graphicsmagick (1.4+really1.3.40-4) unstable; urgency=medium
* Remove development ifdef from memory leak fix.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Mon, 17 Apr 2023 19:17:10 +0200
graphicsmagick (1.4+really1.3.40-3) unstable; urgency=high
* Backport security fixes:
- MIFF reader able to provide attribute data in way which results in
a heap overflow,
- SetImageAttribute(): eliminate memory leak when handling attribute
with key "EXIF:Orientation".
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 16 Apr 2023 14:21:32 +0200
graphicsmagick (1.4+really1.3.40-2) unstable; urgency=medium
* Don't force tiff dependency, let shlibs handle it (closes: #1029212).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Thu, 19 Jan 2023 19:44:45 +0100
graphicsmagick (1.4+really1.3.40-1) unstable; urgency=medium
* New upstream release.
* Update Standards-Version to 4.6.1 .
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 15 Jan 2023 08:33:55 +0100
graphicsmagick (1.4+really1.3.39-2) unstable; urgency=medium
* Backport security fix WritePCXImage(): Fix heap overflow when writing
more than 1023 scenes, and also eliminate use of uninitialized memory.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 30 Dec 2022 23:25:30 +0100
graphicsmagick (1.4+really1.3.39-1) unstable; urgency=medium
* New upstream release.
* Enable JPEG XL format support (closes: #1026220).
* Migrate gsfonts dependencies to fonts-urw-base35 (closes: #1020373).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Tue, 27 Dec 2022 08:32:14 +0100
graphicsmagick (1.4+really1.3.38+hg16870-1) unstable; urgency=high
* Mercurial snapshot, fixing several security issues.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 11 Dec 2022 07:59:31 +0100
graphicsmagick (1.4+really1.3.38+hg16739-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issue:
- ReadSVGImage(): null pointer dereference by checking return from
xmlCreatePushParserCtxt() .
* Restore non-const Image::colorMapSize() since it caused an ABI change
(closes: #1019158).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Tue, 06 Sep 2022 18:30:49 +0200
graphicsmagick (1.4+really1.3.38+hg16728-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ThrowLoggedException(): dereference after NULL check,
- ReadJP2Image(): division by float zero,
- MagickXMakeMagnifyImage(): division by zero,
- ScaleImage(): resource leak,
- GetLocaleMessageFromTag(): out of bounds read,
- DrawPrimitive(): out of bounds access,
- ReadOnePNGImage(): use of uninitialized value,
- ReadMNGImage(): heap use after free in CloseBlob(),
- ReadMNGImage(): indirect leak,
- ReadOnePNGImage(): indirect leak in MagickMallocCleared().
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Thu, 11 Aug 2022 23:50:27 +0200
graphicsmagick (1.4+really1.3.38-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Update watch file.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 27 Mar 2022 09:47:45 +0200
graphicsmagick (1.4+really1.3.37+hg16670-1) unstable; urgency=medium
* Mercurial snapshot:
- ReadJPEGImage(): Store embedded profiles in image, even if in 'ping'
mode (closes: #1006374).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 26 Feb 2022 17:55:22 +0100
graphicsmagick (1.4+really1.3.37+hg16662-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following security issues:
- ReadMATImageV4(): change 'ldblk' to size_t and check related
calculations for overflow and to avoid possible negative seek offsets,
- ReadMATImage(): change 'ldblk' to size_t and check related calculations
for overflow and to avoid possible negative seek offsets,
- added a ReadResource limit via the MAGICK_LIMIT_READ environment
variable on how many uncompressed file bytes may be read while decoding
an input file,
- DecodeImage(): assure that the claimed scanline length is within the
bounds of the scanline allocation to avoid possible heap overflow,
- ReadBlob(): fix EOF logic, an use-of-uninitialized-value in
SyncImageCallBack,
- ReadBlobStream(): fix EOF logic, an use-of-uninitialized-value in
WritePNMImage.
* Build with HEIF image format support.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 11 Feb 2022 18:39:16 +0100
graphicsmagick (1.4+really1.3.37-1) unstable; urgency=high
* New upstream release, including many security fixes.
* Update library symbols for this release.
[ Vagrant Cascadian <vagrant@reproducible-builds.org> ]
* Pass MVDelegate to configure for fixing reproducible builds on usrmerge
systems (closes: #990084).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Mon, 13 Dec 2021 17:50:54 +0100
graphicsmagick (1.4+really1.3.36+hg16481-2) unstable; urgency=medium
* Backport fix for use appropriate memory deallocator for memory returned
by StringToList() (closes: #991380).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 24 Jul 2021 11:42:42 +0200
graphicsmagick (1.4+really1.3.36+hg16481-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ProcessStyleClassDefs(): fix non-terminal loop caused by a
self-referential list which results in huge memory usage,
- MSLCDataBlock(): fix leak of value from xmlNewCDataBlock(),
- ProcessStyleClassDefs(): fix memory leak upon malformed class name list,
- ProcessStyleClassDefs(): fix non-terminal loop and huge memory
allocation caused by self-referential list,
- SVGReference(): fix memory leak when parser node is null,
- MSLStartElement(): fix assertion in TranslateText() when there are no
attributes available.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 28 Feb 2021 23:26:56 +0100
graphicsmagick (1.4+really1.3.36+hg16472-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadJP2Image(): validate that file header is a format we expect Jasper
to decode,
- MSLPushImage(): only clone attributes if not null,
- SVGStartElement(): reject impossibly small bounds and view_box width
or height.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Mon, 22 Feb 2021 06:54:42 +0100
graphicsmagick (1.4+really1.3.36+hg16469-1) unstable; urgency=medium
* Mercurial snapshot:
- MagickDoubleToLong(): Guard against LONG_MAX not directly representable
as a double,
- handle Ghostscript point versions added after 9.52 .
* Make libgraphicsmagick1-dev depend on pkg-config (closes: #977699).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 21 Feb 2021 08:24:57 +0100
graphicsmagick (1.4+really1.3.36+hg16462-1) unstable; urgency=medium
* Mercurial snapshot:
- ExecuteModuleProcess(): add error reporting for the case that the
expected symbol is not resolved,
- AnalyzeImage(): add OpenMP speed-ups,
- TranslateTextEx(): fabricate default resolution values if the actual
resolution values are zero.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 07 Feb 2021 15:04:57 +0100
graphicsmagick (1.4+really1.3.36+hg16448-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- coders/tiff.c: remove unintended double-charging for memory resource,
- magick/pixel_cache.c: use resource limited memory allocator,
- InverseAffineMatrix(): avoid possible division by zero or absurdly
extreme scaling.
* Add upstream metadata.
* Update watch file.
* Update packaging bits.
[ Helmut Grohne <helmut@subdivi.de> ]
* Reduce Build-Depends (closes: #980721):
+ Drop unused libexif-dev.
+ Annotate sharutils with <!nocheck> as uudecode is conditionally used in
d/rules.
+ Annotate gsfonts with <!nocheck> as it is only used in unit tests.
+ Drop unused transfig as d/rules passes --without-frozenpaths.
+ Drop unused libltdl-dev as d/rules passes --without-modules.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 23 Jan 2021 10:10:54 +0100
graphicsmagick (1.4+really1.3.36+hg16442-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- super_fgets_w() and super_fgets(): assure that returned pointer
value is the same as reported via 'b',
- ReadIdentityImage(): don't lose exception info if an image is not
returned,
- ReadMETAImage(): fix double-free if blob buffer was reallocated after
being attached to blob,
- ReadGIFImage(): fix memory leak of global_colormap if realloc of memory
for comment fails.
* Fix broken reading of planar RGB files.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 08 Jan 2021 18:02:36 +0100
graphicsmagick (1.4+really1.3.36-1) unstable; urgency=high
* New upstream release, fixing the following security issues:
- update almost all of the remaining coders to use the resource-limited
memory allocator,
- ReadMPCImage(): heap-buffer-overflow read,
- EdgeImage(): fix null pointer dereference if edge image failed to be
created,
- CompareImageCommand() and CompositeImageCommand(): fix memory leaks when
an input image failed to be read,
- fix several null pointer dereference if an image failed to be created,
- Classify(): remove variables from function global scope that don't need
outer scope,
- ReadMIFFImage() and ReadMPCImage(): arbitrarily limit the number of
header keywords to avoid DOS attempts.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 27 Dec 2020 07:44:36 +0100
graphicsmagick (1.4+really1.3.35+hg16404-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following issue:
- ImportRLEPixels(): Change from C assertion to exception report.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 18 Dec 2020 20:18:42 +0100
graphicsmagick (1.4+really1.3.35+hg16397-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following issue:
- fix a regression with parsing MVG and SVG files which contain a "mask"
statement.
* Update debhelper level to 13 .
* Update Standards-Version to 4.5.1 .
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 12 Dec 2020 20:44:16 +0100
graphicsmagick (1.4+really1.3.35+hg16394-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- DrawImage(): Verify that affine scaling factors are not zero - fixing
divide-by-zero in InverseAffineMatrix() ,
- DrawPolygonPrimitive(): Thread error status check was at wrong scope,
resulting in code executing when it should have quit,
- DrawImage(): Use unique image attribute space for MVG symbols - fixing
stack-overflow in DrawImage() and integer-overflow in
DrawPolygonPrimitive() .
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 06 Dec 2020 10:37:34 +0100
graphicsmagick (1.4+really1.3.35+hg16390-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following security issues:
- DrawImage(): Reject pattern image with a dimension of zero,
- add private interfaces for allocating memory while respecting resource
limits and use them in MVG rendering and MIFF reader code,
- WriteMIFFImage(): Update to use resource-limit respecting memory
allocators,
- adjust test suite memory limit to 128/256/512MB for Q8/Q16/Q32 builds,
- ConvertPathToPolygon(): Fix memory leak upon memory reallocation
failure,
- ReadSVGImage(): Fix memory leak due to CDATA block, and some other
possible small leaks,
- WritePSImage(): Fix problem when writing PseudoClass mage with a
colormap larger than two entries as bilevel,
- DrawPolygonPrimitive(): Try to minimize the impact of too many threads
due to replicated data,
- ConvertPathToPolygon(): Make sure not to leak points from added Edge,
- DrawDashPolygon(): Place an aribrary limit on stroke dash polygon unit
maximum length,
- ConvertPathToPolygon(): Attempt to fix leak of 'points' on memory
allocation failure,
- BMP: Use resource-limited memory allocator,
- DIB: Use resource-limited memory allocator,
- FITS: Use resource-limited memory allocator,
- WriteJBIGImage(): Use resource-limited memory allocator,
- WEBP: Use resource-limited memory allocator,
- ReadGIFImage(): Use resource-limited memory allocator when reading the
comment extension,
- ReadOneJNGImage(): Fix issues related to invoking sub-decoders (which
may lead to unexpected behavior),
- MAT: Use resource-limited memory allocator.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Thu, 03 Dec 2020 21:22:54 +0100
graphicsmagick (1.4+really1.3.35+hg16348-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- DrawPrimitive(): destroy composite_image since it may be a list, fixing
indirect memory leak in MagickMalloc() ,
- DrawPrimitive(): missing DestroyImageList() request if multiple-frames
were returned,
- ConstituteImage(): set image depth appropriately based on StorageType
and QuantumDepth.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 17 Oct 2020 07:49:58 +0200
graphicsmagick (1.4+really1.3.35+hg16344-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- integer overflow in DrawImage() ,
- stack-overflow due to DrawImage() / DrawClipPath() recursion,
- fix UBSAN integer overflow warning in MagickXVisualColormapSize() ,
- ExtractTokensBetweenPushPop(): verify that the expected/required pop
statement is indeed found,
- DrawImage(): handle the case that ExtractTokensBetweenPushPop() can
return NULL,
- ReadTIFFImage(): apply the same resource limits to TIFF tile sizes as
apply to the image itself,
- GetImageBoundingBox(): MagickTrimImage() with extreme fuzz can produce
image with negative width,
- ReadTIFFImage(): ignore corrupt whitepoint and primary chromaticities
tags,
- ResizeImage(): if CloneImage() of resize_image to source_image fails
then free source_image allocation before returning in order to prevent
memory leak,
- CloneImage(): free clone_image allocation if ImgExtra allocation fails
in order to prevent memory leak.
* Remove unsafe quotes from mailcap entries.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 11 Oct 2020 18:16:39 +0200
graphicsmagick (1.4+really1.3.35+hg16297-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- fix WPG heap-buffer-overflow in ImportGrayQuantumType(),
- fix WPG heap-buffer-overflow in InsertRow(),
- fix WPG thrown assertion due to a double-free of memory.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 07 Jun 2020 21:02:16 +0200
graphicsmagick (1.4+really1.3.35+hg16296-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadWPGImage(): Terminate reading when a pixel cache resource limit is
hit rather than moving on to heap buffer overflow,
- WriteTIFFImage(): WebP compression only supports a depth of 8; fixes
use-of-uninitialized-value in GammaToLinear.
* Update library symbols for this release.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Wed, 03 Jun 2020 17:49:58 +0200
graphicsmagick (1.4+really1.3.35-2) unstable; urgency=high
* Backport security fix for CVE-2020-12672, MNG: small heap overwrite or
assertion if magnifying and image to be magnified has rows or columns == 1
(closes: #960000).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 30 May 2020 17:41:09 +0200
graphicsmagick (1.4+really1.3.35-1) unstable; urgency=high
* New upstream release, fixing the following security issues among others:
- ReadSVGImage(): Fix dereference of NULL pointer when stopping image
timer,
- DrawImage(): Fix integer-overflow in DrawPolygonPrimitive() .
* Update library symbols for this release.
[ Nicolas Boulenguez <nicolas@debian.org> ]
* mime: improve formatting.
* mime: adjust priority for all images (closes: #951758).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sun, 23 Feb 2020 20:42:10 +0000
graphicsmagick (1.4+really1.3.34+hg16230-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following security issues:
- WritePICTImage(): Eliminating small buffer overrun when run-length
encoding pixels,
- WriteOneJNGImage(): Detect when JPEG encoder has failed, and throw
exception,
- DecodeImage(): Fix heap buffer over-reads,
- DecodeImage(): Allocate extra scanline memory to allow small
RLE overrun.
* Update library symbols for this release.
* Update Standards-Version to 4.5.0 .
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 07 Feb 2020 19:02:36 +0000
graphicsmagick (1.4+really1.3.34+hg16181-1) unstable; urgency=medium
* Mercurial snapshot, fixing the following security issue:
- WritePCXImage(): Fix heap overflow in PCX writer when bytes per line
value overflows its 16-bit storage unit.
* Fix definition of ResourceInfinity.
[ Nicolas Boulenguez <nicolas@debian.org> ]
* Lower MIME priority for PS/PDF (closes: #935099).
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 28 Dec 2019 18:58:57 +0000
graphicsmagick (1.4+really1.3.34-2) unstable; urgency=medium
* Still use glibc malloc allocator.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Wed, 25 Dec 2019 10:09:02 +0000
graphicsmagick (1.4+really1.3.34-1) unstable; urgency=high
* New upstream release, fixing the following security issues among others:
- PNMInteger(): Place a generous arbitrary limit on the amount of PNM
comment text to avoid DoS opportunity,
- MagickClearException(): Destroy any existing exception info before
re-initializing the exception info or else there will be a memory leak,
- HuffmanDecodeImage(): Fix signed overflow on range check which leads
to heap overflow,
- ReadMNGImage(): Only magnify the image if the requested magnification
methods are supported,
- GenerateEXIFAttribute(): Add validations to prevent heap buffer
overflow,
- DrawPatternPath(): Don't leak memory if fill_pattern or stroke_pattern
of cloned draw_info are not null,
- CVE-2019-19953: PICT: Throw a writer exception if the PICT width limit
is exceeded (closes: #947311).
* Build with Google Thread-Caching Malloc library.
* Update Standards-Version to 4.4.1 .
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Tue, 24 Dec 2019 20:23:10 +0000
graphicsmagick (1.4+really1.3.33+hg16117-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issue:
- CVE-2019-16709: ReadDPSImage(): Fix memory leak when OpenBlob()
reports failure.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Thu, 10 Oct 2019 22:57:35 +0000
graphicsmagick (1.4+really1.3.33+hg16115-1) unstable; urgency=high
* Mercurial snapshot, fixing the following security issues:
- ReadMNGImage(): skip coalescing layers if there is only one layer,
- DrawStrokePolygon(): handle case where TraceStrokePolygon() returns
NULL,
- DrawDashPolygon(): handle case where DrawStrokePolygon() returns
MagickFail,
- TraceBezier(): detect arithmetic overflow and return errors via
normal error path rather than exiting,
- ExtractTokensBetweenPushPop(): fix non-terminal parsing loop,
- GenerateEXIFAttribute(): check that we are not being directed to read
an IFD that we are already parsing and quit in order to avoid a loop,
- ReallocColormap(): avoid dereferencing a NULL pointer if
image->colormap is NULL,
- png_read_raw_profile(): fix validation of raw profile length,
- TraceArcPath(): substitute a lineto command when tracing arc is
impossible,
- GenerateEXIFAttribute(): skip unsupported/invalid format 0.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Sat, 28 Sep 2019 10:57:12 +0000
graphicsmagick (1.4+really1.3.33-1) unstable; urgency=medium
* New upstream release, including many security fixes.
-- Laszlo Boszormenyi (GCS) <gcs@debian.org> Thu, 25 Jul 2019 16:43:39 +0000
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog graphicsmagick`.
Generated by dwww version 1.15 on Sat May 18 11:59:59 CEST 2024.