888545 – <media-gfx/graphicsmagick-1.3.39: multiple vulnerabilities

Bug 888545 - <media-gfx/graphicsmagick-1.3.39: multiple vulnerabilities

Summary: <media-gfx/graphicsmagick-1.3.39: multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://sourceforge.net/p/graphicsmag...
Whiteboard:	B2 [glsa?]
Keywords:

Depends on:	889232
Blocks:
	Show dependency tree

Reported:	2022-12-26 20:56 UTC by John Helmert III
Modified:	2023-03-09 06:41 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-26 20:56:49 UTC

"Security Fixes:

* GraphicsMagick is participating in Google's oss-fuzz project since
  February 4 2018 due to the contributions and assistance of Alex
  Gaynor and Paul Kehrer. The issues list is available at
  https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
  "graphicsmagick".  Issues are available for anyone to view and
  duplicate if they have been in "Verified" status for 30 days, or if
  they have been in "New" status for 90 days.  Please consult the
  GraphicsMagick ChangeLog file, Mercurial repository commit log, and
  the oss-fuzz issues list for details.

Security Fixes:

* oss-fuzz: Several security fixes originating from oss-fuzz testing.

* ALL: Replace strcpy() with strlcpy(), replace strcat() with
  strlcat(), replace sprintf() with snprintf().  Prefer using bounded
  string functions.  This change is made for the purpose of increasing
  safety than to address any existing demonstrated concern."

Please bump to 1.3.39.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-27 10:12:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07bcc7e82426848db147d8d2fd67ef40e722ce93

commit 07bcc7e82426848db147d8d2fd67ef40e722ce93
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-27 10:07:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-27 10:07:16 +0000

    media-gfx/graphicsmagick: add 1.3.39
    
    Bug: https://bugs.gentoo.org/888545
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/graphicsmagick/Manifest                  |   2 +
 .../graphicsmagick/graphicsmagick-1.3.39.ebuild    | 160 +++++++++++++++++++++
 .../graphicsmagick/graphicsmagick-9999.ebuild      |   2 +-
 3 files changed, 163 insertions(+), 1 deletion(-)

Comment 2 Larry the Git Cow gentoo-dev

2023-03-09 06:41:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a80a21a605475095d050ea14833d354338fc9e86

commit a80a21a605475095d050ea14833d354338fc9e86
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-03-09 06:41:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-09 06:41:18 +0000

    media-gfx/graphicsmagick: drop 1.3.38-r5, 1.3.39
    
    Bug: https://bugs.gentoo.org/888545
    Bug: https://bugs.gentoo.org/890851
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/graphicsmagick/Manifest                  |   4 -
 .../graphicsmagick-1.3.38-configure-bashism.patch  |  34 -----
 .../graphicsmagick/graphicsmagick-1.3.38-r5.ebuild | 161 ---------------------
 .../graphicsmagick/graphicsmagick-1.3.39.ebuild    | 160 --------------------
 4 files changed, 359 deletions(-)