July 2023 - Epel-packagers-sig - Fedora mailing-lists

[Bug 2210667] New: CVE-2023-34151 ImageMagick: Undefined behaviors of casting double to size_t in svg, mvg and other coders [epel-8]
by bugzilla＠redhat.com 31 Aug '23

31 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210667 Bug ID: 2210667 Summary: CVE-2023-34151 ImageMagick: Undefined behaviors of casting double to size_t in svg, mvg and other coders [epel-8] Product: Fedora EPEL Version: epel8 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2210657 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210667

1 5

[Bug 2210661] New: CVE-2023-34153 ImageMagick: Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding [epel-8]
by bugzilla＠redhat.com 31 Aug '23

31 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2210661 Bug ID: 2210661 Summary: CVE-2023-34153 ImageMagick: Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding [epel-8] Product: Fedora EPEL Version: epel8 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: luya_tfz(a)thefinalzone.net Reporter: saroy(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2210660 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2210661

1 8

[Bug 2138645] New: python-utils-3.4.5 is available
by bugzilla＠redhat.com 30 Aug '23

30 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2138645 Bug ID: 2138645 Summary: python-utils-3.4.5 is available Product: Fedora Version: rawhide Status: NEW Component: python-utils Keywords: FutureFeature, Triaged Assignee: mhroncok(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, mhroncok(a)redhat.com, python-packagers-sig(a)lists.fedoraproject.org, thomas.andrejak(a)gmail.com Target Milestone: --- Classification: Fedora Releases retrieved: 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5 Upstream release that is considered latest: 3.4.5 Current version/release in rawhide: 3.3.3-1.fc38 URL: https://github.com/WoLpH/python-utils Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/12707/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-utils -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2138645

1 19

[Bug 2150064] New: python-twine-4.0.2 is available
by bugzilla＠redhat.com 29 Aug '23

29 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2150064 Bug ID: 2150064 Summary: python-twine-4.0.2 is available Product: Fedora Version: rawhide Status: NEW Component: python-twine Keywords: FutureFeature, Triaged Assignee: cstratak(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: cstratak(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, python-packagers-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Releases retrieved: 4.0.2 Upstream release that is considered latest: 4.0.2 Current version/release in rawhide: 4.0.1-2.fc37 URL: https://github.com/pypa/twine Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/11165/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-twine -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2150064

1 5

[Bug 2217558] New: ImageMagick-7.1.1.12 is available
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2217558 Bug ID: 2217558 Summary: ImageMagick-7.1.1.12 is available Product: Fedora Version: rawhide Status: NEW Component: ImageMagick Keywords: FutureFeature, Triaged Assignee: luya_tfz(a)thefinalzone.net Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora Releases retrieved: 7.1.1.12 Upstream release that is considered latest: 7.1.1.12 Current version/release in rawhide: 7.1.1.11-2.fc39 URL: https://imagemagick.org Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M… Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/328484/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/ImageMagick -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2217558 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 14

[Bug 2214159] New: CVE-2023-34475 ImageMagick: heap use-after-free issue in ReplaceXmpValue() function in MagickCore/profile.c. [fedora-38]
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2214159 Bug ID: 2214159 Summary: CVE-2023-34475 ImageMagick: heap use-after-free issue in ReplaceXmpValue() function in MagickCore/profile.c. [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2214149 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2214159 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 5

[Bug 2214157] New: CVE-2023-34474 ImageMagick: heap-based buffer overflow in ReadTIM2ImageData() function in coders/tim2.c [fedora-38]
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2214157 Bug ID: 2214157 Summary: CVE-2023-34474 ImageMagick: heap-based buffer overflow in ReadTIM2ImageData() function in coders/tim2.c [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2214148 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2214157 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 5

[Bug 2214143] New: CVE-2023-3195 ImageMagick: stack overflow in coders/tiff.c while parsing malicious tiff file [fedora-38]
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2214143 Bug ID: 2214143 Summary: CVE-2023-3195 ImageMagick: stack overflow in coders/tiff.c while parsing malicious tiff file [fedora-38] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2214141 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2214143 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 5

[Bug 2208543] New: CVE-2023-2157 ImageMagick: heap overflow vulnerability [fedora-all]
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2208543 Bug ID: 2208543 Summary: CVE-2023-2157 ImageMagick: heap overflow vulnerability [fedora-all] Product: Fedora Version: 38 Status: NEW Component: ImageMagick Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2208537 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2208543

1 5

[Bug 2195906] New: ImageMagick creates big-endian tiff images on aarch64
by bugzilla＠redhat.com 24 Aug '23

24 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2195906 Bug ID: 2195906 Summary: ImageMagick creates big-endian tiff images on aarch64 Product: Fedora Version: 38 Hardware: aarch64 OS: Linux Status: NEW Component: ImageMagick Severity: medium Assignee: luya_tfz(a)thefinalzone.net Reporter: fedora(a)georg.so QA Contact: extras-qa(a)fedoraproject.org CC: blaise(a)gmail.com, davide(a)cavalca.name, epel-packagers-sig(a)lists.fedoraproject.org, fedora(a)famillecollet.com, luya_tfz(a)thefinalzone.net, michel(a)michel-slm.name, ngompa13(a)gmail.com, pampelmuse(a)gmx.at, sergio(a)serjux.com Target Milestone: --- Classification: Fedora When converting a PNG image to a TIFF image, ImageMagick unexpectedly creates the image with big-endian byteorder although aarch64 is a little-endian architecture. Input test image is attached. Reproducible: Always Steps to Reproduce: 1. /usr/bin/convert normal.png -depth 32 -define quantum:format=floating-point out.tiff 2. /usr/bin/convert out.tiff json: | grep endian -i 3. lscpu | grep 'Architecture\|Byte Order' 4. ls -lh out.tiff Actual Results: "endianness": "MSB", "tiff:endian": "msb", Architecture: aarch64 Byte Order: Little Endian -rw-r--r--. 1 juser juser 43K May 6 12:40 out.tiff Expected Results: "endianness": "LSB", "tiff:endian": "lsb", Architecture: aarch64 Byte Order: Little Endian -rw-r--r--. 1 juser juser 5.9K May 6 12:40 out.tiff NB: Also, the file size of the resulting tiff is much bigger than on x86_64 (f37), where it's just 5.9 KiB. $ rpm -q ImageMagick ImageMagick-7.1.1.4-3.fc38.aarch64 $ uname -a Linux f38-aarch64 6.2.14-300.fc38.aarch64 #1 SMP PREEMPT_DYNAMIC Mon May 1 00:58:31 UTC 2023 aarch64 GNU/Linux This issue also affects python3-img2pdf has this breaks a few of its unittests, if they are running on aarch64. See also: https://koji.fedoraproject.org/koji/taskinfo?taskID=100027658 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2195906

1 5

2024

2023

2022

2021

Epel-packagers-sig July 2023