Change logs for imagemagick source package in Artful

  • imagemagick (8:6.9.7.4+dfsg-16ubuntu2.3) artful-security; urgency=medium
    
      * SECURITY UPDATE: out-of-bounds write in ReadBMPImage and WriteBMPImage
        - debian/patches/CVE-2018-12599.patch: use proper lengths in
          coders/bmp.c.
        - CVE-2018-12599
      * SECURITY UPDATE: out-of-bounds write in ReadDIBImage and WriteDIBImage
        - debian/patches/CVE-2018-12600.patch: use proper lengths in
          coders/dib.c.
        - CVE-2018-12600
      * SECURITY UPDATE: memory leak in XMagickCommand
        - debian/patches/CVE-2018-13153.patch: free memory in magick/animate.c.
        - CVE-2018-13153
    
     -- Marc Deslauriers <email address hidden>  Tue, 10 Jul 2018 10:09:43 -0400
  • imagemagick (8:6.9.7.4+dfsg-16ubuntu2.2) artful-security; urgency=medium
    
      * SECURITY UPDATE: Multiple security issues
        - debian/patches/CVE-201[78]*.patch: backport large number of upstream
          security patches.
        - CVE-2017-12140, CVE-2017-12418, CVE-2017-12433, CVE-2017-12644,
          CVE-2017-12674, CVE-2017-12691, CVE-2017-12692, CVE-2017-12693,
          CVE-2017-12875, CVE-2017-12877, CVE-2017-12983, CVE-2017-13058,
          CVE-2017-13059, CVE-2017-13060, CVE-2017-13061, CVE-2017-13062,
          CVE-2017-13131, CVE-2017-13134, CVE-2017-13758, CVE-2017-13768,
          CVE-2017-13769, CVE-2017-14060, CVE-2017-14172, CVE-2017-14173,
          CVE-2017-14174, CVE-2017-14175, CVE-2017-14224, CVE-2017-14249,
          CVE-2017-14325, CVE-2017-14326, CVE-2017-14341, CVE-2017-14342,
          CVE-2017-14343, CVE-2017-14400, CVE-2017-14505, CVE-2017-14531,
          CVE-2017-14532, CVE-2017-14533, CVE-2017-14607, CVE-2017-14624,
          CVE-2017-14625, CVE-2017-14626, CVE-2017-14682, CVE-2017-14684,
          CVE-2017-14739, CVE-2017-14741, CVE-2017-14989, CVE-2017-15015,
          CVE-2017-15016, CVE-2017-15017, CVE-2017-15032, CVE-2017-15033,
          CVE-2017-15217, CVE-2017-15218, CVE-2017-15277, CVE-2017-15281,
          CVE-2017-16546, CVE-2017-17499, CVE-2017-17504, CVE-2017-17680,
          CVE-2017-17681, CVE-2017-17682, CVE-2017-17879, CVE-2017-17881,
          CVE-2017-17882, CVE-2017-17884, CVE-2017-17885, CVE-2017-17886,
          CVE-2017-17887, CVE-2017-17914, CVE-2017-17934, CVE-2017-18008,
          CVE-2017-18022, CVE-2017-18027, CVE-2017-18028, CVE-2017-18029,
          CVE-2017-18209, CVE-2017-18211, CVE-2017-18251, CVE-2017-18252,
          CVE-2017-18254, CVE-2017-18271, CVE-2017-18273, CVE-2017-1000445,
          CVE-2017-1000476, CVE-2018-5246, CVE-2018-5247, CVE-2018-5248,
          CVE-2018-5357, CVE-2018-5358, CVE-2018-6405, CVE-2018-7443,
          CVE-2018-8804, CVE-2018-8960, CVE-2018-9133, CVE-2018-10177,
          CVE-2018-10804, CVE-2018-10805, CVE-2018-11251, CVE-2018-11625,
          CVE-2018-11655, CVE-2018-11656
    
     -- Marc Deslauriers <email address hidden>  Thu, 07 Jun 2018 19:56:33 -0400
  • imagemagick (8:6.9.7.4+dfsg-16ubuntu2) artful; urgency=medium
    
      * No-change rebuild for GCC 7 abi mangling change.
    
     -- Matthias Klose <email address hidden>  Mon, 07 Aug 2017 15:21:52 +0000
  • imagemagick (8:6.9.7.4+dfsg-16ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Thu, 03 Aug 2017 14:54:15 +0200
  • imagemagick (8:6.9.7.4+dfsg-15ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 31 Jul 2017 14:55:21 +0200
  • imagemagick (8:6.9.7.4+dfsg-14ubuntu2) artful; urgency=medium
    
      * Fix build, due to bad patch
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 29 Jul 2017 12:12:32 +0200
  • imagemagick (8:6.9.7.4+dfsg-14ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 29 Jul 2017 11:22:46 +0200
  • imagemagick (8:6.9.7.4+dfsg-13ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
    imagemagick (8:6.9.7.4+dfsg-13) unstable; urgency=high
    
      * Fix a typo in changelog about CVE numbers
      * Security fixes:
        + Really Fix CVE-2017-9500 (Closes: #867778)
          An assertion failure was found in the function
          ResetImageProfileIterator, which allows attackers to cause a denial
          of service via a crafted file.
        + Fix CVE-2017-11446 (Closes: #868950)
          The ReadPESImage function in coders\pes.c has an infinite
          loop vulnerability that can cause CPU exhaustion via a crafted
          PES file.
        + CVE-2017-11523: endless loop in ReadTXTImage
          If text image file only contains "MagickID..." line,
          it will cause ReadTXTImage to infinite loop.
          (Closes: #869210).
        + Use after free in ReadWMFImage
          When identifying a WMF file, a crafted file revealed a use-after-free
          vulnerability. (Closes: #869715).
        + CVE-2017-11534: Memory-Leak in lite_font_map()
          In coders/wmf.c a memory leak is triggered by a crafted file.
          (Closes: #869711).
        + CVE-2017-11537: palm coder FPE
          When ImageMagick processes a crafted file in convert, it can
          lead to a Floating Point Exception (FPE) in the WritePALMImage()
          function in coders/palm.c, related to an incorrect bits-per-pixel
          calculation.
          (Closes: #869712)
        + Memory leak in WritePALMImage
          Fix memory leak due to crafted file in palm coder.
          (Closes: #869721)
        + Fix another memory leak in quantize.c
          (Closes: #869722)
        + CVE-2017-11531 Memory-Leak in WriteHISTOGRAMImage()
          A crafted file could trigger a
          Memory-Leak in WriteHISTOGRAMImage() coders/histogram.c
          (Closes: #869725)
        + Avoid a crash in mpc coder
          A crafted file could trigger a crash in the mpc coder.
          (Closes: #869728).
        + Fix a memory leak in enhance.c
          Fix a potential memory leak if memory could not be allocated for one
          of histogram or stretch_map.
          If both cannot be allocated, there is no memory leak. If only one is
          allocated and the other fails,
          there is a memory leak of the one that could not be allocated. There
          is very little chance the allocations would fail.
          (Closes: #869769).
        + Fix a memory leak in jpeg and mpc coder
          A leak due to exception handling exists in MPC and JPEG coder.
          This could be triggered by a crafted file.
          (Closes: #869791).
        + Fix memory exhaustion in mpc coder
          When identifying an MPC file, imagemagick will allocate memory to store
          the data.
          The function StringToUnsignedLong converts a string to unsigned long
          type, but the return value was not checked.
          Here is my policy.xml to limit memory usage, but 256MB limit
          can be bypassed.
          (Closes: #869727).
        + Fix a leak in mpc file due to corrupted profiles
          (Closes: #869796).
        + CVE-2017-11532: memory leak
          When Imagemagick processes a crafted file in convert,
          it can lead to a Memory Leak in the WriteMPCImage() function in coders/mpc.c.
          (Closes: #869726)
        + CVE-2017-11535: heap based overflow in ps.c
          When ImageMagick processes a crafted file in
          convert, it can lead to a heap-based buffer over-read in the
          WritePSImage() function in coders/ps.c.
          (Closes: #869827)
        + CVE-2017-11536 memory leak in jp2 coder
          When ImageMagick processes a crafted file in convert, it
          can lead to a Memory Leak in the WriteJP2Image() function in
          coders/jp2.c.
          (Closes: #869831)
        + Fix a crash in jp2 codec
          Lack of validation of jp2 could lead to a crash
          (Closes: #869830)
        + CVE-2017-11533: heap buffer overflow in uil coder
          When ImageMagick processes a crafted file in convert, it can
          lead to a heap-based buffer over-read in the WriteUILImage() function
          in coders/uil.c.
          (Closes: #869834)
    
     -- Gianfranco Costamagna <email address hidden>  Fri, 28 Jul 2017 10:51:57 +0200
  • imagemagick (8:6.9.7.4+dfsg-12ubuntu2) artful; urgency=medium
    
      * No-change rebuild for perl 5.26.0.
    
     -- Matthias Klose <email address hidden>  Wed, 26 Jul 2017 20:03:07 +0000
  • imagemagick (8:6.9.7.4+dfsg-12ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 15 Jul 2017 22:17:06 +0200
  • imagemagick (8:6.9.7.4+dfsg-11ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Tue, 06 Jun 2017 11:04:42 +0200
  • imagemagick (8:6.9.7.4+dfsg-10ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 03 Jun 2017 11:17:10 +0200
  • imagemagick (8:6.9.7.4+dfsg-9ubuntu1) artful; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main.
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
    imagemagick (8:6.9.7.4+dfsg-9) unstable; urgency=high
    
      * Security fixes assertion failure and memory leaks:
        + Check for EOF conditions for RLE image format. (Closes: #863126).
          Fix CVE-2017-9144.
        + A crafted file revealed an assertion failure in blob.c.
          (Closes: #863125).
          Fix CVE-2017-9142.
        + A crafted file revealed an assertion failure in profile.c.
          (Closes: #863124). Fix CVE-2017-9142.
        + Specially crafted arts file could lead to memory leak.
          (Closes: #863123). Fix CVE-2017-9143.
      * Fix an information leak due to the use of uninitialized memory
        in RLE decoder. (Closes: #862967). Fix CVE-2017-9098.
    
    imagemagick (8:6.9.7.4+dfsg-8) unstable; urgency=high
    
      * Bug fix: "Built-Using field with binary version", thanks to Aurelien
        Jarno (Closes: #862690).
    
    imagemagick (8:6.9.7.4+dfsg-7) unstable; urgency=medium
    
      * Fix a few security bugs:
        + Fix CVE-2017-8343: The ReadAAIImage function in
          aai.c allows attackers to cause a denial of service
          (memory leak) via a crafted file. (Closes: #862572).
        + Fix CVE-2017-8344: Fix DOS in PCX file coders.
          (Closes: #862574).
        + Fix CVE-2017-8345: The ReadMNGImage function in png.c allows
          attackers to cause a denial of service (memory leak)
          via a crafted file. (Closes: #862573)
        + Fix CVE-2017-8346: The ReadDCMImage function in dcm.c allows
          attackers to cause a denial of service (memory leak) via a crafted
          file. (Closes: #862575).
        + Fix CVE-2017-8347: Fix DOS in EXR file coders. (Closes: #862577).
        + Fix CVE-2017-8348: Fix DOS in MAT file coders. (Closes: #862578).
        + Fix CVE-2017-8349: Fix DOS in SWF file coders. (Closes: #862579).
        + Fix CVE-2017-8350: Fix DOS in png file coders. (Closes: #862587).
        + Fix CVE-2017-8351: Fix DOS in pcd file coders. (Closes: #862589).
        + Fix CVE-2017-8352: Fix DOS in xwd file coders. (Closes: #862590).
        + Fix CVE-2017-8353: Fix DOS in pict file coders. (Closes: #862632).
        + Fix CVE-2017-8354: Fix DOS in bmp file coders. (Closes: #862633).
        + Fix CVE-2017-8355: Fix DOS in mtv file coders. (Closes: #862634).
        + Fix CVE-2017-8356: Fix DOS in sun file coders. (Closes: #862635).
        + Fix CVE-2017-8357: Fix DOS in ept file coders. (Closes: #862636).
        + Fix CVE-2017-8765: Fix DOS in icon file coders. (Closes: #862653).
        + Fix CVE-2017-8830: Fix DOS in bmp file coders. (Closes: #862637).
    
     -- Marc Deslauriers <email address hidden>  Tue, 30 May 2017 10:24:23 -0400
  • imagemagick (8:6.9.7.4+dfsg-6ubuntu2) artful; urgency=medium
    
      * Re-demote libjxr-tools Recommends to Suggests; dropped in merge.
    
     -- Adam Conrad <email address hidden>  Sat, 22 Apr 2017 17:40:34 -0600
  • imagemagick (8:6.9.7.4+dfsg-6ubuntu1) artful; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main (LP: #711061).
          + Regenerate d/control file with `debian/rules update_pkg`
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 22 Apr 2017 14:48:26 +0200
  • imagemagick (8:6.9.7.4+dfsg-3ubuntu1) zesty; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
          but is not in main (LP: #711061).
          + Regenerate d/control file with `debian/rules update_pkg`
        - demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
          Recommends on libjxr-tools to Suggests, as it is in universe.
    
     -- Gianfranco Costamagna <email address hidden>  Fri, 07 Apr 2017 23:25:27 +0200