openSUSE has issued an advisory on April 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6QYCKFE7IU3HOGGUF42EURRWALAXSG4Z/
Upstream fix: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
Status comment: (none) => Patch available from upstream and openSUSE
Source RPM: (none) => graphicsmagick-1.3.45-3.mga10.src.rpm, graphicsmagick-1.3.40-1.1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-32460
Debian has issued an advisory on April 17: https://lists.debian.org/debian-security-announce/2025/msg00067.html
SUSE has issued an advisory on April 18: https://lists.suse.com/pipermail/sle-updates/2025-April/039065.html
Thanks for the upstream fix URL. Assigning globally as different packagers commit this.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call. (CVE-2025-32460)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6QYCKFE7IU3HOGGUF42EURRWALAXSG4Z/
https://lists.debian.org/debian-security-announce/2025/msg00067.html
https://lists.suse.com/pipermail/sle-updates/2025-April/039065.html
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.40-1.2.mga9
graphicsmagick-doc-1.3.40-1.2.mga9
lib(64)graphicsmagick++12-1.3.40-1.2.mga9
lib(64)graphicsmagick-devel-1.3.40-1.2.mga9
lib(64)graphicsmagick3-1.3.40-1.2.mga9
lib(64)graphicsmagickwand2-1.3.40-1.2.mga9
perl-Graphics-Magick-1.3.40-1.2.mga9

from SRPM:
graphicsmagick-1.3.40-1.2.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
graphicsmagick-1.3.40-1.2.mga9.tainted
graphicsmagick-doc-1.3.40-1.2.mga9.tainted
lib(64)graphicsmagick++12-1.3.40-1.2.mga9.tainted
lib(64)graphicsmagick-devel-1.3.40-1.2.mga9.tainted
lib(64)graphicsmagick3-1.3.40-1.2.mga9.tainted
lib(64)graphicsmagickwand2-1.3.40-1.2.mga9.tainted
perl-Graphics-Magick-1.3.40-1.2.mga9.tainted

from SRPM:
graphicsmagick-1.3.40-1.2.mga9.tainted.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Patch available from upstream and openSUSE => (none)
Source RPM: graphicsmagick-1.3.45-3.mga10.src.rpm, graphicsmagick-1.3.40-1.1.mga9.src.rpm => graphicsmagick-1.3.40-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
Thanks katnatek - beat me to it. I shall test it.
CC: (none) => tarazed25
If the mirror ever syncs.
This beats me. Cannot find the packages on my usual mirror (cz.muni 2nd tier) or distrib-coffee. Visited both sites -> core/updates-testing, both up-to-date.
(In reply to Len Lawrence from comment #8)
> This beats me. Cannot find the packages on my usual mirror (cz.muni 2nd
> tier) or distrib-coffee. Visited both sites -> core/updates-testing, both
> up-to-date.

Neither distrib-coffee nor cz.muni is updated; you can find the packages in:
http://mirror.accum.se/mirror/mageia/ 2025-04-30 16:40
https://mirror.math.princeton.edu/pub/mageia/
http://ftp.proxad.net/mirrors/mageia.org/ 2025-04-30 17:00
http://mirrors.kernel.org/mageia/
http://mageia.c3sl.ufpr.br/
(In reply to katnatek from comment #9)
Thanks for the information. I must be misinterpreting the colour codes - looked to me that they had been updated within the last 12 hours. Ah well!
mga9, x86_64

Updated the core packages and ran a series of simple tests.

$ gm display BenBois_Clock.svg
Displays a rudimentary image of a clock face. eom shows a blue clock with detailed shapes and depth. This accords with historical tests, so no regression.

$ gm display diagonal_gradient.jpg
Perfect.

gm display works well with several other types of image: tif, png, ppm, jp2, bmp, gif and an image coded in a PDF. Animated GIFs display literally, as a series of frames containing the image elements which change between frames.

$ gm convert maple.jp2 maple_2.tga
$ gm display maple_2.tga
The generated targa file replaces the chequered background by an orange background but the maple leaf is still apparent.

Installed pdf2djvu.
$ urpmq --requires pdf2djvu
djvulibre
libGraphicsMagick++.so.12()(64bit)
....
$ pdf2djvu -o sales.receipt 172754656.pdf
172754656.pdf:
- page #1 -> #1
  0.015 bits/pixel; 1.308:1, 23.57% saved, 21343 bytes in, 16313 bytes out
$ file sales.receipt
sales.receipt: DjVu multiple page document

Installed photoqt, which requires graphicsmagick and its library. It is an immersive image viewer which works very well and shows metadata if required.

$ gm convert bbc2.jpg bbc2.tif
gm convert: bbc2.tif: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
This message changes over the years. The exact same test 9 years ago said "BadFaxLines". However, the TIFF file looks perfect and `gm display` does not complain, which is an advance.

$ gm display {Glen,glen}*.jpg
showed a sequence of Scottish views using the Next menu command.

$ gm convert -magnify kappaCrucis.jpg CruxKappa.png
CruxKappa.png could be displayed OK.
$ gm identify kappaCrucis.jpg
kappaCrucis.jpg JPEG 2552x1702+0+0 DirectClass 8-bit 4.8Mi 0.000u 0m:0.000004s
$ gm identify CruxKappa.png
CruxKappa.png PNG 5104x3404+0+0 DirectClass 8-bit 18.3Mi 0.000u 0m:0.000004s
gm identify: iCCP: known incorrect sRGB profile (CruxKappa.png).

$ gm convert -rotate 270 mageia.jpg tipped.png
$ gm display tipped.png
That showed the Mageia logo pointing up the page, clockwise rotation by 270°.
$ gm convert -rotate -90 mageia.jpg tipped_left.png
That had the same effect on the original image.
$ gm convert -swirl 50 rainbow_2.jpg swirly.jpg
rainbow_2 is a full colour spectrum and the conversion distorts the colour distribution.

Leaving the tainted packages until later.
(In reply to katnatek from comment #9)
> (In reply to Len Lawrence from comment #8)
> > This beats me. Cannot find the packages on my usual mirror (cz.muni 2nd
> > tier) or distrib-coffee. Visited both sites -> core/updates-testing, both
> > up-to-date.
>
> Neither distrib-coffee or cz.muni are update , you can find packages in
>

I ran into problems with distrib-coffee a couple of days ago. Then I heard there had been a massive power outage in Spain, Portugal, and parts of France, so I put it down to that.
CC: (none) => andrewsfarm
MGA9-64 Plasma Wayland on Compaq H000SB

First installed the core versions and followed the wiki as in bug 30211, with the same remark as in bug 28088:
$ gm convert D053.jpg d053.tiff
gm convert: d053.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
but the resulting tiff image is OK, so no regression. Test includes the perl test.

Continuing for the tainted versions.
CC: (none) => herman.viaene
Installed tainted without problems and reran the above tests with the same results. In view of Len's tests above, this should go.
Whiteboard: (none) => MGA9-64-OK
Just adding a few comments:

The tainted updates went well. Simple cli tests, as before, worked fine in most cases.

Tried photoqt again:
$ [01/05/2025 13:22:48:571] ImageProviderThumbnail: ERROR creating new thumbnail file: colourmap
[01/05/2025 13:22:48:594] ImageProviderThumbnail: ERROR creating new thumbnail file: composite.miff
error: missing IHDR box
jas_image_decode: decode operation failed
[01/05/2025 13:22:48:678] PQLoadImageMagick::load(): Exception (1): Magick: Unable to decode image file (/home/lcl/qa/images/balloon.jpm) reported by coders/jp2.c:879 (ReadJP2Image)
error: missing IHDR box
[...]
[01/05/2025 13:22:48:990] PQLoadImageFreeImage::load(): FreeImage_FIFSupportsReading: F (image type: 31)
[01/05/2025 13:22:48:990] PQLoadImage::load(): failed to load image with freeimage
WARNING: YOUR CODE IS RELYING ON DEPRECATED FUNCTIONALITY IN THE JASPER LIBRARY.
THIS FUNCTIONALITY WILL BE REMOVED IN THE NEAR FUTURE.
PLEASE FIX THIS PROBLEM BEFORE YOUR CODE STOPS WORKING.
deprecation warning: use of jas_init is deprecated
photoqt: /home/iurt/rpmbuild/BUILD/jasper-3.0.6/src/libjasper/base/jas_init.c:505: jas_init_library: Assertion `!jas_global.initialized' failed.
Magick: abort due to signal 6 (SIGABRT) "Abort"...
[1]+  Aborted                 (core dumped) photoqt

If a particular file in a supported format is selected photoqt runs quietly.
$ photoqt tenlakes.png
which displayed a ten image montage, as does the following:
$ gm display tenlakes.png

$ gm convert -magnify JessicaAlba.jpg JA.jpg
creates a double-sized copy of the original.
$ gm convert -resize 300% JessicaAlba.jpg JAx3.jpg
generates a new image with 9 times the area.

Use some of the built-in "formats" to generate images:
$ gm convert GRANITE: granite.png
$ gm convert -resize 300% ROSE: rosy.jpg

$ gm convert -resize 20% LochLubnaig*.jpg -append lochs.png
$ gm display lochs.png
That showed a set of resized pictures top to bottom.
$ gm convert -resize 20% LochLubnaig*.jpg +append sideways.png
$ gm display sideways.png
Similarly, a left-to-right montage of the originals reduced in size.
$ gm montage -background LightSteelBlue LochLubnaig*.jpg mosaic.png
mosaic.png displays as a set of images disposed in two rows of 6 and 4 on a pale blue background.

$ cat ../graffiti.pl
#!/usr/bin/env perl
# graffiti.pl: draw a hollow red rectangle on a blank canvas and on a set of JPEGs
use strict;
use warnings;
use Graphics::Magick;
my($image, $p);

# 100x100 white canvas with a red rectangle outline, written as a PPM
$image = Graphics::Magick->new;
$image->Set(size=>'100x100');
$image->ReadImage('xc:white');
#$image->Set('pixel[49,49]'=>'red');
$image->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$image->Write('x.ppm');
undef $image;

# Read every J*.jpg into one image list, draw the same rectangle on each frame
# and write the whole list as a multi-image PPM stack
$p = Graphics::Magick->new;
$p->Read('J*.jpg');
$p->Draw(stroke=>'red', primitive=>'rectangle', points=>'20,20 80,80');
$p->Write('xyz.ppm');
undef $p;

Running the graffiti.pl script generates xyz.ppm which displays as a stack of three images accessed through the 'Next' command. Each image has a hollow red square in the top left corner.
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0148.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED