-
imagemagick (8:6.8.9.9-7ubuntu5.16) xenial-security; urgency=medium
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2019-19948.patch: Fix heap-based buffer overflow in
coders/sgi.c.
- debian/patches/CVE-2019-19949.patch: Fix heap-based buffer overflow in
coders/png.c.
- CVE-2019-19948
- CVE-2019-19949
* SECURITY UPDATE: division by zero
- debian/patches/CVE-2020-27560.patch: Change division to multiplication in
OptimizeLayerFrames in magick/layer.c
- CVE-2020-27560
-- Avital Ostromich <email address hidden> Tue, 17 Nov 2020 17:22:09 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.15) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/CVE-*.patch: backport multiple upstream commits.
- CVE-2019-12974, CVE-2019-12975, CVE-2019-12976, CVE-2019-12977,
CVE-2019-12978, CVE-2019-12979, CVE-2019-13135, CVE-2019-13137,
CVE-2019-13295, CVE-2019-13297, CVE-2019-13300, CVE-2019-13301,
CVE-2019-13304, CVE-2019-13305, CVE-2019-13306, CVE-2019-13307,
CVE-2019-13309, CVE-2019-13310, CVE-2019-13311, CVE-2019-13391,
CVE-2019-13454, CVE-2019-14981, CVE-2019-15139, CVE-2019-15140,
CVE-2019-16708, CVE-2019-16709, CVE-2019-16710, CVE-2019-16711,
CVE-2019-16713
* debian/patches/300-disable-ghostscript-formats.patch: also disable
PS2 and PS3 content per VU#332928 recommendations.
-- Marc Deslauriers <email address hidden> Mon, 11 Nov 2019 13:57:08 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.14) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/CVE-*.patch: backport multiple upstream commits.
- CVE-2017-12805, CVE-2017-12806, CVE-2018-16412, CVE-2018-16413,
CVE-2018-17965, CVE-2018-17966, CVE-2018-18016, CVE-2018-18024,
CVE-2018-18025, CVE-2018-20467, CVE-2019-7175, CVE-2019-7396,
CVE-2019-7397, CVE-2019-7398, CVE-2019-9956, CVE-2019-10131,
CVE-2019-10650, CVE-2019-11470, CVE-2019-11472, CVE-2019-11597,
CVE-2019-11598
-- Marc Deslauriers <email address hidden> Fri, 14 Jun 2019 13:58:31 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.13) xenial-security; urgency=medium
[ Steve Beattie ]
* SECURITY UPDATE: code execution vulnerabilities in ghostscript as
invoked by imagemagick
- debian/patches/200-disable-ghostscript-formats.patch: disable
ghostscript handled types by default in policy.xml
* SECURITY UPDATE: information leak in ReadXBMImage
- debian/patches/CVE-2018-16323.patch: don't leave data
uninitialized with negative pixels
- CVE-2018-16323
* SECURITY UPDATE: memory leak of colormap in WriteMPCImage
- debian/patches/CVE-2018-14434.patch: free colormap on bad
color depth
- CVE-2018-14434
* SECURITY UPDATE: memory leak in DecodeImage
- debian/patches/CVE-2018-14435.patch: free memory when given a
bad plane
- CVE-2018-14435
* SECURITY UPDATE: memory leak in ReadMIFFImage
- debian/patches/CVE-2018-14436.patch: free memory when given a
bad depth
- CVE-2018-14436
* SECURITY UPDATE: memory leak in parse8BIM
- debian/patches/CVE-2018-14437-prereq.patch: check for negative
values
- debian/patches/CVE-2018-14437.patch: free strings in error
conditions
- CVE-2018-14437
* SECURITY UPDATE: memory leak in ReadOneJNGImage
- debian/patches/CVE-2018-16640-prereq-1.patch: define DestroyJNG()
- debian/patches/CVE-2018-16640-prereq-2.patch: fix DestroyJNG()
- debian/patches/CVE-2018-16640.patch: free memory on error
- CVE-2018-16640
* SECURITY UPDATE: denial of service due to out-of-bounds write
in InsertRow
- debian/patches/CVE-2018-16642.patch: improve checking for errors
- CVE-2018-16642
* SECURITY UPDATE: denial of service due to missing fputc checks
- debian/patches/CVE-2018-16643.patch: check fputc calls for error
- CVE-2018-16643
* SECURITY UPDATE: denial of service in ReadDCMImage and
ReadPICTImage
- debian/patches/CVE-2018-16644-prereq-1.patch: check for EOF
when reading from file
- debian/patches/CVE-2018-16644-prereq-2.patch: define
ThrowPICTException() macro and use it
- debian/patches/CVE-2018-16644-1.patch,
debian/patches/CVE-2018-16644-2.patch: check for invalid length
- CVE-2018-16644
* SECURITY UPDATE: excessive memory allocation issue in ReadBMPImage
- debian/patches/CVE-2018-16645.patch: ensure number_colors is
not too large
- CVE-2018-16645
* SECURITY UPDATE: denial of service in ReadOneJNGImage
- debian/patches/CVE-2018-16749.patch: check for NULL color_image
- CVE-2018-16749
* SECURITY UPDATE: memory leak in formatIPTCfromBuffer
- debian/patches/CVE-2018-16750.patch: free memory on error
- CVE-2018-16750
[ Marc Deslauriers ]
* SECURITY REGRESSION: segfault in png to gif conversion (LP: #1793485)
- debian/patches/0261-CVE-2017-13144.patch: removed pending
further investigation.
- debian/patches/CVE-2017-12430.patch: refreshed.
-- Steve Beattie <email address hidden> Fri, 28 Sep 2018 11:19:54 -0700
-
imagemagick (8:6.8.9.9-7ubuntu5.12) xenial-security; urgency=medium
* SECURITY UPDATE: out-of-bounds write in ReadBMPImage and WriteBMPImage
- debian/patches/CVE-2018-12599.patch: use proper lengths in
coders/bmp.c.
- CVE-2018-12599
* SECURITY UPDATE: out-of-bounds write in ReadDIBImage and WriteDIBImage
- debian/patches/CVE-2018-12600.patch: use proper lengths in
coders/dib.c.
- CVE-2018-12600
* SECURITY UPDATE: memory leak in XMagickCommand
- debian/patches/CVE-2018-13153.patch: free memory in magick/animate.c.
- CVE-2018-13153
-- Marc Deslauriers <email address hidden> Tue, 10 Jul 2018 10:10:29 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.11) xenial-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/02*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u12 release. Thanks to Markus Koschany and
Moritz Muehlenhoff for the excellent work this update is based on!
- debian/patches/CVE-201[78]*.patch: backport large number of upstream
security patches.
- CVE-2017-10995, CVE-2017-11352, CVE-2017-11533, CVE-2017-11535,
CVE-2017-11537, CVE-2017-11639, CVE-2017-11640, CVE-2017-12140,
CVE-2017-12429, CVE-2017-12430, CVE-2017-12431, CVE-2017-12432,
CVE-2017-12435, CVE-2017-12563, CVE-2017-12587, CVE-2017-12640,
CVE-2017-12643, CVE-2017-12670, CVE-2017-12674, CVE-2017-12691,
CVE-2017-12692, CVE-2017-12693, CVE-2017-12875, CVE-2017-12877,
CVE-2017-12983, CVE-2017-13134, CVE-2017-13139, CVE-2017-13142,
CVE-2017-13143, CVE-2017-13144, CVE-2017-13145, CVE-2017-13758,
CVE-2017-13768, CVE-2017-13769, CVE-2017-14060, CVE-2017-14172,
CVE-2017-14173, CVE-2017-14174, CVE-2017-14175, CVE-2017-14224,
CVE-2017-14249, CVE-2017-14325, CVE-2017-14341, CVE-2017-14342,
CVE-2017-14343, CVE-2017-14400, CVE-2017-14505, CVE-2017-14531,
CVE-2017-14532, CVE-2017-14607, CVE-2017-14624, CVE-2017-14625,
CVE-2017-14626, CVE-2017-14682, CVE-2017-14739, CVE-2017-14741,
CVE-2017-14989, CVE-2017-15015, CVE-2017-15016, CVE-2017-15017,
CVE-2017-15277, CVE-2017-15281, CVE-2017-16546, CVE-2017-17504,
CVE-2017-17681, CVE-2017-17682, CVE-2017-17879, CVE-2017-17914,
CVE-2017-18209, CVE-2017-18211, CVE-2017-18252, CVE-2017-18271,
CVE-2017-18273, CVE-2017-1000445, CVE-2017-1000476, CVE-2018-5248,
CVE-2018-7443, CVE-2018-8804, CVE-2018-8960, CVE-2018-9133,
CVE-2018-10177, CVE-2018-11251
-- Marc Deslauriers <email address hidden> Fri, 08 Jun 2018 09:35:43 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.9) xenial-security; urgency=medium
* SECURITY REGRESSION: image composite function regression (LP: #1707015)
- disabled the following patches which cause issues:
0224-Ensure-token-does-not-overflow.patch,
0225-Fix-off-by-one-error-when-checking-token-length.patch,
0226-Use-proper-cast.patch.
-- Marc Deslauriers <email address hidden> Fri, 28 Jul 2017 14:22:17 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.8) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u10 release. Once again, thanks to Bastien Roucariès
for the excellent work this update is based on!
- CVE-2017-9261, CVE-2017-9262, CVE-2017-9405, CVE-2017-9407,
CVE-2017-9409, CVE-2017-9439, CVE-2017-9440, CVE-2017-9501,
CVE-2017-10928, CVE-2017-11141, CVE-2017-11170, CVE-2017-11188,
CVE-2017-11352, CVE-2017-11360, CVE-2017-11447, CVE-2017-11448,
CVE-2017-11449, CVE-2017-11450, CVE-2017-11478
-- Marc Deslauriers <email address hidden> Fri, 21 Jul 2017 09:03:52 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.7) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u9 release. Once again, thanks to Bastien Roucariès
for the excellent work this update is based on!
- CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943,
CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346,
CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350,
CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354,
CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765,
CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142,
CVE-2017-9143, CVE-2017-9144
-- Marc Deslauriers <email address hidden> Fri, 26 May 2017 07:53:43 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.6) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u8 release. Once again, thanks to Bastien Roucariès
for the excellent work this update is based on!
- CVE-2017-6498, CVE-2017-6499, CVE-2017-6500
-- Marc Deslauriers <email address hidden> Tue, 14 Mar 2017 09:05:24 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5.5) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u7 release. Once again, thanks to Bastien Roucariès
for the excellent work this update is based on!
- CVE-2016-8707, CVE-2016-10062, CVE-2016-10144, CVE-2016-10145,
CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508,
CVE-2017-5510, CVE-2017-5511
-- Marc Deslauriers <email address hidden> Thu, 02 Mar 2017 14:59:46 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.4) xenial-security; urgency=medium
* SECURITY REGRESSION: text coder issue (LP: #1589580)
- debian/patches/fix_text_coder.patch: add extra check to coders/mvg.c,
fix logic in coders/txt.c.
-- Marc Deslauriers <email address hidden> Wed, 22 Feb 2017 11:41:06 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.3) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize security fixes with Debian's
8:6.8.9.9-5+deb8u6 release. Once again, thanks to Bastien Roucariès
for the excellent work this update is based on!
- CVE-2016-7799, CVE-2016-7906, CVE-2016-8677, CVE-2016-8862,
CVE-2016-9556
* debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch: add back
changes from 8:6.8.9.9-7ubuntu1 lost during the previous update.
-- Marc Deslauriers <email address hidden> Tue, 29 Nov 2016 07:51:53 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.2) xenial-security; urgency=medium
* SECURITY UPDATE: multiple security issues
- debian/patches/*: synchronize large quantity of security fixes with
Debian's 8:6.8.9.9-5+deb8u5 release. Thanks to Bastien Roucariès for
the excellent work this update is based on!
- CVE-2014-9907, CVE-2015-8957, CVE-2015-8958, CVE-2015-8959,
CVE-2016-4562, CVE-2016-4563, CVE-2016-4564, CVE-2016-5010,
CVE-2016-5687, CVE-2016-5688, CVE-2016-5689, CVE-2016-5690,
CVE-2016-5691, CVE-2016-5841, CVE-2016-5842, CVE-2016-6491,
CVE-2016-6823, CVE-2016-7101, CVE-2016-7513, CVE-2016-7514,
CVE-2016-7515, CVE-2016-7516, CVE-2016-7517, CVE-2016-7518,
CVE-2016-7519, CVE-2016-7520, CVE-2016-7521, CVE-2016-7522,
CVE-2016-7523, CVE-2016-7524, CVE-2016-7525, CVE-2016-7526,
CVE-2016-7527, CVE-2016-7528, CVE-2016-7529, CVE-2016-7530,
CVE-2016-7531, CVE-2016-7532, CVE-2016-7533, CVE-2016-7534,
CVE-2016-7535, CVE-2016-7536, CVE-2016-7537, CVE-2016-7538,
CVE-2016-7539, CVE-2016-7540
-- Marc Deslauriers <email address hidden> Thu, 10 Nov 2016 11:00:17 -0500
-
imagemagick (8:6.8.9.9-7ubuntu5.1) xenial-security; urgency=medium
* SECURITY UPDATE: ImageTragick remote code execution
- d/p/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch
- d/p/0077-Remove-PLT-Gnuplot-decoder.patch
- d/p/0078-Sanitize-input-filename-for-http-and-https-delegates.patch
- d/p/0079-Indirect-filename-must-be-authorized-by-policy.patch
- d/p/0080-Prevent-indirect-reads-with-label-at.patch
- d/p/0081-Less-secure-coders-require-explicit-reference.patch
- debian/rules: build with --with-rsvg.
- CVE-2016-3714
- CVE-2016-3715
- CVE-2016-3716
- CVE-2016-3717
- CVE-2016-3718
* SECURITY UPDATE: popen() shell vulnerability
- d/p/0082-Disable-MAGICKCORE_HAVE_POPEN.patch
- CVE-2016-5118
-- Marc Deslauriers <email address hidden> Wed, 01 Jun 2016 13:02:37 -0400
-
imagemagick (8:6.8.9.9-7ubuntu5) xenial; urgency=medium
* debian/rules: Use LCQUANTUMDEPTH when generating display-im6.desktop too.
Fixes broken icon in .desktop file. (LP: #1558409)
-- Iain Lane <email address hidden> Mon, 18 Apr 2016 13:29:50 +0100
-
imagemagick (8:6.8.9.9-7ubuntu4) xenial; urgency=medium
* Fix backport of d6054824 to include dropped parentheses
(LP: #1549942).
-- Nishanth Aravamudan <email address hidden> Wed, 16 Mar 2016 09:44:09 -0700
-
imagemagick (8:6.8.9.9-7ubuntu3) xenial; urgency=medium
* Add backport of 54b752c3 to fix color behavior (LP: #1549942).
-- Nishanth Aravamudan <email address hidden> Tue, 08 Mar 2016 09:22:10 -0800
-
imagemagick (8:6.8.9.9-7ubuntu2) xenial; urgency=medium
* Add backport of a54fe0e8 to fix segmentation faults during
php-imagick tests (LP: #1549942).
-- Nishanth Aravamudan <email address hidden> Wed, 02 Mar 2016 15:45:35 -0800
-
imagemagick (8:6.8.9.9-7ubuntu1) xenial; urgency=medium
* Add backports of d6054824, 95c8394e and 68c6a7d to
0070-Fix-PixelColor-off-by-one-on-i386.patch (LP: #1549942)
which were missed in "PixelColor off by one on i386
(closes: #811308)
https://github.com/ImageMagick/ImageMagick/issues/54".
-- Nishanth Aravamudan <email address hidden> Thu, 25 Feb 2016 09:11:02 -0800
-
imagemagick (8:6.8.9.9-7) unstable; urgency=low
* Fix various minor security issues
- Fix an integer overflow that can lead to a buffer overrun
in the icon parsing code (LP: #1459747, closes: #806441)
- Fix an integer overflow that can lead to a double free in
pict parsing (LP: #1448803, closes: #806441).
- Memory leak while handling psd file (closes: #811308)
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
- IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
- Null pointer access in magick/constitute.c (closes: #811308)
https://github.com/ImageMagick/ImageMagick/pull/34
- PixelColor off by one on i386 (closes: #811308)
https://github.com/ImageMagick/ImageMagick/issues/54
- Fixed other memory leaks (closes: #811308)
-- Vincent Fourmond <email address hidden> Sun, 17 Jan 2016 21:18:19 +0100
-
imagemagick (8:6.8.9.9-6build1) xenial; urgency=medium
* Rebuild for Perl 5.22.1.
-- Colin Watson <email address hidden> Fri, 18 Dec 2015 01:17:33 +0000
-
imagemagick (8:6.8.9.9-6) unstable; urgency=high
* Fix build on mips by printing progress (Closes: #770009).
* Fix a few security bugs: (closes: #799524)
- A DOS on specially crafted MIFF file (TEMP-0000000-FDAC72).
- A DOS on specially crafted Vicar file (TEMP-0000000-EEF23C).
- A DOS on specially crafted HDR file (TEMP-0000000-7C079F).
- A DOS on specially crafted PDB file (TEMP-0000000-2FC21E).
- Avoid a null pointer dereference in JNG decoder.
- Avoid a DOS for RLE file.
- Avoid double free on TGA file.
- Avoid a buffer overflow by using field limit in sprintf.
- Avoid a stack overflow in fx handling.
* Replace density of 1 for JPEG by unknown working around
a TeX bug (Closes: #763799).
-- Bastien Roucariès <email address hidden> Sat, 12 Sep 2015 23:06:08 +0200
-
imagemagick (8:6.8.9.9-5ubuntu2) wily; urgency=medium
* No-change rebuild against libopenexr22.
-- Martin Pitt <email address hidden> Thu, 06 Aug 2015 12:28:02 +0200