Bug 31189 - jbigkit new security issue CVE-2017-9937
Summary: jbigkit new security issue CVE-2017-9937
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29054 31188
 
Reported: 2022-11-25 17:09 CET by David Walser
Modified: 2022-12-07 00:34 CET

See Also:
Source RPM: jbigkit-2.1-7.mga8.src.rpm
CVE: CVE-2017-9937
Status comment:


Attachments
The pdf used to test with imagemagick and graphicsmagick (113.79 KB, application/pdf)
2022-11-30 01:47 CET, Thomas Andrews

Description David Walser 2022-11-25 17:09:50 CET
Ubuntu has issued an advisory on November 24:
https://ubuntu.com/security/notices/USN-5742-1

Mageia 8 is also affected.
David Walser 2022-11-25 17:10:00 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-11-25 17:30:14 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

JBIG-KIT could be made to crash if it opened a specially crafted file. (CVE-2017-9937)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9937
https://ubuntu.com/security/notices/USN-5742-1
========================

Updated packages in core/updates_testing:
========================
jbigkit-2.1-7.1.mga8
lib(64)jbig1-2.1-7.1.mga8
lib(64)jbig-devel-2.1-7.1.mga8

from SRPM:
jbigkit-2.1-7.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: jbigkit-2.1-8.mga9.src.rpm => jbigkit-2.1-7.mga8.src.rpm
CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2017-9937

Comment 2 Thomas Andrews 2022-11-30 00:57:01 CET
JBIG is a lossless file compression format, used primarily on scanned documents and for faxing.

Using urpmq --whatrequires lib64jbig1 lists some specialized printer drivers, as well as imagemagick and graphicsmagick. I chose a blank New York State sales tax form as the object of manipulation. It's a simple form, with no fill-in fields.

Before the update, I was able to use both graphicsmagick and imagemagick to convert the pdf to JBIG (jbg file extension) format, display it, and convert it to another format. Files created with one application were usable by the other.

There were no installation issues, using qarepo.

This is what happened AFTER the update:

[tom@localhost ~]$ convert st125.pdf st125.jbg
[tom@localhost ~]$ gm display st125.jbg
*** stack smashing detected ***: terminated
gm display: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)
[tom@localhost ~]$ display st125.jbg
*** stack smashing detected ***: terminated
Aborted (core dumped)
[tom@localhost ~]$ gm convert st125.jbg st125.jpg
*** stack smashing detected ***: terminated
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

The conversion appeared to go OK, but any manipulation of the jbg file resulted in the same "stack smashing" error.

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2022-11-30 01:47:08 CET
Created attachment 13538
The pdf used to test with imagemagick and graphicsmagick
Comment 4 Nicolas Salguero 2022-11-30 14:01:08 CET
Hi,

I found that imagemagick and graphicsmagick needed to be rebuilt with the new jbigkit library.

Best regards,

Nico.

Blocks: (none) => 29054

Comment 5 Nicolas Salguero 2022-11-30 14:06:43 CET
Updated packages in core/updates_testing:
========================
jbigkit-2.1-7.1.mga8
lib(64)jbig1-2.1-7.1.mga8
lib(64)jbig-devel-2.1-7.1.mga8

imagemagick-7.1.0.52-1.1.mga8
imagemagick-desktop-7.1.0.52-1.1.mga8
imagemagick-doc-7.1.0.52-1.1.mga8
lib64magick++-7Q16HDRI_5-7.1.0.52-1.1.mga8
lib64magick-7Q16HDRI_10-7.1.0.52-1.1.mga8
lib64magick-devel-7.1.0.52-1.1.mga8
perl-Image-Magick-7.1.0.52-1.1.mga8

graphicsmagick-1.3.38-1.1.mga8
graphicsmagick-doc-1.3.38-1.1.mga8
lib(64)graphicsmagick3-1.3.38-1.1.mga8
lib(64)graphicsmagick-devel-1.3.38-1.1.mga8
lib(64)graphicsmagick++12-1.3.38-1.1.mga8
lib(64)graphicsmagickwand2-1.3.38-1.1.mga8
perl-Graphics-Magick-1.3.38-1.1.mga8

from SRPMS:
jbigkit-2.1-7.1.mga8.src.rpm
imagemagick-7.1.0.52-1.1.mga8.src.rpm
graphicsmagick-1.3.38-1.1.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
imagemagick-7.1.0.52-1.1.mga8.tainted
imagemagick-desktop-7.1.0.52-1.1.mga8.tainted
imagemagick-doc-7.1.0.52-1.1.mga8.tainted
lib64magick++-7Q16HDRI_5-7.1.0.52-1.1.mga8.tainted
lib64magick-7Q16HDRI_10-7.1.0.52-1.1.mga8.tainted
lib64magick-devel-7.1.0.52-1.1.mga8.tainted
perl-Image-Magick-7.1.0.52-1.1.mga8.tainted

from SRPM:
imagemagick-7.1.0.52-1.1.mga8.tainted.src.rpm
Comment 6 Thomas Andrews 2022-11-30 15:34:16 CET
(In reply to Nicolas Salguero from comment #4)
> 
> I found that imagemagick and graphicsmagick needed to be rebuilt with the
> new jbigkit library.
> 
I didn't know I was opening up such a Pandora's Box, but if it needs to be opened I suppose that's what QA is for. Anyway, now I have a question:

Are you sure the list in comment 5 goes far enough? In Bug 29054, several packages had to be rebuilt because of the imagemagick update. What about graphicsmagick? I see this with urpmq on two of the graphicsmagick libraries (packages from comment 5 and duplicates removed from the list):

[tom@localhost ~]$ urpmq --whatrequires lib64graphicsmagick3
darktable
dvdauthor
octave
pdf2djvu
php-gmagick
scribus

[tom@localhost ~]$ urpmq --whatrequires lib64graphicsmagick++12
gnudl
inkscape
octave
pdf2djvu
photoqt
vdr-plugin-skinelchi
vdr-plugin-skinenigmang

And I didn't even get into a recursive query. Do any of those need to be rebuilt?
Comment 7 Nicolas Salguero 2022-11-30 16:07:34 CET
(In reply to Thomas Andrews from comment #6)
> Are you sure the list in comment 5 goes far enough?

You are right: urpmq --whatrequires lib64jbig1|sort -u
cups-drivers-foo2kyo
cups-drivers-foo2zjs
cups-drivers-magicolor2430dl
cups-drivers-magicolor2530dl
cups-drivers-magicolor5430dl
cups-drivers-magicolor5440dl
cups-drivers-splix
graphicsmagick
imagemagick
jbigkit
lib64hylafax+7
lib64jbig1
lib64jbig-devel
lib64tiff5
netpbm
pbmtozjs

So there are several other packages that need to be rebuilt.

To explain a bit: in a normal situation, imagemagick and graphicsmagick, for example, should not have required a rebuild.

In that particular case, one of the two patches needed to solve CVE-2017-9937 has added a member in a public C structure, resulting in a crash because the memory reserved in the stack by imagemagick and graphicsmagick was too small, as those programs were not aware of that structure being bigger now.

Normally, in such a situation, the major number of the jbigkit library should have been increased.

But programs depending on imagemagick or graphicsmagick libraries do not use the jbigkit library directly so, normally, they should not need to be rebuilt either.

Keywords: (none) => feedback
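
The failure mode described in comment 7, as an added example that is not part of the bug report and is not jbigkit's code: the structure layouts, member names and function names are hypothetical. It models the un-rebuilt caller's frame as a struct with guard bytes, so the overrun can be counted without corrupting the real stack, and adds a size check that refuses a mismatched caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layouts for illustration; not jbigkit's real structure. */
struct dec_state_v1 {              /* header the application was built against */
    unsigned long xmax, ymax;
    int planes;
};
struct dec_state_v2 {              /* header the patched library was built against */
    unsigned long xmax, ymax;
    int planes;
    unsigned long added_member;    /* new field, library soname unchanged */
};

/* Library side: initialises a full v2 structure through the caller's pointer. */
static void lib_init(void *state) {
    memset(state, 0, sizeof(struct dec_state_v2));
}

/* Model of the un-rebuilt caller's frame; guard stands in for canary and locals. */
struct caller_frame {
    struct dec_state_v1 state;
    unsigned char guard[32];
};

/* Returns how many bytes beyond the caller's v1 structure lib_init() wrote. */
size_t bytes_clobbered(void) {
    struct caller_frame f;
    size_t i, n = 0;
    memset(f.guard, 0xAA, sizeof f.guard);
    lib_init(&f);                  /* &f is also the address of f.state */
    for (i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0xAA) n++;
    return n;
}

/* Defensive variant: caller passes sizeof its own view; a mismatch is refused. */
int lib_init_checked(void *state, size_t caller_size) {
    if (caller_size != sizeof(struct dec_state_v2)) return -1;
    lib_init(state);
    return 0;
}

int main(void) {
    struct dec_state_v1 old_view;  /* what an un-rebuilt program would pass */
    printf("clobbered=%zu checked=%d\n", bytes_clobbered(),
           lib_init_checked(&old_view, sizeof old_view));
    return 0;
}
```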

Nicolas Salguero 2022-11-30 16:12:40 CET

Blocks: (none) => 31188

Comment 8 David Walser 2022-11-30 16:24:27 CET
The package list in Comment 5 is wrong.  Imagemagick is in another bug.
Comment 9 Nicolas Salguero 2022-11-30 16:43:59 CET
Updated packages in core/updates_testing:
========================
jbigkit-2.1-7.1.mga8
lib(64)jbig1-2.1-7.1.mga8
lib(64)jbig-devel-2.1-7.1.mga8

graphicsmagick-1.3.38-1.1.mga8
graphicsmagick-doc-1.3.38-1.1.mga8
lib(64)graphicsmagick3-1.3.38-1.1.mga8
lib(64)graphicsmagick-devel-1.3.38-1.1.mga8
lib(64)graphicsmagick++12-1.3.38-1.1.mga8
lib(64)graphicsmagickwand2-1.3.38-1.1.mga8
perl-Graphics-Magick-1.3.38-1.1.mga8

cups-drivers-foo2kyo-0.1.0a-17.1.mga8

cups-drivers-foo2zjs-0.0-1.20121012.12.1.mga8

cups-drivers-magicolor2430dl-1.6.1-23.1.mga8

cups-drivers-magicolor2530dl-2.1.1-23.1.mga8

cups-drivers-magicolor5430dl-1.8.1-23.1.mga8

cups-drivers-magicolor5440dl-1.2.1-23.1.mga8

cups-drivers-splix-2.0.1-0.20130826svn315.12.1.mga8

hylafax+-7.0.4-1.1.mga8
hylafax+-client-7.0.4-1.1.mga8
lib(64)hylafax+7-7.0.4-1.1.mga8
lib(64)hylafax+-devel-7.0.4-1.1.mga8

lib(64)netpbm11-10.87.01-3.1.mga8
lib(64)netpbm-devel-10.87.01-3.1.mga8
netpbm-10.87.01-3.1.mga8

pbmtozjs-0-19.1.mga8

from SRPMS:
jbigkit-2.1-7.1.mga8.src.rpm
graphicsmagick-1.3.38-1.1.mga8.src.rpm
cups-drivers-foo2kyo-0.1.0a-17.1.mga8.src.rpm
cups-drivers-foo2zjs-0.0-1.20121012.12.1.mga8.src.rpm
cups-drivers-magicolor2430dl-1.6.1-23.1.mga8.src.rpm
cups-drivers-magicolor2530dl-2.1.1-23.1.mga8.src.rpm
cups-drivers-magicolor5430dl-1.8.1-23.1.mga8.src.rpm
cups-drivers-magicolor5440dl-1.2.1-23.1.mga8.src.rpm
cups-drivers-splix-2.0.1-0.20130826svn315.12.1.mga8.src.rpm
hylafax+-7.0.4-1.1.mga8.src.rpm
netpbm-10.87.01-3.1.mga8.src.rpm
pbmtozjs-0-19.1.mga8.src.rpm
Nicolas Salguero 2022-11-30 16:44:05 CET

Keywords: feedback => (none)

Comment 10 Thomas Andrews 2022-11-30 17:01:58 CET
"So there are several other packages that need to be rebuilt."

FWIW: from the READ.ME of cups-drivers-foo2zjs:

 FOO2HP
    ------
    foo2hp converts pbm (B/W) images and N-bit-per-pixel cmyk images
    (both produced by ghostscript) to Zenographics ZJ-stream format. There
    is some information about the ZJS format at http://ddk.zeno.com.

    With foo2hp, you can print to some HP ZjStream printers, such as these:

	- HP Color LaserJet CP1215		B/W and color
	- HP Color LaserJet 1600		B/W and color
	- HP Color LaserJet 2600n		B/W and color

My main printer is the Laserjet CP1215, and installing it with MCC uses the foo2hp driver. So if that needs to be rebuilt, I can test it - But I may need some guidance for the best procedure to make sure I test the jbig part.
Comment 11 Thomas Andrews 2022-11-30 20:22:06 CET
If I'm reading things correctly, the printer driver uses jbig compression when sending monochrome images to the printer, so it would seem that all I have to do is print something. I'll get to that, in good time.

First, I'm updating all packages in Comment 9 that were already installed:

- cups-drivers-foo2zjs-0.0-1.20121012.12.1.mga8.x86_64
- graphicsmagick-1.3.38-1.1.mga8.x86_64
- graphicsmagick-doc-1.3.38-1.1.mga8.noarch
- lib64graphicsmagick3-1.3.38-1.1.mga8.x86_64
- lib64netpbm11-10.87.01-3.1.mga8.x86_64
- netpbm-10.87.01-3.1.mga8.x86_64

The jbigkit packages had already been updated.

I ran a few gm commands, converted from pdf to jbg, displayed it, converted to jpg, displayed that. The converted file matched the original closely enough to be workable, but was far from identical. Might be better when used with the printer, but I can't do that yet. I need to update the packages in bug 29054 first, as imagemagick is a requirement of task-printing-hp.

So off to do that first, then I'll be back.
Comment 12 Thomas Andrews 2022-11-30 20:49:28 CET
Updated imagemagick, from bug 29054, ran a few conversion and display commands on the test pdf. No crashing this time. Conversion quality of the pdf to jbg was MUCH better with imagemagick than with graphicsmagick. 

I opened the pdf with Okular, and printed it with the Laserjet CP1215 and the foo2hp driver. It looks perfect. 

Going now to get the tainted versions of the packages from bug 29054.

Wait... Shouldn't there be tainted versions here, too? At least of graphicsmagick?
Comment 13 Thomas Andrews 2022-11-30 21:41:30 CET
I checked, and didn't find any tainted graphicsmagick packages, so I guess there aren't any.

After installing the tainted packages from bug 29054, I once again tried some conversion/display commands, with no issues. And I printed both monochrome and color images using the foo2hp driver from the foo2zjs package with no issues.

I did not test any of the other packages in this bug. I don't have the proper printers to test the various drivers. I remember trying to use Hylafax for another update a while back, and I got nowhere with it. So, as far as I have gone, this looks OK.
Comment 14 Thomas Andrews 2022-12-02 00:42:47 CET
Giving this an OK, and validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-12-04 00:21:53 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 15 Mageia Robot 2022-12-07 00:34:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0449.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

