Ubuntu has issued an advisory on July 4: https://ubuntu.com/security/notices/USN-6200-1 CVE-2021-3610 is fixed upstream in 7.0.11-14 (only affecting Mageia 8). The other issues appear to be fixed upstream in 7.1.1-12.
Status comment: (none) => Fixed upstream in 7.1.1-12Whiteboard: (none) => MGA8TOO
Stig looks after this, so over to you.
Assignee: bugsquad => smelror
Suggested advisory: ======================== The updated packages fix security vulnerabilities: A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault. (CVE-2021-3610) A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service. (CVE-2023-3195) A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service. (CVE-2023-3428) This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546). (CVE-2023-34151) References: https://ubuntu.com/security/notices/USN-6200-1 ======================== Updated packages in core/updates_testing: ======================== imagemagick-7.1.1.29-1.mga9 imagemagick-desktop-7.1.1.29-1.mga9 imagemagick-doc-7.1.1.29-1.mga9 lib(64)magick++-7Q16HDRI_5-7.1.1.29-1.mga9 lib(64)magick-7Q16HDRI_10-7.1.1.29-1.mga9 lib(64)magick-devel-7.1.1.29-1.mga9 perl-Image-Magick-7.1.1.29-1.mga9 from SRPM: imagemagick-7.1.1.29-1.mga9.src.rpm Updated packages in tainted/updates_testing: ======================== imagemagick-7.1.1.29-1.mga9.tainted imagemagick-desktop-7.1.1.29-1.mga9.tainted imagemagick-doc-7.1.1.29-1.mga9.tainted lib(64)magick++-7Q16HDRI_5-7.1.1.29-1.mga9.tainted lib(64)magick-7Q16HDRI_10-7.1.1.29-1.mga9.tainted lib(64)magick-devel-7.1.1.29-1.mga9.tainted perl-Image-Magick-7.1.1.29-1.mga9.tainted from SRPM: imagemagick-7.1.1.29-1.mga9.tainted.src.rpm
Assignee: smelror => qa-bugsWhiteboard: MGA8TOO => (none)CC: (none) => nicolas.salgueroStatus comment: Fixed upstream in 7.1.1-12 => (none)Source RPM: imagemagick-7.1.1.11-2.mga9.src.rpm => imagemagick-7.1.1.11-2.1.mga9.src.rpmVersion: Cauldron => 9Status: NEW => ASSIGNEDCVE: (none) => CVE-2021-3610, CVE-2023-3195, CVE-2023-3428, CVE-2023-34151
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavillion First installed core versions and followed some examples from bug 31817; $ convert voss1001.jpeg test1.png $ convert voss1001.jpeg -background grey44 -vignette 0x5 test2.gif $ mogrify -rotate 270 voss1002.jpeg $ mogrify -rotate 90 voss1002.jpeg [tester9@mach4 testfiles]$ conv convbkmk convbkmk.rb convert convertgls2bib convertquota convertsession $ convert voss1002.jpeg voss2.tiff $ identify voss2.tiff voss2.tiff TIFF 3248x2136 3248x2136+0+0 8-bit sRGB 19.8495MiB 0.000u 0:00.000 $ convert -resize 120%x80% voss2.tiff voss2.jpg $ identify voss2.jpg voss2.jpg JPEG 3898x1709 3898x1709+0+0 8-bit sRGB 991489B 0.000u 0:00.000 All generated files display correctly. Continuing later fro tainted versions
CC: (none) => herman.viaene
Installed tainted versions, deleted the generated images from first test and repeated the same commands with the same corect results. Fair enough
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0064.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED