Bug 6561 - graphicsmagick new security issue fixed in 1.3.16
: graphicsmagick new security issue fixed in 1.3.16
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://www.graphicsmagick.org/NEWS.ht...
: MGA1TOO has_procedure MGA1-32-OK MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-25 01:48 CEST by David Walser
Modified: 2012-08-02 22:09 CEST (History)
5 users (show)

See Also:
Source RPM: graphicsmagick-1.3.15-3.mga3.src.rpm
CVE:


Attachments

Description David Walser 2012-06-25 01:48:14 CEST
From the ChangeLog (see the URL)...

Security Fixes:
- Don't translate 'comment' and 'label' attributes if the request is made
  while a file is being read. Only translate such attributes if they come
  from the command line or API user.

Perhaps we should provide this version for Mageia 1 and Mageia 2.

Or we could backport the patch.  From the more detailed ChangeLog:
http://www.graphicsmagick.org/Changelog.html

2012-06-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
- magick/attribute.c (SetImageAttribute): Don't translate 'comment' and 'label' attributes if the request is made while a file is being read. This is a temporary workaround until there is opportunity to modify the architecture so that there is a clear split between user-provided settings and values obtained from the input image.
- magick/blob.c (GetBlobIsOpen): New function to return if blob is currently open.

That appears to be the associated change.

The Mercurial commit associated with that ChangeLog entry is here:
http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/66c5296d01e7
Comment 1 David Walser 2012-06-25 14:56:38 CEST
Funda Wang updated the package in Cauldron.
Comment 2 David Walser 2012-07-26 17:32:55 CEST
Patched package uploaded for Mageia 1 and Mageia 2.

I'm not sure how to test for this issue specifically.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in
magick/attribute.c related to translating comment and label attributes
when loading images.  It was fixed upstream in GraphicsMagick 1.3.16.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.1.mga1
libgraphicsmagick3-1.3.12-3.1.mga1
libgraphicsmagickwand2-1.3.12-3.1.mga1
libgraphicsmagick-devel-1.3.12-3.1.mga1
perl-Graphics-Magick-1.3.12-3.1.mga1
graphicsmagick-doc-1.3.12-3.1.mga1
graphicsmagick-1.3.13-1.2.mga2
libgraphicsmagick3-1.3.13-1.2.mga2
libgraphicsmagickwand2-1.3.13-1.2.mga2
libgraphicsmagick-devel-1.3.13-1.2.mga2
perl-Graphics-Magick-1.3.13-1.2.mga2
graphicsmagick-doc-1.3.13-1.2.mga2

from SRPMS:
graphicsmagick-1.3.12-3.1.mga1.src.rpm
graphicsmagick-1.3.13-1.2.mga2.src.rpm
Comment 3 Samuel Verschelde 2012-07-29 19:13:23 CEST
Carolyn provided a testing procedure for graphicsmagick: 
https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
Comment 4 Samuel Verschelde 2012-07-30 19:26:25 CEST
Testing complete for Mageia 1 32.
Comment 5 Samuel Verschelde 2012-07-31 14:08:48 CEST
Test complete for Mageia 1 64.
Comment 6 Samuel Verschelde 2012-07-31 16:47:02 CEST
Testing on Mageia 2 32 bits. 

Using gm in CLI works fine, but I can't use perl-Graphics-Magick.

The following script has the following output

[live@localhost ~]$ cat test.pl
#!/usr/local/bin/perl
# taken from http://www.graphicsmagick.org/perl.html#example-script
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('filename.jpg', 'filename1.jpg', 'filename2.png');
warn "$status" if "$status";
$status = $image->Write('x.gif');
warn "$status" if "$status";
[live@localhost ~]$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

It's not a regression, but any idea of where it comes from and would you like to fix it before pushing the update?
Comment 7 claire robinson 2012-07-31 18:10:23 CEST
Testing on Mageia 2 

Confirm stormi's findings for the perl module.

$ perl test.pl 
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

Changed #!/usr/local/bin/perl to #!/usr/bin/perl in case it made any difference but it doesn't.

Everything else is OK
Comment 8 claire robinson 2012-07-31 18:10:40 CEST
Mageia 2 64 above
Comment 9 claire robinson 2012-07-31 18:32:09 CEST
$ perl -e ' use Graphics::Magick;'
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick
Comment 10 Olivier Blin 2012-07-31 19:38:41 CEST
Maybe the output of this command from a Mageia 2 would help:
ldd /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
Comment 11 David Walser 2012-07-31 19:41:25 CEST
I don't see a reason to rush this update, so we should get this fixed.

It looks like a linking problem, but I don't know how to fix it.  Hopefully Olivier can help :o)
Comment 12 Samuel Verschelde 2012-07-31 20:26:19 CEST
(In reply to comment #10)
> Maybe the output of this command from a Mageia 2 would help:
> ldd
> /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so

[samuel@localhost ~]$ ldd /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/auto/Graphics/Magick/Magick.so
        linux-gate.so.1 =>  (0xffffe000)
        libm.so.6 => /lib/i686/libm.so.6 (0xb768e000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0xb7674000)
        libc.so.6 => /lib/i686/libc.so.6 (0xb74f6000)
        /lib/ld-linux.so.2 (0xb76f3000)
Comment 13 Olivier Blin 2012-08-01 01:12:36 CEST
The perl module was indeed broken: tested in cauldron, and this was likely the case in previous versions.
Worse, it did not even build (or actually, link).

Fixed in graphicsmagick-1.3.16-2.mga3.x86_64
You should probably backport this fix for stable releases.
Comment 14 David Walser 2012-08-01 01:44:15 CEST
Thanks Olivier!  Fix backported.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in
magick/attribute.c related to translating comment and label attributes
when loading images.  It was fixed upstream in GraphicsMagick 1.3.16.

Also, the graphicsmagick perl module was not working because it had not
been linked against the graphicsmagick library.  This has been fixed.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.2.mga1
libgraphicsmagick3-1.3.12-3.2.mga1
libgraphicsmagickwand2-1.3.12-3.2.mga1
libgraphicsmagick-devel-1.3.12-3.2.mga1
perl-Graphics-Magick-1.3.12-3.2.mga1
graphicsmagick-doc-1.3.12-3.2.mga1
graphicsmagick-1.3.13-1.3.mga2
libgraphicsmagick3-1.3.13-1.3.mga2
libgraphicsmagickwand2-1.3.13-1.3.mga2
libgraphicsmagick-devel-1.3.13-1.3.mga2
perl-Graphics-Magick-1.3.13-1.3.mga2
graphicsmagick-doc-1.3.13-1.3.mga2

from SRPMS:
graphicsmagick-1.3.12-3.2.mga1.src.rpm
graphicsmagick-1.3.13-1.3.mga2.src.rpm
Comment 15 Samuel Verschelde 2012-08-01 08:48:19 CEST
ok, let's test again Mageia 2!
Comment 16 claire robinson 2012-08-01 17:15:48 CEST
Testing x86_64
Comment 17 claire robinson 2012-08-01 17:19:25 CEST
# rpm -qa | grep -i magick | grep -i graphics
perl-Graphics-Magick-1.3.13-1.3.mga2
lib64graphicsmagickwand2-1.3.13-1.3.mga2
lib64graphicsmagick3-1.3.13-1.3.mga2
graphicsmagick-1.3.13-1.3.mga2

$ perl -e 'use Graphics::Magick'
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

I don't think the fix has worked unfortunately David.
Comment 18 claire robinson 2012-08-01 17:20:45 CEST
# ldd /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
        linux-vdso.so.1 =>  (0x00007fff19130000)
        libm.so.6 => /lib64/libm.so.6 (0x00007fa6d265c000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa6d2440000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa6d20b3000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa6d2b2f000)
Comment 19 David Walser 2012-08-01 18:04:44 CEST
I used the exact same patch on Mageia 2 as Olivier commited to Cauldron.

Is this really fixed in Cauldron?
Comment 20 Olivier Blin 2012-08-01 18:12:42 CEST
I've at least tested that this command works in Cauldron with the locally built Magick.so: perl -e 'use Graphics::Magick'
Comment 21 David Walser 2012-08-01 19:04:21 CEST
(In reply to comment #20)
> I've at least tested that this command works in Cauldron with the locally built
> Magick.so: perl -e 'use Graphics::Magick'

Building it with your patch on Mageia 2, I get the undefined symbol error when I try that.
Comment 22 David Walser 2012-08-01 20:56:02 CEST
(In reply to comment #21)
> (In reply to comment #20)
> > I've at least tested that this command works in Cauldron with the locally built
> > Magick.so: perl -e 'use Graphics::Magick'
> 
> Building it with your patch on Mageia 2, I get the undefined symbol error when
> I try that.

OK, I see the problem.  Someone deleted the linkage_fix patch before Mageia 2.  That's why it's still broken.  I have the fix locally, I'll upload it as soon as the Mageia infrastructure is accessible again from here.
Comment 23 David Walser 2012-08-01 21:10:32 CEST
Fix confirmed locally and uploaded for Mageia 2.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in
magick/attribute.c related to translating comment and label attributes
when loading images.  It was fixed upstream in GraphicsMagick 1.3.16.

Also, the graphicsmagick perl module was not working on Mageia 2 because
it had not been linked against the graphicsmagick library.  This has been
fixed.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.2.mga1
libgraphicsmagick3-1.3.12-3.2.mga1
libgraphicsmagickwand2-1.3.12-3.2.mga1
libgraphicsmagick-devel-1.3.12-3.2.mga1
perl-Graphics-Magick-1.3.12-3.2.mga1
graphicsmagick-doc-1.3.12-3.2.mga1
graphicsmagick-1.3.13-1.4.mga2
libgraphicsmagick3-1.3.13-1.4.mga2
libgraphicsmagickwand2-1.3.13-1.4.mga2
libgraphicsmagick-devel-1.3.13-1.4.mga2
perl-Graphics-Magick-1.3.13-1.4.mga2
graphicsmagick-doc-1.3.13-1.4.mga2

from SRPMS:
graphicsmagick-1.3.12-3.2.mga1.src.rpm
graphicsmagick-1.3.13-1.4.mga2.src.rpm
Comment 24 Samuel Verschelde 2012-08-02 09:52:16 CEST
Testing complete on Mageia 2 32 bits.
Comment 25 claire robinson 2012-08-02 10:20:40 CEST
That fixed it, thanks guys.

Testing complete x86_64

Validating

Advisory and srpms in comment 23

Sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 26 Thomas Backlund 2012-08-02 22:09:55 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0192

Note You need to log in before you can comment on or make changes to this bug.