Bug 41330 - UCS 3.3 imagemagick / graphicsmagick update
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Upstream packages
UCS 3.3
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.3
Assigned To: Arvid Requate
Daniel Tröder
Reported: 2016-05-23 19:35 CEST by Arvid Requate
Modified: 2016-09-21 18:10 CEST (History)

What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-05-23 19:35:03 CEST
Upstream Debian Wheezy imagemagick package version 8:6.7.7.10-5+deb7u5 fixes several issues:

Several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files.

Upstream Debian Wheezy graphicsmagick package version 1.3.16-1.1+deb7u1 fixes these issues:

* out-of-bound read in the parsing of gif files (CVE-2015-8808)
* Bug 1306148 – CVE-2016-2317 CVE-2016-2318 GraphicsMagick: SVG parsing issues (CVE-2016-2317)
* Bug 1306148 – CVE-2016-2317 CVE-2016-2318 GraphicsMagick: SVG parsing issues (CVE-2016-2318)
* The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." (CVE-2016-3714)
* The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. (CVE-2016-3715)
* The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image. (CVE-2016-3716)
* The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. (CVE-2016-3717)
* The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. (CVE-2016-3718)
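Beyond the package update, the usual defence-in-depth for the coder-based issues listed above is an ImageMagick policy.xml that denies the affected coders. The script below is an added example for this page, not code from the bug report, from Debian or from the Univention packages: it parses a policy.xml and reports which of the coders named in the CVE descriptions (plus URL, the generic fetch coder from the published ImageTragick mitigation) are still permitted. The three policy documents embedded in it are constructed for the demonstration; the default path /etc/ImageMagick/policy.xml is an assumption for ImageMagick 6.x on Wheezy-era systems, and `convert -list policy` shows what the installed binary actually loaded.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick coder restrictions."""
import sys
import xml.etree.ElementTree as ET

# Coders named in the CVE-2016-3714..3718 descriptions, plus URL (the generic
# fetch coder listed in the published ImageTragick mitigation policy).
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "HTTP", "FTP", "MVG",
                       "MSL", "TEXT", "SHOW", "WIN", "PLT", "LABEL")

# Constructed sample policies (not taken from any real host).
# 1) Weak: only resource limits, every coder still enabled.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# 2) Partial: brace-list pattern that covers only some of the coders.
PARTIAL_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL}"/>
</policymap>"""

# 3) Hardened: one deny entry per coder, the form most mitigation guides show.
HARDENED_POLICY = "<policymap>\n" + "".join(
    '  <policy domain="coder" rights="none" pattern="%s"/>\n' % c
    for c in IMAGETRAGICK_CODERS) + "</policymap>"


def _expand_pattern(pattern):
    """Expand a policy pattern into the coder names it covers.

    Handles a plain name ("MVG") and a brace list ("{MVG,MSL}"); the "*"
    wildcard is passed through and treated as "everything" by the caller.
    """
    pattern = pattern.strip().upper()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern]


def denied_coders(policy_xml):
    """Return the set of coder names that the policy denies all rights to."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if (pol.get("domain") or "").lower() != "coder":
            continue
        if (pol.get("rights") or "").strip().lower() != "none":
            continue
        denied.update(_expand_pattern(pol.get("pattern") or ""))
    return denied


def missing_restrictions(policy_xml, coders=IMAGETRAGICK_CODERS):
    """List the coders (in the order of `coders`) that are still allowed."""
    denied = denied_coders(policy_xml)
    if "*" in denied:          # a blanket coder deny covers everything
        return []
    return [c for c in coders if c not in denied]


def main(argv):
    # Assumed default location for ImageMagick 6.x on Debian Wheezy.
    path = argv[1] if len(argv) > 1 else "/etc/ImageMagick/policy.xml"
    with open(path) as fh:
        missing = missing_restrictions(fh.read())
    if missing:
        print("%s: coders still permitted: %s" % (path, ", ".join(missing)))
        return 1
    print("%s: all ImageTragick coders are denied" % path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real file with `python audit_policy.py /etc/ImageMagick/policy.xml`; a non-zero exit means at least one of the listed coders is still permitted. The check only reads the XML, so it complements rather than replaces `convert -list policy`, which reports the policy the binary actually loaded after merging all configuration directories.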
Comment 1 Arvid Requate univentionstaff 2016-05-23 20:04:37 CEST
Imagemagick cherrypicked from errata4.0-5 and rebuilt as version 8:6.7.7.10-5~ucs3.3.58.201605231743.

Graphicsmagick imported and built as version 1.3.16-1.1~ucs3.3.25.201605231947.
Comment 2 Daniel Tröder univentionstaff 2016-05-24 08:55:03 CEST
OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall imagemagick imagemagick-common
OK: manual functional test:
# convert /var/www/icon/computer.png /tmp/computer.jpg
# file /var/www/icon/computer.png /tmp/computer.jpg
/var/www/icon/computer.png: PNG image data, 24 x 24, 16-bit/color RGBA, non-interlaced
/tmp/computer.jpg:          JPEG image data, JFIF standard 1.01

OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall graphicsmagick libgraphicsmagick3
OK: manual functional test:
# gm convert /var/www/icon/computer.png /tmp/computer.gif
# file /var/www/icon/computer.png /tmp/computer.gif
/var/www/icon/computer.png: PNG image data, 24 x 24, 16-bit/color RGBA, non-interlaced
/tmp/computer.gif:          GIF image data, version 89a, 24 x 24

OK: changelog entries for both packages (r69493)
Comment 3 Stefan Gohmann univentionstaff 2016-05-24 09:30:57 CEST
The Jenkins tests failed. For example:
http://jenkins.knut.univention.de:8080/job/UCS-3.3/job/UCS-3.3-0/job/AutotestUpgrade/SambaVersion=s3,Systemrolle=master/

Test case 00_base.16packages_default.test
----------------------------------------------------------------------------
Stopping periodic command scheduler: cron.
done.
test: univention-kde
Paketlisten werden gelesen...
Abhängigkeitsbaum wird aufgebaut...
Statusinformationen werden eingelesen...
Einige Pakete konnten nicht installiert werden. Das kann bedeuten, dass
Sie eine unmögliche Situation angefordert haben oder, wenn Sie die
Unstable-Distribution verwenden, dass einige erforderliche Pakete noch
nicht erstellt wurden oder Incoming noch nicht verlassen haben.
Die folgenden Informationen helfen Ihnen vielleicht, die Situation zu lösen:

Die folgenden Pakete haben unerfüllte Abhängigkeiten:
 univention-kde : Hängt ab von: kde-standard (>= 5:66) soll aber nicht installiert werden
                  Empfiehlt: okular soll aber nicht installiert werden
                  Empfiehlt: univention-gdm soll aber nicht installiert werden
                  Empfiehlt: univention-x-core soll aber nicht installiert werden
Failed to install univention-kde
----------------------------------------------------------------------------

It looks like the graphicsmagick upgrade is responsible:
------------------------------------------------------------------------------
root@master090:~# apt-get install -s univention-kde kde-standard kde-plasma-desktop polkit-kde-1 gwenview phonon kdebase-runtime phonon-backend-xine dragonplayer libxine1 libxine1-plugins libxine1-misc-plugins libgraphicsmagick3 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libgraphicsmagick3 : Depends: libjbig0 but it is not installable
E: Broken packages
root@master090:~# apt-cache policy libgraphicsmagick3
libgraphicsmagick3:
  Installed: (none)
  Candidate: 1.3.16-1.1~ucs3.3.25.201605231947
  Version table:
     1.3.16-1.1~ucs3.3.25.201605231947 0
        500 http://updates-test.software-univention.de/3.3/maintained/ 3.3-0/amd64/ Packages
     1.3.12-1.21.201104140431 0
        500 http://updates-test.software-univention.de/3.0/maintained/ 3.0-0/amd64/ Packages
root@master090:~# 
------------------------------------------------------------------------------

The installation works fine after activating unmaintained. So, it should work again after building a new DVD. I've started a DVD build.
Comment 4 Stefan Gohmann univentionstaff 2016-06-07 21:35:48 CEST
UCS 3.3 has been released:
 https://docs.software-univention.de/release-notes-3.3-0-en.html
 https://docs.software-univention.de/release-notes-3.3-0-de.html

If this error occurs again, please use "Clone This Bug".