Bug 25807 - graphicsmagick new security issue CVE-2019-16709
Summary: graphicsmagick new security issue CVE-2019-16709
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-03 19:13 CET by David Walser
Modified: 2019-12-06 15:17 CET

See Also:
Source RPM: graphicsmagick-1.3.33-2.mga8.src.rpm
CVE: CVE-2019-16709
Status comment:


Description David Walser 2019-12-03 19:13:14 CET
openSUSE has issued advisories on May 22 and October 16:
https://lists.opensuse.org/opensuse-updates/2019-05/msg00126.html
https://lists.opensuse.org/opensuse-updates/2019-10/msg00091.html

I don't know if the fixes for those issues are in 1.3.33.
David Walser 2019-12-03 19:13:31 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => nicolas.salguero, smelror

Comment 1 Lewis Smith 2019-12-03 19:21:26 CET
No registered maintainer, nor a consistent active one, so assigning globally; CC'ing tv & kekepower who have touched it relatively recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => thierry.vignaud

Comment 2 Nicolas Salguero 2019-12-04 09:42:35 CET
After reading the code, CVE-2019-10131 is already fixed but CVE-2019-16709 needs the patch from OpenSUSE.
Nicolas Salguero 2019-12-04 09:42:50 CET

CVE: (none) => CVE-2019-16709
Summary: graphicsmagick possible new security issues CVE-2019-10131 and CVE-2019-16709 => graphicsmagick possible new security issue CVE-2019-16709

Comment 3 Nicolas Salguero 2019-12-04 10:12:29 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709
https://lists.opensuse.org/opensuse-updates/2019-10/msg00091.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.33-1.1.mga7
lib(64)graphicsmagick3-1.3.33-1.1.mga7
lib(64)graphicsmagick++12-1.3.33-1.1.mga7
lib(64)graphicsmagickwand2-1.3.33-1.1.mga7
lib(64)graphicsmagick-devel-1.3.33-1.1.mga7
perl-Graphics-Magick-1.3.33-1.1.mga7
graphicsmagick-doc-1.3.33-1.1.mga7

from SRPMS:
graphicsmagick-1.3.33-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 David Walser 2019-12-04 13:04:44 CET
Thanks!  That's what I expected.

Summary: graphicsmagick possible new security issue CVE-2019-16709 => graphicsmagick new security issue CVE-2019-16709

Comment 5 Len Lawrence 2019-12-04 19:02:38 CET
Mageia 7, x86_64

CVE-2019-16709
There is a reproducer for this at https://github.com/ImageMagick/ImageMagick/issues/1531
but it is expected to be tested within the asan framework so does nothing useful here.  Tested it with valgrind and all it reported was not being able to read a font.
$ valgrind --leak-check=full --show-leak-kinds=all convert Memory-Leak-2 output.x
Lots of output but nothing referring to leaks.

It is a bit confusing to be testing GM for an IM issue but I am assuming the code is common.

Updated the GM packages manually.  A firefox problem interfered with MageiaUpdate.
Ran the reproducer again 'using gm convert'.
No difference in the output.

Shall run some image manipulation tests with GM later.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2019-12-04 20:17:17 CET
Following on from comment 5;

$ gm version
GraphicsMagick 1.3.33 2019-07-20 Q8 http://www.GraphicsMagick.org/
[...]
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
.......

$ gm identify JessicaAlba.tif
$ gm identify JessicaAlba.tif
JessicaAlba.tif TIFF 1200x896+0+0 DirectClass 8-bit 3.1Mi 0.000u 0m:0.000005s

Juggled with an image using the gm convert with the -rotate, -flip and -flop options.  Results as expected in gm display.

$ gm montage frame*.png frames.jpg
$ gm display frames.jpg
Showed a montage of 13 thumbnails on a 6x3 panel.

Exercised a graphicsmagick primitive using perl.

$ sudo urpmi perl-Graphics-Magick
perl-Graphics-Magick-1.3.33-1.1 from updates-testing.
$ ./gmtest.pl
Superimposed red rectangle on existing image

$ gm convert Ikapati.pgm martiancrater.jpeg
$ display martiancrater.jpeg
Looks fine.

$ gm convert -resize 200% -quality 100 TatianaMaslany.jpg tatiana.tiff
gm convert: tatiana.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
$ display tatiana.tiff
That worked perfectly.

Produced an animated GIF from four PNG images using a downloaded perl script.
This uses GM to read the images and stack them in a frame, output as a GIF.
The original images can be run directly as an animation, or slideshow:
$ gm display -delay 200 frames.png
200 is 2.0 seconds.

So, basic operations are alright.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2019-12-04 22:33:51 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-12-06 13:49:58 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0372.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

