SUSE has issued an advisory on February 25: https://lists.suse.com/pipermail/sle-security-updates/2021-February/008374.html The issues are fixed upstream in 7.0.10.62. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 7.0.10.62
Whiteboard: (none) => MGA8TOO, MGA7TOO
fixed in cauldron
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Thanks Nicolas for the instant fix. Assigning to the registered maintainer Stig to follow it through if necessary (M7, Advisory). Up to you who does what!
Assignee: bugsquad => smelror
too hard to fix the patches. I will push new imagemagick with rebuild deps.
Here are the src.rpms for this update.

src 7:
- imagemagick-7.0.10.62-1.mga7 ( core && tainted )
- abydos-0.1.3-2.2.mga7 ( core && tainted )
- converseen-0.9.7.2-2.2.mga7
- cuneiform-linux-1.1.0-15.1.mga7
- digikam-6.1.0-4.1.mga7
- kxstitch-2.1.1-5.1.mga7
- libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7
- pfstools-2.1.0-13.2.mga7
- php-imagick-3.4.4-1.2.mga7
- pythonmagick-0.9.19-4.1.mga7
- synfig-1.2.2-1.2.mga7
- windowmaker-0.95.8-5.1.mga7
- xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
- zbar-0.23-1.1.mga7

src 8:
- imagemagick-7.0.10.62-1.mga8 ( core && tainted )
- abydos-0.2.3-4.1.mga8 ( core && tainted )
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- synfig-1.2.2-11.1.mga8
- windowmaker-0.95.9-3.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
- zbar-0.23.1-5.1.mga8
Assignee: smelror => qa-bugs
(In reply to Nicolas Lécureuil from comment #4)
> - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7

Then that needs to be fixed.

Missing are: mgba sk1 uniconvertor transcode (see Bug 25277)
Status comment: Fixed upstream in 7.0.10.62 => (none)
Assignee: qa-bugs => mageia
Status comment: (none) => Some more packages need rebuilt against updated libraries
(In reply to David Walser from comment #5)
> (In reply to Nicolas Lécureuil from comment #4)
> > - libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7
>
> Then that needs to be fixed.

http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20210227151300.neoclust.duvel.32193/log/libopenshot-2.4.4-2.2.mga7/install_deps-2.i586.0.20210227160944.log

This is because of a missing dep in mga 7 (we weren't as perfect as for mageia 8 :-))
No, libopenshot should build fine (and did last time). It seems to be having a problem installing the zeromq update candidate from Bug 28320.
strange it is available

ls i586/media/core/updates_testing/*zmq*
i586/media/core/updates_testing/libzmq5-4.3.4-1.1.mga7.i586.rpm
i586/media/core/updates_testing/libzmq-devel-4.3.4-1.1.mga7.i586.rpm
Here are the src.rpms for this update.

src 7:
- imagemagick-7.0.10.62-1.mga7 ( core && tainted )
- abydos-0.1.3-2.2.mga7 ( core && tainted )
- converseen-0.9.7.2-2.2.mga7
- cuneiform-linux-1.1.0-15.1.mga7
- digikam-6.1.0-4.1.mga7
- kxstitch-2.1.1-5.1.mga7
- libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
- pfstools-2.1.0-13.2.mga7
- php-imagick-3.4.4-1.2.mga7
- pythonmagick-0.9.19-4.1.mga7
- synfig-1.2.2-1.2.mga7
- windowmaker-0.95.8-5.1.mga7
- xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
- zbar-0.23-1.1.mga7
- sk1-2.0-0.rc3.5.2.mga7
- uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
- transcode-1.1.7-23.2.mga7 ( core && tainted )

src 8:
- imagemagick-7.0.10.62-1.mga8 ( core && tainted )
- abydos-0.2.3-4.1.mga8 ( core && tainted )
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- synfig-1.2.2-11.1.mga8
- windowmaker-0.95.9-3.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
- zbar-0.23.1-5.1.mga8
- transcode-1.1.7-29.1.mga8 ( core && tainted )
You're still missing mgba.
[Update] Here are the src.rpms for this update.

src 7:
- imagemagick-7.0.10.62-1.mga7 ( core && tainted )
- abydos-0.1.3-2.2.mga7 ( core && tainted )
- converseen-0.9.7.2-2.2.mga7
- cuneiform-linux-1.1.0-15.1.mga7
- digikam-6.1.0-4.1.mga7
- kxstitch-2.1.1-5.1.mga7
- libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
- pfstools-2.1.0-13.2.mga7
- php-imagick-3.4.4-1.2.mga7
- pythonmagick-0.9.19-4.1.mga7
- synfig-1.2.2-1.2.mga7
- windowmaker-0.95.8-5.1.mga7
- xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
- zbar-0.23-1.1.mga7
- sk1-2.0-0.rc3.5.2.mga7
- uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
- transcode-1.1.7-23.2.mga7 ( core && tainted ) // need to see for broken deps
- mgba-0.6.3-5.2.mga7

src 8:
- imagemagick-7.0.10.62-1.mga8 ( core && tainted )
- abydos-0.2.3-4.1.mga8 ( core && tainted )
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- synfig-1.2.2-11.1.mga8
- windowmaker-0.95.9-3.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
- zbar-0.23.1-5.1.mga8
- transcode-1.1.7-29.1.mga8 ( core && tainted ) // need to see for broken deps
- mgba-0.8.4-1.1.mga8
windowmaker and zbar didn't need to be rebuilt. zbar uses graphicsmagick and imagemagick uses neither.
(In reply to David Walser from comment #12)
> windowmaker and zbar didn't need to be rebuilt. zbar uses graphicsmagick
> and imagemagick uses neither.

I meant windowmaker uses neither.
RPMS built so far:

libabydos0.1_0-0.1.3-2.2.mga7
libabydos0.1-devel-0.1.3-2.2.mga7
libabydos0.2-devel-0.2.3-4.1.mga8
abydos-config-0.2.3-4.1.mga8
libabydos0.2_0-0.2.3-4.1.mga8
blender-2.79b-14.git20190504.2.mga7
blender-2.83.10-3.1.mga8
converseen-0.9.7.2-2.2.mga7
converseen-0.9.8.1-4.1.mga8
cuneiform-linux-1.1.0-15.1.mga7
libcuneiform0-1.1.0-15.1.mga7
libcuneiform-devel-1.1.0-15.1.mga7
cuneiform-linux-1.1.0-18.1.mga8
libcuneiform0-1.1.0-18.1.mga8
libcuneiform-devel-1.1.0-18.1.mga8
digikam-6.1.0-4.1.mga7
showfoto-6.1.0-4.1.mga7
libdigikamdatabase6-6.1.0-4.1.mga7
libdigikamcore6-6.1.0-4.1.mga7
libdigikamgui6-6.1.0-4.1.mga7
libdigikam-devel-6.1.0-4.1.mga7
digikam-7.1.0-4.1.mga8
libdigikamgui7.1.0-7.1.0-4.1.mga8
libdigikamdatabase7.1.0-7.1.0-4.1.mga8
showfoto-7.1.0-4.1.mga8
libdigikam-devel-7.1.0-4.1.mga8
libdigikamcore7.1.0-7.1.0-4.1.mga8
kxstitch-2.1.1-5.1.mga7
kxstitch-handbook-2.1.1-5.1.mga7
kxstitch-2.2.0-4.1.mga8
kxstitch-handbook-2.2.0-4.1.mga8
python3-libopenshot-0.2.5-5.1.mga8
libopenshot19-0.2.5-5.1.mga8
libopenshot-devel-0.2.5-5.1.mga8
pfstools-2.1.0-13.2.mga7
pfscalibration-2.1.0-13.2.mga7
pfstmo-2.1.0-13.2.mga7
libpfstools2-2.1.0-13.2.mga7
pfstools-qt-2.1.0-13.2.mga7
pfstools-glview-2.1.0-13.2.mga7
pfstools-exr-2.1.0-13.2.mga7
pfstools-yuy-2.1.0-13.2.mga7
pfstools-imgmagick-2.1.0-13.2.mga7
pfstools-octave-2.1.0-13.2.mga7
libpfstools-devel-2.1.0-13.2.mga7
pfstools-2.1.0-20.1.mga8
pfstmo-2.1.0-20.1.mga8
pfstools-octave-2.1.0-20.1.mga8
pfstools-glview-2.1.0-20.1.mga8
pfstools-qt-2.1.0-20.1.mga8
pfscalibration-2.1.0-20.1.mga8
pfstools-yuy-2.1.0-20.1.mga8
libpfstools2-2.1.0-20.1.mga8
pfstools-exr-2.1.0-20.1.mga8
pfstools-imgmagick-2.1.0-20.1.mga8
libpfstools-devel-2.1.0-20.1.mga8
php-imagick-3.4.4-1.2.mga7
php-imagick-3.4.5-0.git20201230.2.1.mga8
pythonmagick-0.9.19-4.1.mga7
pythonmagick-0.9.19-10.1.mga8
spectacle-19.04.0-1.1.mga7
spectacle-20.12.0-2.1.mga8
synfig-1.2.2-1.2.mga7
libsynfig0-1.2.2-1.2.mga7
libsynfig-devel-1.2.2-1.2.mga7
synfig-1.2.2-11.1.mga8
libsynfig0-1.2.2-11.1.mga8
libsynfig-devel-1.2.2-11.1.mga8
xine1.2-common-1.2.9-9.2.mga7
libxine2-1.2.9-9.2.mga7
libxine1.2-devel-1.2.9-9.2.mga7
xine1.2-common-1.2.11-1.1.mga8
libxine1.2-devel-1.2.11-1.1.mga8
libxine2-1.2.11-1.1.mga8
sk1-2.0-0.rc3.5.2.mga7
uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
transcode-1.1.7-23.2.mga7.tainted
mgba-0.6.3-5.2.mga7
mgba-qt-0.6.3-5.2.mga7
libmgba0.6-0.6.3-5.2.mga7
mgba-0.8.4-1.1.mga8
mgba-qt-0.8.4-1.1.mga8
libmgba0.8-0.8.4-1.1.mga8
openSUSE has issued an advisory for this on March 3: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6SG6MVYKVW7O5POXSG4CGOWDIOAZCWWT/
libopenshot-2.4.4-2.2.mga7 now builds fine.
only transcode mga8 is missing.
The list of the complete src.rpms.

src 7:
- imagemagick-7.0.10.62-1.mga7 ( core && tainted )
- abydos-0.1.3-2.2.mga7 ( core && tainted )
- converseen-0.9.7.2-2.2.mga7
- cuneiform-linux-1.1.0-15.1.mga7
- digikam-6.1.0-4.1.mga7
- kxstitch-2.1.1-5.1.mga7
- libopenshot-2.4.4-2.2.mga7 // build broken on mageia 7 still need to be fixed.
- pfstools-2.1.0-13.2.mga7
- php-imagick-3.4.4-1.2.mga7
- pythonmagick-0.9.19-4.1.mga7
- synfig-1.2.2-1.2.mga7
- xine-lib1.2-1.2.9-9.2.mga7 ( core && tainted )
- sk1-2.0-0.rc3.5.2.mga7
- uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
- transcode-1.1.7-23.2.mga7 ( tainted )
- mgba-0.6.3-5.2.mga7

src 8:
- imagemagick-7.0.10.62-1.mga8 ( core && tainted )
- abydos-0.2.3-4.1.mga8 ( core && tainted )
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- synfig-1.2.2-11.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8 ( core && tainted )
- transcode-1.1.7-29.1.mga8 ( tainted )
- mgba-0.8.4-1.1.mga8
Assignee: mageia => qa-bugs
Status comment: Some more packages need rebuilt against updated libraries => (none)
(In reply to David Walser from comment #14)
> RPMS built so far:
>
> libabydos0.1_0-0.1.3-2.2.mga7
> libabydos0.1-devel-0.1.3-2.2.mga7
> libabydos0.2-devel-0.2.3-4.1.mga8
> abydos-config-0.2.3-4.1.mga8
> libabydos0.2_0-0.2.3-4.1.mga8
> blender-2.79b-14.git20190504.2.mga7
> blender-2.83.10-3.1.mga8
> converseen-0.9.7.2-2.2.mga7
> converseen-0.9.8.1-4.1.mga8
> cuneiform-linux-1.1.0-15.1.mga7
> libcuneiform0-1.1.0-15.1.mga7
> libcuneiform-devel-1.1.0-15.1.mga7
> cuneiform-linux-1.1.0-18.1.mga8
> libcuneiform0-1.1.0-18.1.mga8
> libcuneiform-devel-1.1.0-18.1.mga8
> digikam-6.1.0-4.1.mga7
> showfoto-6.1.0-4.1.mga7
> libdigikamdatabase6-6.1.0-4.1.mga7
> libdigikamcore6-6.1.0-4.1.mga7
> libdigikamgui6-6.1.0-4.1.mga7
> libdigikam-devel-6.1.0-4.1.mga7
> digikam-7.1.0-4.1.mga8
> libdigikamgui7.1.0-7.1.0-4.1.mga8
> libdigikamdatabase7.1.0-7.1.0-4.1.mga8
> showfoto-7.1.0-4.1.mga8
> libdigikam-devel-7.1.0-4.1.mga8
> libdigikamcore7.1.0-7.1.0-4.1.mga8
> kxstitch-2.1.1-5.1.mga7
> kxstitch-handbook-2.1.1-5.1.mga7
> kxstitch-2.2.0-4.1.mga8
> kxstitch-handbook-2.2.0-4.1.mga8
> python3-libopenshot-0.2.5-5.1.mga8
> libopenshot19-0.2.5-5.1.mga8
> libopenshot-devel-0.2.5-5.1.mga8
> pfstools-2.1.0-13.2.mga7
> pfscalibration-2.1.0-13.2.mga7
> pfstmo-2.1.0-13.2.mga7
> libpfstools2-2.1.0-13.2.mga7
> pfstools-qt-2.1.0-13.2.mga7
> pfstools-glview-2.1.0-13.2.mga7
> pfstools-exr-2.1.0-13.2.mga7
> pfstools-yuy-2.1.0-13.2.mga7
> pfstools-imgmagick-2.1.0-13.2.mga7
> pfstools-octave-2.1.0-13.2.mga7
> libpfstools-devel-2.1.0-13.2.mga7
> pfstools-2.1.0-20.1.mga8
> pfstmo-2.1.0-20.1.mga8
> pfstools-octave-2.1.0-20.1.mga8
> pfstools-glview-2.1.0-20.1.mga8
> pfstools-qt-2.1.0-20.1.mga8
> pfscalibration-2.1.0-20.1.mga8
> pfstools-yuy-2.1.0-20.1.mga8
> libpfstools2-2.1.0-20.1.mga8
> pfstools-exr-2.1.0-20.1.mga8
> pfstools-imgmagick-2.1.0-20.1.mga8
> libpfstools-devel-2.1.0-20.1.mga8
> php-imagick-3.4.4-1.2.mga7
> php-imagick-3.4.5-0.git20201230.2.1.mga8
> pythonmagick-0.9.19-4.1.mga7
> pythonmagick-0.9.19-10.1.mga8
> spectacle-19.04.0-1.1.mga7
> spectacle-20.12.0-2.1.mga8
> synfig-1.2.2-1.2.mga7
> libsynfig0-1.2.2-1.2.mga7
> libsynfig-devel-1.2.2-1.2.mga7
> synfig-1.2.2-11.1.mga8
> libsynfig0-1.2.2-11.1.mga8
> libsynfig-devel-1.2.2-11.1.mga8
> xine1.2-common-1.2.9-9.2.mga7
> libxine2-1.2.9-9.2.mga7
> libxine1.2-devel-1.2.9-9.2.mga7
> xine1.2-common-1.2.11-1.1.mga8
> libxine1.2-devel-1.2.11-1.1.mga8
> libxine2-1.2.11-1.1.mga8
> sk1-2.0-0.rc3.5.2.mga7
> uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
> transcode-1.1.7-23.2.mga7.tainted
> mgba-0.6.3-5.2.mga7
> mgba-qt-0.6.3-5.2.mga7
> libmgba0.6-0.6.3-5.2.mga7
> mgba-0.8.4-1.1.mga8
> mgba-qt-0.8.4-1.1.mga8
> libmgba0.8-0.8.4-1.1.mga8

Added to this are:

libopenshot17-2.4.4-2.2.mga7
libopenshot-devel-2.4.4-2.2.mga7
python3-libopenshot-2.4.4-2.2.mga7
transcode-1.1.7-29.1.mga8.tainted
The lists of rpms in Comments 14 and 19, in their present form, are extremely difficult for QA to use with QA Repo. It will balk at mixed mga7/mga8 names, not to mention the old lib/lib64 problem. Can anybody suggest a way to sort them other than manually picking the ones we want for a test out one by one? I'm not as adept as I once was at data manipulation techniques.
CC: (none) => andrewsfarm
@TJ, comment 20. I have my own methods for parsing and editing such lists and generating an installation script. Shall try to do that today and publish the list(s). Global editing helps with lib/lib64 but needs to be checked for outliers like python3-libopenshot = python3-libopenshot-0.2.5-5.mga8.x86_64.
CC: (none) => tarazed25
In response to comments 20 and 21:

Generated four lists of RPM names for mga{7,8} and arch{32,64}.
Working in mga7 just now, before updating.
Tried mga7 x64 test install (--test) here with the mga7(64) list and managed all but four:

The following packages can't be installed because they depend on packages that are older than the installed ones:
lib64kf5sonnetui-devel-5.57.0-1.mga7
lib64kf5textwidgets-devel-5.57.0-1.mga7
lib64kf5xmlgui-devel-5.57.0-1.mga7
lib64digikam-devel-6.1.0-4.mga7

This might be a case of QA testing pollution where an update is not removed after tests are complete, so other testers may not see this.

I suspect that this would be sorted out if qarepo were used.
Attaching the four lists anyway.
Created attachment 12462 [details] List of rpms for Mageia 7 x32
Created attachment 12463 [details] List of rpms for Mageia 7 x64
Created attachment 12464 [details] List of rpms for Mageia 8 x32
Created attachment 12465 [details] List of rpms for Mageia 8 x64
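One way to do the split asked about in Comment 20, as an added example that is not from any participant in this bug: it separates a mixed list by release (mga7/mga8) and media (core/tainted) and renames only a leading `lib` to `lib64` for x86_64, so `python3-libopenshot` is left alone. The function name, the `keep` parameter and the sample text are assumptions made for illustration; the sample names are copied from the list above, plus one constructed entry with no `.mgaN` tag.

```python
import re
from collections import defaultdict

# Constructed sample: names copied from the mixed mga7/mga8 list in this bug,
# plus one malformed entry (no ".mgaN" tag) to show how it is reported.
SAMPLE = """
libabydos0.1_0-0.1.3-2.2.mga7 libabydos0.2_0-0.2.3-4.1.mga8
digikam-6.1.0-4.1.mga7 libdigikamcore6-6.1.0-4.1.mga7
python3-libopenshot-0.2.5-5.1.mga8
transcode-1.1.7-23.2.mga7.tainted transcode-1.1.7-29.1.mga8.tainted
libxine2-1.2.11-1.1.mga8
libwings-devel-0.95.8-5.1
"""

# name-version-release: version and release never contain "-", so the greedy
# name group absorbs any hyphens that belong to the package name itself.
NVR = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-"
    r"(?P<release>[^-]+\.mga(?P<mga>\d+)(?P<tainted>\.tainted)?)$"
)


def split_rpm_list(text, arch="x86_64", keep=()):
    """Split a whitespace-separated RPM name list into per-release buckets.

    Returns (buckets, rejected): buckets maps (mga_release, media) to a
    sorted, de-duplicated list of names; rejected holds tokens that do not
    look like name-version-release.mgaN and need a manual check.
    `keep` lists package names that start with "lib" but must not be renamed.
    """
    buckets = defaultdict(list)
    rejected = []
    for token in text.split():
        m = NVR.match(token)
        if not m:
            rejected.append(token)
            continue
        name = m["name"]
        # Assumption: on x86_64 only a *leading* "lib" becomes "lib64".
        if (arch == "x86_64" and name.startswith("lib")
                and not name.startswith("lib64") and name not in keep):
            name = "lib64" + name[3:]
        media = "tainted" if m["tainted"] else "core"
        key = (int(m["mga"]), media)
        buckets[key].append(f"{name}-{m['version']}-{m['release']}")
    return {k: sorted(set(v)) for k, v in buckets.items()}, rejected


if __name__ == "__main__":
    lists, bad = split_rpm_list(SAMPLE)
    for (mga, media), names in sorted(lists.items()):
        print(f"# mga{mga} {media}")
        print("\n".join(names))
    print("# needs manual check:", bad)
```

Names cannot show whether a package is noarch, so no architecture suffix is appended; anything in the rejected list should be checked by hand before the list is used.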
(In reply to Len Lawrence from comment #21)
> @TJ, comment 20. I have my own methods for parsing and editing such lists
> and generating an installation script. Shall try to do that today and
> publish the list(s). Global editing helps with lib/lib64 but needs to be
> checked for outliers like python3-libopenshot =
> python3-libopenshot-0.2.5-5.mga8.x86_64.

Thank you, Len. I really should take this opportunity to develop my own techniques. I don't mind asking for help when something is beyond my capability, but I dislike being dependent on others to do something I should be able to do myself. I blame the farmer in me for that independent streak.

The "64" outliers aren't usually a serious problem. There usually aren't a lot of them to cause trouble. Qarepo will flag them, and they can be edited accordingly.
(In reply to Len Lawrence from comment #22)
> In response to comments 20 and 21:
>
> Generated four lists of RPM names for mga{7,8} and arch{32,64}.
> Working in mga7 just now, before updating.
> Tried mga7 x64 test install (--test) here with the mga7(64) list and managed
> all but four:
>
> The following packages can't be installed because they depend on packages
> that are older than the installed ones:
> lib64kf5sonnetui-devel-5.57.0-1.mga7
> lib64kf5textwidgets-devel-5.57.0-1.mga7
> lib64kf5xmlgui-devel-5.57.0-1.mga7
> lib64digikam-devel-6.1.0-4.mga7
> This might be a case of QA testing pollution where an update is not removed
> after tests are complete, so other testers may not see this.
>
> I suspect that this would be sorted out if qarepo were used.
> Attaching the four lists anyway.

Hmmm. Those are all devel packages. Could be some development package that most users wouldn't even have installed.
From mga7-64 Plasma, updating tainted versions, using Len's list in qarepo, I get this:

Sorry, the following packages cannot be selected:

- lib64digikamcore6-6.1.0-4.1.mga7.x86_64 (due to unsatisfied libMagick++-7.Q16HDRI.so.5()(64bit))
- lib64xine2-1.2.9-9.2.mga7.x86_64 (due to unsatisfied libMagickWand-7.Q16HDRI.so.9()(64bit))

I looked, and those two unsatisfied packages are not on the lists in Comment 14 or 19. I attempted to copy the names from the notice and add them to the list, but qarepo can't find them.

I haven't tried it yet, but I would suspect the same packages are missing in mga8.
Looks like imagemagick itself was missing from the RPMs list:

imagemagick-7.0.10.62-1.mga7
imagemagick-desktop-7.0.10.62-1.mga7
imagemagick-doc-7.0.10.62-1.mga7
libmagick++-7Q16HDRI_5-7.0.10.62-1.mga7
libmagick-7Q16HDRI_9-7.0.10.62-1.mga7
libmagick-devel-7.0.10.62-1.mga7
perl-Image-Magick-7.0.10.62-1.mga7
imagemagick-7.0.10.62-1.mga8
imagemagick-desktop-7.0.10.62-1.mga8
imagemagick-doc-7.0.10.62-1.mga8
libmagick++-7Q16HDRI_5-7.0.10.62-1.mga8
libmagick-7Q16HDRI_9-7.0.10.62-1.mga8
libmagick-devel-7.0.10.62-1.mga8
perl-Image-Magick-7.0.10.62-1.mga8
That did the trick, at least for me. In mga7-64 Plasma, using qarepo with the updated list:

The following 11 packages are going to be installed:

- digikam-6.1.0-4.1.mga7.x86_64
- imagemagick-7.0.10.62-1.mga7.x86_64
- imagemagick-desktop-7.0.10.62-1.mga7.x86_64
- lib64digikamcore6-6.1.0-4.1.mga7.x86_64
- lib64digikamdatabase6-6.1.0-4.1.mga7.x86_64
- lib64digikamgui6-6.1.0-4.1.mga7.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga7.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.x86_64
- lib64xine2-1.2.9-9.2.mga7.x86_64
- spectacle-19.04.0-1.1.mga7.x86_64
- xine1.2-common-1.2.9-9.2.mga7.x86_64

No installation issues. No devel packages installed, which would be common among our users, but it doesn't address the issue of Comment 22.

Used Print Screen to run Spectacle, captured a rectangular area of the screen, saved it as png. Loaded that into imagemagick, played around with various effects, no issues noted. I don't use Digikam as a rule, but it did run and I was able to do a minimal configuration setup.

Looks OK on this install, but I'm withholding the OK until I hear if the issue of Comment 22 needs to be addressed.
@TJ, comment 27. No problem - teamwork. Re comment 22. Shall have another look at that.
In mga8-64 Plasma:

The following 13 packages are going to be installed:

- digikam-7.1.0-4.1.mga8.x86_64
- imagemagick-7.0.10.62-1.mga8.x86_64
- imagemagick-desktop-7.0.10.62-1.mga8.x86_64
- imagemagick-doc-7.0.10.62-1.mga8.noarch
- lib64digikamcore7.1.0-7.1.0-4.1.mga8.x86_64
- lib64digikamdatabase7.1.0-7.1.0-4.1.mga8.x86_64
- lib64digikamgui7.1.0-7.1.0-4.1.mga8.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga8.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga8.x86_64
- lib64xine2-1.2.11-1.1.mga8.x86_64
- spectacle-20.12.0-2.1.mga8.x86_64
- transcode-1.1.7-29.1.mga8.tainted.x86_64
- xine1.2-common-1.2.11-1.1.mga8.x86_64

No installation issues. Same tests as in Comment 31, except that Digikam had apparently already been minimally configured, probably from an earlier test. Also opened an image in xine, with no issues.

Looks OK as far as I have gone. Again, withholding the OK pending investigation of Comment 22, even though that comment did not pertain to mga8.
Sorry to be so long. My original installation was for the tainted versions. Had to install mga7.1 on a spare partition on another machine to make sure of a clean slate. Installed the packages and updated them OK. No problems - so OK to pass this version. This machine has a system with the tainted version so I shall follow up by installing any missing packages on that and update it and perform some quick tests. Later.
Any progress, Len? My tests were both with the tainted versions, but they did not involve any of the devel packages. Do you have any problem with passing it on with those?
Sorry TJ - forgot all about this. Have been side-tracked by so many other things. Shall get back to you on this, but it will not be quick. I do not remember which machine or which partition comment 34 referred to so may have to retrace some steps.
Retested the tainted updates on Mageia 8 and 7 and saw the issue reported in comment 22, in both versions. Different partitions with different histories. Quick tests of imagemagick with various image formats and blender looked OK. Shall try to switch to non-tainted versions but might have to reinstall the two OSes.
Is your system fully up to date before installing these updates? KF5 5.57.0 was an update we shipped for Mageia 7. Do you have the updates media enabled?
Yes, updates media are enabled. I don't know about KF5.
I always run `update -a` after enabling updates testing.
Does rpm -qa lib64kf5* show all 5.57.0 versions? I think urpmi has a --debug option to better show what's going wrong.
$ rpm -qa lib64kf5*
lib64kf5baloocore5-5.57.0-1.mga7
lib64kf5kdelibs4support5-5.57.0-1.mga7
lib64kf5i18n-devel-5.57.0-1.mga7
lib64kf5kdegames7-19.04.0-1.mga7
lib64kf5coreaddons5-5.57.0-1.mga7
lib64kf5bluezqt5-5.57.0-1.mga7
lib64kf5mailtransport5-19.04.0-1.mga7
lib64kf5mailtransportakonadi5-19.04.0-1.mga7
...

Using urpmi --debug ....
.....
selecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
requiring devel(libKF5SonnetCore(64bit)),devel(libKF5SonnetUi(64bit)) for lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64 for devel(libKF5SonnetCore(64bit))
selecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
requiring lib64kf5sonnetcore5[== 5.57.0-1.mga7],lib64kf5sonnetui5[== 5.57.0-1.mga7],sonnet[== 5.57.0-1.mga7] for lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
chosen lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 for lib64kf5sonnetcore5[== 5.57.0-1.mga7]
the more recent lib64kf5sonnetcore5-5.57.0-1.1.mga7.x86_64 is installed, but does not provide lib64kf5sonnetcore5[== 5.57.0-1.mga7] whereas lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64 does
selecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetcore5-5.57.0-1.mga7.x86_64
unselecting lib64kf5sonnetui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5textwidgets-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5xmlgui-devel-5.57.0-1.mga7.x86_64
unselecting lib64kf5kio-devel-5.57.0-1.mga7.x86_64
unselecting lib64digikam-devel-6.1.0-4.1.mga7.x86_64
unselecting lib64kf5notifyconfig-devel-5.57.0-1.mga7.x86_64
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64kf5sonnetui-devel-5.57.0-1.mga7
lib64kf5textwidgets-devel-5.57.0-1.mga7
lib64kf5xmlgui-devel-5.57.0-1.mga7
lib64kf5kio-devel-5.57.0-1.mga7
lib64digikam-devel-6.1.0-4.1.mga7
lib64kf5notifyconfig-devel-5.57.0-1.mga7
Continue installation anyway? (Y/n)
Comment 42 refers to the initial installation before updates testing. The system started with a set of tainted packages which I am attempting to replace by running updates with tainted updates suppressed.
Arrgh! No, sorry. That had already been done. The last test was with updates testing enabled.
There's a problem with lib64kf5sonnetcore5, which should be 5.57.0-1.mga7, not 5.57.0-1.1.mga7. I don't know where you got that, but you need to downgrade it, it's causing the problem.
mga7, x64 Made little headway with downgrading so reinstalled the OS without tainted sources. Installed the imagemagick files from the manifest listed on the bug - close to 300 packages installed. Enabled core updates testing and ran the exercise again. A clean install excepting a bad signature for imagemagick-doc. Launched blender from the menu. Manipulated the default cube and closed down. Ran a few simple tests on images of various formats; identify, display, convert and rotate. To test perl functionality ran examples.pl which Lewis pointed out in earlier bugs; used in bug 24761 for instance. That covers a lot of ground, image filtering and transformations of many kinds and eventually displays an image montage of all the products. No regressions. OK for core release in Mageia 7. Testing tainted later, probably a straight update from tainted testing.
mga7, x64

Enabled tainted updates testing and attempted to do a full update.

A requested package cannot be installed:
imagemagick-7.0.10.62-1.mga7.tainted.x86_64 (due to unsatisfied libde265)

The H.265 video codec is open source.

$ rpm -q task-codec-video
task-codec-video-6-2.mga7

Something tells me that this has come up before but cannot remember how it was resolved.
As far as I could tell the other tainted packages installed OK.

$ rpm -q imagemagick
imagemagick-7.0.10.62-1.mga7
$ rpm -q lib64abydos0.1_0 xine1.2-common transcode
lib64abydos0.1_0-0.1.3-2.2.mga7.tainted
xine1.2-common-1.2.9-9.2.mga7.tainted
transcode-1.1.7-23.2.mga7.tainted
I also wonder what a video codec has to do with images?
(In reply to Len Lawrence from comment #48)
> I also wonder what a video codec has to do with images?

Possibly a dependency of transcode, which I'm sure handles video as well as images.

So for lack of something else to look at, why not start with the basics? You did remember to install the tainted versions of both task-codec-video and task-codec-audio, right?
Managed it in the end by a round-about path. Downgraded the release version in favour of the tainted version and then installed the update. No more HVE codec.

$ rpm -q imagemagick
imagemagick-7.0.10.62-1.mga7.tainted

The examples.pl script does not run.

$ perl examples.pl
Can't locate Image/Magick.pm in @INC (you may need to install the Image::Magick module) (@INC contains: .........

Perhaps it was uninstalled in all this shenanigans. There must be a bundled module but what is it called? DuckDuckGo found it right away.
Installed perl-Image-Magick-7.0.10.62-1.mga7.tainted.x86_64.

$ perl examples.pl

That worked and displayed the thumbnail montage. So, tainted version is working in Mageia 7.

@TJ - yes maybe transcode has something to do with it - well spotted that man! Good point about the codecs - no in fact - doing it now. Thanks TJ.
Glad I could help. Whenever I run into trouble of this sort, I always try to check the basics first. They have tripped me up more times than I like to admit.
Default M7 installation with tainted repos with Plasma. x86_64. Updates are OK. No devel packages. Fully updated M7 system before testing.

- digikam-6.1.0-4.1.mga7.x86_64
- imagemagick-7.0.10.62-1.mga7.tainted.x86_64
- lib64digikamcore6-6.1.0-4.1.mga7.x86_64
- lib64digikamdatabase6-6.1.0-4.1.mga7.x86_64
- lib64digikamgui6-6.1.0-4.1.mga7.x86_64
- lib64magick++-7Q16HDRI_5-7.0.10.62-1.mga7.tainted.x86_64
- lib64magick-7Q16HDRI_9-7.0.10.62-1.mga7.tainted.x86_64
- spectacle-19.04.0-1.1.mga7.x86_64

These install OK.
(In reply to Thomas Andrews from comment #51)
> Glad I could help.
>
> Whenever I run into trouble of this sort, I always try to check the basics
> first. They have tripped me up more times than I like to admit.

Nope: Same system above, updates_testing enabled (same for tainted_updates_testing)

# urpmi transcode

urpmi[4426]: transaction on / (remove=0, install=1, upgrade=)
[RPM][4426]: Transaction ID 6058ccea started
[RPM][4426]: install transcode-1.1.7-23.2.mga7.tainted.x86_64: success
systemd[1]: Started /usr/bin/systemctl start man-db-cache-update.
[RPM][4426]: install transcode-1.1.7-23.2.mga7.tainted.x86_64: success
[RPM][4426]: Transaction ID 6058ccea finished: 0

No error related to H.265
CC: (none) => ouaurelien
mga8, x64

Core release package list complete. All updates installed cleanly.
Ran a few commands like:
$ mogrify -resize 150% JunoTemple_16.jpg
Then examples.pl to generate demo.jpg. All functions worked fine and montage displayed correctly.
Good for Mageia 8.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Nice work, Len! Validating. Advisory information scattered all over the place.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability (CVE-2021-20241).

A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability (CVE-2021-20243).

A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability (CVE-2021-20244).

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability (CVE-2021-20246).

Note that abydos, blender, converseen, cuneiform-linux, digikam, kxstitch, libopenshot, pfstools, php-imagick, spectacle, synfig, xine-lib1.2, mgba, windowmaker, zbar and transcode (and tainted counterparts) have been rebuilt.
References:
- https://bugs.mageia.org/show_bug.cgi?id=28462
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20241
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20243
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20244
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20246
- https://lists.suse.com/pipermail/sle-security-updates/2021-February/008374.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6SG6MVYKVW7O5POXSG4CGOWDIOAZCWWT/
========================

Updated packages in 7
========================
core/updates_testing:
imagemagick-7.0.10.62-1.mga7
imagemagick-desktop-7.0.10.62-1.mga7
imagemagick-doc-7.0.10.62-1.mga7
lib(64)magick++-7Q16HDRI_5-7.0.10.62-1.mga7
lib(64)magick-7Q16HDRI_9-7.0.10.62-1.mga7
lib(64)magick-devel-7.0.10.62-1.mga7
perl-Image-Magick-7.0.10.62-1.mga7
lib(64)abydos0.1_0-0.1.3-2.2.mga7
lib(64)abydos0.1-devel-0.1.3-2.2.mga7
blender-2.79b-14.git20190504.2.mga7
converseen-0.9.7.2-2.2.mga7
cuneiform-linux-1.1.0-15.1.mga7
lib(64)cuneiform0-1.1.0-15.1.mga7
lib(64)cuneiform-devel-1.1.0-15.1.mga7
digikam-6.1.0-4.1.mga7
showfoto-6.1.0-4.1.mga7
lib(64)digikamdatabase6-6.1.0-4.1.mga7
lib(64)digikamcore6-6.1.0-4.1.mga7
lib(64)digikamgui6-6.1.0-4.1.mga7
lib64digikam-devel-6.1.0-4.1.mga7
kxstitch-2.1.1-5.1.mga7
kxstitch-handbook-2.1.1-5.1.mga7
pfstools-2.1.0-13.2.mga7
pfscalibration-2.1.0-13.2.mga7
pfstmo-2.1.0-13.2.mga7
lib(64)pfstools2-2.1.0-13.2.mga7
pfstools-qt-2.1.0-13.2.mga7
pfstools-glview-2.1.0-13.2.mga7
pfstools-exr-2.1.0-13.2.mga7
pfstools-yuy-2.1.0-13.2.mga7
pfstools-imgmagick-2.1.0-13.2.mga7
pfstools-octave-2.1.0-13.2.mga7
lib(64)pfstools-devel-2.1.0-13.2.mga7
php-imagick-3.4.4-1.2.mga7
pythonmagick-0.9.19-4.1.mga7
spectacle-19.04.0-1.1.mga7
synfig-1.2.2-1.2.mga7
lib(64)synfig0-1.2.2-1.2.mga7
lib(64)synfig-devel-1.2.2-1.2.mga7
xine1.2-common-1.2.9-9.2.mga7
lib(64)xine2-1.2.9-9.2.mga7
lib(64)xine1.2-devel-1.2.9-9.2.mga7
sk1-2.0-0.rc3.5.2.mga7
uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
mgba-0.6.3-5.2.mga7
mgba-qt-0.6.3-5.2.mga7
lib(64)mgba0.6-0.6.3-5.2.mga7
lib(64)openshot17-2.4.4-2.2.mga7
lib(64)openshot-devel-2.4.4-2.2.mga7
python3-libopenshot-2.4.4-2.2.mga7
windowmaker-0.95.8-5.1.mga7
lib(64)wings-devel-0.95.8-5.1
lib(64)wings3-0.95.8-5.1.mga7
lib(64)wmaker-devel-0.95.8-5.1.mga7
lib(64)wmaker1-0.95.8-5.1.mga7
lib(64)wraster-devel-0.95.8-5.1.mga7
lib(64)wraster6-0.95.8-5.1.mga7
lib(64)wutil-devel-0.95.8-5.1.mga7
lib(64)wutil5-0.95.8-5.1.mga7
zbar-0.23-1.1.mga7
lib(64)zbar-devel-0.23-1.1.mga7
lib(64)zbar-gir1.0-0.23-1.1.mga7
lib(64)zbar0-0.23-1.1.mga7
lib(64)zbargtk0-0.23-1.1.mga7
lib(64)zbarqt0-0.23-1.1.mga7

tainted/updates_testing:
imagemagick-7.0.10.62-1.mga7.tainted
imagemagick-desktop-7.0.10.62-1.mga7.tainted
imagemagick-doc-7.0.10.62-1.mga7.tainted
lib(64)abydos0.1-devel-0.1.3-2.2.mga7.tainted
lib(64)abydos0.1_0-0.1.3-2.2.mga7.tainted
lib(64)magick++-7Q16HDRI_5-7.0.10.62-1.mga7.tainted
lib(64)magick-7Q16HDRI_9-7.0.10.62-1.mga7.tainted
lib(64)magick-devel-7.0.10.62-1.mga7.tainted
lib(64)xine1.2-devel-1.2.9-9.2.mga7.tainted
lib(64)xine2-1.2.9-9.2.mga7.tainted
perl-Image-Magick-7.0.10.62-1.mga7.tainted
transcode-1.1.7-23.2.mga7.tainted
xine1.2-common-1.2.9-9.2.mga7.tainted
========================

from SRPM:
core:
- imagemagick-7.0.10.62-1.mga7
- abydos-0.1.3-2.2.mga7
- converseen-0.9.7.2-2.2.mga7
- cuneiform-linux-1.1.0-15.1.mga7
- digikam-6.1.0-4.1.mga7
- kxstitch-2.1.1-5.1.mga7
- libopenshot-2.4.4-2.2.mga7
- pfstools-2.1.0-13.2.mga7
- php-imagick-3.4.4-1.2.mga7
- pythonmagick-0.9.19-4.1.mga7
- spectacle-19.04.0-1.1.mga7
- synfig-1.2.2-1.2.mga7
- xine-lib1.2-1.2.9-9.2.mga7
- sk1-2.0-0.rc3.5.2.mga7
- uniconvertor-2.0-0.1.rc3_20171226.2.2.mga7
- mgba-0.6.3-5.2.mga7
- windowmaker-0.95.8-5.1.mga7
- zbar-0.23-1.1.mga7
tainted:
- imagemagick-7.0.10.62-1.mga7.tainted
- abydos-0.1.3-2.2.mga7.tainted
- transcode-1.1.7-23.2.mga7.tainted
- xine-lib1.2-1.2.9-9.2.mga7.tainted

Updated packages in 8/core/updates_testing:
========================
lib(64)abydos0.2-devel-0.2.3-4.1.mga8
abydos-config-0.2.3-4.1.mga8
lib(64)abydos0.2_0-0.2.3-4.1.mga8
blender-2.83.10-3.1.mga8
converseen-0.9.8.1-4.1.mga8
cuneiform-linux-1.1.0-18.1.mga8
lib(64)cuneiform0-1.1.0-18.1.mga8
lib(64)cuneiform-devel-1.1.0-18.1.mga8
digikam-7.1.0-4.1.mga8
lib(64)digikamgui7.1.0-7.1.0-4.1.mga8
lib(64)digikamdatabase7.1.0-7.1.0-4.1.mga8
showfoto-7.1.0-4.1.mga8
lib(64)digikam-devel-7.1.0-4.1.mga8
lib(64)digikamcore7.1.0-7.1.0-4.1.mga8
kxstitch-2.2.0-4.1.mga8
kxstitch-handbook-2.2.0-4.1.mga8
python3-libopenshot-0.2.5-5.1.mga8
lib(64)openshot19-0.2.5-5.1.mga8
lib(64)openshot-devel-0.2.5-5.1.mga8
pfstools-2.1.0-20.1.mga8
pfstmo-2.1.0-20.1.mga8
pfstools-octave-2.1.0-20.1.mga8
pfstools-glview-2.1.0-20.1.mga8
pfstools-qt-2.1.0-20.1.mga8
pfscalibration-2.1.0-20.1.mga8
pfstools-yuy-2.1.0-20.1.mga8
lib(64)pfstools2-2.1.0-20.1.mga8
pfstools-exr-2.1.0-20.1.mga8
pfstools-imgmagick-2.1.0-20.1.mga8
lib(64)pfstools-devel-2.1.0-20.1.mga8
php-imagick-3.4.5-0.git20201230.2.1.mga8
pythonmagick-0.9.19-10.1.mga8
spectacle-20.12.0-2.1.mga8
synfig-1.2.2-11.1.mga8
lib(64)synfig0-1.2.2-11.1.mga8
lib(64)synfig-devel-1.2.2-11.1.mga8
xine1.2-common-1.2.11-1.1.mga8
lib(64)xine1.2-devel-1.2.11-1.1.mga8
lib(64)xine2-1.2.11-1.1.mga8
mgba-0.8.4-1.1.mga8
mgba-qt-0.8.4-1.1.mga8
lib(64)mgba0.8-0.8.4-1.1.mga8
windowmaker-0.95.9-3.1.mga8
lib(64)wings-devel-0.95.9-3.1.mga8
lib(64)wings3-0.95.9-3.1.mga8
lib(64)wmaker-devel-0.95.9-3.1.mga8
lib(64)wmaker1-0.95.9-3.1.mga8
lib(64)wraster-devel-0.95.9-3.1.mga8
lib(64)wraster6-0.95.9-3.1.mga8
lib(64)wutil-devel-0.95.9-3.1.mga8
lib(64)wutil5-0.95.9-3.1.mga8
zbar-0.23.1-5.1.mga8
lib(64)zbar-devel-0.23.1-5.1.mga8
lib(64)zbar-gir1.0-0.23.1-5.1.mga8
lib(64)zbar0-0.23.1-5.1.mga8
lib(64)zbargtk0-0.23.1-5.1.mga8
lib(64)zbarqt0-0.23.1-5.1.mga8

Updated packages in 8/tainted/updates_testing:
========================
transcode-1.1.7-29.1.mga8.tainted

from SRPM:
core:
- imagemagick-7.0.10.62-1.mga8
- abydos-0.2.3-4.1.mga8
- blender-2.83.10-3.1.mga8
- converseen-0.9.8.1-4.1.mga8
- cuneiform-linux-1.1.0-18.1.mga8
- digikam-7.1.0-4.1.mga8
- kxstitch-2.2.0-4.1.mga8
- libopenshot-0.2.5-5.1.mga8
- pfstools-2.1.0-20.1.mga8
- php-imagick-3.4.5-0.git20201230.2.1.mga8
- pythonmagick-0.9.19-10.1.mga8
- spectacle-20.12.0-2.1.mga8
- synfig-1.2.2-11.1.mga8
- xine-lib1.2-1.2.11-1.1.mga8
- mgba-0.8.4-1.1.mga8
- windowmaker-0.95.9-3.1.mga8
- zbar-0.23.1-5.1.mga8
tainted:
imagemagick-7.0.10.62-1.mga8.tainted
abydos-0.2.3-4.1.mga8.tainted
transcode-1.1.7-29.1.mga8.tainted
xine-lib1.2-1.2.11-1.1.mga8.tainted
Keywords: (none) => advisory
CVE: (none) => CVE-2021-2024[1346]
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0156.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2021-20245: https://www.debian.org/lts/security/2021/dla-2672
Summary: imagemagick new security issues CVE-2021-2024[1346] => imagemagick new security issues CVE-2021-2024[13456]
mga7 core blender package was missing from the SVN advisory so it didn't get pushed. I fixed the SVN advisory. Please move the blender package.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
(In reply to David Walser from comment #59)
> mga7 core blender package was missing from the SVN advisory so it didn't get
> pushed. I fixed the SVN advisory. Please move the blender package.
moved
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2021-20176: https://ubuntu.com/security/notices/USN-5335-1