Bug#825800: graphicsmagick: CVE-2016-5118
László Böszörményi (GCS) writes:

> On Tue, Sep 20, 2016 at 9:56 AM, Stephan Großberndt wrote:
>> Do you think 1.3.25-2 might be used for a stable update?
> Upgrade to a newer version in stable is not easy and I can remember
> one, maybe two cases when it was allowed.
> In this case I'm not sure it should be the path.

It's done regularly with MySQL, so I'd say asking the release team wouldn't hurt.

 - Carsten
Bug#825800: graphicsmagick: CVE-2016-5118
On Tue, 20 Sep 2016, László Böszörményi wrote:

>> Do you think 1.3.25-2 might be used for a stable update?
> Upgrade to a newer version in stable is not easy and I can remember
> one, maybe two cases when it was allowed.
> In this case I'm not sure it should be the path.

1.3.25 is the "fix" for security issues in previous versions. 1.3.20 is the last release in the calm before GraphicsMagick entered Coverity testing (resulting in hundreds of changes) and the availability of ASAN and the subsequent flood of problem files from security researchers using fuzzers like American Fuzzy Lop, which I fixed as quickly as I could. There are hundreds of known files (many publicly available) which might cause 1.3.20 to crash or consume immense resources.

Unfortunately there was a small ABI break in Magick++ (in 1.3.21) and I did bump its library major version number and reset age.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Bug#825800: graphicsmagick: CVE-2016-5118
On Tue, Sep 20, 2016 at 9:56 AM, Stephan Großberndt wrote:
> in the meantime it's graphicsmagick 1.3.25-2 on Debian Stretch, but Jessie -
> which is the current stable release - still has 12 security issues going
> back to 2015:

Yes, I consider this my fault. The other part is that there are way too many fixes to integrate into 1.3.20 and I have other things to do as well.

> Do you think 1.3.25-2 might be used for a stable update?

Upgrade to a newer version in stable is not easy and I can remember one, maybe two cases when it was allowed. In this case I'm not sure it should be the path.

Regards,
Laszlo/GCS
Bug#825800: graphicsmagick: CVE-2016-5118
Hi,

in the meantime it's graphicsmagick 1.3.25-2 on Debian Stretch, but Jessie - which is the current stable release - still has 12 security issues going back to 2015:

CVE-2016-5241
CVE-2016-5240
CVE-2016-5239
CVE-2016-5118
CVE-2016-3718
CVE-2016-3717
CVE-2016-3716
CVE-2016-3715
CVE-2016-3714
CVE-2016-2318
CVE-2016-2317
CVE-2015-8808

Do you think 1.3.25-2 might be used for a stable update?

Stephan

On Tue, 5 Jul 2016 08:53:29 -0500 (CDT) Bob Friesenhahn wrote:
> On Tue, 5 Jul 2016, László Böszörményi wrote:
>> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
>> the first set of patches, release it as a DSA, then add the others, a
>> new DSA... But it's also not the best idea.
>> I include the Security Team in this discussion, to see what they say about this.
>
> There are still more security related fixes in the MVG/SVG rendering code (e.g. changeset 14860:6071b5820215). Also some of the error checking which was added is apparently too strict and causing failures with SVG files which were previously accepted.
>
> It is my intention to release a 1.3.25 which primarily fixes parsing issues introduced with 1.3.24 as well as fixes heap/stack overflow/overrun issues in the rendering code.
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

--
side by site GmbH & Co. KG
Geo & Web
Barbarastraße 3-9 (Block 6)
50735 Köln
phone: +49 221 27909-68
fax: +49 221 27909-65
email: s.grossber...@sidebysite.de
http://www.sidebysite.de
GK2: 2568335.13239 rw / 5648797.09828 hw
WGS84: 50.9703360368 br / 6.97225749493 la
HR A 15202 Amtsgericht Köln
Personally liable partner: side by site Verwaltungs GmbH, Amtsgericht Köln HR B 33600
Managing director: Michael Schlieper
Bug#825800: graphicsmagick: CVE-2016-5118
On Tue, 5 Jul 2016, László Böszörményi wrote:
> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
> the first set of patches, release it as a DSA, then add the others, a
> new DSA... But it's also not the best idea.
> I include the Security Team in this discussion, to see what they say about this.

There are still more security related fixes in the MVG/SVG rendering code (e.g. changeset 14860:6071b5820215). Also some of the error checking which was added is apparently too strict and causing failures with SVG files which were previously accepted.

It is my intention to release a 1.3.25 which primarily fixes parsing issues introduced with 1.3.24 as well as fixes heap/stack overflow/overrun issues in the rendering code.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Bug#825800: graphicsmagick: CVE-2016-5118
Hi Carsten,

On Tue, Jul 5, 2016 at 1:13 PM, Carsten Leonhardt wrote:
> maybe it would be possible to use 1.3.24 for a stable update? I think
> the current situation with the unpatched graphicsmagick in stable is
> quite unacceptable.

I agree, graphicsmagick needs to be updated as soon as possible. I've identified all fixes that need backporting for Jessie, but those are over one hundred. I had a quick mail exchange with upstream about one fix that caused a regression, but as far as I know, it's fixed since then.

I don't think 1.3.24 would be an easy target for Jessie. Maybe apply the first set of patches, release it as a DSA, then add the others, a new DSA... But it's also not the best idea.

I include the Security Team in this discussion, to see what they say about this.

Regards,
Laszlo/GCS
Bug#825800: graphicsmagick: CVE-2016-5118
Hi László,

maybe it would be possible to use 1.3.24 for a stable update? I think the current situation with the unpatched graphicsmagick in stable is quite unacceptable.

Carsten
Bug#825800: graphicsmagick: CVE-2016-5118 on jessie
Hi Stephan,

On Mon, Jun 6, 2016 at 1:43 PM, Stephan Großberndt wrote:
> what is the reason there is no fix for graphicsmagick CVE-2016-5118 on
> jessie? This is the current stable debian distribution, wheezy and sid have
> released fixes but none for jessie?

I don't want to comment on the Wheezy update. I need time with the Jessie one, it's my fault; even if it's in part the number of fixes that need to be backported. Please see the Sid changelog[1].

> Is graphicsmagick no longer supported by debian?

As you noted above, Sid + Wheezy are already updated; so it is supported.

Regards,
Laszlo/GCS

[1] https://packages.qa.debian.org/g/graphicsmagick/news/20160530T232158Z.html
Bug#825800: graphicsmagick: CVE-2016-5118 on jessie
Hi,

what is the reason there is no fix for graphicsmagick CVE-2016-5118 on jessie? This is the current stable debian distribution, wheezy and sid have released fixes but none for jessie?

https://security-tracker.debian.org/tracker/CVE-2016-5118

Apparently this is also the case for ALL security fixes in 2016:

https://security-tracker.debian.org/tracker/source-package/graphicsmagick

Is graphicsmagick no longer supported by debian?

Regards,
Stephan Großberndt
Bug#825800: graphicsmagick: CVE-2016-5118
Source: graphicsmagick
Version: 1.3.23-3
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2016-5118[0]:
popen() shell vulnerability via filename

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5118
[1] http://www.openwall.com/lists/oss-security/2016/05/29/7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
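The vulnerability in the report above is triggered because the library's blob-opening code treated a filename whose first character is '|' as a command to run through popen(), so a user-controlled name could become a shell command. The fix belongs in the library (the patched releases discussed in this thread), but an application that hands user-supplied names to GraphicsMagick can also refuse suspicious names before the call. The validator below is an added example written for this page, not code from the GraphicsMagick project or from anyone in the thread; the functions is_safe_image_filename, build_image_path and safe_join, the /var/uploads base directory, and the policy they enforce (relative path, allowlisted characters, no empty, "." or ".." components) are all assumptions chosen for the example.

```c
/* Added example, not GraphicsMagick project code.
 * CVE-2016-5118: a filename beginning with '|' was handed to popen() by the
 * image library, so a user-controlled name could become a shell command.
 * The real fix is the patched library; this is the extra check an
 * application can do before calling into it. The policy below is assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 255
#define PATH_BUF     512

/* Returns 1 if `name` is safe to pass on, 0 otherwise.
 * Assumed policy: relative path, no leading '|', only [A-Za-z0-9._-]
 * inside components separated by single '/', no "", "." or ".." component. */
int is_safe_image_filename(const char *name)
{
    const char *p;
    size_t len, comp_len = 0;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;
    /* The CVE-2016-5118 trigger: a leading '|' meant "run via popen()". */
    if (name[0] == '|')
        return 0;
    /* Stay relative: callers join this onto a base directory themselves. */
    if (name[0] == '/')
        return 0;

    for (p = name; ; p++) {
        unsigned char c = (unsigned char)*p;

        if (c == '/' || c == '\0') {
            /* End of a path component: reject empty, "." and "..". */
            if (comp_len == 0)
                return 0;
            if (comp_len == 1 && p[-1] == '.')
                return 0;
            if (comp_len == 2 && p[-1] == '.' && p[-2] == '.')
                return 0;
            if (c == '\0')
                break;
            comp_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
        comp_len++;
    }
    return 1;
}

/* Joins base_dir and a validated name into out; returns 1 on success,
 * 0 if the name was rejected or the result would not fit in out. */
int build_image_path(const char *base_dir, const char *name,
                     char *out, size_t outlen)
{
    int n;

    if (!is_safe_image_filename(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", base_dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return 1;
}

/* Convenience wrapper for demonstration: static buffer, NULL on rejection. */
const char *safe_join(const char *base_dir, const char *name)
{
    static char buf[PATH_BUF];

    return build_image_path(base_dir, name, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample inputs; the '|' one mirrors the CVE's pattern. */
    const char *samples[] = { "cat.png", "2016/07/scan.tiff", "|notes.png",
                              "../etc/passwd", "a b.png" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *joined = safe_join("/var/uploads", samples[i]);
        printf("%-18s -> %s\n", samples[i], joined ? joined : "REJECTED");
    }
    return 0;
}
```

The allowlist approach is deliberate: a denylist that only strips a leading '|' would still let other library-interpreted prefixes through, whereas restricting names to plain path characters under a fixed base directory keeps the library from ever seeing anything but an ordinary file path. Validation of this kind is a mitigation layered on top of the library update, not a replacement for it.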