at position 0 (1 image 402656015x1x1x3).
[gmic]-1./ Display image [0] = 'cimg-heap-overflow-load_bmp-48457'.
[0] = 'cimg-heap-overflow-load_bmp-48457':
  size = (402656015,1,1,3) [4608 Mio of floats].
  data = (0,0,0,0,0,0,0,0,0,0,0,0,(...),0,0,0,0,0,0,0,0,0,0,0,0).
  min = 0, max = 0, mean = 0, std = 0, coords_min = (0,0,0,0), coords_max = (0,0,0,0).
Image similar to that in test 8.

Conclusion: The PoC tests are largely successful. It is a pity that we cannot match them to the CVEs with any confidence. There seems to be a packaging problem regarding the main library. It does not update cleanly - there is a change of name.
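The PoCs exercised in the two comments above are BMP files whose headers push load_bmp into oversized allocations or reads past the end of the buffer (the 56-byte files claiming 16416x65504 pixels, the image gmic refused to allocate at 1073741856x32). The following is an added example written for this page, not code from CImg, G'MIC or the upstream 2.3.6 fix: a BMP header sanity check in C of the kind a loader should run before it allocates the image or touches the palette or pixel rows. The error codes, function names and the three sample files it builds are this example's own (constructed here, with the 16416x65504 case mirroring the dimensions gmic reported for the PoCs); it illustrates the class of checks, not the specific CVE fixes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BMP_FILE_HDR 14   /* BITMAPFILEHEADER */
#define BMP_DIB_MIN  40   /* BITMAPINFOHEADER */

/* Result codes are this example's own; they are not CImg's error handling. */
enum bmp_status { BMP_OK = 0, BMP_ERR_SHORT, BMP_ERR_MAGIC, BMP_ERR_UNSUPPORTED,
                  BMP_ERR_DIMS, BMP_ERR_PALETTE, BMP_ERR_LAYOUT, BMP_ERR_TRUNCATED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the headers of an in-memory, uncompressed BMP before any allocation
   or pixel read. Little-endian fields are decoded byte by byte. */
enum bmp_status bmp_check(const uint8_t *buf, size_t len)
{
    if (len < BMP_FILE_HDR + BMP_DIB_MIN) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t pixel_off   = rd32(buf + 10);
    uint32_t dib_size    = rd32(buf + 14);
    int32_t  width       = (int32_t)rd32(buf + 18);
    int32_t  height      = (int32_t)rd32(buf + 22);   /* negative = top-down rows */
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    uint32_t colors      = rd32(buf + 46);            /* palette entries, 0 = 2^bpp */

    if (dib_size < BMP_DIB_MIN || dib_size > len - BMP_FILE_HDR) return BMP_ERR_SHORT;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_ERR_UNSUPPORTED;
    if (compression != 0) return BMP_ERR_UNSUPPORTED;          /* BI_RGB only */
    if (width <= 0 || height == 0 || height == INT32_MIN) return BMP_ERR_DIMS;
    uint64_t abs_h = (uint64_t)(height < 0 ? -(int64_t)height : height);

    /* Indexed formats (the 1/4/8-bit "monochrome", "16 colors", "256 colors"
       cases) carry 4-byte palette entries between the DIB header and the pixels. */
    uint64_t palette_bytes = 0;
    if (bpp <= 8) {
        uint64_t max_entries = 1ull << bpp;
        if (colors == 0) colors = (uint32_t)max_entries;
        if (colors > max_entries) return BMP_ERR_PALETTE;
        palette_bytes = (uint64_t)colors * 4;
    }
    uint64_t headers_end = (uint64_t)BMP_FILE_HDR + dib_size + palette_bytes;
    if (pixel_off > len) return BMP_ERR_TRUNCATED;
    if (pixel_off < headers_end) return BMP_ERR_LAYOUT;

    /* Rows are padded to 4 bytes. Do the size arithmetic in 64 bits so a hostile
       width*bpp cannot wrap, and compare against what the file actually holds. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (abs_h > UINT64_MAX / stride) return BMP_ERR_DIMS;
    uint64_t need = stride * abs_h;
    if (need > (uint64_t)len - pixel_off) return BMP_ERR_TRUNCATED;
    return BMP_OK;
}

/* Write 54 bytes of BITMAPFILEHEADER + BITMAPINFOHEADER (constructed test input). */
static void put_headers(uint8_t *b, int32_t w, int32_t h, uint16_t bpp, uint32_t pixel_off, uint32_t colors)
{
    memset(b, 0, BMP_FILE_HDR + BMP_DIB_MIN);
    b[0] = 'B'; b[1] = 'M';
    wr32(b + 10, pixel_off); wr32(b + 14, BMP_DIB_MIN);
    wr32(b + 18, (uint32_t)w); wr32(b + 22, (uint32_t)h);
    wr16(b + 26, 1); wr16(b + 28, bpp); wr32(b + 46, colors);
}

/* Constructed sample: a well-formed 2x2 24-bpp image (two 8-byte padded rows). */
enum bmp_status demo_good(void) {
    uint8_t buf[54 + 16] = {0};
    put_headers(buf, 2, 2, 24, 54, 0);
    return bmp_check(buf, sizeof buf);
}

/* Constructed sample in the spirit of the 56-byte PoCs: the header claims
   16416x65504 24-bpp pixels (about 3.2 GB) that are not in the file. */
enum bmp_status demo_huge_dims(void) {
    uint8_t buf[56] = {0};
    put_headers(buf, 16416, 65504, 24, 54, 0);
    return bmp_check(buf, sizeof buf);
}

/* Constructed sample: 4-bpp image whose pixel offset (54) leaves no room for the
   16-entry palette its header implies, so a naive reader would overlap the two. */
enum bmp_status demo_palette_overlap(void) {
    uint8_t buf[54 + 64 + 4] = {0};
    put_headers(buf, 1, 1, 4, 54, 0);
    return bmp_check(buf, sizeof buf);
}
```

Run against the constructed 56-byte file, the size check rejects it as truncated before any allocation happens; the same arithmetic would flag the 1073741856x32 image that gmic refused to allocate in the before-update run. The palette check is what turns the "16 colors" style of file into a clean error instead of a read past the end of the buffer.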
Continuing from comment #9.

Used the gmic test display to exercise the library. Played a few games and watched some of the displays.

zart presented a window for developing "art" from a source image or video file. There was also a window to echo the underlying script commands. There is a snapshot button. Switched to fullscreen and back with Esc. Other than that I have no idea how to proceed. The package appears to be working.

Withholding the 64-bit OK in case somebody thinks the packaging problem should be fixed first.
@Len for zart: Maximize the window, then all buttons appear more clearly. At the right side, select image (e.g.) instead of Video, click the "Open" button, select a picture. Then select some effect and then click "Apply" on the left lower side. I would expect to see a preview of the applied effect.
@Herman: Thanks - shall give it a go. And OT, good to see you back in the saddle.
Back to zart. Selected a picture of a Scottish waterfall, then presets -> artistic -> cartoon, then apply, and nothing changed. Preview mode was Right. The G'MIC program window showed this: fx_cartoon_preview $"*" Pressed the play button, which started the processing - a black rectangle appeared at the right lower corner of the screen and the application segfaulted. ?? Tried again with another colour image and chose the black and white -> inkwash effect and hit play then stopped it after a few seconds and the image changed to a greyscale one which looked fine. So it looks like it works but you may have to avoid certain filters. In another test successfully added drops of water to a picture of a face. Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Confirming the packaging problem noted in Comment 9.

First installed the packages to be tested on a 64-bit Plasma system. All packages installed cleanly. Then activated testing repositories and attempted to update the packages, receiving the following message:

"1 installation transactions failed

There was a problem during the installation:

file /usr/lib64/libcgmic.so.2 from install of lib64gmic2-2.4.0-1.mga6.x86_64 conflicts with file from package lib64gmic1-2.0.0-2.mga6.x86_64

file /usr/lib64/libgmic.so.2 from install of lib64gmic2-2.4.0-1.mga6.x86_64 conflicts with file from package lib64gmic1-2.0.0-2.mga6.x86_64"

This conflict needs to be resolved.
CC: (none) => andrewsfarm
Removing the 64-bit OK because the package conflict is with the 64-bit packages.
Whiteboard: MGA6-64-OK => (none)
(In reply to Thomas Andrews from comment #14)
> Confirming the packaging problem noted in Comment 9.
>
> First installed the packages to be tested on a 64-bit Plasma system. All
> packages installed cleanly. Then activated testing repositories and
> attempted to update the packages, receiving the following message:
>
> "1 installation transactions failed
>
> There was a problem during the installation:
>
> file /usr/lib64/libcgmic.so.2 from install of lib64gmic2-2.4.0-1.mga6.x86_64
> conflicts with file from package lib64gmic1-2.0.0-2.mga6.x86_64
>
> file /usr/lib64/libgmic.so.2 from install of lib64gmic2-2.4.0-1.mga6.x86_64
> conflicts with file from package lib64gmic1-2.0.0-2.mga6.x86_64"
>
> This conflict needs to be resolved.

The conflict exists in 32-bit as well. Doing the same test as described above, only on a 32-bit Plasma install, and I see the same message.

I forgot to note in Comment 14 that I did not install the devel package, as I believe most users would not, as well.
libgmic2 should conflict and obsolete libgmic1. Under normal circumstances we wouldn't do that, but libgmic1 was packaged incorrectly and should have already been called libgmic2.
Keywords: (none) => feedback
Well, whatever it should do, it's not doing it. Mageia Update refuses to update these packages as they are now.
Should be fixed in next gmic-2.4.0-1.1.mga6
Keywords: feedback => (none)
Packages now install properly, though I did get the message that the conflicting library needed to be removed three times as I cherry-picked the packages I was to install. That's not likely to happen to most users. Restoring the 64-bit OK. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
(In reply to Thomas Andrews from comment #20)
> Packages now install properly, though I did get the message that the
> conflicting library needed to be removed three times as I cherry-picked the
> packages I was to install. That's not likely to happen to most users.
>
> Restoring the 64-bit OK. Validating. Advisory in Comment 4.

Nope, unvalidating...

Enduser should not see the "package need to be removed..."

So it still is missing the obsoletes David pointed out in comment 17
Keywords: validated_update => feedback
CC: (none) => tmb
(In reply to Thomas Backlund from comment #21)
> (In reply to Thomas Andrews from comment #20)
> > Packages now install properly, though I did get the message that the
> > conflicting library needed to be removed three times as I cherry-picked the
> > packages I was to install. That's not likely to happen to most users.
> >
> > Restoring the 64-bit OK. Validating. Advisory in Comment 4.
>
> Nope, unvalidating...
>
> Enduser should not see the "package need to be removed..."
>
> So it still is missing the obsoletes David pointed out in comment 17

Lesson learned. I will file that bit of information away for future reference. Thanks.
Ok, the obsoletes added now!

Updated packages in 6/core/updates_testing:
========================

gmic-2.4.0-1.2.mga6
zart-2.4.0-1.2.mga6
gimp-plugin-gmic-2.4.0-1.2.mga6
libgmic2-2.4.0-1.2.mga6
libgmic-devel-2.4.0-1.2.mga6

from SRPMS:
gmic-2.4.0-1.2.mga6.src.rpm
Trying again... Packages install cleanly now in 64-bit. Decided to try my hand with Zart, and loaded a personal photo of the hot air balloon "B Happy." Tried Herman's advice from Comment 11, but clicking on "Apply" seemed to do nothing. Hovering over an arrow at the bottom of the gui showed the tooltip "Launch processing." Clicking on that produced previews of several effects, in turn. Looks like this is OK now, to me anyway. Removing feedback notice, restoring 64-bit OK, and re-validating. Advisory in Comment 4, with updated package numbers in Comment 23.
Keywords: feedback => validated_update
Whiteboard: (none) => MGA6-64-OK
Looks good, pushing
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0438.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED