imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high * Acknowledge NMU * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder * Fix an heap buffer overflow in TIFF coder * Fix uninitialised value passing in TIFFGetField * Fix stack overflow in TIFF coder * Early exit in case of malformed TIFF file * Fix buffer overrun in TIFF coder * Fix unitialised value in TIFF coder * Fix CVE-2022-1115: Heap based overflow in TIFF coder (Closes: #1013282) * Fix uninitialised value in TIFF coders * Use salsa-ci * Fix CVE-2023-1289: A specially created SVG file loaded itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G. * Fix CVE-2023-1906: A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service. * Fix CVE-2023-34151: Imagemagick was vulnerable due to an undefined behaviors of casting double to size_t in svg, mvg and other coders. (Closes: #1036999) * Fix CVE-2023-3428: A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service. * Fix CVE-2023-5341: A heap use-after-free flaw was found in coders/bmp.c -- Bastien Roucariès <rouca@debian.org> Mon, 12 Feb 2024 20:15:47 +0000 imagemagick (8:6.9.11.60+dfsg-1.6) unstable; urgency=high * Non-maintainer upload [ Moritz Mühlenhoff ] * Fix CVE-2022-44267 / CVE-2022-44268 (Closes: #1030767) (LP: #2004580) -- Jeremy Bicha <jbicha@ubuntu.com> Thu, 16 Feb 2023 16:06:07 -0500 imagemagick (8:6.9.11.60+dfsg-1.5) unstable; urgency=high * Non-maintainer upload [ Nishit Majithia ] * SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a remote attacker to cause a denial of service via a crafted image file - debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal() to fix division by zeros in coders/jp2.c - debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal() to fix division by zeros in magick/resize.c - debian/patches/CVE-2021-20244.patch: Avoid division by zero in magick/fx.c - debian/patches/CVE-2021-20245.patch: Avoid division by zero in oders/webp.c - debian/patches/CVE-2021-20246.patch: Avoid division by zero in magick/resample.c - debian/patches/CVE-2021-20309.patch: Avoid division by zero in magick/fx.c - CVE-2021-20241 - CVE-2021-20243 - CVE-2021-20244 - CVE-2021-20245 - CVE-2021-20246 - CVE-2021-20309 * SECURITY UPDATE: Integer overflow, divide by zero and memory leak in imagemagick allow a remote attacker to cause a denial of service or possible leak of cryptographic information via a crafted image file - debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in coders/thumbnail.c, division by zero in magick/colorspace.c and a potential cipher leak in magick/memory.c - CVE-2021-20312 - CVE-2021-20313 * SECURITY UPDATE: memory leaks when executing convert command - debian/patches/CVE-2021-3574.patch: fix memory leaks - CVE-2021-3574 * SECURITY UPDATE: Security Issue when Configuring the ImageMagick Security Policy - debian/patches/CVE-2021-39212.patch: Added missing policy checks in RegisterStaticModules - CVE-2021-39212 (Closes: #996588) * SECURITY UPDATE: DoS while processing crafted SVG files - debian/patches/CVE-2021-4219.patch: fix denial of service - CVE-2021-4219 * SECURITY UPDATE: use-after-free in magick - debian/patches/CVE-2022-1114.patch: fix use-after-free in magick at dcm.c - CVE-2022-1114 * SECURITY UPDATE: heap-based buffer overflow - debian/patches/CVE-2022-28463.patch: fix buffer overflow - CVE-2022-28463 (Closes: #1013282) * SECURITY UPDATE: out-of-range value - debian/patches/CVE-2022-32545.patch: addresses the possibility for the use of a value that falls outside the range of an unsigned char in coders/psd.c. - debian/patches/CVE-2022-32546.patch: addresses the possibility for the use of a value that falls outside the range of an unsigned long in coders/pcl.c. - CVE-2022-32545 - CVE-2022-32546 * SECURITY UPDATE: load of misaligned address - debian/patches/CVE-2022-32547.patch: addresses the potential for the loading of misaligned addresses in magick/property.c. - CVE-2022-32547 (Closes: #1016442) -- Jeremy Bicha <jbicha@ubuntu.com> Sat, 04 Feb 2023 21:50:44 -0500 imagemagick (8:6.9.11.60+dfsg-1.4) unstable; urgency=medium * Non-maintainer upload. [ Vagrant Cascadian ] * debian/rules: Pass MVDelegate and RMDelegate to configure. (Closes: #983303) -- Paul Gevers <elbrus@debian.org> Sat, 31 Dec 2022 22:36:57 +0100 imagemagick (8:6.9.11.60+dfsg-1.3) unstable; urgency=medium * Non-maintainer upload. * autopkgtest: Drop PDF related tests which will fail after disabling ghostscript handled formats by default (Closes: #987247) -- Salvatore Bonaccorso <carnil@debian.org> Tue, 20 Apr 2021 16:37:59 +0200 imagemagick (8:6.9.11.60+dfsg-1.2) unstable; urgency=medium * Non-maintainer upload. * Disable ghostscript handled formats based on -SAFER insecurity -- Salvatore Bonaccorso <carnil@debian.org> Mon, 19 Apr 2021 20:16:51 +0200 imagemagick (8:6.9.11.60+dfsg-1.1) unstable; urgency=medium * Non-maintainer upload. * Import upstream patch to fix font size (Closes: #980202). -- Jochen Sprickerhof <jspricke@debian.org> Tue, 13 Apr 2021 20:58:45 +0200 imagemagick (8:6.9.11.60+dfsg-1) unstable; urgency=high * New upstream version - Bug fix: "gscan2pdf tests fail", thanks to Sergio Durigan Junior (Closes: #980202). -- Bastien Roucariès <rouca@debian.org> Mon, 01 Feb 2021 16:22:02 +0000 imagemagick (8:6.9.11.58+dfsg-1) unstable; urgency=medium * New upstream version: - Fix error on i386 with php * Bug fix (workarround): "Many doubled www/www; broken links on index.html", thanks to 積丹尼 Dan Jacobson (Closes: #978138). -- Bastien Roucariès <rouca@debian.org> Fri, 22 Jan 2021 21:59:16 +0000 imagemagick (8:6.9.11.57+dfsg-1) unstable; urgency=medium * New upstream version: - Bug fix: "CVE-2020-29599", imagemagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. Thanks to Salvatore Bonaccorso (Closes: #977205). - Bug fix: "CVE-2020-27560: Division by Zero in function OptimizeLayerFrames", thanks to Salvatore Bonaccorso (Closes: #972797). * Fix dh_doxygen FTBFS (Closes: #971216) -- Bastien Roucariès <rouca@debian.org> Mon, 11 Jan 2021 22:14:26 +0000 imagemagick (8:6.9.11.24+dfsg-1) unstable; urgency=medium * Acknowledge NMU * New upstream version: - Fix CVE-2019-11470: Cineon image parsing DOS (Closes: #927830). - Fix CVE-2019-11472: XWD image parsing DOS (Closes: #927828). - Fix CVE-2020-13902: Heap based overflow in TIFF image decoding. (Closes: #928207). - Fix CVE-2019-11598: Heap-based buffer over-read in PNM image decoding (Closes: #928206). - Fix CVE-2019-12974: NULL pointer dereference in pango coder. (Closes: #931196). - Fix CVE-2019-12977: use of uninitialized value" vulnerability in the WriteJP2Image of jp2 coder (Closes: #931191). - Fix CVE-2019-12978: use of uninitialized value" vulnerability in the pango coder. (Closes: #931190). - Fix CVE-2019-12979: use of uninitialized value" vulnerability in MagickCore/image.c (Closes: #931189). - Fix CVE-2019-13135: use of uninitialized value" vulnerability in the cut coder (Closes: #932079). - Fix CVE-2019-13295: Heap-based buffer over-read in MagickCore/threshold.c (Closes: #931457). - Fix CVE-2019-13297: Heap-based buffer over-read in MagickCore/threshold.c (Closes: #931455). - Fix CVE-2019-13300: heap-based buffer overflow in MagickCore/statistic.c (Closes: #931454). - Fix CVE-2019-13304: stack-based buffer overflow for PNM image (Closes: #931453). - Fix CVE-2019-13305: stack-based buffer overflow for PNM image (Closes: #931452). - Fix CVE-2019-13306: stack-based buffer overflow for PNM image (Closes: #931449). - Fix CVE-2019-13307: heap-based buffer overflow in MagickCore/statistic.c (Closes: #931448). - Fix CVE-2019-13308: heap-based buffer overflow in MagickCore/fourier.c (Closes: #931447). - Fix CVE-2019-13391: heap-based buffer over-read (Closes: #931633). - Fix CVE-2019-13454: Division by Zero in MagickCore/layer.c (Closes: #931740). - Fix CVE-2019-14981: divide-by-zero in MeanShiftImage (Closes: #955025). - Fix CVE-2019-15139: DOS for XWD images (Closes: #941670). - Fix CVE-2019-15140: DOS for mat images (Closes: #941671). - Fix CVE-2019-19948: Heap-based buffer overflow in SGI coder (Closes: #947308). - Fix CVE-2019-19949: Heap buffer over-read in PNG coder (Closes: #947309). - Fix CVE-2020-10251: out-of-bounds read vulnerability for HEIC coder (Closes: #953741). - Fix CVE-2020-13902: heap-based buffer over-read for TIFF coder. * Bug fix: "Updating the imagemagick Uploaders list", thanks to Tobias Frost (Closes: #962110). Thanks Nelson A. de Oliveira * Add link in api doc dir to assets javascript library * Fix a typo in convert man page (Closes: #953279,#947983,#921594). * Fix a pkgconfig error that pull q16 instead of q16hdri (Closes: #950282). -- Bastien Roucariès <rouca@debian.org> Mon, 27 Jul 2020 03:13:36 +0200 # Older entries have been removed from this changelog. # To read the complete changelog use `apt changelog libmagick++-6.q16-8`.
Generated by dwww version 1.15 on Sat May 18 08:22:46 CEST 2024.