openSUSE has issued advisories on May 22 and October 16: https://lists.opensuse.org/opensuse-updates/2019-05/msg00126.html https://lists.opensuse.org/opensuse-updates/2019-10/msg00091.html I don't know if the fixes for those issues are in 1.3.33.
Whiteboard: (none) => MGA7TOOCC: (none) => nicolas.salguero, smelror
No registered maintainer, nor a consistent active one, so assigning globally; CC'ing tv & kekepower who have touched it relatively recently.
Assignee: bugsquad => pkg-bugsCC: (none) => thierry.vignaud
After reading the code, CVE-2019-10131 is already fixed but CVE-2019-16709 needs the patch from OpenSUSE.
CVE: (none) => CVE-2019-16709Summary: graphicsmagick possible new security issues CVE-2019-10131 and CVE-2019-16709 => graphicsmagick possible new security issue CVE-2019-16709
Suggested advisory: ======================== The updated packages fix a security vulnerability: ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage. (CVE-2019-16709) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709 https://lists.opensuse.org/opensuse-updates/2019-10/msg00091.html ======================== Updated packages in core/updates_testing: ======================== graphicsmagick-1.3.33-1.1.mga7 lib(64)graphicsmagick3-1.3.33-1.1.mga7 lib(64)graphicsmagick++12-1.3.33-1.1.mga7 lib(64)graphicsmagickwand2-1.3.33-1.1.mga7 lib(64)graphicsmagick-devel-1.3.33-1.1.mga7 perl-Graphics-Magick-1.3.33-1.1.mga7 graphicsmagick-doc-1.3.33-1.1.mga7 from SRPMS: graphicsmagick-1.3.33-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDVersion: Cauldron => 7Whiteboard: MGA7TOO => (none)
Thanks! That's what I expected.
Summary: graphicsmagick possible new security issue CVE-2019-16709 => graphicsmagick new security issue CVE-2019-16709
Mageia 7, x86_64 CVE-2019-16709 There is a reproducer for this at https://github.com/ImageMagick/ImageMagick/issues/1531 but it is expected to be tested withing the asan framework so does nothing useful here. Tested it with valgrind and all it reported was not being able to read a font. $ valgrind --leak-check=full --show-leak-kinds=all convert Memory-Leak-2 output.x Lots of output but nothing referring to leaks. It is a bit confusing to be testing GM for an IM issue but I am assuming the code is common. Updated the GM packages manually. A firefox problem interfered with MageiaUpdate. Ran the reproducer again 'using gm convert'. No difference in the output. Shall run some image manipulation tests with GM later.
CC: (none) => tarazed25
Following on from comment 5; $ gm version GraphicsMagick 1.3.33 2019-07-20 Q8 http://www.GraphicsMagick.org/ [...] Native Thread Safe yes Large Files (> 32 bit) yes Large Memory (> 32 bit) yes BZIP yes ....... $ gm identify JessicaAlba.tif $ gm identify JessicaAlba.tif JessicaAlba.tif TIFF 1200x896+0+0 DirectClass 8-bit 3.1Mi 0.000u 0m:0.000005s Juggled with and image using the gm convert with the -rotate, -flip and -flop options. Results as expected in gm display. $ gm montage frame*.png frames.jpg $ gm display frames.jpg Showed a montage of 13 thumbnails on a 6x3 panel. Exercised a graphicsmagick primitive using perl. $ sudo urpmi perl-Graphicks-Magick perl-Graphics-Magick-1.3.33-1.1 from updates-testing. $ ./gmtest.pl200 is 2.0 seconds. Superimposed red rectangle on existing image $ gm convert Ikapati.pgm martiancrater.jpeg $ display martiancrater.jpeg Looks fine. $ gm convert -resize 200% -quality 100 TatianaMaslany.jpg tatiana.tiff gm convert: tatiana.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField). $ display tatiana.tiff That worked perfectly. Produced an animated GIF from four PNG images using a downloaded perl script. This uses GM to read the images and stack them in a frame, output as a GIF. The original images can be run directly as an animation, or slideshow: $ gm display -delay 200 frames.png 200 is 2.0 seconds. So, basic operations are alright.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0372.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED