Page MenuHomePhabricator
Create Task
Maniphest T334863

libmagickcore / libmagickwand 8:6.9.10.23+dfsg-2.1+deb10u4 causing test failures
Closed, ResolvedPublic
Actions

Description

Since the introduction of these packages, we are seeing test failures for PNG images.

Reproduction

docker run --user root --entrypoint /bin/bash -it docker-registry.wikimedia.org/wikimedia/operations-software-thumbor-plugins:2023-02-27-151612-production
# our prod images don't have any build tools
apt update; apt install make python3-pytest flake8; ln -s /usr/bin/pytest-3 /usr/bin/pytest 
# successfully run the test
make test
apt install -y libmagickcore-6.q16-6 apt install -y libmagickwand-6.q16-6
# tests will now fail
make test

Some failures we see:

tests/integration/test_png.py:58:
tests/integration/__init__.py:182: in run_and_check_ssim_and_size
    raise e

self = <tests.integration.test_png.WikimediaTest testMethod=test_transparent>, url = '/thumbor/unsafe/400x/PNG_transparency_demonstration_1.png', mediawiki_reference_thumbnail = '400px-PNG_transparency_demonstration_1.png', perfect_reference_thumbnail = '400px-PNG_transparency_demonstration_1.png', expected_width = 400, expected_height = 300
expected_ssim = 0.97, size_tolerance = 1.1

        try:
>           assert ssim >= expected_ssim, 'Images too dissimilar: %f (should be >= %f)\n' % (ssim, expected_ssim)
E           AssertionError: Images too dissimilar: 0.951071 (should be >= 0.970000)

tests/integration/test_vips.py:175:

self = <tests.integration.test_vips.WikimediaVipsTest testMethod=test_skip_factor_1>, url = '/thumbor/unsafe/2000x/filters:format(png)/Lakedaimoniergrab_Zeichnung_und_Steinplan.png', mediawiki_reference_thumbnail = '2000px-Lakedaimoniergrab_Zeichnung_und_Steinplan.png', perfect_reference_thumbnail = '2000px-Lakedaimoniergrab_Zeichnung_und_Steinplan.png'
expected_width = 2000, expected_height = 987, expected_ssim = 0.99, size_tolerance = 1.01

SNIP
        expected_filesize = os.path.getsize(expected_path)
        generated_filesize = len(result.buffer.getvalue())

        ratio = generated_filesize / expected_filesize
        assert ratio <= size_tolerance, \
>           'Generated file bigger than size tolerance: %f (should be <= %f)' % (ratio, size_tolerance)
E       AssertionError: Generated file bigger than size tolerance: 1.014739 (should be <= 1.010000)

self = <tests.integration.test_webp.WikimediaTest testMethod=test_webp>, url = '/thumbor/unsafe/300x/filters:format(png)/Album_en_blanco_y_negro.webp', mediawiki_reference_thumbnail = '300px-Album_en_blanco_y_negro.webp.png', perfect_reference_thumbnail = '300px-Album_en_blanco_y_negro.webp.png', expected_width = 300, expected_height = 202, expected_ssim = 0.99
size_tolerance = 1.06

 <SNIP>

        expected_filesize = os.path.getsize(expected_path)
        generated_filesize = len(result.buffer.getvalue())

        ratio = generated_filesize / expected_filesize
        assert ratio <= size_tolerance, \
>           'Generated file bigger than size tolerance: %f (should be <= %f)' % (ratio, size_tolerance)
E       AssertionError: Generated file bigger than size tolerance: 1.065725 (should be <= 1.060000)

tests/integration/__init__.py:189: AssertionError

Details

SubjectRepoBranchLines +/-
imagemagick: update test cases for fixes within librariesoperations/software/thumbor-pluginsmaster+5 -5
thumbor: new image versionoperations/deployment-chartsmaster+1 -1
pin libmagickore-6 and libmagickwand-6operations/software/thumbor-pluginsmaster+6 -1
Customize query in gerrit

Related Objects

Event Timeline

hnowlan created this task.Apr 17 2023, 3:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 17 2023, 3:05 PM
Ladsgroup subscribed.Apr 17 2023, 3:31 PM
hnowlan added a project: Platform Team Workboards (Platform Engineering Reliability).Apr 17 2023, 4:01 PM
hnowlan moved this task from Backlog to In Progress on the Thumbor Migration board.
hnowlan moved this task from Backlog to Doing 🔨 on the Platform Team Workboards (Platform Engineering Reliability) board.Apr 17 2023, 4:05 PM
gerritbot added a comment.Apr 26 2023, 11:26 AM

Change 912267 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/software/thumbor-plugins@master] pin libmagickore-6 and libmagickwand-6

https://gerrit.wikimedia.org/r/912267

gerritbot added a project: Patch-For-Review.Apr 26 2023, 11:26 AM
gerritbot added a comment.Apr 26 2023, 2:27 PM

Change 912267 merged by jenkins-bot:

[operations/software/thumbor-plugins@master] pin libmagickore-6 and libmagickwand-6

https://gerrit.wikimedia.org/r/912267

Maintenance_bot removed a project: Patch-For-Review.Apr 26 2023, 2:30 PM
gerritbot added a comment.Apr 27 2023, 10:06 AM

Change 912801 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] thumbor: new image version

https://gerrit.wikimedia.org/r/912801

gerritbot added a project: Patch-For-Review.Apr 27 2023, 10:06 AM
gerritbot added a comment.Apr 27 2023, 10:52 AM

Change 912801 merged by jenkins-bot:

[operations/deployment-charts@master] thumbor: new image version

https://gerrit.wikimedia.org/r/912801

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2023, 11:10 AM
MoritzMuehlenhoff subscribed.Apr 28 2023, 1:48 PM

So far I've managed to narrow it down to one of those patches out of the 47 patches which got applied between +deb10u1 and +deb10u4, hopefully with 2-3 further iteration we've found the faulty patch:

CVE-2020-19667.patch
CVE-2020-25665.patch
CVE-2020-25666.patch
CVE-2020-25674.patch
CVE-2020-25675.patch
CVE-2020-25676.patch
CVE-2020-27560.patch
CVE-2020-27750.patch
CVE-2020-27757.patch
CVE-2020-27751.patch
CVE-2020-27759-1.patch
CVE-2020-27759-2.patch
CVE-2020-27754.patch
CVE-2020-27756.patch
CVE-2020-27758.patch
CVE-2020-27760.patch
CVE-2020-27761.patch
CVE-2020-27762.patch
CVE-2020-27763.patch

MoritzMuehlenhoff added a comment.Apr 28 2023, 2:59 PM

Narrowed down to these five patches:

CVE-2020-27751.patch
CVE-2020-27759-1.patch
CVE-2020-27759-2.patch
CVE-2020-27754.patch
CVE-2020-27756.patch

MoritzMuehlenhoff added a comment.Apr 28 2023, 3:28 PM

Narrowed down to these three patches:

CVE-2020-27751.patch
CVE-2020-27759-1.patch
CVE-2020-27759-2.patch

FJoseph-WMF subscribed.May 2 2023, 1:15 PM
hnowlan moved this task from Doing 🔨 to In review on the Platform Team Workboards (Platform Engineering Reliability) board.May 2 2023, 1:17 PM
MoritzMuehlenhoff added a comment.May 3 2023, 10:07 AM

I could track this down to the upstream security fix for https://www.cve.org/CVERecord?id=CVE-2020-27759.

The upstream report is https://github.com/ImageMagick/ImageMagick/issues/1720 and for Imagemagick 6 this was fixed in the following commits which are correctly applied as CVE-2020-27759-1.patch and CVE-2020-27759-2.patch in Debian (-2 squashes two commits together):

Given the underlying type change from a double to the ssize_t the ripple effect to the Thumbor test images isn't surprising. And given that this is now the established behaviour (I compared against the latest version of Imagemagick in Debian bookworm and it continue to use that type), can we can consider this the new intended behaviour of Thumbor and should adapt the test data in operations-software-thumbor-plugins

hnowlan mentioned this in T336881: [XL] Upgrade Thumbor to bullseye.May 18 2023, 4:34 PM
gerritbot added a comment.May 19 2023, 10:33 AM

Change 921255 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/software/thumbor-plugins@master] imagemagick: update test cases for fixes within libraries

https://gerrit.wikimedia.org/r/921255

gerritbot added a project: Patch-For-Review.May 19 2023, 10:33 AM
gerritbot added a comment.May 19 2023, 12:34 PM

Change 921255 merged by jenkins-bot:

[operations/software/thumbor-plugins@master] imagemagick: update test cases for fixes within libraries

https://gerrit.wikimedia.org/r/921255

Maintenance_bot removed a project: Patch-For-Review.May 19 2023, 1:10 PM
FJoseph-WMF added a project: Thumbor.Jun 26 2023, 2:04 PM
FJoseph-WMF removed subscribers: Hokwelum, Atieno.
hnowlan closed this task as Resolved.Jul 3 2023, 4:02 PM
hnowlan claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL