Bugzilla – Bug 905260
VUL-0: CVE-2014-8716: ImageMagick: Crafted jpeg file could lead to DOS
Last modified: 2014-12-15 10:51:29 UTC
Created attachment 613481 [details] Reproducer file Tried it on openSUSE 13.2 (6.8.9.8) # convert reproducer.jpg png:/dev/null [1] 11019 abort convert reproducer.jpg png:/dev/null References: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8716.html
Created attachment 613482 [details] Patch for CVE-2014-8716
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-11-27. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59636
openSUSE: mr#261433 sle12: mr#46276 11: sr#46277 10sp3: sr#46279
Why in hell do you reassign me all four bugs just because one submit request? What about needinfo? (In reply to Johannes Segitz from comment #7) > You need to redo the SLE 11 submission. ImageMagick is in in SUSE:SLE-11:GA, > not SP1. Thanks. That's not true. $ isc ls SUSE:SLE-11-SP1:Update:Test ImageMagick ImageMagick-6.4.3-6.tar.bz2 ImageMagick-6.4.3.6-CVE-2012-3437.patch ImageMagick-6.4.3.6-CVE-2014-1947.patch [...] ImageMagick.spec baselibs.conf xtp-5.4.3.tar.bz2 Nevertheless $ isc ls SUSE:SLE-11-SP1:Update:Test | grep ImageMagick $ $ isc mbranch ImageMagick home:pgajdos:ImageMagick $ isc ls home:pgajdos:ImageMagick ImageMagick.SUSE_SLE-10-SP3_Update_Test ImageMagick.SUSE_SLE-11_Update_Test ImageMagick.SUSE_SLE-12_Update $ isc ls home:pgajdos:ImageMagick ImageMagick.SUSE_SLE-11_Update_Test ImageMagick-6.4.3-6.tar.bz2 [...] ImageMagick.spec _link baselibs.conf xtp-5.4.3.tar.bz2 # -> SUSE:SLE-11-SP1:Update:Test ImageMagick (latest) [...] It seems nothing I can do here?
(In reply to Petr Gajdos from comment #8) > Why in hell do you reassign me all four bugs just because one submit request? > What about needinfo? Because we don't have all the submits we need. I don't need information from you. > That's not true. > > $ isc ls SUSE:SLE-11-SP1:Update:Test ImageMagick This is the wrong command to use. You get the same result for $ isc ls SUSE:SLE-11-SP2:Update:Test ImageMagick $ isc ls SUSE:SLE-11-SP3:Update:Test ImageMagick because of the layering. You need to check $ isc se ImageMagick there you'll see that it lives in SUSE:SLE-11:GA ImageMagick > It seems nothing I can do here? Please try $ isc sr SUSE:SLE-11:Update:Test in the directory home:pgajdos:ImageMagick/ImageMagick.SUSE_SLE-11_Update_Test
(In reply to Johannes Segitz from comment #9) > (In reply to Petr Gajdos from comment #8) > > Why in hell do you reassign me all four bugs just because one submit request? > What about needinfo? > > Because we don't have all the submits we need. I don't need information from > you. I know, but reassigning all bugs is just nonsense. (In reply to Petr Gajdos from comment #8) > $ isc mbranch ImageMagick home:pgajdos:ImageMagick > $ isc ls home:pgajdos:ImageMagick > ImageMagick.SUSE_SLE-10-SP3_Update_Test > ImageMagick.SUSE_SLE-11_Update_Test > ImageMagick.SUSE_SLE-12_Update > $ isc ls home:pgajdos:ImageMagick ImageMagick.SUSE_SLE-11_Update_Test > ImageMagick-6.4.3-6.tar.bz2 > [...] > ImageMagick.spec > _link > baselibs.conf > xtp-5.4.3.tar.bz2 > # -> SUSE:SLE-11-SP1:Update:Test ImageMagick (latest) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ > [...] > > It seems nothing I can do here?
(In reply to Johannes Segitz from comment #9) > Please try > $ isc sr SUSE:SLE-11:Update:Test > in the directory home:pgajdos:ImageMagick/ImageMagick.SUSE_SLE-11_Update_Test I always do isc sr in that directory.
(In reply to Johannes Segitz from comment #9) > This is the wrong command to use. You get the same result for > $ isc ls SUSE:SLE-11-SP2:Update:Test ImageMagick > $ isc ls SUSE:SLE-11-SP3:Update:Test ImageMagick > because of the layering. You need to check This sounds like a bug, not like a feature.
Package submitted.
openSUSE-SU-2014:1492-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 905260 CVE References: CVE-2014-8716 Sources used: openSUSE 13.2 (src): ImageMagick-6.8.9.8-8.1 openSUSE 13.1 (src): ImageMagick-6.8.6.9-2.28.1 openSUSE 12.3 (src): ImageMagick-6.7.8.8-4.21.1
SUSE-SU-2014:1595-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 903204,903216,903638,905260 CVE References: CVE-2014-8354,CVE-2014-8355,CVE-2014-8562,CVE-2014-8716 Sources used: SUSE Linux Enterprise Workstation Extension 12 (src): ImageMagick-6.8.8.1-8.2 SUSE Linux Enterprise Software Development Kit 12 (src): ImageMagick-6.8.8.1-8.2 SUSE Linux Enterprise Server 12 (src): ImageMagick-6.8.8.1-8.2 SUSE Linux Enterprise Desktop 12 (src): ImageMagick-6.8.8.1-8.2
SUSE-SU-2014:1631-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 903204,903216,903638,905260 CVE References: CVE-2014-8354,CVE-2014-8355,CVE-2014-8562,CVE-2014-8716 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): ImageMagick-6.4.3.6-7.30.1 SUSE Linux Enterprise Server 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1 SUSE Linux Enterprise Desktop 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1
I did osci mbranch ImageMagick home:msmeissn:branches:OBS_Maintained:ImageMagick/ImageMagick.SUSE_SLE-11_Update_Test> less _link <link project="SUSE:SLE-11:Update:Test" package="ImageMagick" baserev="d3f828bfc2275fe431a02fabc85f59f6"> looks good here. that "osci ls" works in all SPs is due to source links in the projects. (this layering is a bit confusing.) released
(In reply to Marcus Meissner from comment #18) > I did osci mbranch ImageMagick > > > home:msmeissn:branches:OBS_Maintained:ImageMagick/ImageMagick.SUSE_SLE- > 11_Update_Test> less _link > <link project="SUSE:SLE-11:Update:Test" package="ImageMagick" > baserev="d3f828bfc2275fe431a02fabc85f59f6"> > > > looks good here. Now it works for me too, maybe because of #dist irc discussion around the date of comment 8.