Bug 28462 - imagemagick new security issues CVE-2021-2024[13456]
Summary: imagemagick new security issues CVE-2021-2024[13456]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-26 22:47 CET by David Walser
Modified: 2022-03-21 21:58 CET

See Also:
Source RPM: imagemagick-7.0.10.57-1.mga8.src.rpm
CVE: CVE-2021-2024[1346]
Status comment:


Attachments
List of rpms for Mageia 7 x32 (1.27 KB, text/plain)
2021-03-14 13:39 CET, Len Lawrence
List of rpms for Mageia 7 x64 (1.30 KB, text/plain)
2021-03-14 13:40 CET, Len Lawrence
List of rpms for Mageia 8 x32 (1.25 KB, text/plain)
2021-03-14 13:40 CET, Len Lawrence
List of rpms for Mageia 8 x64 (1.29 KB, text/plain)
2021-03-14 13:41 CET, Len Lawrence

Description David Walser 2021-02-26 22:47:21 CET
SUSE has issued an advisory on February 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008374.html

The issues are fixed upstream in 7.0.10.62.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-26 22:47:42 CET

Status comment: (none) => Fixed upstream in 7.0.10.62
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Lécureuil 2021-02-26 23:54:53 CET
Fixed in Cauldron.

Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 2 Lewis Smith 2021-02-27 09:41:18 CET
Thanks Nicolas for the instant fix.
Assigning to the registered maintainer Stig to follow it through if necessary (M7, Advisory). Up to you who does what!

Assignee: bugsquad => smelror

Comment 3 Nicolas Lécureuil 2021-02-27 14:28:17 CET
Too hard to fix the patches.

I will push a new imagemagick with rebuilt deps.
Comment 4 Nicolas Lécureuil 2021-02-27 17:29:29 CET
Here are the src.rpms for this update.

src 7:
   - imagemagick-7.0.10.62-1.mga7 ( core && tainted )
   - abydos-0.1.3-2.2.mga7 ( core && tainted )
   - converseen-0.9.7.2-2.2.mga7
   - cuneiform-linux-1.1.0-15.1.mga7
   - digikam-6.1.0-4.1.mga7
   - kxstitch-2.1.1-5.1.mga7
   - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7
   - pfstools-2.1.0-13.2.mga7
   - php-imagick-3.4.4-1.2.mga7
   - pythonmagick-0.9.19-4.1.mga7
   - synfig-1.2.2-1.2.mga7
   - windowmaker-0.95.8-5.1.mga7
   - xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
   - zbar-0.23-1.1.mga7
src 8:
   - imagemagick-7.0.10.62-1.mga8 ( core && tainted )
   - abydos-0.2.3-4.1.mga8 ( core && tainted )
   - converseen-0.9.8.1-4.1.mga8
   - cuneiform-linux-1.1.0-18.1.mga8
   - digikam-7.1.0-4.1.mga8
   - kxstitch-2.2.0-4.1.mga8
   - libopenshot-0.2.5-5.1.mga8
   - pfstools-2.1.0-20.1.mga8 
   - php-imagick-3.4.5-0.git20201230.2.1.mga8
   - pythonmagick-0.9.19-10.1.mga8
   - synfig-1.2.2-11.1.mga8
   - windowmaker-0.95.9-3.1.mga8
   - xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
   - zbar-0.23.1-5.1.mga8
Nicolas Lécureuil 2021-02-27 17:29:41 CET

Assignee: smelror => qa-bugs

Comment 5 David Walser 2021-02-27 17:51:22 CET
(In reply to Nicolas Lécureuil from comment #4)
>    - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7

Then that needs to be fixed.

Missing are:
mgba
sk1
uniconvertor
transcode

(see Bug 25277)

Status comment: Fixed upstream in 7.0.10.62 => (none)
Assignee: qa-bugs => mageia

David Walser 2021-02-27 17:51:48 CET

Status comment: (none) => Some more packages need rebuilt against updated libraries

Comment 6 Nicolas Lécureuil 2021-02-27 18:05:41 CET
(In reply to David Walser from comment #5)
> (In reply to Nicolas Lécureuil from comment #4)
> >    - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7
> 
> Then that needs to be fixed.

http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20210227151300.neoclust.duvel.32193/log/libopenshot-2.4.4-2.2.mga7/install_deps-2.i586.0.20210227160944.log


This is because of missing deps in mga 7 (we weren't as perfect as for Mageia 8 :-))
Comment 7 David Walser 2021-02-27 18:07:11 CET
No, libopenshot should build fine (and did last time).  It seems to be having a problem installing the zeromq update candidate from Bug 28320.
Comment 8 Nicolas Lécureuil 2021-02-27 18:11:01 CET
Strange, it is available:

 ls i586/media/core/updates_testing/*zmq*
i586/media/core/updates_testing/libzmq5-4.3.4-1.1.mga7.i586.rpm  i586/media/core/updates_testing/libzmq-devel-4.3.4-1.1.mga7.i586.rpm
Comment 9 Nicolas Lécureuil 2021-02-27 18:20:30 CET
Here are the src.rpms for this update.

src 7:
   - imagemagick-7.0.10.62-1.mga7 ( core && tainted )
   - abydos-0.1.3-2.2.mga7 ( core && tainted )
   - converseen-0.9.7.2-2.2.mga7
   - cuneiform-linux-1.1.0-15.1.mga7
   - digikam-6.1.0-4.1.mga7
   - kxstitch-2.1.1-5.1.mga7
   - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
   - pfstools-2.1.0-13.2.mga7
   - php-imagick-3.4.4-1.2.mga7
   - pythonmagick-0.9.19-4.1.mga7
   - synfig-1.2.2-1.2.mga7
   - windowmaker-0.95.8-5.1.mga7
   - xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
   - zbar-0.23-1.1.mga7
   - sk1-2.0-0.rc3.5.2.mga7
   - uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
   - transcode-1.1.7-23.2.mga7 ( core && tainted )

src 8:
   - imagemagick-7.0.10.62-1.mga8 ( core && tainted )
   - abydos-0.2.3-4.1.mga8 ( core && tainted )
   - converseen-0.9.8.1-4.1.mga8
   - cuneiform-linux-1.1.0-18.1.mga8
   - digikam-7.1.0-4.1.mga8
   - kxstitch-2.2.0-4.1.mga8
   - libopenshot-0.2.5-5.1.mga8
   - pfstools-2.1.0-20.1.mga8 
   - php-imagick-3.4.5-0.git20201230.2.1.mga8
   - pythonmagick-0.9.19-10.1.mga8
   - synfig-1.2.2-11.1.mga8
   - windowmaker-0.95.9-3.1.mga8
   - xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
   - zbar-0.23.1-5.1.mga8
   - transcode-1.1.7-29.1.mga8  ( core && tainted )
Comment 10 David Walser 2021-02-27 18:21:10 CET
You're still missing mgba.
Comment 11 Nicolas Lécureuil 2021-02-27 18:26:08 CET
[Update] Here are the src.rpms for this update.

src 7:
   - imagemagick-7.0.10.62-1.mga7 ( core && tainted )
   - abydos-0.1.3-2.2.mga7 ( core && tainted )
   - converseen-0.9.7.2-2.2.mga7
   - cuneiform-linux-1.1.0-15.1.mga7
   - digikam-6.1.0-4.1.mga7
   - kxstitch-2.1.1-5.1.mga7
   - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
   - pfstools-2.1.0-13.2.mga7
   - php-imagick-3.4.4-1.2.mga7
   - pythonmagick-0.9.19-4.1.mga7
   - synfig-1.2.2-1.2.mga7
   - windowmaker-0.95.8-5.1.mga7
   - xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
   - zbar-0.23-1.1.mga7
   - sk1-2.0-0.rc3.5.2.mga7
   - uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
   - transcode-1.1.7-23.2.mga7 ( core && tainted ) // need to see for broken deps
   - mgba-0.6.3-5.2.mga7

src 8:
   - imagemagick-7.0.10.62-1.mga8 ( core && tainted )
   - abydos-0.2.3-4.1.mga8 ( core && tainted )
   - converseen-0.9.8.1-4.1.mga8
   - cuneiform-linux-1.1.0-18.1.mga8
   - digikam-7.1.0-4.1.mga8
   - kxstitch-2.2.0-4.1.mga8
   - libopenshot-0.2.5-5.1.mga8
   - pfstools-2.1.0-20.1.mga8 
   - php-imagick-3.4.5-0.git20201230.2.1.mga8
   - pythonmagick-0.9.19-10.1.mga8
   - synfig-1.2.2-11.1.mga8
   - windowmaker-0.95.9-3.1.mga8
   - xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
   - zbar-0.23.1-5.1.mga8
   - transcode-1.1.7-29.1.mga8  ( core && tainted ) // need to see for broken deps
   - mgba-0.8.4-1.1.mga8
Comment 12 David Walser 2021-02-27 18:26:34 CET
windowmaker and zbar didn't need to be rebuilt.  zbar uses graphicsmagick and imagemagick uses neither.
Comment 13 David Walser 2021-02-27 18:26:53 CET
(In reply to David Walser from comment #12)
> windowmaker and zbar didn't need to be rebuilt.  zbar uses graphicsmagick
> and imagemagick uses neither.

I meant windowmaker uses neither.
Comment 14 David Walser 2021-02-27 23:37:09 CET
RPMS built so far:
libabydos0.1_0-0.1.3-2.2.mga7
libabydos0.1-devel-0.1.3-2.2.mga7
libabydos0.2-devel-0.2.3-4.1.mga8
abydos-config-0.2.3-4.1.mga8
libabydos0.2_0-0.2.3-4.1.mga8
blender-2.79b-14.git20190504.2.mga7
blender-2.83.10-3.1.mga8
converseen-0.9.7.2-2.2.mga7
converseen-0.9.8.1-4.1.mga8
cuneiform-linux-1.1.0-15.1.mga7
libcuneiform0-1.1.0-15.1.mga7
libcuneiform-devel-1.1.0-15.1.mga7
cuneiform-linux-1.1.0-18.1.mga8
libcuneiform0-1.1.0-18.1.mga8
libcuneiform-devel-1.1.0-18.1.mga8
digikam-6.1.0-4.1.mga7
showfoto-6.1.0-4.1.mga7
libdigikamdatabase6-6.1.0-4.1.mga7
libdigikamcore6-6.1.0-4.1.mga7
libdigikamgui6-6.1.0-4.1.mga7
libdigikam-devel-6.1.0-4.1.mga7
digikam-7.1.0-4.1.mga8
libdigikamgui7.1.0-7.1.0-4.1.mga8
libdigikamdatabase7.1.0-7.1.0-4.1.mga8
showfoto-7.1.0-4.1.mga8
libdigikam-devel-7.1.0-4.1.mga8
libdigikamcore7.1.0-7.1.0-4.1.mga8
kxstitch-2.1.1-5.1.mga7
kxstitch-handbook-2.1.1-5.1.mga7
kxstitch-2.2.0-4.1.mga8
kxstitch-handbook-2.2.0-4.1.mga8
python3-libopenshot-0.2.5-5.1.mga8
libopenshot19-0.2.5-5.1.mga8
libopenshot-devel-0.2.5-5.1.mga8
pfstools-2.1.0-13.2.mga7
pfscalibration-2.1.0-13.2.mga7
pfstmo-2.1.0-13.2.mga7
libpfstools2-2.1.0-13.2.mga7
pfstools-qt-2.1.0-13.2.mga7
pfstools-glview-2.1.0-13.2.mga7
pfstools-exr-2.1.0-13.2.mga7
pfstools-yuy-2.1.0-13.2.mga7
pfstools-imgmagick-2.1.0-13.2.mga7
pfstools-octave-2.1.0-13.2.mga7
libpfstools-devel-2.1.0-13.2.mga7
pfstools-2.1.0-20.1.mga8
pfstmo-2.1.0-20.1.mga8
pfstools-octave-2.1.0-20.1.mga8
pfstools-glview-2.1.0-20.1.mga8
pfstools-qt-2.1.0-20.1.mga8
pfscalibration-2.1.0-20.1.mga8
pfstools-yuy-2.1.0-20.1.mga8
libpfstools2-2.1.0-20.1.mga8
pfstools-exr-2.1.0-20.1.mga8
pfstools-imgmagick-2.1.0-20.1.mga8
libpfstools-devel-2.1.0-20.1.mga8
php-imagick-3.4.4-1.2.mga7
php-imagick-3.4.5-0.git20201230.2.1.mga8
pythonmagick-0.9.19-4.1.mga7
pythonmagick-0.9.19-10.1.mga8
spectacle-19.04.0-1.1.mga7
spectacle-20.12.0-2.1.mga8
synfig-1.2.2-1.2.mga7
libsynfig0-1.2.2-1.2.mga7
libsynfig-devel-1.2.2-1.2.mga7
synfig-1.2.2-11.1.mga8
libsynfig0-1.2.2-11.1.mga8
libsynfig-devel-1.2.2-11.1.mga8
xine1.2-common-1.2.9-9.2.mga7
libxine2-1.2.9-9.2.mga7
libxine1.2-devel-1.2.9-9.2.mga7
xine1.2-common-1.2.11-1.1.mga8
libxine1.2-devel-1.2.11-1.1.mga8
libxine2-1.2.11-1.1.mga8
sk1-2.0-0.rc3.5.2.mga7
uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
transcode-1.1.7-23.2.mga7.tainted
mgba-0.6.3-5.2.mga7
mgba-qt-0.6.3-5.2.mga7
libmgba0.6-0.6.3-5.2.mga7
mgba-0.8.4-1.1.mga8
mgba-qt-0.8.4-1.1.mga8
libmgba0.8-0.8.4-1.1.mga8
Comment 15 David Walser 2021-03-05 23:51:16 CET
openSUSE has issued an advisory for this on March 3:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6SG6MVYKVW7O5POXSG4CGOWDIOAZCWWT/
Comment 16 Nicolas Lécureuil 2021-03-11 21:23:11 CET
libopenshot-2.4.4-2.2.mga7 now builds fine.
Comment 17 Nicolas Lécureuil 2021-03-11 21:43:48 CET
Only transcode mga8 is missing.
Comment 18 Nicolas Lécureuil 2021-03-11 22:31:25 CET
The list of the complete src.rpms.

src 7:
   - imagemagick-7.0.10.62-1.mga7 ( core && tainted )
   - abydos-0.1.3-2.2.mga7 ( core && tainted )
   - converseen-0.9.7.2-2.2.mga7
   - cuneiform-linux-1.1.0-15.1.mga7
   - digikam-6.1.0-4.1.mga7
   - kxstitch-2.1.1-5.1.mga7
   - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
   - pfstools-2.1.0-13.2.mga7
   - php-imagick-3.4.4-1.2.mga7
   - pythonmagick-0.9.19-4.1.mga7
   - synfig-1.2.2-1.2.mga7
   - xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
   - sk1-2.0-0.rc3.5.2.mga7
   - uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
   - transcode-1.1.7-23.2.mga7 ( tainted )
   - mgba-0.6.3-5.2.mga7

src 8:
   - imagemagick-7.0.10.62-1.mga8 ( core && tainted )
   - abydos-0.2.3-4.1.mga8 ( core && tainted )
   - converseen-0.9.8.1-4.1.mga8
   - cuneiform-linux-1.1.0-18.1.mga8
   - digikam-7.1.0-4.1.mga8
   - kxstitch-2.2.0-4.1.mga8
   - libopenshot-0.2.5-5.1.mga8
   - pfstools-2.1.0-20.1.mga8 
   - php-imagick-3.4.5-0.git20201230.2.1.mga8
   - pythonmagick-0.9.19-10.1.mga8
   - synfig-1.2.2-11.1.mga8
   - xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
   - transcode-1.1.7-29.1.mga8  ( tainted )
   - mgba-0.8.4-1.1.mga8

Assignee: mageia => qa-bugs
Status comment: Some more packages need rebuilt against updated libraries => (none)

Comment 19 David Walser 2021-03-12 20:41:51 CET
(In reply to David Walser from comment #14)
> RPMS built so far:

Added to this are:
libopenshot17-2.4.4-2.2.mga7
libopenshot-devel-2.4.4-2.2.mga7
python3-libopenshot-2.4.4-2.2.mga7
transcode-1.1.7-29.1.mga8.tainted
Comment 20 Thomas Andrews 2021-03-14 00:58:34 CET
The lists of rpms in Comments 14 and 19, in their present form, are extremely difficult for QA to use with QA Repo. It will balk at mixed mga7/mga8 names, not to mention the old lib/lib64 problem. 

Can anybody suggest a way to sort them other than manually picking the ones we want for a test out one by one? 

I'm not as adept as I once was at data manipulation techniques.

CC: (none) => andrewsfarm

Comment 21 Len Lawrence 2021-03-14 10:39:19 CET
@TJ, comment 20.  I have my own methods for parsing and editing such lists and generating an installation script.  Shall try to do that today and publish the list(s).  Global editing helps with lib/lib64 but needs to be checked for outliers like python3-libopenshot = python3-libopenshot-0.2.5-5.mga8.x86_64.

CC: (none) => tarazed25

Comment 22 Len Lawrence 2021-03-14 13:37:04 CET
In response to comments 20 and 21:

Generated four lists of RPM names for mga{7,8} and arch{32,64}.
Working in mga7 just now, before updating.
Tried mga7 x64 test install (--test) here with the mga7(64) list and managed all but four:
 
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64kf5sonnetui-devel-5.57.0-1.mga7
lib64kf5textwidgets-devel-5.57.0-1.mga7
lib64kf5xmlgui-devel-5.57.0-1.mga7
lib64digikam-devel-6.1.0-4.mga7
This might be a case of QA testing pollution where an update is not removed after tests are complete, so other testers may not see this.

I suspect that this would be sorted out if qarepo were used.
Attaching the four lists anyway.
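
The split asked for in comment 20 and described in comments 21 and 22, as an added example that is not part of the original thread and not Len Lawrence's own method. The function names are hypothetical, and the rule that only a leading "lib" becomes "lib64" on x86_64 is an assumption drawn from the package names shown in this bug.

```python
import re
from collections import defaultdict

# Release tag that ends every package name in this bug's lists,
# e.g. "-1.mga8" or "-23.2.mga7.tainted".
RELEASE_RE = re.compile(r"\.(mga\d+)(?:\.tainted)?$")

# Constructed sample: names copied from comments 14, 19 and 30, mixed the
# way the bug lists them, with "> " quoting, one duplicate and one stray
# prose line that a copy/paste would carry along.
SAMPLE = """\
> libabydos0.1_0-0.1.3-2.2.mga7
> libabydos0.2_0-0.2.3-4.1.mga8
python3-libopenshot-0.2.5-5.1.mga8
libopenshot17-2.4.4-2.2.mga7
transcode-1.1.7-23.2.mga7.tainted
libmagick++-7Q16HDRI_5-7.0.10.62-1.mga8
imagemagick-7.0.10.62-1.mga7
imagemagick-7.0.10.62-1.mga7
Added to this are:
"""


def arch_name(name, arch):
    """Return `name` as it is spelled on `arch`.

    Only a leading "lib" is rewritten, so python3-libopenshot (the outlier
    named in comment 21) is left alone. Assumption: every name starting
    with "lib" is a library package; a non-library package with such a
    name would need an exception here.
    """
    if arch == "x86_64" and name.startswith("lib") and not name.startswith("lib64"):
        return "lib64" + name[len("lib"):]
    return name


def split_lists(text, arches=("i586", "x86_64")):
    """Split a mixed list into one ordered, de-duplicated list per
    (release, arch). Lines without an mgaN tag are returned as rejects
    so they can be checked by hand instead of silently dropped."""
    lists = defaultdict(list)
    rejected = []
    for raw in text.splitlines():
        name = raw.strip().lstrip(">").strip()  # tolerate "> " quoting
        if not name:
            continue
        match = RELEASE_RE.search(name)
        if match is None or " " in name:
            rejected.append(name)
            continue
        for arch in arches:
            target = lists[(match.group(1), arch)]
            renamed = arch_name(name, arch)
            if renamed not in target:
                target.append(renamed)
    return dict(lists), rejected


if __name__ == "__main__":
    per_target, leftovers = split_lists(SAMPLE)
    for (release, arch), names in sorted(per_target.items()):
        print(f"# {release} {arch}")
        print("\n".join(names))
    print("# rejected:", leftovers)
```
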
Comment 23 Len Lawrence 2021-03-14 13:39:00 CET
Created attachment 12462
List of rpms for Mageia 7 x32
Comment 24 Len Lawrence 2021-03-14 13:40:02 CET
Created attachment 12463
List of rpms for Mageia 7 x64
Comment 25 Len Lawrence 2021-03-14 13:40:52 CET
Created attachment 12464
List of rpms for Mageia 8 x32
Comment 26 Len Lawrence 2021-03-14 13:41:46 CET
Created attachment 12465
List of rpms for Mageia 8 x64
Comment 27 Thomas Andrews 2021-03-14 14:38:39 CET
(In reply to Len Lawrence from comment #21)
> @TJ, comment 20.  I have my own methods for parsing and editing such lists
> and generating an installation script.  Shall try to do that today and
> publish the list(s).  Global editing helps with lib/lib64 but needs to be
> checked for outliers like python3-libopenshot =
> python3-libopenshot-0.2.5-5.mga8.x86_64.

Thank you, Len. I really should take this opportunity to develop my own techniques. I don't mind asking for help when something is beyond my capability, but I dislike being dependent on others to do something I should be able to do myself. I blame the farmer in me for that independent streak.

The "64" outliers aren't usually a serious problem. There usually aren't a lot of them to cause trouble. Qarepo will flag them, and they can be edited accordingly.
Comment 28 Thomas Andrews 2021-03-14 14:47:16 CET
(In reply to Len Lawrence from comment #22)
> In response to comments 20 and 21:
> 
> Generated four lists of RPM names for mga{7,8} and arch{32,64}.
> Working in mga7 just now, before updating.
> Tried mga7 x64 test install (--test) here with the mga7(64) list and managed
> all but four:
>  
> The following packages can't be installed because they depend on packages
> that are older than the installed ones:
> lib64kf5sonnetui-devel-5.57.0-1.mga7
> lib64kf5textwidgets-devel-5.57.0-1.mga7
> lib64kf5xmlgui-devel-5.57.0-1.mga7
> lib64digikam-devel-6.1.0-4.mga7
> This might be a case of QA testing pollution where an update is not removed
> after tests are complete, so other testers may not see this.
> 
> I suspect that this would be sorted out if qarepo were used.
> Attaching the four lists anyway.

Hmmm. Those are all devel packages. Could be some development package that most users wouldn't even have installed.
Comment 29 Thomas Andrews 2021-03-14 16:21:06 CET
From mga7-64 Plasma, updating tainted versions, using Len's list in qarepo, I get this:

Sorry, the following packages cannot be selected:

- lib64digikamcore6-6.1.0-4.1.mga7.x86_64 (due to unsatisfied libMagick++-7.Q16HDRI.so.5()(64bit))
- lib64xine2-1.2.9-9.2.mga7.x86_64 (due to unsatisfied libMagickWand-7.Q16HDRI.so.9()(64bit))

I looked, and those two unsatisfied packages are not on the lists in Comment 14 or 19. I attempted to copy the names from the notice and add them to the list, but qarepo can't find them.

I haven't tried it yet, but I would suspect the same packages are missing in mga8.
Comment 30 David Walser 2021-03-14 16:28:19 CET
Looks like imagemagick itself was missing from the RPMs list:
imagemagick-7.0.10.62-1.mga7
imagemagick-desktop-7.0.10.62-1.mga7
imagemagick-doc-7.0.10.62-1.mga7
libmagick++-7Q16HDRI_5-7.0.10.62-1.mga7
libmagick-7Q16HDRI_9-7.0.10.62-1.mga7
libmagick-devel-7.0.10.62-1.mga7
perl-Image-Magick-7.0.10.62-1.mga7
imagemagick-7.0.10.62-1.mga8
imagemagick-desktop-7.0.10.62-1.mga8
imagemagick-doc-7.0.10.62-1.mga8
libmagick++-7Q16HDRI_5-7.0.10.62-1.mga8
libmagick-7Q16HDRI_9-7.0.10.62-1.mga8
libmagick-devel-7.0.10.62-1.mga8
perl-Image-Magick-7.0.10.62-1.mga8
Comment 31 Thomas Andrews 2021-03-14 17:29:32 CET
That did the trick, at least for me. In mga7-64 Plasma, using qarepo with the updated list:

The following 11 packages are going to be installed:

- digikam-6.1.0-4.1.mga7.x86_64
- imagemagick-7.0.10.62-1.mga7.x86_64
- imagemagick-desktop-7.0.10.62-1.mga7.x86_64
- lib64digikamcore6-6.1.0-4.1.mga7.x86_64
- lib64digikamdatabase6-6.1.0-4.1.mga7.x86_64
- lib64digikamgui6-6.1.0-4.1.mga7.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga7.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.x86_64
- lib64xine2-1.2.9-9.2.mga7.x86_64
- spectacle-19.04.0-1.1.mga7.x86_64
- xine1.2-common-1.2.9-9.2.mga7.x86_64

No installation issues. No devel packages installed, which would be common among our users, but it doesn't address the issue of Comment 22.

Used Print Screen to run Spectacle, captured a rectangular area of the screen, saved it as png. Loaded that into imagemagick, played around with various effects, no issues noted. I don't use Digikam as a rule, but it did run and I was able to do a minimal configuration setup.

Looks OK on this install, but I'm withholding the OK until I hear if the issue of Comment 22 needs to be addressed.
Comment 32 Len Lawrence 2021-03-14 17:41:33 CET
@TJ, comment 27.  No problem - teamwork.
Re comment 22.  Shall have another look at that.
Comment 33 Thomas Andrews 2021-03-14 19:02:30 CET
In mga8-64 Plasma:

The following 13 packages are going to be installed:

- digikam-7.1.0-4.1.mga8.x86_64
- imagemagick-7.0.10.62-1.mga8.x86_64
- imagemagick-desktop-7.0.10.62-1.mga8.x86_64
- imagemagick-doc-7.0.10.62-1.mga8.noarch
- lib64digikamcore7.1.0-7.1.0-4.1.mga8.x86_64
- lib64digikamdatabase7.1.0-7.1.0-4.1.mga8.x86_64
- lib64digikamgui7.1.0-7.1.0-4.1.mga8.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga8.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga8.x86_64
- lib64xine2-1.2.11-1.1.mga8.x86_64
- spectacle-20.12.0-2.1.mga8.x86_64
- transcode-1.1.7-29.1.mga8.tainted.x86_64
- xine1.2-common-1.2.11-1.1.mga8.x86_64

No installation issues. Same tests as in Comment 31, except that Digikam had apparently already been minimally configured, probably from an earlier test. Also opened an image in xine, with no issues.

Looks OK as far as I have gone. Again, withholding the OK pending investigation of Comment 22, even though that comment did not pertain to mga8.
Comment 34 Len Lawrence 2021-03-14 22:54:15 CET
Sorry to be so long.  My original installation was for the tainted versions.  Had to install mga7.1 on a spare partition on another machine to make sure of a clean slate.  Installed the packages and updated them OK.  No problems - so OK to pass this version.

This machine has a system with the tainted version so I shall follow up by installing any missing packages on that and update it and perform some quick tests.  Later.
Comment 35 Thomas Andrews 2021-03-21 15:17:18 CET
Any progress, Len?

My tests were both with the tainted versions, but they did not involve any of the devel packages. Do you have any problem with passing it on with those?
Comment 36 Len Lawrence 2021-03-21 17:30:09 CET
Sorry TJ - forgot all about this.  Have been side-tracked by so many other things.  Shall get back to you on this, but it will not be quick.  

I do not remember which machine or which partition comment 34 referred to so may have to retrace some steps.
Comment 37 Len Lawrence 2021-03-21 19:03:48 CET
Retested the tainted updates on Mageia 8 and 7 and saw the issue reported in comment 22, in both versions.  Different partitions with different histories.
Quick tests of imagemagick with various image formats and blender looked OK.

Shall try to switch to non-tainted versions but might have to reinstall the two OSes.
Comment 38 David Walser 2021-03-21 19:12:50 CET
Is your system fully up to date before installing these updates?  KF5 5.57.0 was an update we shipped for Mageia 7.  Do you have the updates media enabled?
Comment 39 Len Lawrence 2021-03-21 19:38:26 CET
Yes, updates media are enabled.  I don't know about KF5.
Comment 40 Len Lawrence 2021-03-21 19:40:56 CET
I always run `update -a` after enabling updates testing.
Comment 41 David Walser 2021-03-21 19:58:37 CET
Does rpm -qa lib64kf5* show all 5.57.0 versions?  I think urpmi has a --debug option to better show what's going wrong.
Comment 42 Len Lawrence 2021-03-21 21:08:37 CET
$ rpm -qa lib64kf5*
lib64kf5baloocore5-5.57.0-1.mga7
lib64kf5kdelibs4support5-5.57.0-1.mga7
lib64kf5i18n-devel-5.57.0-1.mga7
lib64kf5kdegames7-19.04.0-1.mga7
lib64kf5coreaddons5-5.57.0-1.mga7
lib64kf5bluezqt5-5.57.0-1.mga7
lib64kf5mailtransport5-19.04.0-1.mga7
lib64kf5mailtransportakonadi5-19.04.0-1.mga7
...

Using urpmi --debug ....

.....
selecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
requiring devel(libKF5SonnetCore(64bit)),devel(libKF5SonnetUi(64bit)) for lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64 for devel(libKF5SonnetCore(64bit))
selecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
requiring lib64kf5sonnetcore5[== 5.57.0-1.mga7],lib64kf5sonnetui5[== 5.57.0-1.mga7],sonnet[== 5.57.0-1.mga7] for lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 for lib64kf5sonnetcore5[== 5.57.0-1.mga7]
the more recent lib64kf5sonnetcore5-5.57.0-1.1.mga7.x86_64 is installed, but does not provide lib64kf5sonnetcore5[== 5.57.0-1.mga7] whereas lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 does
selecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5xmlgui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5kio-devel-5.57.0-1.mga7.x86_64
unselecting lib64digikam-devel-6.1.0-4.1.mga7.x86_64
unselecting lib64kf5notifyconfig-devel-5.57.0-1.mga7.x86_64
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64kf5sonnetui-devel-5.57.0-1.mga7
lib64kf5textwidgets-devel-5.57.0-1.mga7
lib64kf5xmlgui-devel-5.57.0-1.mga7
lib64kf5kio-devel-5.57.0-1.mga7
lib64digikam-devel-6.1.0-4.1.mga7
lib64kf5notifyconfig-devel-5.57.0-1.mga7
Continue installation anyway? (Y/n)
Comment 43 Len Lawrence 2021-03-21 21:20:30 CET
Comment 42 refers to the initial installation before updates testing.  The system started with a set of tainted packages which I am attempting to replace by running updates with tainted updates suppressed.
Comment 44 Len Lawrence 2021-03-21 21:22:52 CET
Arrgh!  No, sorry.  That had already been done.  The last test was with updates testing enabled.
Comment 45 David Walser 2021-03-21 22:17:03 CET
There's a problem with lib64kf5sonnetcore5, which should be 5.57.0-1.mga7, not 5.57.0-1.1.mga7.  I don't know where you got that, but you need to downgrade it, it's causing the problem.
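
The diagnosis in comment 45 can be read mechanically from the `urpmi --debug` output in comment 42. This added example is not part of the original thread and its function and class names are hypothetical. It extracts the installed package that fails an exact-version requirement, which package imposed that requirement, and everything the resolver dropped as a result. It assumes the log line format shown in comment 42, from which the sample lines are copied.

```python
import re
from typing import NamedTuple

# Constructed sample: lines copied from the urpmi --debug output in comment 42.
SAMPLE_LOG = """\
selecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
requiring devel(libKF5SonnetCore(64bit)),devel(libKF5SonnetUi(64bit)) for lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64 for devel(libKF5SonnetCore(64bit))
selecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
requiring lib64kf5sonnetcore5[== 5.57.0-1.mga7],lib64kf5sonnetui5[== 5.57.0-1.mga7],sonnet[== 5.57.0-1.mga7] for lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 for lib64kf5sonnetcore5[== 5.57.0-1.mga7]
the more recent lib64kf5sonnetcore5-5.57.0-1.1.mga7.x86_64 is installed, but does not provide lib64kf5sonnetcore5[== 5.57.0-1.mga7] whereas lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 does
selecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5xmlgui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5kio-devel-5.57.0-1.mga7.x86_64
unselecting lib64digikam-devel-6.1.0-4.1.mga7.x86_64
unselecting lib64kf5notifyconfig-devel-5.57.0-1.mga7.x86_64
"""

MORE_RECENT_RE = re.compile(
    r"^the more recent (\S+) is installed, but does not provide (.+?) "
    r"whereas (\S+) does$"
)
REQUIRING_RE = re.compile(r"^requiring (.+) for (\S+)$")
UNSELECTING_RE = re.compile(r"^unselecting (\S+)$")


class PinConflict(NamedTuple):
    installed: str      # newer package already on the system
    requirement: str    # exact-version requirement it does not provide
    candidate: str      # older package the resolver wanted in its place
    required_by: tuple  # packages whose "requiring" line carries that pin


def analyse(log):
    """Return (conflicts, unselected) for one urpmi --debug transcript."""
    requirers = {}   # requirement string -> packages that asked for it
    hits = []        # (installed, requirement, candidate) triples
    unselected = []  # packages dropped by the resolver, in log order
    for line in map(str.strip, log.splitlines()):
        if m := REQUIRING_RE.match(line):
            for requirement in m.group(1).split(","):
                requirers.setdefault(requirement, []).append(m.group(2))
        elif m := MORE_RECENT_RE.match(line):
            hits.append(m.groups())
        elif m := UNSELECTING_RE.match(line):
            if m.group(1) not in unselected:
                unselected.append(m.group(1))
    conflicts = [
        PinConflict(installed, req, cand, tuple(requirers.get(req, ())))
        for installed, req, cand in hits
    ]
    return conflicts, unselected


if __name__ == "__main__":
    found, dropped = analyse(SAMPLE_LOG)
    for c in found:
        print(f"installed {c.installed} does not satisfy {c.requirement}")
        print(f"  pinned by: {', '.join(c.required_by)}")
        print(f"  resolver wanted: {c.candidate}")
    print(f"{len(dropped)} packages unselected as a result")
```
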
Comment 46 Len Lawrence 2021-03-22 11:20:53 CET
mga7, x64

Made little headway with downgrading so reinstalled the OS without tainted sources.
Installed the imagemagick files from the manifest listed on the bug - close to  300 packages installed.
Enabled core updates testing and ran the exercise again.
A clean install excepting a bad signature for imagemagick-doc.

Launched blender from the menu.  Manipulated the default cube and closed down.
Ran a few simple tests on images of various formats; identify, display, convert and rotate.  To test perl functionality ran examples.pl which Lewis pointed out in earlier bugs; used in bug 24761 for instance.  That covers a lot of ground, image filtering and transformations of many kinds and eventually displays an image montage of all the products.  No regressions.

OK for core release in Mageia 7.  Testing tainted later, probably a straight update from tainted testing.
Comment 47 Len Lawrence 2021-03-22 12:49:01 CET
mga7, x64

Enabled tainted updates testing and attempted to do a full update.
A requested package cannot be installed:
imagemagick-7.0.10.62-1.mga7.tainted.x86_64 (due to unsatisfied libde265)
The H.265 video codec is open source.
$ rpm -q task-codec-video
task-codec-video-6-2.mga7
Something tells me that this has come up before but cannot remember how it was resolved.

As far as I could tell the other tainted packages installed OK.
$ rpm -q imagemagick
imagemagick-7.0.10.62-1.mga7
$ rpm -q lib64abydos0.1_0 xine1.2-common transcode
lib64abydos0.1_0-0.1.3-2.2.mga7.tainted
xine1.2-common-1.2.9-9.2.mga7.tainted
transcode-1.1.7-23.2.mga7.tainted
Comment 48 Len Lawrence 2021-03-22 12:54:42 CET
I also wonder what a video codec has to do with images?
Comment 49 Thomas Andrews 2021-03-22 13:26:32 CET
(In reply to Len Lawrence from comment #48)
> I also wonder what a video codec has to do with images?

Possibly a dependency of transcode, which I'm sure handles video as well as images. 

So for lack of something else to look at, why not start with the basics? You did remember to install the tainted versions of both task-codec-video and task-codec-audio, right?
Comment 50 Len Lawrence 2021-03-22 17:18:04 CET
Managed it in the end by a round-about path.
Downgraded the release version in favour of the tainted version and then installed the update.  No more HVE codec.
$ rpm -q imagemagick
imagemagick-7.0.10.62-1.mga7.tainted

The examples.pl script does not run.
$ perl examples.pl
Can't locate Image/Magick.pm in @INC (you may need to install the Image::Magick module) (@INC contains: .........

Perhaps it was uninstalled in all these shenanigans.  There must be a bundled module but what is it called?  DuckDuckGo found it right away.
Installed perl-Image-Magick-7.0.10.62-1.mga7.tainted.x86_64.

$ perl examples.pl
That worked and displayed the thumbnail montage.

So, tainted version is working in Mageia 7.

@TJ - yes maybe transcode has something to do with it - well spotted that man!
Good point about the codecs - no in fact - doing it now.
Thanks TJ.
Comment 51 Thomas Andrews 2021-03-22 17:27:00 CET
Glad I could help. 

Whenever I run into trouble of this sort, I always try to check the basics first. They have tripped me up more times than I like to admit.
Comment 52 Aurelien Oudelet 2021-03-22 17:58:35 CET
Default M7 installation with tainted repos with Plasma. x86_64.
Updates are OK. No devel packages.

Fully updated M7 system before testing.

- digikam-6.1.0-4.1.mga7.x86_64
- imagemagick-7.0.10.62-1.mga7.tainted.x86_64
- lib64digikamcore6-6.1.0-4.1.mga7.x86_64
- lib64digikamdatabase6-6.1.0-4.1.mga7.x86_64
- lib64digikamgui6-6.1.0-4.1.mga7.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga7.tainted.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.tainted.x86_64
- spectacle-19.04.0-1.1.mga7.x86_64

These install OK.
Comment 53 Aurelien Oudelet 2021-03-22 18:02:30 CET
(In reply to Thomas Andrews from comment #51)
> Glad I could help. 
> 
> Whenever I run into trouble of this sort, I always try to check the basics
> first. They have tripped me up more times than I like to admit.

Nope:
Same system above, updates_testing enabled (same for tainted_updates_testing)

# urpmi transcode

urpmi[4426]: transaction on / (remove=0, install=1, upgrade=)
[RPM][4426]: Transaction ID 6058ccea started
[RPM][4426]: install transcode-1.1.7-23.2.mga7.tainted.x86_64: success
systemd[1]: Started /usr/bin/systemctl start man-db-cache-update.
[RPM][4426]: install transcode-1.1.7-23.2.mga7.tainted.x86_64: success
[RPM][4426]: Transaction ID 6058ccea finished: 0

No error related to H.265

CC: (none) => ouaurelien

Comment 54 Len Lawrence 2021-03-22 18:59:28 CET
mga8, x64

Core release package list complete.  All updates installed cleanly.
Ran a few commands like:
$ mogrify -resize 150% JunoTemple_16.jpg
Then examples.pl to generate demo.jpg.  All functions worked fine and montage displayed correctly.

Good for Mageia 8.
Len Lawrence 2021-03-22 19:00:29 CET

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 55 Thomas Andrews 2021-03-23 13:00:31 CET
Nice work, Len! Validating. Advisory information scattered all over the place.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 56 Aurelien Oudelet 2021-03-25 15:51:20 CET
Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits 
a crafted file that is processed by ImageMagick could trigger undefined 
behavior in the form of math division by zero. The highest threat from 
this vulnerability is to system availability (CVE-2021-20241).

A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits
a crafted file that is processed by ImageMagick could trigger undefined
behavior in the form of math division by zero. The highest threat from
this vulnerability is to system availability (CVE-2021-20243).

A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who
submits a crafted file that is processed by ImageMagick could trigger undefined
behavior in the form of math division by zero. The highest threat from this
vulnerability is to system availability (CVE-2021-20244).

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who
submits a crafted file that is processed by ImageMagick could trigger undefined
behavior in the form of math division by zero. The highest threat from this
vulnerability is to system availability (CVE-2021-20246).

Note that abydos, blender, converseen, cuneiform-linux, digikam, kxstitch,
libopenshot, pfstools, php-imagick, spectacle, synfig, xine-lib1.2, mgba,
windowmaker, zbar and transcode (and tainted counterparts) have been rebuilt.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28462
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20241
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20243 
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20244
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20246
- https://lists.suse.com/pipermail/sle-security-updates/2021-February/008374.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6SG6MVYKVW7O5POXSG4CGOWDIOAZCWWT/
========================

Updated packages in 7
========================
core/updates_testing:

imagemagick-7.0.10.62-1.mga7
imagemagick-desktop-7.0.10.62-1.mga7
imagemagick-doc-7.0.10.62-1.mga7
lib(64)magick++-7Q16HDRI_5-7.0.10.62-1.mga7
lib(64)magick-7Q16HDRI_9-7.0.10.62-1.mga7
lib(64)magick-devel-7.0.10.62-1.mga7
perl-Image-Magick-7.0.10.62-1.mga7
lib(64)abydos0.1_0-0.1.3-2.2.mga7
lib(64)abydos0.1-devel-0.1.3-2.2.mga7
blender-2.79b-14.git20190504.2.mga7
converseen-0.9.7.2-2.2.mga7
cuneiform-linux-1.1.0-15.1.mga7
lib(64)cuneiform0-1.1.0-15.1.mga7
lib(64)cuneiform-devel-1.1.0-15.1.mga7
digikam-6.1.0-4.1.mga7
showfoto-6.1.0-4.1.mga7
lib(64)digikamdatabase6-6.1.0-4.1.mga7
lib(64)digikamcore6-6.1.0-4.1.mga7
lib(64)digikamgui6-6.1.0-4.1.mga7
lib64digikam-devel-6.1.0-4.1.mga7
kxstitch-2.1.1-5.1.mga7
kxstitch-handbook-2.1.1-5.1.mga7
pfstools-2.1.0-13.2.mga7
pfscalibration-2.1.0-13.2.mga7
pfstmo-2.1.0-13.2.mga7
lib(64)pfstools2-2.1.0-13.2.mga7
pfstools-qt-2.1.0-13.2.mga7
pfstools-glview-2.1.0-13.2.mga7
pfstools-exr-2.1.0-13.2.mga7
pfstools-yuy-2.1.0-13.2.mga7
pfstools-imgmagick-2.1.0-13.2.mga7
pfstools-octave-2.1.0-13.2.mga7
lib(64)pfstools-devel-2.1.0-13.2.mga7
php-imagick-3.4.4-1.2.mga7
pythonmagick-0.9.19-4.1.mga7
spectacle-19.04.0-1.1.mga7
synfig-1.2.2-1.2.mga7
lib(64)synfig0-1.2.2-1.2.mga7
lib(64)synfig-devel-1.2.2-1.2.mga7
xine1.2-common-1.2.9-9.2.mga7
lib(64)xine2-1.2.9-9.2.mga7
lib(64)xine1.2-devel-1.2.9-9.2.mga7
sk1-2.0-0.rc3.5.2.mga7
uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
mgba-0.6.3-5.2.mga7
mgba-qt-0.6.3-5.2.mga7
lib(64)mgba0.6-0.6.3-5.2.mga7
lib(64)openshot17-2.4.4-2.2.mga7
lib(64)openshot-devel-2.4.4-2.2.mga7
python3-libopenshot-2.4.4-2.2.mga7
windowmaker-0.95.8-5.1.mga7
lib(64)wings-devel-0.95.8-5.1
lib(64)wings3-0.95.8-5.1.mga7
lib(64)wmaker-devel-0.95.8-5.1.mga7
lib(64)wmaker1-0.95.8-5.1.mga7
lib(64)wraster-devel-0.95.8-5.1.mga7
lib(64)wraster6-0.95.8-5.1.mga7
lib(64)wutil-devel-0.95.8-5.1.mga7
lib(64)wutil5-0.95.8-5.1.mga7
zbar-0.23-1.1.mga7
lib(64)zbar-devel-0.23-1.1.mga7
lib(64)zbar-gir1.0-0.23-1.1.mga7
lib(64)zbar0-0.23-1.1.mga7
lib(64)zbargtk0-0.23-1.1.mga7
lib(64)zbarqt0-0.23-1.1.mga7

tainted/updates_testing:

imagemagick-7.0.10.62-1.mga7.tainted
imagemagick-desktop-7.0.10.62-1.mga7.tainted
imagemagick-doc-7.0.10.62-1.mga7.tainted
lib(64)abydos0.1-devel-0.1.3-2.2.mga7.tainted
lib(64)abydos0.1_0-0.1.3-2.2.mga7.tainted
lib(64)magick++-7Q16HDRI_5-7.0.10.62-1.mga7.tainted
lib(64)magick-7Q16HDRI_9-7.0.10.62-1.mga7.tainted
lib(64)magick-devel-7.0.10.62-1.mga7.tainted
lib(64)xine1.2-devel-1.2.9-9.2.mga7.tainted
lib(64)xine2-1.2.9-9.2.mga7.tainted
perl-Image-Magick-7.0.10.62-1.mga7.tainted
transcode-1.1.7-23.2.mga7.tainted
xine1.2-common-1.2.9-9.2.mga7.tainted

========================
from SRPM:
core:
 - imagemagick-7.0.10.62-1.mga7
 - abydos-0.1.3-2.2.mga7
 - converseen-0.9.7.2-2.2.mga7
 - cuneiform-linux-1.1.0-15.1.mga7
 - digikam-6.1.0-4.1.mga7
 - kxstitch-2.1.1-5.1.mga7
 - libopenshot-2.4.4-2.2.mga7
 - pfstools-2.1.0-13.2.mga7
 - php-imagick-3.4.4-1.2.mga7
 - pythonmagick-0.9.19-4.1.mga7
 - spectacle-19.04.0-1.1.mga7
 - synfig-1.2.2-1.2.mga7
 - xine-lib1.2-1.2.9-9.2.mga7
 - sk1-2.0-0.rc3.5.2.mga7
 - uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
 - mgba-0.6.3-5.2.mga7
 - windowmaker-0.95.8-5.1.mga7
 - zbar-0.23-1.1.mga7

tainted:
 - imagemagick-7.0.10.62-1.mga7.tainted
 - abydos-0.1.3-2.2.mga7.tainted
 - transcode-1.1.7-23.2.mga7.tainted
 - xine-lib1.2-1.2.9-9.2.mga7.tainted


Updated packages in 8/core/updates_testing:
========================
lib(64)abydos0.2-devel-0.2.3-4.1.mga8
abydos-config-0.2.3-4.1.mga8
lib(64)abydos0.2_0-0.2.3-4.1.mga8
blender-2.83.10-3.1.mga8
converseen-0.9.8.1-4.1.mga8
cuneiform-linux-1.1.0-18.1.mga8
lib(64)cuneiform0-1.1.0-18.1.mga8
lib(64)cuneiform-devel-1.1.0-18.1.mga8
digikam-7.1.0-4.1.mga8
lib(64)digikamgui7.1.0-7.1.0-4.1.mga8
lib(64)digikamdatabase7.1.0-7.1.0-4.1.mga8
showfoto-7.1.0-4.1.mga8
lib(64)digikam-devel-7.1.0-4.1.mga8
lib(64)digikamcore7.1.0-7.1.0-4.1.mga8
kxstitch-2.2.0-4.1.mga8
kxstitch-handbook-2.2.0-4.1.mga8
python3-libopenshot-0.2.5-5.1.mga8
lib(64)openshot19-0.2.5-5.1.mga8
lib(64)openshot-devel-0.2.5-5.1.mga8
pfstools-2.1.0-20.1.mga8
pfstmo-2.1.0-20.1.mga8
pfstools-octave-2.1.0-20.1.mga8
pfstools-glview-2.1.0-20.1.mga8
pfstools-qt-2.1.0-20.1.mga8
pfscalibration-2.1.0-20.1.mga8
pfstools-yuy-2.1.0-20.1.mga8
lib(64)pfstools2-2.1.0-20.1.mga8
pfstools-exr-2.1.0-20.1.mga8
pfstools-imgmagick-2.1.0-20.1.mga8
lib(64)pfstools-devel-2.1.0-20.1.mga8
php-imagick-3.4.5-0.git20201230.2.1.mga8
pythonmagick-0.9.19-10.1.mga8
spectacle-20.12.0-2.1.mga8
synfig-1.2.2-11.1.mga8
lib(64)synfig0-1.2.2-11.1.mga8
lib(64)synfig-devel-1.2.2-11.1.mga8
xine1.2-common-1.2.11-1.1.mga8
lib(64)xine1.2-devel-1.2.11-1.1.mga8
lib(64)xine2-1.2.11-1.1.mga8
mgba-0.8.4-1.1.mga8
mgba-qt-0.8.4-1.1.mga8
lib(64)mgba0.8-0.8.4-1.1.mga8
windowmaker-0.95.9-3.1.mga8
lib(64)wings-devel-0.95.9-3.1.mga8
lib(64)wings3-0.95.9-3.1.mga8
lib(64)wmaker-devel-0.95.9-3.1.mga8
lib(64)wmaker1-0.95.9-3.1.mga8
lib(64)wraster-devel-0.95.9-3.1.mga8
lib(64)wraster6-0.95.9-3.1.mga8
lib(64)wutil-devel-0.95.9-3.1.mga8
lib(64)wutil5-0.95.9-3.1.mga8
zbar-0.23.1-5.1.mga8
lib(64)zbar-devel-0.23.1-5.1.mga8
lib(64)zbar-gir1.0-0.23.1-5.1.mga8
lib(64)zbar0-0.23.1-5.1.mga8
lib(64)zbargtk0-0.23.1-5.1.mga8
lib(64)zbarqt0-0.23.1-5.1.mga8

Updated packages in 8/tainted/updates_testing:
========================

transcode-1.1.7-29.1.mga8.tainted

from SRPM:
core:
- imagemagick-7.0.10.62-1.mga8
- abydos-0.2.3-4.1.mga8
- blender-2.83.10-3.1.mga8
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8 
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- spectacle-20.12.0-2.1.mga8
- synfig-1.2.2-11.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8
- mgba-0.8.4-1.1.mga8
- windowmaker-0.95.9-3.1.mga8
- zbar-0.23.1-5.1.mga8

tainted:
- imagemagick-7.0.10.62-1.mga8.tainted
- abydos-0.2.3-4.1.mga8.tainted
- transcode-1.1.7-29.1.mga8.tainted
- xine-lib1.2-1.2.11-1.1.mga8.tainted

Keywords: (none) => advisory
CVE: (none) => CVE-2021-2024[1346]

Comment 57 Mageia Robot 2021-03-27 15:28:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0156.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
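
An added check, not part of this bug thread or of Mageia's tooling: once the update is pushed, the script below lists installed ImageMagick packages that are still older than the fixed version 7.0.10.62 named above. The function names are hypothetical and the sample package lines are constructed in the naming style used in this thread.

```shell
#!/bin/sh
# Added example (not Mageia tooling): list ImageMagick packages older than
# the fixed version this bug names. Function names are hypothetical.
FIXED="7.0.10.62"

# version_lt A B: true when A is strictly older than B (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# extract_version NVRA: the upstream version is the field before the last
# hyphen, e.g. lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.x86_64 -> 7.0.10.62
extract_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][0-9.]*)-[^-]+$/\1/'
}

# outdated_magick: read package names on stdin, print the ImageMagick ones
# below FIXED. Rebuilt dependants (digikam, pfstools-imgmagick, ...) carry
# their own version numbers and are skipped.
outdated_magick() {
    while IFS= read -r pkg; do
        case "$pkg" in
            imagemagick-*|lib64magick[-+]*|libmagick[-+]*|perl-Image-Magick-*) ;;
            *) continue ;;
        esac
        ver=$(extract_version "$pkg")
        [ "$ver" = "$pkg" ] && continue      # no version field found
        if version_lt "$ver" "$FIXED"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample input in `rpm -qa` style; only the first line is outdated.
sample_packages() {
    cat <<'EOF'
imagemagick-7.0.10.57-1.mga8.x86_64
lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.tainted.x86_64
lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga7.tainted.x86_64
pfstools-imgmagick-2.1.0-13.2.mga7.x86_64
digikam-6.1.0-4.1.mga7.x86_64
EOF
}

sample_packages | outdated_magick    # on a real system: rpm -qa | outdated_magick
```

The comparison looks only at the upstream version field, which suits this update because the fix was shipped as a new ImageMagick version rather than as patches backported to the old one.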

Comment 58 David Walser 2021-06-06 19:38:08 CEST
This update also fixed CVE-2021-20245:
https://www.debian.org/lts/security/2021/dla-2672

Summary: imagemagick new security issues CVE-2021-2024[1346] => imagemagick new security issues CVE-2021-2024[13456]

Comment 59 David Walser 2021-06-29 01:16:18 CEST
mga7 core blender package was missing from the SVN advisory so it didn't get pushed.  I fixed the SVN advisory.  Please move the blender package.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 60 Thomas Backlund 2021-06-29 21:47:33 CEST
(In reply to David Walser from comment #59)
> mga7 core blender package was missing from the SVN advisory so it didn't get
> pushed.  I fixed the SVN advisory.  Please move the blender package.


moved

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 61 David Walser 2022-03-21 21:58:19 CET
This update also fixed CVE-2021-20176:
https://ubuntu.com/security/notices/USN-5335-1
