Bug#825800: graphicsmagick: CVE-2016-5118

2016-09-20 Thread Carsten Leonhardt
László Böszörményi (GCS) writes:

> On Tue, Sep 20, 2016 at 9:56 AM, Stephan Großberndt wrote:

>> Do you think 1.3.25-2 might be used for a stable update?
>  Upgrade to a newer version in stable is not easy and I can remember
> one, maybe two cases when it was allowed.
> In this case I'm not sure it should be the path.

It's done regularly with MySQL, so I'd say asking the release team
wouldn't hurt.

 - Carsten



Bug#825800: graphicsmagick: CVE-2016-5118

2016-09-20 Thread Bob Friesenhahn

On Tue, 20 Sep 2016, László Böszörményi wrote:

>> Do you think 1.3.25-2 might be used for a stable update?
>
> Upgrade to a newer version in stable is not easy and I can remember
> one, maybe two cases when it was allowed.
> In this case I'm not sure it should be the path.


1.3.25 is the "fix" for security issues in previous versions.  1.3.20 
is the last release in the calm before GraphicsMagick entered Coverity 
testing (resulting in hundreds of changes) and the availability of 
ASAN and the subsequent flood of problem files from security 
researchers using fuzzers like American Fuzzy-Lop, which I fixed as 
quickly as I could.


There are hundreds of known files (many publicly available) which 
might cause 1.3.20 to crash or consume immense resources.


Unfortunately there was a small ABI break in Magick++ (in 1.3.21) and 
I did bump its library major version number and reset age.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

Bug#825800: graphicsmagick: CVE-2016-5118

2016-09-20 Thread GCS
On Tue, Sep 20, 2016 at 9:56 AM, Stephan Großberndt wrote:
> in the meantime it's graphicsmagick 1.3.25-2 on Debian Stretch, but Jessie -
> which is the current stable release - still has 12 security issues going
> back to 2015:
 Yes, I consider this my fault. The other part is that there are way
too many fixes to integrate to 1.3.20 and I have other things to do as
well.

> Do you think 1.3.25-2 might be used for a stable update?
 Upgrade to a newer version in stable is not easy and I can remember
one, maybe two cases when it was allowed.
In this case I'm not sure it should be the path.

Regards,
Laszlo/GCS



Bug#825800: graphicsmagick: CVE-2016-5118

2016-09-20 Thread Stephan Großberndt

Hi,

in the meantime it's graphicsmagick 1.3.25-2 on Debian Stretch, but 
Jessie - which is the current stable release - still has 12 security 
issues going back to 2015:


CVE-2016-5241
CVE-2016-5240
CVE-2016-5239
CVE-2016-5118
CVE-2016-3718
CVE-2016-3717
CVE-2016-3716
CVE-2016-3715
CVE-2016-3714
CVE-2016-2318
CVE-2016-2317
CVE-2015-8808

Do you think 1.3.25-2 might be used for a stable update?

Stephan

On Tue, 5 Jul 2016 08:53:29 -0500 (CDT) Bob Friesenhahn wrote:

> On Tue, 5 Jul 2016, László Böszörményi wrote:
>>
>> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
>> the first set of patches, release it as a DSA, then add the others, a
>> new DSA... But it's also not the best idea.
>> I include the Security Team to this discussion, what they say about this.
>
> There are still more security related fixes in the MVG/SVG rendering
> code (e.g. changeset 14860:6071b5820215).  Also some of the error
> checking which was added is apparently too strict and causing failures
> with SVG files which were previously accepted.  It is my intention to
> release a 1.3.25 which primarily fixes parsing issues introduced with
> 1.3.24 as well as fixes heap/stack overflow/overrun issues in the
> rendering code.
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

--
side by site GmbH & Co. KG
Geo & Web

Barbarastraße 3-9 (Block 6)
50735 Köln

fon: +49 221 27909-68
fax: +49 221 27909-65
email: s.grossber...@sidebysite.de
http://www.sidebysite.de

GK2:
2568335.13239 rw / 5648797.09828 hw

WGS84:
50.9703360368 br / 6.97225749493 la

HR A 15202
Amtsgericht Köln

General partner:
side by site Verwaltungs GmbH
Amtsgericht Köln HR B 33600
Managing director: Michael Schlieper



Bug#825800: graphicsmagick: CVE-2016-5118

2016-07-05 Thread Bob Friesenhahn

On Tue, 5 Jul 2016, László Böszörményi wrote:

> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
> the first set of patches, release it as a DSA, then add the others, a
> new DSA... But it's also not the best idea.
> I include the Security Team to this discussion, what they say about this.


There are still more security related fixes in the MVG/SVG rendering 
code (e.g. changeset 14860:6071b5820215).  Also some of the error 
checking which was added is apparently too strict and causing failures 
with SVG files which were previously accepted.  It is my intention to 
release a 1.3.25 which primarily fixes parsing issues introduced with 
1.3.24 as well as fixes heap/stack overflow/overrun issues in the 
rendering code.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

Bug#825800: graphicsmagick: CVE-2016-5118

2016-07-05 Thread GCS
Hi Carsten,

On Tue, Jul 5, 2016 at 1:13 PM, Carsten Leonhardt wrote:
> maybe it would be possible to use 1.3.24 for a stable update? I think
> the current situation with the unpatched graphicsmagick in stable is
> quite unacceptable.
 I agree, graphicsmagick needs to be updated as soon as possible. I've
identified all fixes that need backporting for Jessie, but those are over
one hundred. I had a quick mail with upstream that one fix caused
regression, but as I know, it's fixed since then.

I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
the first set of patches, release it as a DSA, then add the others, a
new DSA... But it's also not the best idea.
I include the Security Team to this discussion, what they say about this.

Regards,
Laszlo/GCS



Bug#825800: graphicsmagick: CVE-2016-5118

2016-07-05 Thread Carsten Leonhardt
Hi László,

maybe it would be possible to use 1.3.24 for a stable update? I think
the current situation with the unpatched graphicsmagick in stable is
quite unacceptable.

Carsten



Bug#825800: graphicsmagick: CVE-2016-5118 on jessie

2016-06-07 Thread GCS
Hi Stephan,

On Mon, Jun 6, 2016 at 1:43 PM, Stephan Großberndt wrote:
> what is the reason there is no fix for graphicsmagick CVE-2016-5118 on
> jessie? this is the current stable debian distribution, wheezy and sid have
> released fixes but none for jessie?
 I don't want to comment on the Wheezy update. I need time with the
Jessie one, it's my fault; even if it's part of the number of fixes
that need to be backported. Please see the Sid changelog[1].

> Is graphicsmagick no longer supported by debian?
 As you noted above, Sid + Wheezy already updated; so it is supported.

Regards,
Laszlo/GCS
[1] https://packages.qa.debian.org/g/graphicsmagick/news/20160530T232158Z.html



Bug#825800: graphicsmagick: CVE-2016-5118 on jessie

2016-06-06 Thread Stephan Großberndt

Hi,

what is the reason there is no fix for graphicsmagick CVE-2016-5118 on 
jessie? this is the current stable debian distribution, wheezy and sid 
have released fixes but none for jessie?


https://security-tracker.debian.org/tracker/CVE-2016-5118

Apparently this is also the case for ALL security fixes in 2016:

https://security-tracker.debian.org/tracker/source-package/graphicsmagick

Is graphicsmagick no longer supported by debian?

Regards,
Stephan Großberndt




Bug#825800: graphicsmagick: CVE-2016-5118

2016-05-29 Thread Salvatore Bonaccorso
Source: graphicsmagick
Version: 1.3.23-3
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2016-5118[0]:
popen() shell vulnerability via filename

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5118
[1] http://www.openwall.com/lists/oss-security/2016/05/29/7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore