Bug 26751 - graphicsmagick new security issue CVE-2020-12672
Summary: graphicsmagick new security issue CVE-2020-12672
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-09 19:29 CEST by David Walser
Modified: 2020-12-29 12:58 CET

See Also:
Source RPM: graphicsmagick-1.3.35-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-06-09 19:29:18 CEST
Debian-LTS has issued an advisory on June 7:
https://www.debian.org/lts/security/2020/dla-2236

Mageia 7 is also affected.
David Walser 2020-06-09 19:29:28 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-06-09 19:50:08 CEST
openSUSE has issued an advisory for this on June 8:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00034.html
Comment 2 David Walser 2020-12-27 18:55:26 CET
Patched packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage
in coders/png.c (CVE-2020-12672).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12672
https://lists.opensuse.org/opensuse-updates/2020-06/msg00034.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.35-1.1.mga7
libgraphicsmagick3-1.3.35-1.1.mga7
libgraphicsmagick++12-1.3.35-1.1.mga7
libgraphicsmagickwand2-1.3.35-1.1.mga7
libgraphicsmagick-devel-1.3.35-1.1.mga7
perl-Graphics-Magick-1.3.35-1.1.mga7
graphicsmagick-doc-1.3.35-1.1.mga7

from graphicsmagick-1.3.35-1.1.mga7.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Thomas Andrews 2020-12-27 23:00:30 CET
Tested on a 64-bit Plasma system, AMD HD8490 graphics.

The following 2 packages are going to be installed:

- graphicsmagick-1.3.35-1.1.mga7.x86_64
- lib64graphicsmagick3-1.3.35-1.1.mga7.x86_64

No installation issues.

Referred to https://bugs.mageia.org/show_bug.cgi?id=26094#c4 for testing procedure. In addition, manipulated an image in various ways from the GUI.

All tests were successful. Giving this an OK and validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 4 Aurelien Oudelet 2020-12-29 10:49:00 CET
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-12-29 12:58:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0472.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

