| Summary: | media-gfx/imagemagick < 6.3.5.9: Multiple vulnerabilities (CVE-2007-498{5,6,7,8}) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | major | CC: | graphics+disabled, pacho, sekretarz | ||||
| Priority: | Normal | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596 | ||||||
| Whiteboard: | A2 [glsa] | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Bug Depends on: | 193737 | ||||||
| Bug Blocks: | 191001 | ||||||
| Attachments: |
|
||||||
|
Description
Hans de Graaff
2007-07-20 21:26:44 UTC
Also, seems that this bump could fix: http://bugs.gentoo.org/show_bug.cgi?id=191001 As said in: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=9602&p=0&e=0&sid=179acdbb16feb516eedb6f0477471371 Thanks a lot Created attachment 131031 [details]
Ebuild for imagemagick 6.3.5-9
An updated ebuild for imagemagick-6.3.5-9.
(In reply to comment #2) > Created an attachment (id=131031) [edit] > Ebuild for imagemagick 6.3.5-9 > > An updated ebuild for imagemagick-6.3.5-9. > Couple months gone by since the original report so you could as well go ahead and do the bump yourself. Just saw the advisories about CVE-2007-4985 [1], CVE-2007-4986 [2], CVE-2007-4987 [3] and CVE-2007-4988 [4] from iDefense, so transforming this one to a security bug. [1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596 [2] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594 [3] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595 [4] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597 Setting whiteboard to A2 because the application itself is not actively remotely exploitable. A combination with networked applications makes this bug more serious though. graphics, please provide an updated ebuild. I've added the ebuild for imagemagick 6.3.5-9 to CVS just now, as discussed on IRC with the graphics herd. Thanks. Arches, please stabilize media-gfx/imagemagick-6.3.5.9, target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd". x86 stable Sparc stable. Stable for HPPA. media-gfx/imagemagick-6.3.5.9 USE="X jpeg mpeg perl png tiff truetype xml zlib -bzip2 -doc -fpx -graphviz -gs -hdri -jbig -jpeg2k -lcms -nocxx -openexr -q32 -q8 -wmf" 1. Emerges on AMD64. 2. No collisions etc. 3. Works - have tried to convert images with convert tool. Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64) ================================================================= System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Gentoo Base System release 1.12.9 Timestamp of tree: Wed, 19 Sep 2007 21:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.21 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS ppc64 stable 22 Sep 2007; Luca Barbato <lu_zero@gentoo.org> imagemagick-6.3.5.9.ebuild: Marked ppc alpha/ia64 stable removing ppc64 as ranger marked stable (comment #12) amd64 done Last supported arch, ready for GLSA. glsa request filed. The thing is broken, see Bug 193737. We need this bumped to 6.3.5.10 Seems like a regression so yes we need fixed ebuild. imagemagick 6.3.5.10 is now in CVS and I got confirmation that it fixes the issues in bug 193737 Re-cc'ing arches. There was a regression in media-gfx/imagemagick-6.3.5.9, please stabilize 6.3.5.10. See comments 19 to 21 for details. Targets are still: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86" ppc64 stable thanks mips stable. Sparc stable for 6.3.5.10 alpha/ia64/x86 stable, removing bsd since they have nothing to do ppc stable Marked stable on amd64. Stable for HPPA. Oh, by the way: # ChangeLog for dev-ruby/rmagick ... *rmagick-1.15.10 (17 Sep 2007) 17 Sep 2007; Hans de Graaff <graaff@gentoo.org> +rmagick-1.15.10.ebuild: Version bump, fixes compatibility issue with ImageMagick-6.3.5-9 I will consider stabilising rmagick for hppa before it's due. Thanks Jeroen. I've now filed a stablization request as bug 194246. A2 -> GLSA request filed. GLSA 200710-27, sorry for the delay I assume it should be closed mips, you've stabled the wrong version (6.3.5.9), I guess you want 6.3.5.10 stable to not cause any breakage (see comment #22). Thanks to chithead who noticed that on #gentoo-security. |