-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 30 May 2016 20:02:31 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.24-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 814732 825800
Changes:
 graphicsmagick (1.3.24-1) unstable; urgency=high
 .
   * New upstream release, focusing on security fixes for the following image
     formats:
     - DIB: fix out of bounds reads and add more header validations,
     - JNG: file size limits are enforced,
     - MATLAB: fix DoS and hang on corrupt deflate stream,
     - META (Embedded Image Profiles): fix out of bounds reads and writes,
     - MIFF (Magick): fix thrown assertion,
     - CVE-2016-3716: Magick Scripting Language file processing is not done by
       default but needs to be prefixed with 'msl:',
     - Magick Vector Graphics file processing is not done by default but needs
       to be prefixed with 'mvg:' and prevent heap overflow problems,
     - PCX: fix unreasonable memory allocation due to intentionally corrupt
       file,
     - PDB: fix heap buffer overflow and out of bounds read,
     - PICT: fix out of bounds write,
     - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
       for safer execution,
     - PSD: fix segmentation violations, heap buffer overflows and out of bounds
       writes,
     - RLE: fix out of bounds reads and writes,
     - ReadImages(): fix possible infinite recursion due to a crafted input
       file,
     - RotateImage(): fix thrown assertion,
     - SGI: fix out of bounds writes,
     - SUN: fix out of bounds reads and writes,
     - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
       overflows, as well as segmentation violations (closes: #814732); also
       fix endless loop, unexpectedly large memory allocation, divide by zero
       and recursion issues,
     - TIFF: fix assertion while reading and fix benign heap overflow,
     - VIFF: fix excessive memory allocation with intentionally corrupted input
       file,
     - XCF: fix heap buffer overflow,
     - XPM: fix several heap buffer overflows and out of bounds reads/writes;
       also fix a case of excessive memory allocation,
     - CVE-2016-5118: popen() shell vulnerability via filename that contains
       '|', remove pipe support entirely (closes: #825800); file names starting
       with a '|' character are no longer interpreted as shell commands to be
       executed as input or output,
     - default.mgk file has been pared down in order to reduce security
       exposure,
     - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
       files is removed since the format is inherently insecure,
     - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
       the file since this seems dangerous,
     - CVE-2016-3718: sanity check the image file path or URL before passing
       it to ReadImage(),
     - fix several Coverity issues like dereference after null check, multiple
       resource leaks and logically dead code.
   * Update library symbols for this release.
Checksums-Sha1:
 0140a2b366b42b3a80ffcd3b6eb5847567193d38 2792 graphicsmagick_1.3.24-1.dsc
 2ec6c00365e8db8a008307a0541d1b5929ca0fd2 7673463 graphicsmagick_1.3.24.orig.tar.bz2
 de14256aab4c9852a17911cfabde2341f7b4016f 137424 graphicsmagick_1.3.24-1.debian.tar.xz
 604c7d6fac51d0d521c69ce529642cd1b0bf7389 2994580 graphicsmagick-dbg_1.3.24-1_amd64.deb
 ede7a676cf2bcf30b1ba4f595f53d358b84cc07e 23174 graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 0b650027c992d27580553ca28fc29b8852ea5d41 26654 graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 aff706ad89e419ade9b9e932cc71d99135ce26a8 850216 graphicsmagick_1.3.24-1_amd64.deb
 48bccbbe432d6ed13810db14ebb63864c62f0753 70636 libgraphics-magick-perl_1.3.24-1_amd64.deb
 89a4e30b63548030b8aaec411b15925e73787246 117428 libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 008a4fd6651db6e20df09079035a755a427c7f93 300266 libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 e6377c8db5b1a8ab8ce83ac0964a8e3a354bd129 1106494 libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 4107bba00babeaa4c340a8f90cd0429e0641efc4 1296128 libgraphicsmagick1-dev_1.3.24-1_amd64.deb
Checksums-Sha256:
 536288f4304702480a6e89e2265606bcea8118af2527c9eb1cb27d5ad01b1621 2792 graphicsmagick_1.3.24-1.dsc
 b060a4076308f93c25d52c903ad9a07e71b402dcb2a5c62356384865c129dff2 7673463 graphicsmagick_1.3.24.orig.tar.bz2
 4c7642a8f148d09fd8c2f079c0c245d3e167a5465c2694afc204e11723ffe745 137424 graphicsmagick_1.3.24-1.debian.tar.xz
 febf3dfafebb5112b5b8a39fa12b80df27dc824f493709ac7a81980b5a953953 2994580 graphicsmagick-dbg_1.3.24-1_amd64.deb
 7046124e4fbe63f31727c69ed29dadcb2609ac7492a56a123036f092aedd5f57 23174 graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 fe7646b2d2857ccb1fbd2d19c84c7bca50fea41140029779d3ca3e5c1da94a3c 26654 graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 772cc43b378b2aa17f901e318a05224426d20042ae82b8d27f569fdff2f4e6a6 850216 graphicsmagick_1.3.24-1_amd64.deb
 efb55ebfb9c0e0a5bafbbb19643fcde020c0f5fc76d9bc41676d8198dfd9858f 70636 libgraphics-magick-perl_1.3.24-1_amd64.deb
 2707042a57adea4f9d63882a38ba53056fd1def55d7c89d24029c4820c6334bb 117428 libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 ea5eb6d86f0885249074ca857287f54b47504289c48a43be26dcd681ea04a26c 300266 libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 971345d63993e9e0c623d261c27f9c6fdba5504331b1e31b6efb8b47e4b3b631 1106494 libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 a63cacee3750d907ff4a2f1f019dacbd468f87196b329d38da54575ae7701250 1296128 libgraphicsmagick1-dev_1.3.24-1_amd64.deb
Files:
 a3cd87ca8cbe0dcddcc87beff2b4ff86 2792 graphics optional graphicsmagick_1.3.24-1.dsc
 08e2d3126ba83ba29caea3a503b96b1a 7673463 graphics optional graphicsmagick_1.3.24.orig.tar.bz2
 9b19b2c5f5d83b0954e9c1c980253a32 137424 graphics optional graphicsmagick_1.3.24-1.debian.tar.xz
 adf3e806b31d72d8077a9bd801eb185a 2994580 debug extra graphicsmagick-dbg_1.3.24-1_amd64.deb
 f0a927c5af135d0632c34ccd5905c0a5 23174 graphics extra graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 3047be06ef6e01f0783ef5bea362de33 26654 graphics extra graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 d6381ebd28f91340b512034528828da5 850216 graphics optional graphicsmagick_1.3.24-1_amd64.deb
 57e552e3f0ef92465ac1fe0aae2789dc 70636 perl optional libgraphics-magick-perl_1.3.24-1_amd64.deb
 d8dd2bfcd7e672a269192a525104591d 117428 libs optional libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 6361b1a3f5998f37f444dc085424eb27 300266 libdevel optional libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 82d13931e7af4d14ee5b7f5945e89076 1106494 libs optional libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 9cfd4f45e01e72322c430565f09f1ffa 1296128 libdevel optional libgraphicsmagick1-dev_1.3.24-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXTMMpAAoJENzjEOeGTMi/zfIP/R/szOnw56jSrSWK+Y2ueDod
7XMsUSt24iHk9C3KQB3CyZXVULiUS8GctbklNWe5lSyhZemUv6n/B6RYTO8kCjWy
aHxyaaPDWFwX48rdDg04w+0hC8CFyu7Ay40GcF/k8DBgGtIUXF8Q3iidYfQk1UBc
7yVlgJkkGVjgwMDRxYDxSnrFMctsM9sIpQBJaZnMAsBtb+c9nok9vrjrovPCZqrq
1Qh/fCk/2U2Hrs+HIpTeWDK0sMskl4yHld5eY+EmqFv0BtDqFqhHP0EEGxQzCNR/
us+x7+WnTfkjbFl+ph6ECAFmQFqrGlZsdWwIh6sk03vOsIWmWQvB0eDp7Qu/QTqg
2xATBqZTD/nKEfcWCuYqJm9qyYMb2pdGUElG8NN5zYhd5h4zsBgYw51cUqpx6rCF
7ialOfOUififxpeLhRLHblYASf2ElA3UZsZdtL7yJt1McSH+IUT20lR6iI+x+FE8
YScQF29Yzv53CbM17Y0bPulBrTvOvRkY9TZJfEvUxuUy+ZsJoMNG50oNwXrZ6BCT
FJWJt/LDDvlSSYj7JIvTXyV/keSuJgchjvWWgY4cOmXa5twrGNsrkzji/+BiReRt
mqDhX9HPaXX6tWa1rscubWi+U06WKDsNMTwK+6QPCfs9NnuhCpUjujwWQYRlIEOb
ia7y8TTG4XC3ePI9L/bO
=Cxll
-----END PGP SIGNATURE-----
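
Added example, not part of the signed .changes file above and not code from Debian or from GraphicsMagick: a caller-side pre-check for untrusted file names, covering the name-driven behaviour the changelog entry fixes. It rejects any '|' in the name (the popen() path of CVE-2016-5118, still live on builds older than 1.3.24), explicit coder prefixes such as 'msl:', 'mvg:' and 'tmp:' that are not on an allow-list (CVE-2016-3716, CVE-2016-3715), URL input (the CVE-2016-3718 surface) and '@list' indirection, and then builds a shell-free argv for `gm identify`. The allow-list contents and the function names are this example's own assumptions, not a GraphicsMagick API.

```python
"""Pre-flight checks on an untrusted file name before it reaches GraphicsMagick.

Added example for the 1.3.24 changelog; it is not code from the .changes file,
from Debian or from GraphicsMagick. The allow-list and the function names are
this example's own assumptions.
"""
import os
import re
import subprocess

# Assumption: the coders an upload handler is willing to select by prefix.
ALLOWED_EXPLICIT_CODERS = {"png", "jpeg", "jpg", "gif", "tiff", "bmp"}

# GraphicsMagick selects an input coder from a "coder:" prefix on the name.
_CODER_PREFIX = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


class UnsafeImagePath(ValueError):
    """Raised when a name would select a coder, a URL or a pipe by itself."""


def check_image_path(name: str) -> str:
    """Return `name` unchanged if it is safe to pass to gm, otherwise raise.

    The file contents still decide which decoder runs; these checks only stop
    the *name* from steering gm towards a shell, a script coder or the network.
    """
    if not name or "\0" in name:
        raise UnsafeImagePath("empty name or embedded NUL")
    # CVE-2016-5118 surface: any '|' in the name. 1.3.24 removed pipe support,
    # but older builds in the field still run popen() on '|cmd'.
    if "|" in name:
        raise UnsafeImagePath("pipe character in file name")
    stripped = name.lstrip()
    # '@list' tells gm to read further file names from `list`.
    if stripped.startswith("@"):
        raise UnsafeImagePath("file-name list indirection rejected")
    m = _CODER_PREFIX.match(stripped)
    if m:
        coder = m.group(1).lower()
        # A one-letter prefix on Windows is a drive letter, not a coder.
        if len(coder) == 1 and os.name == "nt":
            return name
        if coder in {"http", "https", "ftp"}:
            raise UnsafeImagePath("remote URL rejected (CVE-2016-3718 surface)")
        if coder not in ALLOWED_EXPLICIT_CODERS:
            # Covers msl:, mvg:, tmp: and every other coder not allow-listed.
            raise UnsafeImagePath(f"explicit coder '{coder}:' not allowed")
    return name


def is_safe_image_path(name: str) -> bool:
    """Boolean wrapper around check_image_path for callers without exceptions."""
    try:
        check_image_path(name)
        return True
    except UnsafeImagePath:
        return False


def gm_identify_argv(name: str) -> list:
    """argv for `gm identify` on a checked name; no shell is involved."""
    return ["gm", "identify", check_image_path(name)]


def identify(name: str, timeout: float = 30.0) -> str:
    """Run `gm identify` on a checked name and return its stdout."""
    proc = subprocess.run(gm_identify_argv(name), capture_output=True,
                          text=True, timeout=timeout, check=True)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ("upload.png", "|id", "msl:/tmp/x.msl", "tmp:/etc/passwd"):
        verdict = "safe" if is_safe_image_path(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

The check sits in front of the argv list rather than inside a shell string on purpose: `subprocess.run` with a list never invokes a shell, so the only remaining way for a name to change what runs is the coder-prefix mechanism inside gm itself, and that is what the allow-list closes.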
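
Added example, not part of the signed .changes file above and not Debian tooling: a checker that parses the Checksums-Sha256 paragraph of a clear-signed .changes file and compares size and SHA-256 of each listed artifact, which is the check a practitioner mirroring the upload wants before installing it. It does not verify the OpenPGP signature; run `gpg --verify` on the .changes file against the Debian keyring first, since the checksums only carry weight once the file listing them is authenticated. The SAMPLE_CHANGES text and its two in-memory artifacts are constructed for the self-test and are not the GraphicsMagick upload.

```python
"""Check downloaded files against the Checksums-Sha256 paragraph of a .changes file.

Added example; not code from the .changes file, from Debian or from
GraphicsMagick. SAMPLE_CHANGES and SAMPLE_BLOBS are constructed test data.
"""
import hashlib
import pathlib
import re
import sys

_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(.*)$")
_SIG_START = "-----BEGIN PGP SIGNATURE-----"


def parse_changes(text: str) -> dict:
    """Return {field: [first line, continuation lines...]} for the signed body."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(_SIG_START):
            break  # the armored signature carries its own 'Version:' line
        if line[:1] in (" ", "\t"):
            if current is not None:
                fields[current].append(line.strip())
            continue
        m = _FIELD.match(line)
        if m:
            current = m.group(1)
            value = m.group(2).strip()
            fields[current] = [value] if value else []
        else:
            current = None  # blank line or armor header ends the field
    return fields


def expected_sha256(fields: dict) -> dict:
    """Map file name -> (hex digest, size) from the Checksums-Sha256 field."""
    out = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        out[name] = (digest.lower(), int(size))
    return out


def verify_blobs(fields: dict, blobs: dict) -> dict:
    """Compare in-memory bytes; returns name -> 'ok' | 'missing' | 'size' | 'digest'.

    Size is checked before hashing so a truncated or padded download is
    reported as such rather than as a bare digest mismatch.
    """
    results = {}
    for name, (digest, size) in expected_sha256(fields).items():
        data = blobs.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "digest"
        else:
            results[name] = "ok"
    return results


def verify_directory(changes_path: str, directory: str = ".") -> dict:
    """Verify the files named in `changes_path` that sit in `directory`."""
    fields = parse_changes(pathlib.Path(changes_path).read_text())
    blobs = {}
    for name in expected_sha256(fields):
        p = pathlib.Path(directory) / name
        if p.is_file():
            blobs[name] = p.read_bytes()
    return verify_blobs(fields, blobs)


# Constructed sample: an empty .dsc and a three-byte tarball ("abc"), with
# their real SHA-256 (and MD5 in Files:) values, so the self-test runs offline.
SAMPLE_CHANGES = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Source: example
Version: 1.0-1
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0-1.dsc
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0.orig.tar.gz
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 misc optional example_1.0-1.dsc
 900150983cd24fb0d6963f7d28e17f72 3 misc optional example_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

(armored signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
SAMPLE_BLOBS = {"example_1.0-1.dsc": b"", "example_1.0.orig.tar.gz": b"abc"}


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        where = sys.argv[2] if len(sys.argv) > 2 else "."
        report = verify_directory(sys.argv[1], where)
    else:
        report = verify_blobs(parse_changes(SAMPLE_CHANGES), SAMPLE_BLOBS)
    for name, status in sorted(report.items()):
        print(f"{status:8s} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Usage: `python3 verify_changes.py graphicsmagick_1.3.24-1_amd64.changes /path/to/downloads` after a successful `gpg --verify graphicsmagick_1.3.24-1_amd64.changes`; without arguments the script runs its own constructed sample. The parser stops at the signature armor deliberately: the armor's `Version: GnuPG v1` line would otherwise overwrite the package `Version:` field.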