diff -Nru imagemagick-6.6.9.7/debian/changelog imagemagick-6.6.9.7/debian/changelog --- imagemagick-6.6.9.7/debian/changelog 2017-03-02 20:20:05.000000000 +0000 +++ imagemagick-6.6.9.7/debian/changelog 2017-03-14 13:55:55.000000000 +0000 @@ -1,3 +1,13 @@ +imagemagick (8:6.6.9.7-5ubuntu3.9) precise-security; urgency=medium + + * SECURITY UPDATE: multiple security issues + - debian/patches/*: synchronize security fixes with Debian's + 8:6.8.9.9-5+deb8u8 release. Once again, thanks to Bastien Roucariès + for the excellent work this update is based on! + - CVE-2017-6498, CVE-2017-6500 + + -- Marc Deslauriers Tue, 14 Mar 2017 09:55:55 -0400 + imagemagick (8:6.6.9.7-5ubuntu3.8) precise-security; urgency=medium * SECURITY UPDATE: multiple security issues diff -Nru imagemagick-6.6.9.7/debian/patches/0183-Fix-an-assertion-faillure-in-TGA.patch imagemagick-6.6.9.7/debian/patches/0183-Fix-an-assertion-faillure-in-TGA.patch --- imagemagick-6.6.9.7/debian/patches/0183-Fix-an-assertion-faillure-in-TGA.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.6.9.7/debian/patches/0183-Fix-an-assertion-faillure-in-TGA.patch 2017-03-14 13:55:21.000000000 +0000 @@ -0,0 +1,50 @@ +Backport of: + +From e75ebf3c9b30444948a90ad59e8cd83ea1f28e38 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 19 Jan 2017 19:30:48 -0500 +Subject: [PATCH] Fix an assertion faillure in TGA + +bug: https://github.com/ImageMagick/ImageMagick/pull/359 +bug-debian: https://bugs.debian.org/856878 +origin: https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9 + +(cherry picked from commit 65f75a32a93ae4044c528a987a68366ecd4b46b9) +--- + coders/tga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +Index: imagemagick-6.6.9.7/coders/tga.c +=================================================================== +--- imagemagick-6.6.9.7.orig/coders/tga.c 2017-03-14 09:55:18.100385245 -0400 ++++ imagemagick-6.6.9.7/coders/tga.c 2017-03-14 09:55:18.076384971 -0400 +@@ -640,6 +640,7 @@ + } TargaInfo; + + const char ++ *comment, + *value; + + MagickBooleanType +@@ -690,9 +691,9 @@ + if (image->colorspace != RGBColorspace) + (void) TransformImageColorspace(image,RGBColorspace); + targa_info.id_length=0; +- value=GetImageProperty(image,"comment"); +- if (value != (const char *) NULL) +- targa_info.id_length=(unsigned char) MagickMin(strlen(value),255); ++ comment=GetImageProperty(image,"comment"); ++ if (comment != (const char *) NULL) ++ targa_info.id_length=(unsigned char) MagickMin(strlen(comment),255); + targa_info.colormap_type=0; + targa_info.colormap_index=0; + targa_info.colormap_length=0; +@@ -750,7 +751,7 @@ + (void) WriteBlobByte(image,targa_info.attributes); + if (targa_info.id_length != 0) + (void) WriteBlob(image,targa_info.id_length,(unsigned char *) +- value); ++ comment); + if (targa_info.image_type == TargaColormap) + { + unsigned char diff -Nru imagemagick-6.6.9.7/debian/patches/0184-Fix-an-out-of-bound-error-in-sun-file-handling.patch imagemagick-6.6.9.7/debian/patches/0184-Fix-an-out-of-bound-error-in-sun-file-handling.patch --- imagemagick-6.6.9.7/debian/patches/0184-Fix-an-out-of-bound-error-in-sun-file-handling.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.6.9.7/debian/patches/0184-Fix-an-out-of-bound-error-in-sun-file-handling.patch 2017-03-14 15:01:04.000000000 +0000 @@ -0,0 +1,69 @@ +Backport of: + +From 54f90717c1d4e5846d8f99c212048f26796beef4 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 8 Feb 2017 13:38:04 -0500 +Subject: [PATCH] Fix an out of bound error in sun file handling + +bug: https://github.com/ImageMagick/ImageMagick/issues/375 +bug: https://github.com/ImageMagick/ImageMagick/issues/376 +bug-debian: https://bugs.debian.org/856879 +origin: https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528 + +(cherry picked from commit 3007531bfd326c5c1e29cd41d2cd80c166de8528) +--- + coders/sun.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +Index: imagemagick-6.6.9.7/coders/sun.c +=================================================================== +--- imagemagick-6.6.9.7.orig/coders/sun.c 2017-03-14 10:30:27.888471826 -0400 ++++ imagemagick-6.6.9.7/coders/sun.c 2017-03-14 11:01:00.085389263 -0400 +@@ -181,6 +181,21 @@ + return(MagickTrue); + } + ++static MagickBooleanType HeapOverflowSanityCheck(const size_t count, ++ const size_t quantum) ++{ ++ size_t ++ size; ++ ++ size=count*quantum; ++ if ((count == 0) || (quantum != (size/count))) ++ { ++ errno=ENOMEM; ++ return(MagickTrue); ++ } ++ return(MagickFalse); ++} ++ + /* + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + % % +@@ -257,7 +272,8 @@ + size_t + bytes_per_line, + extent, +- height; ++ height, ++ pixels_length; + + ssize_t + count, +@@ -429,8 +445,13 @@ + if ((bytes_per_line >> 1) != (sun_info.width*sun_info.depth+15)) + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + bytes_per_line>>=4; +- sun_pixels=(unsigned char *) AcquireQuantumMemory(height, +- (MagickMax(image->columns,bytes_per_line)+1)*sizeof(*sun_pixels)); ++ if (HeapOverflowSanityCheck(height,MagickMax(image->columns,bytes_per_line)+1) != MagickFalse) ++ { ++ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); ++ ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); ++ } ++ pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1); ++ sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,sizeof(*sun_pixels)); + if (sun_pixels == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + ResetMagickMemory(sun_pixels,0,height*(MagickMax(image->columns, diff -Nru imagemagick-6.6.9.7/debian/patches/series imagemagick-6.6.9.7/debian/patches/series --- imagemagick-6.6.9.7/debian/patches/series 2017-03-02 20:19:28.000000000 +0000 +++ imagemagick-6.6.9.7/debian/patches/series 2017-03-14 13:55:49.000000000 +0000 @@ -172,3 +172,5 @@ 0180-Fix-improper-cast-that-could-cause-an-overflow-as-de.patch 0181-Fix-memory-corruption-heap-overflow-in-psb-file.patch 0182-Detect-write-error-in-ReadGROUP4Image.patch +0183-Fix-an-assertion-faillure-in-TGA.patch +0184-Fix-an-out-of-bound-error-in-sun-file-handling.patch