-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.9) focal-security; urgency=medium
* SECURITY UPDATE: command injection vulnerability
- debian/patches/CVE-2020-29599-*.patch: Fix command injection issue in
-authenticate option
- CVE-2020-29599
* SECURITY UPDATE: integer overflow in ExportIndexQuantum()
- debian/patches/CVE-2021-20224.patch: outside the range of representable
values of type 'unsigned char'
- CVE-2021-20224
* SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a
remote attacker to cause a denial of service via a crafted image file
- debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal()
to fix division by zeros in coders/jp2.c
- debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal()
to fix division by zeros in magick/resize.c
- debian/patches/CVE-2021-20244.patch: Avoid division by zero in
magick/fx.c
- debian/patches/CVE-2021-20246.patch: Avoid division by zero in
magick/resample.c
- debian/patches/CVE-2021-20309.patch: Avoid division by zero in
magick/fx.c
- CVE-2021-20241
- CVE-2021-20243
- CVE-2021-20244
- CVE-2021-20246
- CVE-2021-20309
* SECURITY UPDATE: Integer overflow, divide by zero and memory leak in
imagemagick allow a remote attacker to cause a denial of service or
possible leak of cryptographic information via a crafted image file
- debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in
coders/thumbnail.c, division by zero in magick/colorspace.c and
a potential cipher leak in magick/memory.c
- CVE-2021-20312
- CVE-2021-20313
* SECURITY UPDATE: Security Issue when Configuring the ImageMagick
Security Policy
- debian/patches/CVE-2021-39212.patch: Added missing policy checks in
RegisterStaticModules
- CVE-2021-39212
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2022-28463.patch: fix buffer overflow
- CVE-2022-28463
* SECURITY UPDATE: out-of-range value
- debian/patches/CVE-2022-32545.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned char in
coders/psd.c.
- debian/patches/CVE-2022-32546.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned long in
coders/pcl.c.
- CVE-2022-32545
- CVE-2022-32546
* SECURITY UPDATE: load of misaligned address
- debian/patches/CVE-2022-32547.patch: addresses the potential for the
loading of misaligned addresses in magick/property.c.
- CVE-2022-32547
* SECURITY UPDATE: DoS due to SVG parser
- debian/patches/CVE-2023-1289*.patch: erecursion detection
- CVE-2023-1289
* SECURITY UPDATE: integer overflow vulnerability
- debian/patches/CVE-2023-34151*.patch: properly cast double to size_t
- CVE-2023-34151
-- Nishit Majithia <email address hidden> Mon, 26 Jun 2023 11:23:07 +0530
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.7) focal-security; urgency=medium
* SECURITY REGRESSION: Revert additional mitigation.
- debian/patches/CVE-2022-44267_44268-2.patch: Remove bad mitigation via
a policy file.
- debian/patches/CVE-2022-44267_44268.patch: Renamed from
debian/patches/CVE-2022-44267_44268-1.patch.
-- Paulo Flabiano Smorigo <email address hidden> Thu, 30 Mar 2023 11:21:43 -0300
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.6) focal-security; urgency=medium
* SECURITY UPDATE: Additional fix from previous release
- debian/patches/CVE-2022-44267_44268-1.patch: Renamed from
debian/patches/CVE-2022-44268.patch and change the code following
discussion in comment 12 of LP: #2004580.
- debian/patches/CVE-2022-44267_44268-2.patch: Additional mitigation.
- CVE-2022-44267
- CVE-2022-44268
-- Paulo Flabiano Smorigo <email address hidden> Wed, 15 Mar 2023 15:22:06 -0300
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.5) focal-security; urgency=medium
* SECURITY UPDATE: Information Disclosure
- debian/patches/CVE-2022-44268.patch: move -set profile handler to CLI
(LP: #2004580)
- CVE-2022-44268
-- Paulo Flabiano Smorigo <email address hidden> Fri, 24 Feb 2023 11:47:55 -0300
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.4) focal-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/CVE-*.patch: backport multiple upstream commits.
- CVE-2020-19667, CVE-2020-25665, CVE-2020-25666, CVE-2020-25674,
CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-27751,
CVE-2020-27753, CVE-2020-27754, CVE-2020-27755, CVE-2020-27756,
CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27754,
CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763,
CVE-2020-27764, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767,
CVE-2020-27768, CVE-2020-27769, CVE-2020-27770, CVE-2020-27771,
CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775,
CVE-2020-27776, CVE-2021-20176
-- Marc Deslauriers <email address hidden> Thu, 10 Jun 2021 07:52:45 -0400
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.2) focal-security; urgency=medium
* SECURITY UPDATE: division by zero
- debian/patches/CVE-2020-27560.patch: Change division to multiplication in
OptimizeLayerFrames in magick/layer.c
- CVE-2020-27560
-- Avital Ostromich <email address hidden> Wed, 18 Nov 2020 08:52:45 -0500
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.1) focal-security; urgency=medium
* Merge Security patches from Debian.
* SECURITY UPDATE: Heap-based buffer overflow.
- debian/patches/CVE-2019-19948.patch: Fix heap-based buffer overflow
in coders/sgi.c.
- debian/patches/CVE-2019-19949.patch: Fix heap-based buffer overflow
in coders/png.c.
- CVE-2019-19948
- CVE-2019-19949
-- Eduardo Barretto <email address hidden> Wed, 23 Sep 2020 16:17:40 -0300
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11) focal; urgency=medium
* No-change rebuild for libgcc-s1 package name change.
-- Matthias Klose <email address hidden> Tue, 24 Mar 2020 15:05:04 +0100
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu10) focal; urgency=medium
* Rebuild with the new openexr soname
-- Sebastien Bacher <email address hidden> Thu, 05 Dec 2019 13:19:18 +0100
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu9) focal; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/CVE-*.patch: backport multiple upstream commits.
- CVE-2019-12974, CVE-2019-12975, CVE-2019-12976, CVE-2019-12977,
CVE-2019-12978, CVE-2019-12979, CVE-2019-13135, CVE-2019-13137,
CVE-2019-13295, CVE-2019-13297, CVE-2019-13300, CVE-2019-13301,
CVE-2019-13304, CVE-2019-13305, CVE-2019-13306, CVE-2019-13307,
CVE-2019-13308, CVE-2019-13309, CVE-2019-13310, CVE-2019-13311,
CVE-2019-13391, CVE-2019-13454, CVE-2019-14981, CVE-2019-15139,
CVE-2019-15140, CVE-2019-16708, CVE-2019-16709, CVE-2019-16710,
CVE-2019-16711, CVE-2019-16713
* debian/patches/200-disable-ghostscript-formats.patch: also disable
PS2 and PS3 content per VU#332928 recommendations.
-- Marc Deslauriers <email address hidden> Mon, 11 Nov 2019 08:42:03 -0500
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu8) focal; urgency=medium
* Build without libheif, to untangle the perl transition.
-- Matthias Klose <email address hidden> Mon, 21 Oct 2019 16:41:25 +0200
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu7) focal; urgency=medium
* No-change rebuild for the perl update.
-- Matthias Klose <email address hidden> Sat, 19 Oct 2019 12:17:03 +0000
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu6) eoan; urgency=medium
* Revert last upload, now the transitions have ended, and security team
thinks we have to fix packages failing to build, instead of reverting a
security fix (see: LP bug: 1839596)
-- Gianfranco Costamagna <email address hidden> Wed, 18 Sep 2019 17:18:53 +0200
-
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu3) eoan; urgency=medium
* SECURITY UPDATE: code execution vulnerabilities in ghostscript as
invoked by imagemagick
- debian/patches/200-disable-ghostscript-formats.patch: disable
ghostscript handled types by default in policy.xml
- debian/tests/rose-*: remove pdf tests.
-- Marc Deslauriers <email address hidden> Thu, 20 Jun 2019 10:40:31 -0400
