Bug 25256 - graphicsmagick 1.3.33 fixes security issues
Summary: graphicsmagick 1.3.33 fixes security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 25257
Depends on:
Blocks:
 
Reported: 2019-08-10 18:04 CEST by Stig-Ørjan Smelror
Modified: 2019-08-31 15:24 CEST

See Also:
Source RPM:
CVE:
Status comment:


Description Stig-Ørjan Smelror 2019-08-10 18:04:16 CEST
Advisory
========

This is a security and bugfix update.

References
==========

http://www.graphicsmagick.org/NEWS.html#july-20-2019

Files
=====

Uploaded to core/updates_testing

graphicsmagick-1.3.33-1.mga7
lib64graphicsmagick3-1.3.33-1.mga7
lib64graphicsmagick++12-1.3.33-1.mga7
lib64graphicsmagickwand2-1.3.33-1.mga7
lib64graphicsmagick-devel-1.3.33-1.mga7
perl-Graphics-Magick-1.3.33-1.mga7
graphicsmagick-doc-1.3.33-1.mga7

from graphicsmagick-1.3.33-1.mga7.src.rpm
Stig-Ørjan Smelror 2019-08-10 18:05:52 CEST

Assignee: smelror => qa-bugs

Comment 1 Stig-Ørjan Smelror 2019-08-10 18:10:58 CEST
*** Bug 25257 has been marked as a duplicate of this bug. ***
Comment 2 Stig-Ørjan Smelror 2019-08-10 18:11:39 CEST
Advisory
========

This is a security and bugfix update.

References
==========

http://www.graphicsmagick.org/NEWS.html#july-20-2019

Files
=====

Uploaded to core/updates_testing

graphicsmagick-1.3.33-1.mga6
lib64graphicsmagick3-1.3.33-1.mga6
lib64graphicsmagick++12-1.3.33-1.mga6
lib64graphicsmagickwand2-1.3.33-1.mga6
lib64graphicsmagick-devel-1.3.33-1.mga6
perl-Graphics-Magick-1.3.33-1.mga6
graphicsmagick-doc-1.3.33-1.mga6

from graphicsmagick-1.3.33-1.mga6.src.rpm

Whiteboard: (none) => MGA6TOO

David Walser 2019-08-11 18:05:49 CEST

Summary: Update Candidate mga7: GraphicsMagic 1.3.33 => graphicsmagick 1.3.33 fixes security issues
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 3 Len Lawrence 2019-08-12 20:47:20 CEST
mga7, x86_64

Shall test this later, mga6 too.  Spending some time chasing up the clusterfuzz security issues (6 listed between 2018-08-28 and 2019-04-28).

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-08-12 21:21:32 CEST
Hmm.  It looks like there are no straightforward Proofs of Concept for these issues.  The test cases are designed to be run within the clusterfuzz framework which involves a local build with ASAN run in a docker container by the look of it.  Certainly not worth our following up.  So all QA can do is exercise the GM utilities, as per usual.  Later.
Comment 5 Len Lawrence 2019-08-13 12:52:40 CEST
mga7, x86_64

Installed the packages.
$ gm version
GraphicsMagick 1.3.33 2019-07-20 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
[...]
Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
[...]

$ gm import screenshot.png
$ eom screenshot.png
Perfect copy.

$ gm convert -rotate 90 harbour.tif harbour90.jpg
$ gm display harbour90.jpg
Picture rotated 90° clockwise.

Create an image stack.
$ ./gmtest.pl
$ ll frames.gif
-rw-r--r-- 1 lcl lcl 10120013 Aug 13 11:09 frames.gif
$ gm animate frames.gif
Displays four images in quick succession.
$ gm animate -delay 100 frames.gif
Continuous loop, 1 frame per second.

$ cat gmtest.pl
#!/bin/env perl
# http://www.graphicsmagick.org/perl.html#example-script
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('frame1.png', 'frame2.png', 'frame3.png', 'frame4.png');
warn "$status" if "$status";
$status = $image->Write('frames.gif');
warn "$status" if "$status";

$ gm montage frame*.png frames.jpg
$ gm display frames.jpg
Shows a mosaic of 12 thumbnail images.

$ gm montage frame*.gif frames.gif
$ gm display frames.gif
Mosaic of 13 GIFs in a 6x3 arrangement.

Shrink an image, overwriting the original.
$ gm identify MartianCrater.tif 
MartianCrater.tif TIFF 1638x1410+0+0 DirectClass 8-bit 1.9Mi 0.000u 0m:0.000005s
$ gm mogrify -resize 50% MartianCrater.tif
gm mogrify: MartianCrater.tif: Invalid tag "BadFaxLines" (not supported by codec). (_TIFFVGetField).
$ gm identify MartianCrater.tif 
MartianCrater.tif TIFF 819x705+0+0 DirectClass 8-bit 585.0Ki 0.000u 0m:0.000005s

The BadFaxLines issue has been part of the TIFF processing functions forever.  It is not a regression and does not seem to affect the quality of the images.

More perl code.
$ cat graffiti.pl
#!/bin/env perl
use Graphics::Magick;
my($image, $p, $q);
$image = Graphics::Magick->new;
$image->Set(size=>'100x100');
$image->ReadImage('xc:white');
#$image->Set('pixel[49,49]'=>'red');
$image->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$image->Write('x.ppm');
undef $image;    
$p = Graphics::Magick->new;
$p->Read('J*.ppm');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 120,120');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'21,21 119,119');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'22,22 118,118');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'23,23 117,117');
$p->Write('xyz.ppm');
undef $p;

$ perl graffiti.pl
$ gm display x.ppm
Generates an image of a white square with a superimposed red square.
$ gm display xyz.ppm
Resulting image is the original with a red square in one corner.

Good enough for 64-bits.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 6 Len Lawrence 2019-08-13 13:31:11 CEST
mga6, x86_64

Updated the packages and ran a batch of tests similar to or the same as those detailed in comment 5, with similar results.

This is good for 64-bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6-64-OK MGA7-64-OK

Thomas Backlund 2019-08-18 11:26:13 CEST

CC: (none) => tmb
Whiteboard: MGA6-64-OK MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Thomas Backlund 2019-08-31 12:45:13 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2019-08-31 15:24:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0228.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

