Bug 30211 - graphicsmagick 1.3.38 fixes security issues
Summary: graphicsmagick 1.3.38 fixes security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2022-03-26 17:53 CET by David Walser
Modified: 2022-04-20 16:53 CEST

Source RPM: graphicsmagick-1.3.36-1.mga8.src.rpm
Description David Walser 2022-03-26 17:53:37 CET
GraphicsMagick 1.3.37 has been released on December 12:
http://www.graphicsmagick.org/NEWS.html#december-12-2021

Fedora has issued an advisory for this today (March 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2QNG6Z5S5XGO3TXEHLRZPISCIWYIL4OQ/
Comment 1 David Walser 2022-03-26 17:55:54 CET
Updated packages pushed to the build system.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerabilities:

The graphicsmagick package has been updated to version 1.3.37, fixing several
security issues and other bugs.  See the upstream NEWS file for details.

References:
http://www.graphicsmagick.org/NEWS.html#december-12-2021
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.37-1.mga8
libgraphicsmagick3-1.3.37-1.mga8
libgraphicsmagick++12-1.3.37-1.mga8
libgraphicsmagickwand2-1.3.37-1.mga8
libgraphicsmagick-devel-1.3.37-1.mga8
perl-Graphics-Magick-1.3.37-1.mga8
graphicsmagick-doc-1.3.37-1.mga8

from graphicsmagick-1.3.37-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Thomas Andrews 2022-03-26 23:43:35 CET
i5-2500, Intel graphics, mga8-64 Plasma system.

Updated packages, no installation issues.

Followed guidance from https://wiki.mageia.org/en/QA_procedure:GraphicsMagick for testing. Issued several commands, no issues noted. This version looks OK to me.

But, http://www.graphicsmagick.org/NEWS.html#march-26-2022 indicates that version 1.3.38 was released just today, and contains more security and bug fixes in addition to the ones this update provides.

Do we want to go ahead with this one now, or use this opportunity to get the latest one?

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA8-64-OK

Comment 3 David Walser 2022-03-26 23:49:34 CET
LOL, that wasn't there when I posted this.  We should update it again.
Comment 4 David Walser 2022-03-27 00:05:57 CET
Updated packages pushed to the build system.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerabilities:

The graphicsmagick package has been updated to version 1.3.38, fixing several
security issues and other bugs.  See the upstream NEWS file for details.

References:
http://www.graphicsmagick.org/NEWS.html#march-26-2022
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.38-1.mga8
libgraphicsmagick3-1.3.38-1.mga8
libgraphicsmagick++12-1.3.38-1.mga8
libgraphicsmagickwand2-1.3.38-1.mga8
libgraphicsmagick-devel-1.3.38-1.mga8
perl-Graphics-Magick-1.3.38-1.mga8
graphicsmagick-doc-1.3.38-1.mga8

from graphicsmagick-1.3.38-1.mga8.src.rpm

Whiteboard: MGA8-64-OK => (none)
Summary: graphicsmagick 1.3.37 fixes security issues => graphicsmagick 1.3.38 fixes security issues

Comment 5 Thomas Andrews 2022-03-27 16:23:50 CEST
Waited overnight for the new update to get to my mirror.

Updated on the same system as Comment 2. No installation issues. Performed the same operations, on different images this time, with the expected results. This looks OK.

Validating. Advisory in Comment 4.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-28 16:11:40 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-03-28 18:24:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0120.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2022-04-20 16:33:30 CEST
CVE-2022-1270 was fixed in 1.3.38:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010770.html

It was in one of the last commits before the release was tagged:
https://sourceforge.net/p/graphicsmagick/code/ci/94f4bcf448ad29d6d8470e444038402d34fbba12/tree/
Comment 8 David Walser 2022-04-20 16:53:23 CEST
(In reply to David Walser from comment #7)
> CVE-2022-1270 was fixed in 1.3.38:
> https://lists.suse.com/pipermail/sle-security-updates/2022-April/010770.html
> 
> It was in one of the last commits before the release was tagged:
> https://sourceforge.net/p/graphicsmagick/code/ci/94f4bcf448ad29d6d8470e444038402d34fbba12/tree/

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT7EBWFKU35SW2PM3ELHR2KWX4F4JS47/
