Univention Bugzilla – Bug 41330
UCS 3.3 imagemagick / graphicsmagick update
Last modified: 2016-09-21 18:10:03 CEST
Upstream Debian Wheezy imagemagick package version 8:6.7.7.10-5+deb7u5 fixes several issues:

Several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files.

Upstream Debian Wheezy graphicsmagick package version 1.3.16-1.1+deb7u1 fixes these issues:

* out-of-bound read in the parsing of gif files (CVE-2015-8808)
* Bug 1306148 – CVE-2016-2317 CVE-2016-2318 GraphicsMagick: SVG parsing issues (CVE-2016-2317)
* Bug 1306148 – CVE-2016-2317 CVE-2016-2318 GraphicsMagick: SVG parsing issues (CVE-2016-2318)
* The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." (CVE-2016-3714)
* The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. (CVE-2016-3715)
* The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image. (CVE-2016-3716)
* The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. (CVE-2016-3717)
* The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. (CVE-2016-3718)
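As an added defender's note, not part of this bug report: beyond installing the patched packages, ImageMagick's security policy can deny the coders that the CVEs above abuse, so a crafted file is refused before any delegate or file access runs. The entries below assume the policy file of the Debian Wheezy build lives at /etc/ImageMagick/policy.xml and belong inside its existing <policymap> element; GraphicsMagick does not read this file, so it only covers the imagemagick package.

```xml
<policymap>
  <!-- Added example: deny the coders named in the ImageTragick CVEs.
       Merge these <policy> lines into the <policymap> of the existing
       /etc/ImageMagick/policy.xml (path assumed for the Wheezy build). -->

  <!-- CVE-2016-3714: these coders hand attacker-controlled text to delegates -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

  <!-- CVE-2016-3718: HTTP/FTP fetches (SSRF) triggered from inside an image -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="FTP" />

  <!-- CVE-2016-3717: LABEL can read local files; denying it also disables the
       legitimate label: pseudo-format, so keep it only if that is acceptable -->
  <policy domain="coder" rights="none" pattern="LABEL" />
</policymap>
```

The deny list is defense in depth for services that convert user-supplied images; the package update in this bug remains the actual fix, since the policy does nothing for code paths that are not coder lookups.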
Imagemagick cherrypicked from errata4.0-5 and rebuilt as version 8:6.7.7.10-5~ucs3.3.58.201605231743. Graphicsmagick imported and built as version 1.3.16-1.1~ucs3.3.25.201605231947.
OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall imagemagick imagemagick-common

OK: manual functional test:

# convert /var/www/icon/computer.png /tmp/computer.jpg
# file /var/www/icon/computer.png /tmp/computer.jpg
/var/www/icon/computer.png: PNG image data, 24 x 24, 16-bit/color RGBA, non-interlaced
/tmp/computer.jpg: JPEG image data, JFIF standard 1.01

OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall graphicsmagick libgraphicsmagick3

OK: manual functional test:

# gm convert /var/www/icon/computer.png /tmp/computer.gif
# file /var/www/icon/computer.png /tmp/computer.gif
/var/www/icon/computer.png: PNG image data, 24 x 24, 16-bit/color RGBA, non-interlaced
/tmp/computer.gif: GIF image data, version 89a, 24 x 24

OK: changelog entries for both packages (r69493)
The Jenkins tests failed. For example:
http://jenkins.knut.univention.de:8080/job/UCS-3.3/job/UCS-3.3-0/job/AutotestUpgrade/SambaVersion=s3,Systemrolle=master/

Test case 00_base.16packages_default.test
----------------------------------------------------------------------------
Stopping periodic command scheduler: cron. done.
test: univention-kde
Paketlisten werden gelesen...
Abhängigkeitsbaum wird aufgebaut...
Statusinformationen werden eingelesen...
Einige Pakete konnten nicht installiert werden. Das kann bedeuten, dass
Sie eine unmögliche Situation angefordert haben oder, wenn Sie die
Unstable-Distribution verwenden, dass einige erforderliche Pakete noch
nicht erstellt wurden oder Incoming noch nicht verlassen haben.
Die folgenden Informationen helfen Ihnen vielleicht, die Situation zu lösen:

Die folgenden Pakete haben unerfüllte Abhängigkeiten:
 univention-kde : Hängt ab von: kde-standard (>= 5:66) soll aber nicht installiert werden
                  Empfiehlt: okular soll aber nicht installiert werden
                  Empfiehlt: univention-gdm soll aber nicht installiert werden
                  Empfiehlt: univention-x-core soll aber nicht installiert werden
Failed to install univention-kde
----------------------------------------------------------------------------

It looks like the graphicsmagick upgrade is responsible:

------------------------------------------------------------------------------
root@master090:~# apt-get install -s univention-kde kde-standard kde-plasma-desktop polkit-kde-1 gwenview phonon kdebase-runtime phonon-backend-xine dragonplayer libxine1 libxine1-plugins libxine1-misc-plugins libgraphicsmagick3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libgraphicsmagick3 : Depends: libjbig0 but it is not installable
E: Broken packages
root@master090:~# apt-cache policy libgraphicsmagick3
libgraphicsmagick3:
  Installed: (none)
  Candidate: 1.3.16-1.1~ucs3.3.25.201605231947
  Version table:
     1.3.16-1.1~ucs3.3.25.201605231947 0
        500 http://updates-test.software-univention.de/3.3/maintained/ 3.3-0/amd64/ Packages
     1.3.12-1.21.201104140431 0
        500 http://updates-test.software-univention.de/3.0/maintained/ 3.0-0/amd64/ Packages
root@master090:~#
------------------------------------------------------------------------------

The installation works fine after activating unmaintained. So, it should work again after building a new DVD. I've started a DVD build.
UCS 3.3 has been released:
https://docs.software-univention.de/release-notes-3.3-0-en.html
https://docs.software-univention.de/release-notes-3.3-0-de.html

If this error occurs again, please use "Clone This Bug".