imagemagick (8:6.7.7.10-6ubuntu3.13) trusty-security; urgency=medium

  [ Steve Beattie ]
  * SECURITY UPDATE: code execution vulnerabilities in ghostscript as
    invoked by imagemagick
    - debian/patches/200-disable-ghostscript-formats.patch: disable
      ghostscript handled types by default in policy.xml
  * SECURITY UPDATE: information leak in ReadXBMImage
    - debian/patches/CVE-2018-16323.patch: don't leave data
      uninitialized with negative pixels
    - CVE-2018-16323
  * SECURITY UPDATE: memory leak of colormap in WriteMPCImage
    - debian/patches/CVE-2018-14434.patch: free colormap on bad
      color depth
    - CVE-2018-14434
  * SECURITY UPDATE: memory leak in DecodeImage
    - debian/patches/CVE-2018-14435.patch: free memory when given a
      bad plane
    - CVE-2018-14435
  * SECURITY UPDATE: memory leak in ReadMIFFImage
    - debian/patches/CVE-2018-14436.patch: free memory when given a bad
      depth
    - CVE-2018-14436
  * SECURITY UPDATE: memory leak in parse8BIM
    - debian/patches/CVE-2018-14437-prereq.patch: check for negative
      values
    - debian/patches/CVE-2018-14437.patch: free strings in error
      conditions
    - CVE-2018-14437
  * SECURITY UPDATE: memory leak in ReadOneJNGImage
    - debian/patches/CVE-2018-16640-prereq-1.patch: define DestroyJNG()
    - debian/patches/CVE-2018-16640-prereq-2.patch: fix DestroyJNG()
    - debian/patches/CVE-2018-16640.patch: free memory on error
    - CVE-2018-16640
  * SECURITY UPDATE: denial of service due to out-of-bounds write
    in InsertRow
    - debian/patches/CVE-2018-16642.patch: improve checking for errors
    - CVE-2018-16642
  * SECURITY UPDATE: denial of service due to missing fputc checks
    - debian/patches/CVE-2018-16643.patch: check fputc calls for error
    - CVE-2018-16643
  * SECURITY UPDATE: denial of service in ReadDCMImage and
    ReadPICTImage
    - debian/patches/CVE-2018-16644-prereq-1.patch: make
      ReadRectangle() a boolean returning function and use it.
    - debian/patches/CVE-2018-16644-prereq-2.patch: check for EOF
      when reading from file
    - debian/patches/CVE-2018-16644-prereq-3.patch: define
      ThrowPICTException() macro and use it
    - debian/patches/CVE-2018-16644-1.patch,
      debian/patches/CVE-2018-16644-2.patch: check for invalid length
    - CVE-2018-16644
  * SECURITY UPDATE: excessive memory allocation issue in ReadBMPImage
    - debian/patches/CVE-2018-16645.patch: ensure number_colors is
      not too large
    - CVE-2018-16645
  * SECURITY UPDATE: denial of service in ReadOneJNGImage
    - debian/patches/CVE-2018-16749.patch: check for NULL color_image
    - CVE-2018-16749
  * SECURITY UPDATE: memory leak in formatIPTCfromBuffer
    - debian/patches/CVE-2018-16750.patch: free memory on error
    - CVE-2018-16750

  [ Marc Deslauriers ]
  * SECURITY REGRESSION: segfault in png to gif conversion (LP: #1793485)
    - debian/patches/0297-CVE-2017-13144.patch: removed pending further
      investigation.
    - debian/patches/CVE-2017-12430.patch: refreshed.

 -- Steve Beattie <email address hidden>  Fri, 28 Sep 2018 11:21:01 -0700
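The entry above only names 200-disable-ghostscript-formats.patch; the changelog does not reproduce its contents. As an added illustration (not the Ubuntu patch itself and not text from this changelog), this is the shape of a policy.xml fragment that denies the coders ImageMagick hands to Ghostscript. The list of patterns is an assumption based on the formats that use the gs delegate; the file location is distribution dependent.

```xml
<!-- Added example, not the contents of the Ubuntu patch. Place the <policy>
     entries inside the <policymap> element of ImageMagick's policy.xml
     (the path varies by distribution). rights="none" denies both read and
     write for the named coder, so a file of that format is refused by the
     policy instead of being passed to Ghostscript. The pattern list is an
     assumption: these are the formats ImageMagick delegates to gs. -->
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

To confirm which policy is active on a host, `convert -list policy` prints the loaded policy map; with the entries above in place, asking ImageMagick to read a PostScript or PDF file should be refused by the policy rather than invoking gs. Hosts that legitimately need PDF or PostScript conversion should re-enable only the coder they require and keep Ghostscript itself patched.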
imagemagick (8:6.7.7.10-6ubuntu3.12) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in ReadBMPImage and WriteBMPImage
    - debian/patches/CVE-2018-12599.patch: use proper lengths in
      coders/bmp.c.
    - CVE-2018-12599
  * SECURITY UPDATE: out-of-bounds write in ReadDIBImage and WriteDIBImage
    - debian/patches/CVE-2018-12600.patch: use proper lengths in
      coders/dib.c.
    - CVE-2018-12600
  * SECURITY UPDATE: memory leak in XMagickCommand
    - debian/patches/CVE-2018-13153.patch: free memory in magick/animate.c.
    - CVE-2018-13153

 -- Marc Deslauriers <email address hidden>  Tue, 10 Jul 2018 10:15:44 -0400
imagemagick (8:6.7.7.10-6ubuntu3.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.7.7.10-5+deb7u22 release. Thanks to Markus Koschany,
      Chris Lamb, and Roberto C. Sánchez for the excellent work this
      update is based on!
    - debian/patches/CVE-201[78]*.patch: backport large number of upstream
      security patches.
    - CVE-2017-10995, CVE-2017-11533, CVE-2017-11535, CVE-2017-11537,
      CVE-2017-11639, CVE-2017-11640, CVE-2017-12140, CVE-2017-12429,
      CVE-2017-12430, CVE-2017-12431, CVE-2017-12432, CVE-2017-12435,
      CVE-2017-12563, CVE-2017-12587, CVE-2017-12640, CVE-2017-12643,
      CVE-2017-12670, CVE-2017-12674, CVE-2017-12691, CVE-2017-12692,
      CVE-2017-12693, CVE-2017-12875, CVE-2017-12877, CVE-2017-12983,
      CVE-2017-13134, CVE-2017-13139, CVE-2017-13142, CVE-2017-13143,
      CVE-2017-13144, CVE-2017-13758, CVE-2017-13768, CVE-2017-13769,
      CVE-2017-14060, CVE-2017-14172, CVE-2017-14173, CVE-2017-14174,
      CVE-2017-14175, CVE-2017-14224, CVE-2017-14249, CVE-2017-14325,
      CVE-2017-14341, CVE-2017-14342, CVE-2017-14343, CVE-2017-14400,
      CVE-2017-14505, CVE-2017-14531, CVE-2017-14607, CVE-2017-14682,
      CVE-2017-14739, CVE-2017-14741, CVE-2017-14989, CVE-2017-15016,
      CVE-2017-15017, CVE-2017-15277, CVE-2017-15281, CVE-2017-16546,
      CVE-2017-17504, CVE-2017-17682, CVE-2017-17879, CVE-2017-17914,
      CVE-2017-18252, CVE-2017-18271, CVE-2017-18273, CVE-2017-1000445,
      CVE-2017-1000476, CVE-2018-7443, CVE-2018-8804, CVE-2018-8960,
      CVE-2018-10177, CVE-2018-11251

 -- Marc Deslauriers <email address hidden>  Fri, 08 Jun 2018 12:00:47 -0400
imagemagick (8:6.7.7.10-6ubuntu3.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: image composite function regression (LP: #1707015)
    - disabled the following patches which cause issue:
      0224-Ensure-token-does-not-overflow.patch,
      0225-Fix-off-by-one-error-when-checking-token-length.patch,
      0226-Use-proper-cast.patch.

 -- Marc Deslauriers <email address hidden>  Mon, 31 Jul 2017 07:24:18 -0400
imagemagick (8:6.7.7.10-6ubuntu3.8) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u10 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2017-9261, CVE-2017-9262, CVE-2017-9405, CVE-2017-9407,
      CVE-2017-9409, CVE-2017-9439, CVE-2017-9501, CVE-2017-10928,
      CVE-2017-11141, CVE-2017-11170, CVE-2017-11188, CVE-2017-11352,
      CVE-2017-11360, CVE-2017-11448, CVE-2017-11449, CVE-2017-11450,
      CVE-2017-11478

 -- Marc Deslauriers <email address hidden>  Fri, 21 Jul 2017 09:58:43 -0400
imagemagick (8:6.7.7.10-6ubuntu3.7) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u9 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943,
      CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346,
      CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350,
      CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354,
      CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765,
      CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142,
      CVE-2017-9143, CVE-2017-9144

 -- Marc Deslauriers <email address hidden>  Fri, 26 May 2017 07:55:05 -0400
imagemagick (8:6.7.7.10-6ubuntu3.6) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u8 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2017-6498, CVE-2017-6500

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2017 09:23:56 -0400
imagemagick (8:6.7.7.10-6ubuntu3.5) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u7 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2016-8707, CVE-2016-10062, CVE-2016-10144, CVE-2016-10145,
      CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508,
      CVE-2017-5510, CVE-2017-5511

 -- Marc Deslauriers <email address hidden>  Thu, 02 Mar 2017 15:10:05 -0500
imagemagick (8:6.7.7.10-6ubuntu3.4) trusty-security; urgency=medium

  * SECURITY REGRESSION: test label regression (LP: #1646485)
    - debian/patches/0161-Do-not-ignore-SetImageBias-bias-value.patch:
      updated to fix bad backport.
    - debian/patches/0162-Suspend-exception-processing-if-there-are-too-many-e.patch:
      updated to apply cleanly.
  * SECURITY REGRESSION: text coder issue (LP: #1589580)
    - debian/patches/fix_text_coder.patch: add extra check to coders/mvg.c,
      fix logic in coders/txt.c.

 -- Marc Deslauriers <email address hidden>  Wed, 22 Feb 2017 10:04:25 -0500
imagemagick (8:6.7.7.10-6ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: backport security fixes from Debian's
      8:6.8.9.9-5+deb8u6 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2016-7799, CVE-2016-8677, CVE-2016-8862, CVE-2016-9556

 -- Marc Deslauriers <email address hidden>  Tue, 29 Nov 2016 09:48:17 -0500
imagemagick (8:6.7.7.10-6ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: backport large quantity of security fixes,
      including fixes from Debian's 8:6.8.9.9-5+deb8u5 release. Thanks to
      Bastien Roucariès for the excellent work this update is based on!
    - CVE-2014-8354, CVE-2014-8355, CVE-2014-8562, CVE-2014-8716,
      CVE-2014-9805, CVE-2014-9806, CVE-2014-9807, CVE-2014-9808,
      CVE-2014-9809, CVE-2014-9810, CVE-2014-9811, CVE-2014-9812,
      CVE-2014-9813, CVE-2014-9814, CVE-2014-9815, CVE-2014-9816,
      CVE-2014-9817, CVE-2014-9818, CVE-2014-9819, CVE-2014-9820,
      CVE-2014-9821, CVE-2014-9822, CVE-2014-9823, CVE-2014-9826,
      CVE-2014-9828, CVE-2014-9829, CVE-2014-9830, CVE-2014-9831,
      CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836,
      CVE-2014-9837, CVE-2014-9838, CVE-2014-9839, CVE-2014-9840,
      CVE-2014-9841, CVE-2014-9843, CVE-2014-9844, CVE-2014-9845,
      CVE-2014-9846, CVE-2014-9847, CVE-2014-9848, CVE-2014-9849,
      CVE-2014-9850, CVE-2014-9851, CVE-2014-9853, CVE-2014-9854,
      CVE-2014-9907, CVE-2015-8894, CVE-2015-8895, CVE-2015-8896,
      CVE-2015-8897, CVE-2015-8898, CVE-2015-8900, CVE-2015-8901,
      CVE-2015-8902, CVE-2015-8903, CVE-2015-8957, CVE-2015-8958,
      CVE-2015-8959, CVE-2016-4562, CVE-2016-4563, CVE-2016-4564,
      CVE-2016-5010, CVE-2016-5687, CVE-2016-5688, CVE-2016-5689,
      CVE-2016-5690, CVE-2016-5691, CVE-2016-5841, CVE-2016-5842,
      CVE-2016-6491, CVE-2016-6823, CVE-2016-7101, CVE-2016-7514,
      CVE-2016-7515, CVE-2016-7516, CVE-2016-7517, CVE-2016-7518,
      CVE-2016-7519, CVE-2016-7520, CVE-2016-7521, CVE-2016-7522,
      CVE-2016-7523, CVE-2016-7524, CVE-2016-7525, CVE-2016-7526,
      CVE-2016-7527, CVE-2016-7528, CVE-2016-7529, CVE-2016-7530,
      CVE-2016-7531, CVE-2016-7532, CVE-2016-7533, CVE-2016-7534,
      CVE-2016-7535, CVE-2016-7537, CVE-2016-7538, CVE-2016-7539

 -- Marc Deslauriers <email address hidden>  Mon, 14 Nov 2016 12:37:16 -0500
imagemagick (8:6.7.7.10-6ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: ImageTragick remote code execution
    - d/p/0076-Disable-EPHEMERAL-URL-HTTPS-MVG-MSL-TEXT-SHOW-WIN-and-PLT-coders.patch
    - d/p/0077-Remove-PLT-Gnuplot-decoder.patch
    - d/p/0078-Sanitize-input-filename-for-http-and-https-delegates.patch
    - d/p/0079-Indirect-filename-must-be-authorized-by-policy.patch
    - d/p/0080-Prevent-indirect-reads-with-label-at.patch
    - d/p/0081-Less-secure-coders-require-explicit-reference.patch
    - CVE-2016-3714
    - CVE-2016-3715
    - CVE-2016-3716
    - CVE-2016-3717
    - CVE-2016-3718
  * SECURITY UPDATE: popen() shell vulnerability
    - d/p/0082-Disable-MAGICKCORE_HAVE_POPEN.patch
    - CVE-2016-5118

 -- Marc Deslauriers <email address hidden>  Wed, 01 Jun 2016 13:13:30 -0400
imagemagick (8:6.7.7.10-6ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via psd
    images processing rle decoding buffer overflow
    - debian/patches/CVE-2014-1958.patch: check lengths in coders/psd.c.
    - CVE-2014-1958
  * SECURITY UPDATE: denial of service via jpeg images with specially-
    crafted restart markers
    - debian/patches/CVE-2014-2030.patch: don't overflow layer_name in
      coders/psd.c.
    - CVE-2014-2030

 -- Marc Deslauriers <email address hidden>  Thu, 06 Mar 2014 11:12:57 -0500
imagemagick (8:6.7.7.10-6ubuntu2) trusty; urgency=medium

  * Build using dh-autoreconf.
  * Configure with --disable-silent-rules
  * Fix link of test cases.
  * Fix freetype header detection.

 -- Matthias Klose <email address hidden>  Sun, 15 Dec 2013 15:40:01 +0100
imagemagick (8:6.7.7.10-6ubuntu1) trusty; urgency=low

  * Resynchronise with Debian. Remaining changes:
    - Make ufraw-batch (universe) a suggestion instead of a recommendation.
    - Don't set MAKEFLAGS in debian/rules; just pass it to the build.
    - Build-depend on libtiff5-dev instead of libtiff-dev.
    - Depend on fftw3-dev as it's in main, not fftw-dev.
    - Don't build-depend on graphicsmagick-imagemagick-compat (universe).
    - Don't use graphicmagick's convert executable just to convert our svg
      into a menu xpm. Instead, run the convert we build.
    - Make libmagickcore-dev depend on liblcms2-dev rather than liblcms-dev.

imagemagick (8:6.7.7.10-6) unstable; urgency=high

  * Security Fix: Buffer overflow "Memory corruption while processing
    GIF comments.", (Closes: #721273).

 -- Colin Watson <email address hidden>  Tue, 29 Oct 2013 16:52:05 -0700
imagemagick (8:6.7.7.10-5ubuntu4) trusty; urgency=low

  * Rebuild for Perl 5.18.

 -- Colin Watson <email address hidden>  Mon, 21 Oct 2013 21:44:32 +0100
imagemagick (8:6.7.7.10-5ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution in GIF
    image comment decoding (LP: #1218248)
    - debian/patches/CVE-2013-4298.patch: properly handle comments in
      coders/gif.c.
    - CVE-2013-4298

 -- Marc Deslauriers <email address hidden>  Mon, 09 Sep 2013 14:49:08 -0400