graphicsmagick (1.3.30+hg15796-1+ubuntu18.04.1+deb.sury.org+2) bionic; urgency=medium
* No-change backport to bionic
graphicsmagick (1.3.30+hg15796-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- WEBP: Fix compiler warnings regarding uninitialized structure members,
- ReadJPEGImage(): Allow libjpeg to use 1/5th of the total memory limit,
- ReadJPEGImage(): Make sure that JPEG pixels array is initialized in
case libjpeg fails to completely initialize it,
- WriteOnePNGImage(): Free png_pixels as soon as possible,
- ReadMIFFImage(): Detect EOF when reading using ReadBlobZC() and avoid
subsequent heap read overflow,
- ReadMVGImage(): Don't assume that in-memory MVG blob is a
null-terminated C string,
- ReadMVGImage(): Don't allow MVG files to side-load a file as the
drawing primitive using '@' syntax,
- FileToBlob(): Use confirm access APIs to verify that read access is
allowed, and verify that file is a regular file,
- ExtractTokensBetweenPushPop() needs to always return a valid pointer
into the primitive string,
- DrawPolygonPrimitive(): Fix leak of polygon set when object is
completely outside image,
- SetNexus(): For requests one pixel tall, SetNexus() was wrongly using
pixels in-core rather than using a staging area for the case where the
nexus rows extend beyond the image raster boundary,
- ReadCINEONImage(): Quit immediately on EOF and detect short files,
- ReadMVGImage(): Fix memory leak,
- Add mechanism to approve embedded subformats in WPG,
- ReadXBMImage(): Add validations for row and column dimensions,
- MAT InsertComplexFloatRow(): Avoid signed overflow,
- InsertComplexFloatRow(): Try not to lose the previous intention while
avoiding signed overflow,
- XBMInteger(): Limit the number of hex digits parsed to avoid signed
integer overflow,
- MAT: More aggressive data corruption checking,
- MAT: Correctly check GetBlobSize(image) even for zipstreams inside
blob,
- MAT: Explicitly reject non-seekable streams,
- DrawImage(): Add missing error-reporting logic to return immediately
upon memory reallocation failure. Apply memory resource limits to
PrimitiveInfo array allocation,
- MagickAtoFChk(): Add additional validation checks for floating point
values. NAN and +/- INFINITY values also map to 0.0,
- ReadMPCImage()/ReadMIFFImage(): Insist that the format be identified
prior to any comment, and that there is only one comment,
- ConvertPrimitiveToPath(): Enlarge PathInfo array allocation to avoid
possible heap write overflow,
- WPG: Fix intentional 64 bit file offset overflow,
- DrawImage(): Be more precise about error detection and reporting,
- TranslateTextEx(): Fix off-by-one in loop bounds check which allowed a
one-byte stack write overflow,
- DrawImage(): Fix excessive memory consumption due to
SetImageAttribute() appending values,
- QuantumTransferMode(): CIE Log images with an alpha channel are not
supported,
- ConvertPrimitiveToPath(): Second attempt to prevent heap write
overflow of PathInfo array,
- ExtractTileJPG(): Enforce that JPEG tiles are read by the JPEG coder,
- MIFF and MPC, need to avoid leaking value allocation (day-old bug),
- ReadSFWImage(): Enforce that file is read using the JPEG reader,
- FindEXIFAttribute()/GenerateEXIFAttribute(): Change size types from
signed to unsigned and check for unsigned overflow,
- GenerateEXIFAttribute(): Eliminate undefined shift,
- TraceEllipse(): Detect arithmetic overflow when computing the number of
points to allocate for an ellipse,
- ReadMNGImage(): mng_LOOP chunk must be at least 5 bytes long,
- ReadJPEGImage(): Apply a default limit of 100 progressive scans before
the reader quits with an error.
* Update library symbols for this release.
graphicsmagick (1.3.30-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Build with all hardening enabled.
graphicsmagick (1.3.29+hg15665-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- use of uninitialized value in IsMonochromeImage(),
- divide by zero in GetPixelOpacity(),
- write beyond array bounds in TraceStrokePolygon(),
- use of uninitialized value in format8BIM(),
- assertion failure in WriteBlob(),
- out of bounds write in TraceEllipse(),
- memory leak and use of uninitialized memory when handling eXIf chunk
in png_malloc(),
- floating point exception in WriteTIFFImage(),
- leak of Image when TIFFReadRGBAImage() reports failure,
- potential leak when compressed object is corrupted,
- floating point exception in WriteTIFFImage(),
- heap double free in Magick::BlobRef::~BlobRef(),
- direct leak in TIFFClientOpen(),
- indirect leak in CloneImage(),
- direct leak in ReadOneJNGImage(),
- heap buffer overflow in put1bitbwtile(),
- use of uninitialized value in SyncImageCallBack(),
- validate tile memory requests for TIFFReadRGBATile().
* Remove profiles/sRGB Color Space Profile.ICM and
jp2/data/colorprofiles/srgb.icm for being non-free.
* Remove zlib/contrib/dotzlib/DotZLib.chm for no source available.
graphicsmagick (1.3.29-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Remove previously backported security patches.
* Update library symbols for this release.
* Update debhelper level to 11.
* Update Standards-Version to 4.1.4.
-- Ondřej Surý <email address hidden> Tue, 16 Oct 2018 05:31:05 +0000