imagemagick 8:6.9.7.4+dfsg-12 source package in Debian

Changelog

imagemagick (8:6.9.7.4+dfsg-12) unstable; urgency=medium

  * Fix security bugs:
     + Previous CVE-2017-9144 fix was incomplete.
       A crafted RLE image can trigger a crash because of incorrect
       EOF handling in coders/rle.c
       (Closes: #863126)
     + CVE-2017-10928:
       A heap-based buffer over-read in the GetNextToken
       function in token.c allows remote attackers to obtain
       sensitive information from process memory or possibly have
       unspecified other impact via a crafted SVG document
       that is mishandled in the GetUserSpaceCoordinateValue
       function in coders/svg.c.
       (Closes: #867367).
     + CVE-2017-9500:
       An assertion failure was found in the function
       ResetImageProfileIterator, which allows attackers to cause
       a denial of service via a crafted file.
       (Closes: #867778).
     + CVE-2017-9501:
       An assertion failure was found in the function LockSemaphoreInfo,
       which allows attackers to cause a denial of service via a crafted
       file.
       (Closes: #867721).
     + CVE-2017-9440:
       A memory leak was found in the function ReadPSDChannel
       in coders/psd.c, which allows attackers to cause a denial
       of service via a crafted file.
       (Closes: #864273).
     + CVE-2017-9439:
       A memory leak was found in the function ReadPDBImage in
       coders/pdb.c, which allows attackers to cause a denial of
       service via a crafted file.
       (Closes: #864274).
     + CVE-2017-11188: CPU exhaustion in ReadDPXImage
       Because dpx.file.image_offset is an unsigned int, it can be controlled
       to be as large as 4294967295.
       This will cause ImageMagick to spend a lot of time processing a crafted
       DPX image file, even if the image file is very small.
       (Closes: #867806)
     + CVE-2017-11141: memory exhaustion in ReadMATImage
       When identifying a MAT file, imagemagick will allocate memory to store
       data in function ReadMATImage.
       Modifying MAT's MATLAB_HDR field can cause ImageMagick to allocate
       any amount of memory, which may cause memory exhaustion
       (Closes: #868264)
     + CVE-2017-11170: memory exhaustion in ReadTGAImage
       When identifying a VST file, imagemagick will allocate memory to store
       data in function ReadTGAImage in coders/tga.c
       using the tga_info.bits_per_pixel field directly from the VST file
       without checking in tga.c
       By reviewing the function code, tga_info.bits_per_pixel max valid
       value is 32.
       On 32bit os, size_t one will be 32bit, so image->colors can
       overflow to 0.
       On 64bit os, size_t one will be 64bit, so image->colors
       can be as large as 0x100000000(64GB).
       (Closes: #868184)
     + Memory exhaustion in ReadCINImage
       When identifying a CIN file that contains user defined data,
       imagemagick will allocate memory to store the
       data in function ReadCINImage in coders\inc.c
       There is a security check in the function SetImageExtent,
       but it comes after memory allocation, so IM cannot control the memory usage
       (Closes: #867810)
     + CPU exhaustion in ReadRLEImage
       A corrupted rle file could trigger a DOS
       (Closes: #867808)
     + Memory leak in ReadDIBImage in dib.c
       The ReadDIBImage function in dib.c allows attackers
       to cause a denial of service (memory leak)
       via a small crafted dib file.
       (Closes: #867811)
     + Memory exhaustion in ReadDPXImage in dpx.c
       When identifying a DPX file that contains user header data,
       imagemagick will allocate memory to store the data in function
       ReadDPXImage in coders\dpx.c
       There is a security check in the function SetImageExtent,
       but it is too late, so IM cannot control the memory usage.
       (Closes: #867812)
     + Enable heap overflow check for stdin for mpc files
       Enabling seekable streams is required to ensure checking
       the blob size works when an image is streamed on stdin.
       (Closes: #867896)
     + Assertion failure in WriteBlob
       A crafted file revealed an assertion failure in blob.c.
       (Closes: #867798)
     + Memory exhaustion in ReadEPTImage in ept.c
       When identifying an EPT file, imagemagick will allocate memory
       to store the data.
       There is a security check in the function SetImageExtent,
       but it is not used in the allocation function,
       so IM cannot control the memory usage.
       (Closes: #867821)
     + CPU exhaustion in ReadOneJNGImage
       Due to lack of validation of PNG format, imagemagick could loop
       2^32 times in a CPU intensive loop.
       (Closes: #867824, #867825).
     + CPU exhaustion in ReadOneDJVUImage
       Due to lack of format validation, a crafted file will cause a
       loop to run endlessly.
       (Closes: #867826).
     + Zero pixel buffer
       Avoid a data leak in case of incorrect file by clearing a buffer
       (Closes: #867893).
     + memory leak in ReadMATImage in mat.c
       The ReadMATImage function in mat.c allows attackers to cause a
       denial of service (memory leak) via a small crafted mat file.
       (Closes: #867823).
     + Avoid heap based overflow for jpeg
       A corrupted jpeg file could trigger a heap overflow
       (Closes: #867894).
     + Fix a memory leak in screenshot coder
       (Closes: #867897)

 -- Bastien Roucariès <email address hidden>  Fri, 14 Jul 2017 15:35:15 +0200
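
Added illustration, not part of the changelog and not ImageMagick's code: the CVE-2017-11170 entry describes sizing a colormap as 1 << bits_per_pixel in a size_t, and the CIN/DPX/EPT entries describe a size check that runs only after allocation. The sketch below models the unchecked computation at both size_t widths and shows a check that runs before any allocation; the function names, entry size and memory budget are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked sizing as the changelog describes it: 1 << bits_per_pixel held
   in a size_t of the given width (32 or 64). Modelled in uint64_t so the
   example itself never performs an out-of-range shift. */
uint64_t colors_unchecked(unsigned bits_per_pixel, unsigned size_t_bits)
{
    uint64_t v = bits_per_pixel < 64 ? UINT64_C(1) << bits_per_pixel : 0;
    return size_t_bits == 32 ? (uint64_t)(uint32_t)v : v;
}

/* Hardened sizing (hypothetical helper): validate the header field, then
   compare the implied allocation with a budget before allocating anything.
   Returns 0 and stores the entry count, or -1 if the header is rejected. */
int colors_checked(unsigned bits_per_pixel, size_t entry_size,
                   uint64_t budget_bytes, uint64_t *entries)
{
    if (bits_per_pixel == 0 || bits_per_pixel > 32)
        return -1;                      /* outside the valid range */
    uint64_t n = UINT64_C(1) << bits_per_pixel;  /* 64-bit: cannot wrap */
    if (entry_size == 0 || n > budget_bytes / entry_size)
        return -1;                      /* allocation would exceed budget */
    *entries = n;
    return 0;
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed header values: 32 is the attacker-chosen case, 8 is benign. */
    printf("32-bit size_t, bpp=32: %llu entries\n",
           (unsigned long long)colors_unchecked(32, 32));
    printf("64-bit size_t, bpp=32: %llu entries\n",
           (unsigned long long)colors_unchecked(32, 64));
    /* Assumed limits: 4-byte entries, 1 MiB colormap budget. */
    printf("checked bpp=32: %d\n", colors_checked(32, 4, 1u << 20, &n));
    printf("checked bpp=8:  %d", colors_checked(8, 4, 1u << 20, &n));
    printf(" (%llu entries)\n", (unsigned long long)n);
    return 0;
}
```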

Upload details

Uploaded by: ImageMagick Packaging Team
Uploaded to: Sid
Original maintainer: ImageMagick Packaging Team
Architectures: any all
Section: graphics
Urgency: Medium Urgency

Downloads

File Size SHA-256 Checksum
imagemagick_6.9.7.4+dfsg-12.dsc 5.0 KiB f445c59ca48e8869b7676ed7336295c780478acfef00161a652f5a228a34cec3
imagemagick_6.9.7.4+dfsg.orig.tar.xz 8.5 MiB 47fb2cdd26f5913318c4504f16ea363e04d1f400dda9ec52e461ab661d724026
imagemagick_6.9.7.4+dfsg-12.debian.tar.xz 225.0 KiB 8b91345baf34eeeadc6ea8e744a4d0f57ebf976c386833b55411b5faa862aa65

No changes file available.