-
graphicsmagick (1.4+really1.3.35-1~deb10u2) buster; urgency=high
[ Thorsten Alteholz <email address hidden> ]
* CVE-2020-12672
Fix for a heap-based buffer overflow in ReadMNGImage() in coders/png.c.
-- Laszlo Boszormenyi (GCS) <email address hidden> Fri, 31 Dec 2021 16:41:12 +0100
-
graphicsmagick (1.4+really1.3.35-1~deb10u1) buster-security; urgency=high
* Security backport for Buster.
* Relax Standards-Version to 4.3.0 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 18 Apr 2020 16:30:17 +0000
-
graphicsmagick (1.4~hg15978-1+deb10u1) unstable; urgency=medium
* Non-maintainer upload by the LTS Team.
* CVE-2019-19953
heap-based buffer over-read in the function EncodeImage
* CVE-2019-19951
heap-based buffer overflow in the function ImportRLEPixels
* CVE-2019-19950
use-after-free in ThrowException and ThrowLoggedException
-- Thorsten Alteholz <email address hidden> Wed, 29 Jan 2020 19:03:02 +0100
-
graphicsmagick (1.4~hg15978-1) unstable; urgency=medium
* Mercurial snapshot, fixing uninitialized integer value of log_configured.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 27 Apr 2019 07:06:40 +0000
-
graphicsmagick (1.4~hg15976-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadXWDImage(): Potential for heap overflow; Address header-directed
arbitrary memory allocation,
- ReadXWDImage(): Address segmentation violation and invalid memory
reads with more validations,
- Make built-in color tables fully const.
* Break gnudatalanguage versions that don't initialize GraphicsMagick
library (closes: #927688).
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 22 Apr 2019 14:41:32 +0000
-
graphicsmagick (1.4~hg15916-2) unstable; urgency=medium
* Declare break on python{,3}-pgmagick versions compiled with GCC 7
compiled versions of GraphicsMagick (closes: #915603, #915606).
-- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 02 Apr 2019 18:49:40 +0000
-
graphicsmagick (1.4~hg15916-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadTIFFImage(): Only disassociate alpha channel for images where
photometric is PHOTOMETRIC_RGB,
- DrawDashPolygon(): Heap buffer overflow when parsing SVG images,
- DrawPrimitive(): Add arithmetic overflow checks when converting
computed coordinates from 'double' to 'long',
- DrawImage(): Don't destroy draw_info in graphic_context when draw_info
has not been allocated yet,
- RenderFreetype(): Eliminate memory leak of GlyphInfo.image,
- DrawDashPolygon(): Heap-buffer-overflow via read beyond end of dash
pattern array,
- ReadMIFFImage(): Tally directory length to avoid death by strlen(),
- ReadMPCImage(): Tally directory length to avoid death by strlen(),
- ReallocColormap(): Make sure that there is not a heap overwrite if the
number of colors has been reduced.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 28 Feb 2019 17:50:19 +0000
-
graphicsmagick (1.4~hg15896-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadMNGImage(): Quit processing and report error upon failure to insert
MNG background layer preventing out of memory issues,
- ReadMIFFImage(): Improve pixel buffer calculations to defend against
overflow,
- ReadTIFFImage(): Make sure that image is in DirectClass mode and ignore
any claimed colormap when the image is read using various functions,
- ReadWPGImage(): Assure that all colormap entries are initialized,
- DecodeImage(): Avoid a one-byte over-read of pixels heap allocation,
- ReadTIFFImage(): Assure that opacity channel is initialized in the
RGBAStrippedMethod case,
- ReadMNGImage(): Bound maximum loop iterations by subrange as a
primitive means of limiting resource consumption preventing out of
memory issues,
- CVE-2019-7397: WritePDFImage(): Make sure to free 'xref' before
returning preventing several memory leaks,
- ReadTIFFImage(): For planar TIFF, make sure that pixels are initialized
in case some planes are missing.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 16 Feb 2019 15:19:56 +0000
-
graphicsmagick (1.4~hg15880-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- SetNexus(): Merge IsNexusInCore() implementation code into SetNexus()
and add check for if cache_info->pixels is null,
- CVE-2018-20185: BMP and DIB: Improve buffer size calculations to guard
against arithmetic overflow.
* Update Standards-Version to 4.3.0 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 05 Feb 2019 20:44:14 +0000
-
graphicsmagick (1.4~hg15873-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- WriteImage(): Eliminate use of just-freed memory in clone_info->magick,
- ReadMIFFImage(): Fix memory leak of profiles 'name' when claimed length
is zero,
- WriteXPMImage(): Assure that added colormap entry for transparent XPM
is initialized,
- ReadMNGImage(): Fix non-terminal MNG looping,
- ReadMIFFImage(): Sanitize claimed profile size before allocating memory
for it,
- CVE-2018-20185: ReadBMPImage(): Fix heap overflow in 32-bit build due
to arithmetic overflow (closes: #916719),
- CVE-2018-20184: WriteTGAImage(): Image rows/columns must not be larger
than 65535 (closes: #916721),
- ReadTIFFImage(): More validations and stricter error reporting,
- ReadMIFFImage(): Detect and reject zero-length deflate-encoded row in
MIFF version 0,
- CVE-2018-20189: ReadDIBImage(): DIB images claiming more than 8-bits
per pixel are not colormapped (closes: #916752).
* Add pkg-config to build dependency for FreeType 2.9.1+ detection.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 20 Dec 2018 19:04:33 +0000
-
graphicsmagick (1.3.31-1) unstable; urgency=high
* New upstream release.
* Fix CVE-2018-18544: memory leak of msl_image if OpenBlob() fails in
ProcessMSLScript() .
* Can detect FreeType via pkg-config (closes: #887720).
* Enable Zstandard, the fast lossless compression algorithm support.
* Update library symbols for this release.
* Update Standards-Version to 4.2.1 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 20 Nov 2018 17:16:37 +0000
-
graphicsmagick (1.3.30+hg15796-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- WEBP: Fix compiler warnings regarding uninitialized structure members,
- ReadJPEGImage(): Allow libjpeg to use 1/5th of the total memory limit,
- ReadJPEGImage(): Make sure that JPEG pixels array is initialized in
case libjpeg fails to completely initialize it,
- WriteOnePNGImage(): Free png_pixels as soon as possible,
- ReadMIFFImage(): Detect EOF when reading using ReadBlobZC() and avoid
subsequent heap read overflow,
- ReadMVGImage(): Don't assume that in-memory MVG blob is a
null-terminated C string,
- ReadMVGImage(): Don't allow MVG files to side-load a file as the
drawing primitive using '@' syntax,
- FileToBlob(): Use confirm access APIs to verify that read access is
allowed, and verify that file is a regular file,
- ExtractTokensBetweenPushPop() needs to always return a valid pointer
into the primitive string,
- DrawPolygonPrimitive(): Fix leak of polygon set when object is
completely outside image,
- SetNexus(): For requests one pixel tall, SetNexus() was wrongly using
pixels in-core rather than using a staging area for the case where the
nexus rows extend beyond the image raster boundary,
- ReadCINEONImage(): Quit immediately on EOF and detect short files,
- ReadMVGImage(): Fix memory leak,
- Add mechanism to approve embedded subformats in WPG,
- ReadXBMImage(): Add validations for row and column dimensions,
- MAT InsertComplexFloatRow(): Avoid signed overflow,
- InsertComplexFloatRow(): Try not to lose the previous intention while
avoiding signed overflow,
- XBMInteger(): Limit the number of hex digits parsed to avoid signed
integer overflow,
- MAT: More aggressive data corruption checking,
- MAT: Correctly check GetBlobSize(image) even for zipstreams inside
blob,
- MAT: Explicitly reject non-seekable streams,
- DrawImage(): Add missing error-reporting logic to return immediately
upon memory reallocation failure. Apply memory resource limits to
PrimitiveInfo array allocation,
- MagickAtoFChk(): Add additional validation checks for floating point
values. NAN and +/- INFINITY values also map to 0.0 ,
- ReadMPCImage()/ReadMIFFImage(): Insist that the format be identified
prior to any comment, and that there is only one comment,
- ConvertPrimitiveToPath(): Enlarge PathInfo array allocation to avoid
possible heap write overflow,
- WPG: Fix intentional 64 bit file offset overflow,
- DrawImage(): Be more precise about error detection and reporting,
- TranslateTextEx(): Fix off-by-one in loop bounds check which allowed a
one-byte stack write overflow,
- DrawImage(): Fix excessive memory consumption due to
SetImageAttribute() appending values,
- QuantumTransferMode(): CIE Log images with an alpha channel are not
supported,
- ConvertPrimitiveToPath(): Second attempt to prevent heap write
overflow of PathInfo array,
- ExtractTileJPG(): Enforce that JPEG tiles are read by the JPEG coder,
- MIFF and MPC, need to avoid leaking value allocation (day-old bug),
- ReadSFWImage(): Enforce that file is read using the JPEG reader,
- FindEXIFAttribute()/GenerateEXIFAttribute(): Change size types from
signed to unsigned and check for unsigned overflow,
- GenerateEXIFAttribute(): Eliminate undefined shift,
- TraceEllipse(): Detect arithmetic overflow when computing the number of
points to allocate for an ellipse,
- ReadMNGImage(): mng_LOOP chunk must be at least 5 bytes long,
- ReadJPEGImage(): Apply a default limit of 100 progressive scans before
the reader quits with an error.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 24 Sep 2018 21:54:36 +0000
-
graphicsmagick (1.3.30-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Build with all hardening enabled.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 24 Jun 2018 08:20:31 +0000
-
graphicsmagick (1.3.29+hg15665-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- use of uninitialized value in IsMonochromeImage() ,
- divide by zero in GetPixelOpacity() ,
- write beyond array bounds in TraceStrokePolygon() ,
- use of uninitialized value in format8BIM() ,
- assertion failure in WriteBlob() ,
- out of bounds write in TraceEllipse() ,
- memory leak and use of uninitialized memory when handling eXIf chunk
in png_malloc() ,
- floating point exception in WriteTIFFImage() ,
- leak of Image when TIFFReadRGBAImage() reports failure,
- potential leak when compressed object is corrupted,
- floating point exception in WriteTIFFImage() ,
- heap double free in Magick::BlobRef::~BlobRef() ,
- direct leak in TIFFClientOpen() ,
- indirect leak in CloneImage() ,
- direct leak in ReadOneJNGImage() ,
- heap buffer overflow in put1bitbwtile() ,
- use of uninitialized value in SyncImageCallBack() ,
- validate tile memory requests for TIFFReadRGBATile() .
* Remove profiles/sRGB Color Space Profile.ICM and
jp2/data/colorprofiles/srgb.icm for being non-free.
* Remove zlib/contrib/dotzlib/DotZLib.chm for no source available.
-- Laszlo Boszormenyi (GCS) <email address hidden> Fri, 25 May 2018 19:21:07 +0000
-
graphicsmagick (1.3.29-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Remove previously backported security patches.
* Update library symbols for this release.
* Update debhelper level to 11 .
* Update Standards-Version to 4.1.4 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Tue, 08 May 2018 20:33:46 +0000
-
graphicsmagick (1.3.28-2) unstable; urgency=high
* Backport security fixes:
- don't use rescale map if it was not allocated,
- validate number of colormap bits to avoid undefined shift behavior,
- defend against partial scanf() expression matching, resulting in benign
use of uninitialized data,
- don't use rescale map if it was not allocated,
- fix tile index overflow,
- reject XPM if it contains non-whitespace control characters,
- fix forged amount of frames 6755,
- validate header length and offset properties,
- fixed memory leak when tile overflows,
- fix forged amount of frames 7076,
- check for forged image that overflows file size,
- validate size request prior to allocation,
- validate that file size is sufficient for claimed image properties,
- fix signed integer overflow when computing pixels size,
- include number of FITS scenes in file size validations,
- allocate space for null termination and null terminate string,
- validate that samples per pixel is in valid range,
- check whether datablock is really read,
- verify that sufficient backing data exists before allocating memory to
read it,
- duplicate image check for data with fixed geometry,
- CVE-2018-9018: avoid divide-by-zero if delay or timeout properties
changed while ticks_per_second is zero (closes: #894396),
- add checks for EOF,
- validate that PICT rectangles do not have zero dimensions,
- check image pixel limits before allocating memory for tile.
* Backport patch to redesign ReadBlobDwordLSB() to be more effective.
* Backport patch to destroy tile_image in ThrowPICTReaderException() macro
to simplify logic.
* Backport patch to remove shadowed tile_image variable which defeats new
ThrowPICTReaderException() implementation.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 31 Mar 2018 11:05:51 +0000
-
graphicsmagick (1.3.28-1) unstable; urgency=high
* New upstream release, fixing the following security issues among others:
- BMP: Fix non-terminal loop due to unexpected bit-field mask value
(DOS opportunity),
- PALM: Fix heap buffer underflow in builds with QuantumDepth=8,
- SetNexus() Fix heap overwrite under certain conditions due to using a
wrong destination buffer,
- TIFF: Fix heap buffer read overflow in LocaleNCompare() when parsing
NEWS profile.
* Remove previously backported security patches.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 20 Jan 2018 20:19:29 +0000
-
graphicsmagick (1.3.27-4) unstable; urgency=high
* Fix CVE-2018-5685: infinite loop in ReadBMPImage() (closes: #887158).
* Fix memory leak of global colormap.
* Fix memory leak of chunk and mng_info in error path.
* Update Standards-Version to 4.1.3 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 15 Jan 2018 19:06:43 +0000
-
graphicsmagick (1.3.27-3) unstable; urgency=high
* Fix heap-buffer-overflow on LocaleNCompare() .
* Add some assertions to verify that the image pointer provided by libwebp
is valid.
* Fix NULL pointer dereference in ReadMNGImage() .
* Fix CVE-2017-17913: stack-buffer-overflow in WriteWEBPImage() .
* Fix CVE-2017-17915: heap-buffer-overflow in ReadMNGImage() .
-- Laszlo Boszormenyi (GCS) <email address hidden> Wed, 27 Dec 2017 22:12:30 +0000
-
graphicsmagick (1.3.27-2) unstable; urgency=high
* Fix CVE-2017-17782: heap-based buffer over-read in ReadOneJNGImage()
(closes: #884905).
* Fix CVE-2017-17783: buffer over-read in ReadPALMImage() (closes: #884904).
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 25 Dec 2017 17:18:01 +0000
-
graphicsmagick (1.3.27-1) unstable; urgency=medium
* New upstream release.
* Remove previously backported security patches.
* Update library symbols for this release.
* Add libwebp-dev dependency to libgraphicsmagick1-dev (closes: #863564).
* Update Standards-Version to 4.1.2 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 10 Dec 2017 17:12:28 +0000
-
graphicsmagick (1.3.26-19) unstable; urgency=high
* Fix CVE-2017-16669: heap buffer overflow in AcquireCacheNexus()
(closes: #881391).
* Fix CVE-2017-13134: heap buffer overflow in SFWScan() (closes: #881524).
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 11 Nov 2017 09:12:53 +0000
-
graphicsmagick (1.3.26-18) unstable; urgency=high
* Fix CVE-2017-16547: remote denial of service (negative strncpy and
application crash).
* Fix CVE-2017-16545: NULL pointer dereference (write) with malformed WPG
image.
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 06 Nov 2017 17:02:07 +0000
-
graphicsmagick (1.3.26-17) unstable; urgency=high
* Fix CVE-2017-16353: heap read overflow vulnerability in DescribeImage() .
* Fix CVE-2017-16352: heap-based buffer overflow vulnerability in
DescribeImage() .
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 02 Nov 2017 05:57:25 +0000
-
graphicsmagick (1.3.26-15) unstable; urgency=high
* Fix CVE-2017-13737: invalid free in MagickFree() (closes: #878511).
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 15 Oct 2017 20:03:26 +0000
-
graphicsmagick (1.3.26-14) unstable; urgency=high
* Fix CVE-2017-15277: assure that global colormap is fully initialized in
ReadGIFImage() .
* Fix memory leak in WriteGIFImage() .
* Fix CVE-2017-15238: use after free in ReadJNGImage() .
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 12 Oct 2017 18:50:19 +0000
-
graphicsmagick (1.3.26-13) unstable; urgency=high
* Fix CVE-2017-14733: heap out of bounds read in ReadRLEImage() .
* Fix CVE-2017-14994: NULL pointer dereference in DICOM Decoder.
* Fix CVE-2017-14997: memory allocation error due to malformed image file.
* Update Standards-Version to 4.1.1 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Wed, 04 Oct 2017 20:42:21 +0000
-
graphicsmagick (1.3.26-12) unstable; urgency=high
* Update upstream changelog for CVE-2017-14103 .
* Fix CVE-2017-14649: denial of service due to assertion failure in
AcquireImagePixels() (closes: #876460).
* Update Standards-Version to 4.1.0:
- change graphicsmagick-dbg priority to optional.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 24 Sep 2017 08:14:32 +0000
-
graphicsmagick (1.3.26-11) unstable; urgency=high
* Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 21 Sep 2017 16:22:42 +0000
-
graphicsmagick (1.3.26-9) unstable; urgency=high
* Fix CVE-2017-14165: remote denial of service due to memory allocation
failure in magickmalloc (closes: #874724).
* Fix CVE-2017-14042: memory allocation failure in MagickRealloc()
(closes: #873538).
-- Laszlo Boszormenyi (GCS) <email address hidden> Sat, 09 Sep 2017 12:45:00 +0000
-
graphicsmagick (1.3.26-8) unstable; urgency=high
* Fix CVE-2017-13775: denial of service issue in ReadJNXImage() .
* Fix CVE-2017-13776 and CVE-2017-13777: denial of service issue in
ReadXBMImage() .
* Fix memory leak vulnerability in ReadJNGImage() which allows attackers to
cause a denial of service via a crafted file.
* Fix double-free after reading a malformed JNG.
* Fix CVE-2017-14103: the ReadJNGImage() and ReadOneJNGImage() functions do
not properly manage image pointers after certain error conditions, which
allows remote use-after-free attacks via a crafted file, related to a
ReadMNGImage() out-of-order CloseBlob() call. This vulnerability exists
because of an incomplete fix for CVE-2017-11403 .
* Fix CVE-2017-8350: crash while reading a malformed JNG file.
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 04 Sep 2017 18:50:34 +0000
-
graphicsmagick (1.3.26-7) unstable; urgency=high
* Fix CVE-2017-13063: heap-based buffer overflow vulnerability in the
GetStyleTokens() function (closes: #873130).
* Fix CVE-2017-13064: another heap-based buffer overflow vulnerability in
the GetStyleTokens() function (closes: #873129).
* Fix CVE-2017-13065: NULL pointer dereference vulnerability in the
SVGStartElement() function (closes: #873119).
-- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 24 Aug 2017 19:53:07 +0000
-
graphicsmagick (1.3.26-5) unstable; urgency=medium
* Handle mangling change for conversion operators in GCC 7 (closes: #871306).
[ John Paul Adrian Glaubitz <email address hidden> ]
* Honor 'nocheck' in DEB_BUILD_OPTIONS (closes: #842787).
-- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 07 Aug 2017 19:25:42 +0000
-
graphicsmagick (1.3.26-3) unstable; urgency=high
* Fix CVE-2017-11140: denial of service (resource consumption) via crafted
JPEG files.
* Fix apparent off-by-one error in MNG FRAM change_clipping processing.
* Fix out-of-order CloseBlob() and DestroyImageList() .
-- Laszlo Boszormenyi (GCS) <email address hidden> Wed, 12 Jul 2017 16:27:23 +0000