Ubuntu has issued an advisory on June 25: https://usn.ubuntu.com/4034-1/ We may have addresses some or all of these issues already, but some of the newer CVEs that we haven't specifically mentioned are: CVE-2019-10131 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-11598 CVE-2019-7175 CVE-2019-7395 CVE-2019-7396 and there may be more from openSUSE/SUSE advisories, which I haven't gotten to in a few months.
Whiteboard: (none) => MGA6TOO
Assigning to our registered imagemagick maintainer.
Assignee: bugsquad => smelrorCC: (none) => marja11
Ubuntu has issued an advisory on November 14: https://usn.ubuntu.com/4192-1/ It fixes: CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13135 CVE-2019-13137 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13135 CVE-2019-13137 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-13310 CVE-2019-13311 CVE-2019-13391 CVE-2019-13454 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-16708 CVE-2019-16709 CVE-2019-16710 CVE-2019-16711 CVE-2019-16713 CVE-2019-13310 CVE-2019-13311 CVE-2019-13391 CVE-2019-13454 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-16708 CVE-2019-16709 CVE-2019-16710 CVE-2019-16711 CVE-2019-16713
Just starting to work through openSUSE advisories. These two CVEs are new: CVE-2019-11505 CVE-2019-11506 from June 24: https://lists.opensuse.org/opensuse-updates/2019-06/msg00115.html
CVE-2019-13133 CVE-2019-13134 CVE-2019-13136 CVE-2019-13296 CVE-2019-13298 CVE-2019-13299 CVE-2019-13302 CVE-2019-13303: https://lists.opensuse.org/opensuse-updates/2019-08/msg00168.html
CVE-2019-14980 CVE-2019-15141 CVE-2019-16712: https://lists.opensuse.org/opensuse-updates/2019-11/msg00092.html
CVE-2019-19948, CVE-2019-19949: https://www.debian.org/lts/security/2019/dla-2049
(In reply to David Walser from comment #6) > CVE-2019-19948, CVE-2019-19949: > https://www.debian.org/lts/security/2019/dla-2049 https://lists.opensuse.org/opensuse-updates/2020-02/msg00019.html
CC: (none) => mageiaWhiteboard: MGA6TOO => (none)
(In reply to David Walser from comment #6) > CVE-2019-19948, CVE-2019-19949: > https://www.debian.org/lts/security/2019/dla-2049 https://ubuntu.com/security/notices/USN-4549-1
CVE-2020-27560: https://lists.suse.com/pipermail/sle-security-updates/2020-November/007699.html Fixed upstream in 7.0.10-35.
(In reply to David Walser from comment #9) > CVE-2020-27560: > https://lists.suse.com/pipermail/sle-security-updates/2020-November/007699. > html > > Fixed upstream in 7.0.10-35. https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00037.html
ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-27560
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-27560
Cauldron has version 7.0.10-46.
Mageia 7 has been in need of an update for a while now.
(In reply to David Walser from comment #14) > Mageia 7 has been in need of an update for a while now. Are you thinking about the latest 7.0.8-x version or latest 7.0.10-x?
Whatever will fix the issues documented above.
Ubuntu has issued an advisory for this on December 15: https://ubuntu.com/security/notices/USN-4670-1
CVE-2020-29599: https://access.redhat.com/errata/RHSA-2021:0024
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-27560 => (none)CVE: CVE-2020-27560 => (none)
(In reply to David Walser from comment #18) > CVE-2020-29599: > https://access.redhat.com/errata/RHSA-2021:0024 This one is high severity, fixed in 6.9.11-40 and 7.0.10-40. We need to finally do an imagemagick update for Mageia 7.
Severity: normal => critical
7.0.10-55 pushed in mga 7
bumping libmajor will cause several packages to need rebuild iirc
Yes, that's correct. It's a real pain, but one we've dealt with once before. I wish upstream would do a better job with ABI stability.
To be rebuilt: abydos-0.1.3-2.mga7.src.rpm converseen-0.9.7.2-2.mga7.src.rpm libopenshot-2.4.4-2.mga7.src.rpm mgba-0.6.3-5.mga7.src.rpm pfstools-2.1.0-13.mga7.src.rpm php-imagick-3.4.4-1.mga7.src.rpm sk1-2.0-0.rc3.5.mga7.src.rpm synfig-1.2.2-1.mga7.src.rpm uniconvertor-2.0-0.1.rc3_20171226.2.mga7.src.rpm xine-lib1.2-1.2.9-9.mga7.src.rpm abydos and xine-lib1.2 are also in tainted, so they need rebuilt too.
(In reply to Nicolas Lécureuil from comment #20) > 7.0.10-55 pushed in mga 7 dont forget the tainted build...
transcode (from tainted) also need to be rebuilt.
CC: (none) => nicolas.salguero
all rebuilds started.
Updated packages in core/updates_testing: ======================== imagemagick-7.0.10.55-1.mga8 imagemagick-desktop-7.0.10.55-1.mga8 libmagick-7Q16HDRI_8-7.0.10.55-1.mga8 libmagick++-7Q16HDRI_4-7.0.10.55-1.mga8 libmagick-devel-7.0.10.55-1.mga8 perl-Image-Magick-7.0.10.55-1.mga8 imagemagick-doc-7.0.10.55-1.mga8 libabydos0.1_0-0.1.3-2.1.mga7 libabydos0.1-devel-0.1.3-2.1.mga7 converseen-0.9.7.2-2.1.mga7 libopenshot17-2.4.4-2.1.mga7 libopenshot-devel-2.4.4-2.1.mga7 python3-libopenshot-2.4.4-2.1.mga7 mgba-0.6.3-5.1.mga7 mgba-qt-0.6.3-5.1.mga7 libmgba0.6-0.6.3-5.1.mga7 pfstools-2.1.0-13.1.mga7 pfscalibration-2.1.0-13.1.mga7 pfstmo-2.1.0-13.1.mga7 libpfstools2-2.1.0-13.1.mga7 pfstools-qt-2.1.0-13.1.mga7 pfstools-glview-2.1.0-13.1.mga7 pfstools-exr-2.1.0-13.1.mga7 pfstools-yuy-2.1.0-13.1.mga7 pfstools-imgmagick-2.1.0-13.1.mga7 pfstools-octave-2.1.0-13.1.mga7 libpfstools-devel-2.1.0-13.1.mga7 php-imagick-3.4.4-1.1.mga7 sk1-2.0-0.rc3.5.1.mga7 synfig-1.2.2-1.1.mga7 libsynfig0-1.2.2-1.1.mga7 libsynfig-devel-1.2.2-1.1.mga7 uniconvertor-2.0-0.1.rc3_20171226.2.1.mga7 xine1.2-common-1.2.9-9.1.mga7 libxine2-1.2.9-9.1.mga7 libxine1.2-devel-1.2.9-9.1.mga7 Updated packages in tainted/updates_testing: ======================== imagemagick-7.0.10.55-1.mga7.tainted imagemagick-desktop-7.0.10.55-1.mga7.tainted libmagick-7Q16HDRI_8-7.0.10.55-1.mga7.tainted libmagick++-7Q16HDRI_4-7.0.10.55-1.mga7.tainted libmagick-devel-7.0.10.55-1.mga7.tainted perl-Image-Magick-7.0.10.55-1.mga7.tainted imagemagick-doc-7.0.10.55-1.mga7.tainted libabydos0.1_0-0.1.3-2.1.mga7.tainted libabydos0.1-devel-0.1.3-2.1.mga7.tainted xine1.2-common-1.2.9-9.1.mga7.tainted libxine2-1.2.9-9.1.mga7.tainted libxine1.2-devel-1.2.9-9.1.mga7.tainted transcode-1.1.7-23.1.mga7.tainted from SRPMS: imagemagick-7.0.10.55-1.mga7.src.rpm imagemagick-7.0.10.55-1.mga7.tainted.src.rpm abydos-0.1.3-2.1.mga7.src.rpm abydos-0.1.3-2.1.mga7.tainted.src.rpm converseen-0.9.7.2-2.1.mga7.src.rpm libopenshot-2.4.4-2.1.mga7.src.rpm mgba-0.6.3-5.1.mga7.src.rpm pfstools-2.1.0-13.1.mga7.src.rpm php-imagick-3.4.4-1.1.mga7.src.rpm sk1-2.0-0.rc3.5.1.mga7.src.rpm synfig-1.2.2-1.1.mga7.src.rpm uniconvertor-2.0-0.1.rc3_20171226.2.1.mga7.src.rpm xine-lib1.2-1.2.9-9.1.mga7.src.rpm xine-lib1.2-1.2.9-9.1.mga7.tainted.src.rpm transcode-1.1.7-23.1.mga7.tainted.src.rpm
Assignee: smelror => qa-bugs
Advisory: ======================== Updated imagemagick packages fix security vulnerabilities: The imagemagick package has been updated to version 7.0.10-55, fixing several security issues. The abydos, converseen, libopenshot, mgba, pfstools, php-imagick, sk1, synfig, transcode, uniconvertor, and xine-lib1.2 packages have been rebuilt against the updated libmagick library. References: https://github.com/ImageMagick/ImageMagick/blob/eaf760145905caaf45e8856d646f9c36003af0cd/ChangeLog
Will we be seeing CVEs with respect to new security issues only? Just wondering if QA would have to deal with the whole Ubuntu list.
CC: (none) => tarazed25
I would just do a basic functionality test. The update fixes the CVEs it fixes and doesn't fix ones that it doesn't (if any unfixed CVEs exist for ImageMagick). I also don't have time to go back and see which ones were fixed between 7.0.8-62 and 7.0.10-55, and we're not listing them in the advisory. It doesn't help that upstream doesn't include them in the changelog or have a page that maps CVEs to versions (like MariaDB has, for instance), at least that I'm aware of.
Fair enough David. I had thought of checking back on our test history myself but as you imply one life is not long enough and we all have enough to do.
The upstream URL in package uniconvertor seem wrong. I think it should be https://sk1project.net/uc2/
CC: (none) => fri
Yikes, thanks. Fixed in Cauldron.
Err, fixed in SVN. The package has to be dropped in Cauldron because it's still python2-only and pycairo is gone.
ISO size is also about download time, and the size it eats from persistence space. Maybe as a wiki page based community effort we could create a configuration for Draklive2 to create a minimal Live base, with option to add lists of tools.
wrong bug..
mga7, x64 Tainted versions installed here. Downgraded all the packages to release versions, where possible. Updated using MageiaUpdate. The following 33 packages are going to be installed: - imagemagick-7.0.10.55-1.mga7.x86_64 - imagemagick-desktop-7.0.10.55-1.mga7.x86_64 - imagemagick-doc-7.0.10.55-1.mga7.noarch - lib64abydos0.1-devel-0.1.3-2.1.mga7.x86_64 - lib64abydos0.1_0-0.1.3-2.1.mga7.x86_64 - lib64ass-devel-0.15.0-1.mga7.x86_64 - lib64ass9-0.15.0-1.mga7.x86_64 - lib64magick++-7Q16HDRI_4-7.0.10.55-1.mga7.x86_64 - lib64magick-7Q16HDRI_8-7.0.10.55-1.mga7.x86_64 - lib64magick-devel-7.0.10.55-1.mga7.x86_64 - lib64mgba0.6-0.6.3-5.1.mga7.x86_64 - lib64openshot-devel-2.4.4-2.1.mga7.x86_64 - lib64openshot17-2.4.4-2.1.mga7.x86_64 - lib64synfig-devel-1.2.2-1.1.mga7.x86_64 - lib64synfig0-1.2.2-1.1.mga7.x86_64 - lib64xine1.2-devel-1.2.9-9.1.mga7.x86_64 - lib64xine2-1.2.9-9.1.mga7.x86_64 - mgba-0.6.3-5.1.mga7.x86_64 - mgba-qt-0.6.3-5.1.mga7.x86_64 - perl-Image-Magick-7.0.10.55-1.mga7.x86_64 - pfscalibration-2.1.0-13.1.mga7.x86_64 - pfstmo-2.1.0-13.1.mga7.x86_64 - pfstools-2.1.0-13.1.mga7.x86_64 - pfstools-exr-2.1.0-13.1.mga7.x86_64 - pfstools-glview-2.1.0-13.1.mga7.x86_64 - pfstools-imgmagick-2.1.0-13.1.mga7.x86_64 - pfstools-octave-2.1.0-13.1.mga7.x86_64 - pfstools-qt-2.1.0-13.1.mga7.x86_64 - pfstools-yuy-2.1.0-13.1.mga7.x86_64 - sk1-2.0-0.rc3.5.1.mga7.x86_64 - synfig-1.2.2-1.1.mga7.x86_64 - uniconvertor-2.0-0.1.rc3_20171226.2.1.mga7.x86_64 - xine1.2-common-1.2.9-9.1.mga7.x86_64 That ran smoothly. Running basic tests only on ImageMagick; display, identify, convert, covering several common image formats. No problems. $ identify SantaMaria* SantaMaria.png PNG 1638x1410 1638x1410+0+0 8-bit sRGB 1.14054MiB 0.000u 0:00.000 SantaMaria.tif TIFF 1638x1410 1638x1410+0+0 8-bit sRGB 1.89081MiB 0.000u 0:00.011 $ convert -resize 50% SantaMaria.tif santamaria.jpg $ identify santamaria.jpg santamaria.jpg JPEG 819x705 819x705+0+0 8-bit sRGB 128805B 0.000u 0:00.000 $ convert -resize 50% SantaMaria.tif santamaria.jp2 $ display santamaria.jp2 <OK> $ xine columbia_dem_2_1280.mov This is xine (X11 gui) - a free video player v0.10.1. (c) 2000-2014 The xine Team. vo_vdpau: this hardware doesn't support h264. vo_vdpau: this hardware doesn't support vc1. vo_vdpau: this hardware doesn't support mpeg1/2. vo_vdpau: this hardware doesn't support mpeg4-part2. No video or sound then at the end of the track nouveau triggered an abort. Openshot video editing is too complex to investigate here but it performs well as an image viewer and can play videos, MOV anyway. $ transcode -i /dev/dvd/ -x dvd -j 16,0 -B 5,0 -Y 40,8 -s 4.47 -U my_movie -y xvid -w 1618 This appeared to start OK, picking up the CSS keys from somewhere and recording the title section as an AVI, which played in vlc, but then went into a loop retrieving CSS keys again. Crashed out after two hours. So it works in part. sk1 does not launch at all from the system graphics menu and from the command line reports errors; e.g. import wx.combo ImportError: No module named combo And it looks like synfig needs some configuration - not going there. Been on this all day as it is. Catching up with tainted tomorrow.
Created attachment 12201 [details] ImageMagick functions demo This has been used before but the attribution is lost somewhere in QA test history. Originally found by Lewys Smith I think.
Enabled tainted-updates-testing $ urpmi.update -a $MageiaUpdate - imagemagick-7.0.10.55-1.mga7.tainted.x86_64 - imagemagick-desktop-7.0.10.55-1.mga7.tainted.x86_64 - imagemagick-doc-7.0.10.55-1.mga7.tainted.noarch - lib64abydos0.1-devel-0.1.3-2.1.mga7.tainted.x86_64 - lib64abydos0.1_0-0.1.3-2.1.mga7.tainted.x86_64 - lib64magick++-7Q16HDRI_4-7.0.10.55-1.mga7.tainted.x86_64 - lib64magick-7Q16HDRI_8-7.0.10.55-1.mga7.tainted.x86_64 - lib64magick-devel-7.0.10.55-1.mga7.tainted.x86_64 - lib64xine1.2-devel-1.2.9-9.1.mga7.tainted.x86_64 - lib64xine2-1.2.9-9.1.mga7.tainted.x86_64 - perl-Image-Magick-7.0.10.55-1.mga7.tainted.x86_64 - transcode-1.1.7-23.1.mga7.tainted.x86_64 - xine1.2-common-1.2.9-9.1.mga7.tainted.x86_64 No improvement when running xine-ui. Triggered an abort on a MOV file. Just wondering if things would be better with nvidia. Using nouveau just now. Tried $ xine /dev/dvd Empty window. Right click to start configuration -> show controls -> dvd -> play The optical drive is accessed, then after an interval nouveau crashes: .... nouveau: 0x000008f3 nouveau: 0x1000f010 xine: ../nouveau/pushbuf.c:723: nouveau_pushbuf_data: Assertion `kref' failed. Aborted (core dumped) sk1 hangs on launch without launching a gui then times out. $ transcode -i /dev/dvd/ -x dvd -j 16,0 -B 5,0 -Y 40,8 -s 4.47 -U my_movie -y xvid -w 1618 That got no further than before. It appeared to have hung for two or three hours. To exercize the perl support functions, ran a script which created images demonstrating special effects and performed ImageMagick transformations on a specimen image and displayed all the results as a montage containing 75 thumbnails. That worked very well. That also shows that imagemagick is working without regressions.
Whiteboard: (none) => MGA7-64-OK
Your work on this one is greatly appreciated, Len. Lots of time invested here. Validating. Advisory in Comment 29, package list in Comment 28. A reminder: there are both tainted and release versions of this update.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
(In reply to Thomas Andrews from comment #41) > Your work on this one is greatly appreciated, Len. Lots of time invested > here. > > Validating. Advisory in Comment 29, package list in Comment 28. A reminder: > there are both tainted and release versions of this update. Advisory pushed to SVN.
Keywords: (none) => advisoryCC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0013.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
CVE-2020-19667, CVE-2020-25665, CVE-2020-25674, CVE-2020-27560, CVE-2020-27750, CVE-2020-27760, CVE-2020-27763, CVE-2020-27765, CVE-2020-27773, CVE-2020-29599: https://www.debian.org/lts/security/2021/dla-2523 All fixed in this update.
CVE-2020-25664 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674 CVE-2020-25675 CVE-2020-25676 CVE-2020-27750 CVE-2020-27751 CVE-2020-27752 CVE-2020-27753 CVE-2020-27754 CVE-2020-27755 CVE-2020-27756 CVE-2020-27757 CVE-2020-27758 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27763 CVE-2020-27764 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27773 CVE-2020-27774 CVE-2020-27775 CVE-2020-27776 CVE-2020-29599: https://lists.suse.com/pipermail/sle-security-updates/2021-January/008217.html I'm assuming this fixed all of those.
Same from openSUSE: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GMIDOKTR355FMU6NNJAZYI3VSQVSKBVF/