imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high

  * Acknowledge NMU
  * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
  * Fix a heap buffer overflow in TIFF coder
  * Fix uninitialised value passing in TIFFGetField
  * Fix stack overflow in TIFF coder
  * Early exit in case of malformed TIFF file
  * Fix buffer overrun in TIFF coder
  * Fix uninitialised value in TIFF coder
  * Fix CVE-2022-1115: Heap based overflow in
    TIFF coder (Closes: #1013282)
  * Fix uninitialised value in TIFF coders
  * Use salsa-ci
  * Fix CVE-2023-1289: A specially created SVG file loads itself and
    causes a segmentation fault. This flaw allows a remote attacker
    to pass a specially crafted SVG file that leads to a segmentation
    fault, generating many trash files in "/tmp," resulting in
    a denial of service. When ImageMagick crashes,
    it generates a lot of trash files. These trash files
    can be large if the SVG file contains many render actions.
    In a denial of service attack, if a remote attacker uploads an SVG file
    of size t, ImageMagick generates files of size 103*t.
    If an attacker uploads a 100M SVG, the server will generate about 10G.
  * Fix CVE-2023-1906: A heap-based buffer overflow issue was
    discovered in ImageMagick's ImportMultiSpectralQuantum() function
    in MagickCore/quantum-import.c. An attacker could pass a specially
    crafted file to convert, triggering an out-of-bounds read error,
    allowing an application to crash, resulting in a denial of service.
  * Fix CVE-2023-34151: ImageMagick was vulnerable due to
    undefined behavior of casting double to size_t in svg, mvg
    and other coders. (Closes: #1036999)
  * Fix CVE-2023-3428: A heap-based buffer overflow vulnerability
    was found in coders/tiff.c in ImageMagick. This issue
    may allow a local attacker to trick the user into opening
    a specially crafted file, resulting in an application crash
    and denial of service.
  * Fix CVE-2023-5341: A heap use-after-free flaw was found in
    coders/bmp.c

 -- Bastien Roucariès <rouca@debian.org>  Mon, 12 Feb 2024 20:15:47 +0000

imagemagick (8:6.9.11.60+dfsg-1.6) unstable; urgency=high

  * Non-maintainer upload

  [ Moritz Mühlenhoff ]
  * Fix CVE-2022-44267 / CVE-2022-44268 (Closes: #1030767) (LP: #2004580)

 -- Jeremy Bicha <jbicha@ubuntu.com>  Thu, 16 Feb 2023 16:06:07 -0500

imagemagick (8:6.9.11.60+dfsg-1.5) unstable; urgency=high

  * Non-maintainer upload

  [ Nishit Majithia ]
  * SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a
    remote attacker to cause a denial of service via a crafted image file
    - debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal()
      to fix division by zeros in coders/jp2.c
    - debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal()
      to fix division by zeros in magick/resize.c
    - debian/patches/CVE-2021-20244.patch: Avoid division by zero in
      magick/fx.c
    - debian/patches/CVE-2021-20245.patch: Avoid division by zero in
      coders/webp.c
    - debian/patches/CVE-2021-20246.patch: Avoid division by zero in
      magick/resample.c
    - debian/patches/CVE-2021-20309.patch: Avoid division by zero in
      magick/fx.c
    - CVE-2021-20241
    - CVE-2021-20243
    - CVE-2021-20244
    - CVE-2021-20245
    - CVE-2021-20246
    - CVE-2021-20309
  * SECURITY UPDATE: Integer overflow, divide by zero and memory leak in
    imagemagick allow a remote attacker to cause a denial of service or
    possible leak of cryptographic information via a crafted image file
    - debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in
      coders/thumbnail.c, division by zero in magick/colorspace.c and
      a potential cipher leak in magick/memory.c
    - CVE-2021-20312
    - CVE-2021-20313
  * SECURITY UPDATE: memory leaks when executing convert command
    - debian/patches/CVE-2021-3574.patch: fix memory leaks
    - CVE-2021-3574
  * SECURITY UPDATE: Security Issue when Configuring the ImageMagick
    Security Policy
    - debian/patches/CVE-2021-39212.patch: Added missing policy checks in
      RegisterStaticModules
    - CVE-2021-39212 (Closes: #996588)
  * SECURITY UPDATE: DoS while processing crafted SVG files
    - debian/patches/CVE-2021-4219.patch: fix denial of service
    - CVE-2021-4219
  * SECURITY UPDATE: use-after-free in magick
    - debian/patches/CVE-2022-1114.patch: fix use-after-free in magick at
      dcm.c
    - CVE-2022-1114
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2022-28463.patch: fix buffer overflow
    - CVE-2022-28463 (Closes: #1013282)
  * SECURITY UPDATE: out-of-range value
    - debian/patches/CVE-2022-32545.patch: addresses the possibility for the
      use of a value that falls outside the range of an unsigned char in
      coders/psd.c.
    - debian/patches/CVE-2022-32546.patch: addresses the possibility for the
      use of a value that falls outside the range of an unsigned long in
      coders/pcl.c.
    - CVE-2022-32545
    - CVE-2022-32546
  * SECURITY UPDATE: load of misaligned address
    - debian/patches/CVE-2022-32547.patch: addresses the potential for the
      loading of misaligned addresses in magick/property.c.
    - CVE-2022-32547 (Closes: #1016442)

 -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 04 Feb 2023 21:50:44 -0500

imagemagick (8:6.9.11.60+dfsg-1.4) unstable; urgency=medium

  * Non-maintainer upload.

  [ Vagrant Cascadian ]
  * debian/rules: Pass MVDelegate and RMDelegate to configure. (Closes:
    #983303)

 -- Paul Gevers <elbrus@debian.org>  Sat, 31 Dec 2022 22:36:57 +0100

imagemagick (8:6.9.11.60+dfsg-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * autopkgtest: Drop PDF related tests which will fail after disabling
    ghostscript handled formats by default (Closes: #987247)

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 20 Apr 2021 16:37:59 +0200

imagemagick (8:6.9.11.60+dfsg-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Disable ghostscript handled formats based on -SAFER insecurity

 -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 19 Apr 2021 20:16:51 +0200

imagemagick (8:6.9.11.60+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Import upstream patch to fix font size (Closes: #980202).

 -- Jochen Sprickerhof <jspricke@debian.org>  Tue, 13 Apr 2021 20:58:45 +0200

imagemagick (8:6.9.11.60+dfsg-1) unstable; urgency=high

  * New upstream version
    - Bug fix: "gscan2pdf tests fail", thanks to Sergio Durigan Junior
      (Closes: #980202).

 -- Bastien Roucariès <rouca@debian.org>  Mon, 01 Feb 2021 16:22:02 +0000

imagemagick (8:6.9.11.58+dfsg-1) unstable; urgency=medium

  * New upstream version:
    - Fix error on i386 with php
  * Bug fix (workaround): "Many doubled www/www; broken links on
    index.html", thanks to 積丹尼 Dan Jacobson (Closes: #978138).

 -- Bastien Roucariès <rouca@debian.org>  Fri, 22 Jan 2021 21:59:16 +0000

imagemagick (8:6.9.11.57+dfsg-1) unstable; urgency=medium

  * New upstream version:
    - Bug fix: "CVE-2020-29599", imagemagick mishandles the
      -authenticate option, which allows setting a password
      for password-protected PDF files. The user-controlled
      password was not properly escaped/sanitized and it
      was therefore possible to inject additional shell commands
      via coders/pdf.c. Thanks to Salvatore Bonaccorso
      (Closes: #977205).
    - Bug fix: "CVE-2020-27560: Division by Zero in function
      OptimizeLayerFrames", thanks to Salvatore Bonaccorso
      (Closes: #972797).
  * Fix dh_doxygen FTBFS (Closes: #971216)

 -- Bastien Roucariès <rouca@debian.org>  Mon, 11 Jan 2021 22:14:26 +0000

imagemagick (8:6.9.11.24+dfsg-1) unstable; urgency=medium

  * Acknowledge NMU
  * New upstream version:
    - Fix CVE-2019-11470: Cineon image parsing DOS (Closes: #927830).
    - Fix CVE-2019-11472: XWD image parsing DOS (Closes: #927828).
    - Fix CVE-2020-13902: Heap based overflow in TIFF image decoding.
      (Closes: #928207).
    - Fix CVE-2019-11598: Heap-based buffer over-read in PNM image
      decoding (Closes: #928206).
    - Fix CVE-2019-12974: NULL pointer dereference in pango coder.
      (Closes: #931196).
    - Fix CVE-2019-12977: "use of uninitialized value" vulnerability
      in the WriteJP2Image of jp2 coder (Closes: #931191).
    - Fix CVE-2019-12978: "use of uninitialized value" vulnerability
      in the pango coder. (Closes: #931190).
    - Fix CVE-2019-12979: "use of uninitialized value" vulnerability
      in MagickCore/image.c (Closes: #931189).
    - Fix CVE-2019-13135: "use of uninitialized value" vulnerability
      in the cut coder (Closes: #932079).
    - Fix CVE-2019-13295: Heap-based buffer over-read in
      MagickCore/threshold.c (Closes: #931457).
    - Fix CVE-2019-13297: Heap-based buffer over-read in
      MagickCore/threshold.c (Closes: #931455).
    - Fix CVE-2019-13300: heap-based buffer overflow in
      MagickCore/statistic.c (Closes: #931454).
    - Fix CVE-2019-13304: stack-based buffer overflow for
      PNM image (Closes: #931453).
    - Fix CVE-2019-13305: stack-based buffer overflow for
      PNM image (Closes: #931452).
    - Fix CVE-2019-13306: stack-based buffer overflow for
      PNM image (Closes: #931449).
    - Fix CVE-2019-13307: heap-based buffer overflow in
      MagickCore/statistic.c (Closes: #931448).
    - Fix CVE-2019-13308: heap-based buffer overflow in
      MagickCore/fourier.c (Closes: #931447).
    - Fix CVE-2019-13391: heap-based buffer over-read (Closes: #931633).
    - Fix CVE-2019-13454: Division by Zero in MagickCore/layer.c
      (Closes: #931740).
    - Fix CVE-2019-14981: divide-by-zero in MeanShiftImage
      (Closes: #955025).
    - Fix CVE-2019-15139: DOS for XWD images (Closes: #941670).
    - Fix CVE-2019-15140: DOS for mat images (Closes: #941671).
    - Fix CVE-2019-19948: Heap-based buffer overflow in SGI coder
      (Closes: #947308).
    - Fix CVE-2019-19949: Heap buffer over-read in PNG coder
      (Closes: #947309).
    - Fix CVE-2020-10251: out-of-bounds read vulnerability for HEIC
      coder (Closes: #953741).
    - Fix CVE-2020-13902: heap-based buffer over-read for TIFF coder.
  * Bug fix: "Updating the imagemagick Uploaders list", thanks to Tobias
    Frost (Closes: #962110). Thanks Nelson A. de Oliveira
  * Add link in api doc dir to assets javascript library
  * Fix a typo in convert man page (Closes: #953279,#947983,#921594).
  * Fix a pkgconfig error that pulls q16 instead of q16hdri (Closes: #950282).

 -- Bastien Roucariès <rouca@debian.org>  Mon, 27 Jul 2020 03:13:36 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libmagick++-6.q16-8`.

Generated by dwww version 1.15 on Sat May 18 08:22:46 CEST 2024.