Bug 203975
| Summary: | Undefined symbol: InitializeMagick in | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stuart Rauh <Stuart> | ||||||||
| Component: | ImageMagick | Assignee: | Norm Murray <nmurray> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Mike McLean <mikem> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | high | ||||||||||
| Version: | 5 | CC: | bbaetz, ed, funkyblues, lapham, mtasaka, nicku, patmans, thomasz, tjb, tmus, toby, wwoods | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | i386 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2006-09-28 05:09:09 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Stuart Rauh
2006-08-24 19:19:03 UTC
This is a serious bug since the update was for a security fix. So you can down rev and run with the security bug, or run with the ones that don't work at all :-( Stuart - you opened two bugs, you should close the other one, bug 203977. *** Bug 203977 has been marked as a duplicate of this bug. *** Hi folks, any progres here? This bug breaks a bunch of scripts and the older version is disappearing from the repos... Just for reference, heres a one-liner that triggers the problem: perl -e ' use Image::Magick;' *** Bug 203966 has been marked as a duplicate of this bug. *** *** Bug 204201 has been marked as a duplicate of this bug. *** I've got the problem reproduced and have tracked down that it seems to be a missing dependency where /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/auto/Image/Magick/Magick.so in ImageMagick-6.2.5.4-4.2.1.fc5.4 has not picked up the dependency on /usr/lib64/libMagick.so.9 Working on figuring out why that has happened now. Just in case someone's reading this thread and doesn't know what to do, here's
what I've done/am doing:
* Check what ImageMagick modules are on your machines:
rpm -qa --queryformat='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | grep
ImageMagick
I get the list:
ImageMagick-perl-6.2.5.4-4.2.1.fc5.4.x86_64
ImageMagick-6.2.5.4-4.2.1.fc5.4.x86_64
ImageMagick-6.2.5.4-4.2.1.fc5.4.i386
* Download the older updates from
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/ (i386 or
x86_64 as appropriate). You want the ones dated around May 25. You should
have one for each of the modules installed on your machine.
* Uninstall the existing ImageMagick stuff - rpm -e followed by each of the
above. For instance:
rpm -e ImageMagick-perl-6.2.5.4-4.2.1.fc5.4.x86_64 ImageMagick-6.2.5.4-
4.2.1.fc5.4.x86_64 ImageMagick-6.2.5.4-4.2.1.fc5.4.i386
* Install the newly downloaded RPMs (easiest to do all at once - you can do
something like:
rpm -i ImageMagick*6.2.5.4-4.2.1.fc5.3*
* Until this issue is resolved, exclude ImageMagick from yum updates like so:
yum update --exclude='ImageMagick*'
Could this bug get the severity raised to *urgent* please? (or *regression*, but that doesn't seem to be an option in the popup menu) Could this bug get the priority raised to *high* please? Thanks Hi folks, I've upped the priority/severity since the perl functionality here is completely borked -- it completely breaks a lot of scripts. Also, I'd like to point out that you can download the older RPMs: ImageMagick*6.2.5.4-4.2.1.fc5.3* as described in comment #8 above and then install them immediately (without first removing them and any dependencies) using the rpm "--oldpackage" option. This makes it just a little easier to get rid of the broken .4 RPMs and replace with the working (but apparently with security flaw-ed?) .3 ones. According to https://rhn.redhat.com/errata/RHSA-2006-0633.html, the security flaw is exploitable only if the attacker can convince you (or your code) to use ImageMagick to decode "XCF, SGI, and Sun bitmap graphic files." If you do not allow untrusted individuals to upload or process image files, my understanding is that the risk is mitigated. I don't know how ImageMagick handles image decoding, so it is conceivable that allowing untrusted individuals to upload (for instance) JPG files might allow them to upload a malicious XCF file that had a .jpg extension, but ImageMagick might still process it as an XCF file because the first few bytes look like an XCF file, and thus the vulnerability might be exploitable. ldd and objdump show that Magick.so is not linked against libMagick.so, *none* of the ImageMagick symbols are defined. A quick fix, if you really need the security fixes (and who doesn't need security fixes?) is to create a new Magick.so that is linked against it: cd `find /usr/lib/perl5 -name "Magick.so" | xargs dirname` mv Magick.so Magick-0.so ld -shared -o Magick.so `pwd`/Magick-0.so /usr/lib/libMagick.so.9 Unfortunately, you can't just use -lMagick because for some reason /usr/lib/libMagick.so doesn't exist, just /usr/lib/libMagick.so.9. The resultant Magick.so is successfully loaded by perl and reads and generates images in scripts that worked fine with the 6.2.5.4-4.2.1.fc5.3 version. I have not tested it extensively, nor have I tested it against the buffer/integer overflow problems that .4 is supposed to fix. This is only a stop-gap measure -- this really needs to be properly fixed. I have had the same problem on x86_64; solved it by rebuilding the update from the source package; the same solution worked on a i386 system; I guess the update was built on a machine that has some inofficial updates installed. Norm, Any updates from you as per comment #7. There's a lot of chatter about this bug. Between it and all of its duplicates, it's kind of crazy that we haven't managed to fix it yet. What's blocking us from getting an update here? This is related to a security fix, right? It's kind of embarassing that it's taking this long. Set to block FC6. If this really is a security issue, I encourage wwoods not to certify FC6 unless it has fixed code. We shouldn't ship with a known security issue. Just to explain the situation a bit Max. The last working packages of ImageMagick (6.2.5.4-4.2.1.fc5.3) have the security issue. The "updated" package that Matthias Clasen made on August 23 (6.2.5.4-4.2.1.fc5.4)... https://www.redhat.com/archives/fedora-package-announce/2006-August/msg00089.html ...do not have the security issue, but the packages simply don't work. You may already understand that, if so I apologize. To wit, your last sentence in comment #14 should read "We shouldn't ship with non-functioning software". Has anyone here tried my solution from comment #13 yet? Just "rpmbuild --rebuild" the SRPM from http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/ImageMagick-6.2.5.4-4.2.1.fc5.4.src.rpm and install the resulting packages with "rpm --install --force" This worked on both (x86_64 and i386) of my fedory systems. If this turns out to work, everything the fedora people have to do is to bump up the version number and rebuild the packages on a CLEAN FC5 installation. Tom (In reply to comment #16) > Has anyone here tried my solution from comment #13 yet? > > Just "rpmbuild --rebuild" the SRPM from > http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/ImageMagick-6.2.5.4-4.2.1.fc5.4.src.rpm > and install the resulting packages with "rpm --install --force" > > This worked on both (x86_64 and i386) of my fedory systems. If this turns out to > work, everything the fedora people have to do is to bump up the version number > and rebuild the packages on a CLEAN FC5 installation. > > Tom I tried to rebuild ImageMagick-6.2.5.4-4.2.1.fc5.4 with just release number incremented, and the answer was _NO_ . To be more precise, rebuilding this srpm by normal rpmbuild seems okay, however, rebuilding this srpm IN MOCK leaves this problem unsolved. This means that the compilation of ImageMagick-6.2.5.4-4.2.1.fc5.4 needs ImageMagick itself pre-installed. Note: I don't see any problem in rawhide ImageMagick rpms. Now I am trying to rebuild rawhide ImageMagick (this version is 6.2.8) in FC5 mock envorinment to see if this problem disappears. Created attachment 136831 [details]
rebuild log of fc5 ImageMagick by normal rpmbuild
rebuild log of ImageMagick-6.2.5.4-4.2.1.fc5.4 by normal
ImageMagick (under the envoronment that ImageMagick itself
is already installed).
Created attachment 136833 [details]
rebuild log of fc5 ImageMagick IN MOCK
Rebuild log of ImageMagick-6.2.5.4-4.2.1.fc5.4 in fc5 mock environment.
You can see the important difference:
@@ -1363,14 +1761,15 @@
/usr/bin/install -c 'magick/Magick-config'
'/var/tmp/ImageMagick-6.2.5.4-root/usr/bin/Magick-config'
/usr/bin/install -c 'Magick++/bin/Magick++-config'
'/var/tmp/ImageMagick-6.2.5.4-root/usr/bin/Magick++-config'
/usr/bin/install -c 'wand/Wand-config'
'/var/tmp/ImageMagick-6.2.5.4-root/usr/bin/Wand-config'
-cd PerlMagick && /usr/bin/perl Makefile.PL INSTALLDIRS=vendor CC='gcc
-L/home/tasaka1/rpmbuild/BUILD/ImageMagick-6.2.5/magick
/.libs' LDDLFLAGS='-shared
-L/home/tasaka1/rpmbuild/BUILD/ImageMagick-6.2.5/magick/.libs'
+cd PerlMagick && /usr/bin/perl Makefile.PL INSTALLDIRS=vendor CC='gcc
-L/builddir/build/BUILD/ImageMagick-6.2.5/magick/.libs'
LDDLFLAGS='-shared -L/builddir/build/BUILD/ImageMagick-6.2.5/magick/.libs'
Checking if your kit is complete...
Looks good
+Note (probably harmless): No library found for -lMagick
Writing Makefile for Image::Magick
( cd PerlMagick && make CC='gcc' && \
make CC='gcc' install && \
make clean && rm -f Makefile.old )
-make[2]: Entering directory
`/home/tasaka1/rpmbuild/BUILD/ImageMagick-6.2.5/PerlMagick'
+make[2]: Entering directory
`/builddir/build/BUILD/ImageMagick-6.2.5/PerlMagick'
cp Magick.pm blib/lib/Image/Magick.pm
AutoSplitting blib/lib/Image/Magick.pm (blib/lib/auto/Image/Magick)
/usr/bin/perl /usr/lib/perl5/5.8.8/ExtUtils/xsubpp -typemap
/usr/lib/perl5/5.8.8/ExtUtils/typemap Magick.xs > Magick.xsc &&
mv Magick.xsc Magick.c
@@ -1475,15 +1874,15 @@
Running Mkbootstrap for Image::Magick ()
chmod 644 Magick.bs
rm -f blib/arch/auto/Image/Magick/Magick.so
-gcc -shared -L/home/tasaka1/rpmbuild/BUILD/ImageMagick-6.2.5/magick/.libs
Magick.o -o blib/arch/auto/Image/Magick/Magick.so
\
- -L/usr/lib -lMagick -lfreetype -lz -L/usr/lib -ltiff -lfreetype -ljpeg -lgs
-lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lpthrea
d -lm -lpthread \
+gcc -shared -L/builddir/build/BUILD/ImageMagick-6.2.5/magick/.libs Magick.o
-o blib/arch/auto/Image/Magick/Magick.so
\
+ -L/usr/lib -lfreetype -lz -L/usr/lib -ltiff -lfreetype -ljpeg -lgs -lXext
-lSM -lICE -lX11 -lXt -lbz2 -lz -lpthread -lm -lp
thread \
Created attachment 136845 [details]
patch to link against libMagick.so.9
Backported from ImageMagick-6.2.8
This patch seems to work for me.
Removing dependency for FC6Blocker. Rawhide ImageMagick (ImageMagick-6.2.8.0-3.fc6) does not have this problem. ImageMagick-6.2.5.4-4.2.1.fc5.6 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. Well, ImageMagick-perl-6.2.5.4-4.2.1.fc5.6 seems okay for me. |