From the ChangeLog (see the URL)...

Security Fixes:
- Don't translate 'comment' and 'label' attributes if the request is made while a file is being read. Only translate such attributes if they come from the command line or API user.

Perhaps we should provide this version for Mageia 1 and Mageia 2. Or we could backport the patch.

From the more detailed ChangeLog:
http://www.graphicsmagick.org/Changelog.html

2012-06-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
- magick/attribute.c (SetImageAttribute): Don't translate 'comment' and 'label' attributes if the request is made while a file is being read. This is a temporary workaround until there is opportunity to modify the architecture so that there is a clear split between user-provided settings and values obtained from the input image.
- magick/blob.c (GetBlobIsOpen): New function to return if blob is currently open.

That appears to be the associated change. The Mercurial commit associated with that ChangeLog entry is here:
http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/66c5296d01e7
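A simplified model of the rule in the ChangeLog entry above, added here as an illustration and not taken from GraphicsMagick or from this report. The `Image` struct, the `blob_open` flag, `translate` and `set_comment` are hypothetical stand-ins for the real SetImageAttribute / GetBlobIsOpen logic, and the toy translator expands only %w and %h.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; not GraphicsMagick's real types or API. */
typedef struct {
    unsigned width, height;
    int blob_open;          /* 1 while a decoder is reading the input file */
    char comment[128];
} Image;

/* Stand-in for the library's text translation: expands %w and %h only. */
static void translate(const Image *img, const char *in, char *out, size_t n)
{
    size_t o = 0;
    if (n == 0) return;
    while (*in && o + 1 < n) {
        if (in[0] == '%' && (in[1] == 'w' || in[1] == 'h')) {
            unsigned v = (in[1] == 'w') ? img->width : img->height;
            int k = snprintf(out + o, n - o, "%u", v);
            if (k < 0 || (size_t)k >= n - o) break;   /* would not fit */
            o += (size_t)k;
            in += 2;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
}

/* Mirrors the ChangeLog rule: a value set while the blob is open came from
   the input file, so store it verbatim; otherwise it came from the caller. */
static const char *set_comment(Image *img, const char *value)
{
    if (img->blob_open)
        snprintf(img->comment, sizeof img->comment, "%s", value);
    else
        translate(img, value, img->comment, sizeof img->comment);
    return img->comment;
}

int main(void)
{
    Image img = { 640, 480, 0, "" };         /* constructed sample image */
    img.blob_open = 1;                       /* decoder path */
    printf("from file: %s\n", set_comment(&img, "size %wx%h"));
    img.blob_open = 0;                       /* command line / API path */
    printf("from user: %s\n", set_comment(&img, "size %wx%h"));
    return 0;
}
```

The same string is stored untouched when it arrives while the file is being read and is expanded only when the caller supplies it, which is the split between image-derived values and user-provided settings that the ChangeLog describes as the longer-term goal.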
CC: (none) => fundawang
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => mageia
Funda Wang updated the package in Cauldron.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Patched package uploaded for Mageia 1 and Mageia 2.

I'm not sure how to test for this issue specifically.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in magick/attribute.c related to translating comment and label attributes when loading images. It was fixed upstream in GraphicsMagick 1.3.16.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.1.mga1
libgraphicsmagick3-1.3.12-3.1.mga1
libgraphicsmagickwand2-1.3.12-3.1.mga1
libgraphicsmagick-devel-1.3.12-3.1.mga1
perl-Graphics-Magick-1.3.12-3.1.mga1
graphicsmagick-doc-1.3.12-3.1.mga1
graphicsmagick-1.3.13-1.2.mga2
libgraphicsmagick3-1.3.13-1.2.mga2
libgraphicsmagickwand2-1.3.13-1.2.mga2
libgraphicsmagick-devel-1.3.13-1.2.mga2
perl-Graphics-Magick-1.3.13-1.2.mga2
graphicsmagick-doc-1.3.13-1.2.mga2

from SRPMS:
graphicsmagick-1.3.12-3.1.mga1.src.rpm
graphicsmagick-1.3.13-1.2.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Carolyn provided a testing procedure for graphicsmagick: https://wiki.mageia.org/en/QA_procedure:GraphicsMagick
CC: (none) => stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Testing complete for Mageia 1 32.
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA1-32-OK
Test complete for Mageia 1 64.
Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK
Testing on Mageia 2 32 bits.

Using gm in CLI works fine, but I can't use perl-Graphics-Magick.

The following script has the following output:

[live@localhost ~]$ cat test.pl
#!/usr/local/bin/perl
# taken from http://www.graphicsmagick.org/perl.html#example-script
use Graphics::Magick;
my($image, $status);
$image = Graphics::Magick->new;
$status = $image->Read('filename.jpg', 'filename1.jpg', 'filename2.png');
warn "$status" if "$status";
$status = $image->Write('x.gif');
warn "$status" if "$status";

[live@localhost ~]$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

It's not a regression, but any idea of where it comes from and would you like to fix it before pushing the update?
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK?
Testing on Mageia 2

Confirm stormi's findings for the perl module.

$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

Changed #!/usr/local/bin/perl to #!/usr/bin/perl in case it made any difference but it doesn't.

Everything else is OK
Mageia 2 64 above
$ perl -e ' use Graphics::Magick;'
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK? => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK? MGA2-64-OK?
Maybe the output of this command from a Mageia 2 would help:
ldd /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
I don't see a reason to rush this update, so we should get this fixed. It looks like a linking problem, but I don't know how to fix it. Hopefully Olivier can help :o)
(In reply to comment #10)
> Maybe the output of this command from a Mageia 2 would help:
> ldd
> /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so

[samuel@localhost ~]$ ldd /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/auto/Graphics/Magick/Magick.so
    linux-gate.so.1 => (0xffffe000)
    libm.so.6 => /lib/i686/libm.so.6 (0xb768e000)
    libpthread.so.0 => /lib/i686/libpthread.so.0 (0xb7674000)
    libc.so.6 => /lib/i686/libc.so.6 (0xb74f6000)
    /lib/ld-linux.so.2 (0xb76f3000)
The perl module was indeed broken: tested in cauldron, and this was likely the case in previous versions. Worse, it did not even build (or actually, link).

Fixed in graphicsmagick-1.3.16-2.mga3.x86_64

You should probably backport this fix for stable releases.
Thanks Olivier! Fix backported.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in magick/attribute.c related to translating comment and label attributes when loading images. It was fixed upstream in GraphicsMagick 1.3.16.

Also, the graphicsmagick perl module was not working because it had not been linked against the graphicsmagick library. This has been fixed.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.2.mga1
libgraphicsmagick3-1.3.12-3.2.mga1
libgraphicsmagickwand2-1.3.12-3.2.mga1
libgraphicsmagick-devel-1.3.12-3.2.mga1
perl-Graphics-Magick-1.3.12-3.2.mga1
graphicsmagick-doc-1.3.12-3.2.mga1
graphicsmagick-1.3.13-1.3.mga2
libgraphicsmagick3-1.3.13-1.3.mga2
libgraphicsmagickwand2-1.3.13-1.3.mga2
libgraphicsmagick-devel-1.3.13-1.3.mga2
perl-Graphics-Magick-1.3.13-1.3.mga2
graphicsmagick-doc-1.3.13-1.3.mga2

from SRPMS:
graphicsmagick-1.3.12-3.2.mga1.src.rpm
graphicsmagick-1.3.13-1.3.mga2.src.rpm
ok, let's test again Mageia 2!
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK? MGA2-64-OK? => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK
Testing x86_64
# rpm -qa | grep -i magick | grep -i graphics
perl-Graphics-Magick-1.3.13-1.3.mga2
lib64graphicsmagickwand2-1.3.13-1.3.mga2
lib64graphicsmagick3-1.3.13-1.3.mga2
graphicsmagick-1.3.13-1.3.mga2

$ perl -e 'use Graphics::Magick'
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

$ perl test.pl
perl: symbol lookup error: /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so: undefined symbol: InitializeMagick

I don't think the fix has worked unfortunately David.
# ldd /usr/lib/perl5/vendor_perl/5.14.2/x86_64-linux-thread-multi/auto/Graphics/Magick/Magick.so
    linux-vdso.so.1 => (0x00007fff19130000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fa6d265c000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa6d2440000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa6d20b3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fa6d2b2f000)
I used the exact same patch on Mageia 2 as Olivier committed to Cauldron. Is this really fixed in Cauldron?
I've at least tested that this command works in Cauldron with the locally built Magick.so: perl -e 'use Graphics::Magick'
(In reply to comment #20)
> I've at least tested that this command works in Cauldron with the locally built
> Magick.so: perl -e 'use Graphics::Magick'

Building it with your patch on Mageia 2, I get the undefined symbol error when I try that.
(In reply to comment #21)
> (In reply to comment #20)
> > I've at least tested that this command works in Cauldron with the locally built
> > Magick.so: perl -e 'use Graphics::Magick'
>
> Building it with your patch on Mageia 2, I get the undefined symbol error when
> I try that.

OK, I see the problem. Someone deleted the linkage_fix patch before Mageia 2. That's why it's still broken. I have the fix locally, I'll upload it as soon as the Mageia infrastructure is accessible again from here.
Fix confirmed locally and uploaded for Mageia 2.

Advisory:
========================

Updated graphicsmagick packages fix security vulnerability:

This update fixes a security issue in the SetImageAttribute function in magick/attribute.c related to translating comment and label attributes when loading images. It was fixed upstream in GraphicsMagick 1.3.16.

Also, the graphicsmagick perl module was not working on Mageia 2 because it had not been linked against the graphicsmagick library. This has been fixed.

References:
http://www.graphicsmagick.org/NEWS.html#june-24-2012
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.12-3.2.mga1
libgraphicsmagick3-1.3.12-3.2.mga1
libgraphicsmagickwand2-1.3.12-3.2.mga1
libgraphicsmagick-devel-1.3.12-3.2.mga1
perl-Graphics-Magick-1.3.12-3.2.mga1
graphicsmagick-doc-1.3.12-3.2.mga1
graphicsmagick-1.3.13-1.4.mga2
libgraphicsmagick3-1.3.13-1.4.mga2
libgraphicsmagickwand2-1.3.13-1.4.mga2
libgraphicsmagick-devel-1.3.13-1.4.mga2
perl-Graphics-Magick-1.3.13-1.4.mga2
graphicsmagick-doc-1.3.13-1.4.mga2

from SRPMS:
graphicsmagick-1.3.12-3.2.mga1.src.rpm
graphicsmagick-1.3.13-1.4.mga2.src.rpm
Testing complete on Mageia 2 32 bits.
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA1-64-OK MGA2-32-OK
That fixed it, thanks guys.

Testing complete x86_64

Validating

Advisory and srpms in comment 23

Sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0192
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED