Format: 1.8
Date: Thu, 02 Aug 2018 08:13:00 -0400
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source all
Version: 1.3.20-3+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 862967 867746 870153 870154 870155 870156 872575 872576 878511 878578 879999
Changes:
 graphicsmagick (1.3.20-3+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2016-5239: remove delegates support for Gnuplot and various other
     file types (additional fix beyond CVE-2016-3714).
   * Fix CVE-2017-11102: denial of service (application crash) via crafted PNG
     file. (Closes: #867746)
   * Fix CVE-2017-11140: denial of service (resource consumption) via crafted
     JPEG file.
   * Fix CVE-2017-11403, CVE-2017-18220: use-after-free vulnerability via a
     crafted file.
   * Fix CVE-2017-11637: NULL pointer dereference via crafted file.
     (Closes: #870153)
   * Fix CVE-2017-11638, CVE-2017-11642: NULL pointer dereference and
     segmentation violation via a crafted file. (Closes: #870154, #870156)
   * Fix CVE-2017-11641: memory leak during writing of Magick Persistent Cache
     (MPC) files. (Closes: #870155)
   * Fix CVE-2017-12935: invalid memory read during processing of large MNG
     image files. (Closes: #872576)
   * Fix CVE-2017-12936: use-after-free of data associated with error and
     exception reporting. (Closes: #872575)
   * Fix CVE-2017-13737: remote denial of service resulting from defective
     calculation of number of objects in an array. (Closes: #878511)
   * Fix CVE-2017-13775: denial of service (resource consumption) via crafted
     JNX file.
   * Fix CVE-2017-13776, CVE-2017-13777: denial of service (resource
     consumption) via crafted XMB file.
   * Fix CVE-2017-14504: denial of service (application crash) resulting from
     a NULL pointer dereference triggered by a crafted PNM file.
   * Fix CVE-2017-14994: denial of service (NULL pointer dereference) via a
     crafted DICOM file.
   * Fix CVE-2017-14997: denial of service (excessive memory allocation)
     resulting from an integer underflow triggered by a crafted PICT file.
   * Fix CVE-2017-15277: information disclosure via crafted GIF file with
     neither global nor local palette. (Closes: #878578)
   * Fix CVE-2017-6335: denial of service (out-of-bounds read and application
     crash) via a crafted TIFF file with small samples per pixel value.
   * Fix CVE-2017-9098: Fix information leak resulting from uninitialized
     memory in the RLE decoder. (Closes: #862967)
   * Fix CVE-2017-15930: NULL pointer dereference and segmentation violation
     via crafted JPEG file. (Closes: #879999)
   * Fix CVE-2017-16352: heap-based buffer overflow found in the "Display
     visual image directory" feature.
   * Fix CVE-2017-16547: denial of service (negative strncpy and application
     crash) or possible other unspecified impact via a crafted file.
   * Fix CVE-2017-18219: denial of service via a crafted file that triggers an
     attempt at excessive memory allocation.
   * Fix CVE-2017-18229: denial of service (memory exhaustion) via a crafted
     TIFF file.
   * Fix CVE-2017-18230: NULL pointer dereference and denial of service via a
     crafted CINEON file.
   * Fix CVE-2017-18231: NULL pointer dereference and denial of service via a
     crafted EMF file.
   * Fix CVE-2018-5685: denial of service (infinite loop and application hang)
     via a crafted BMP image file with a crafted bit-field mask value.
   * Fix CVE-2018-6799: denial of service (heap overwrite) or possibly have
     unspecified other impact via a crafted image file, because a pixel
     staging area is not used.
   * Fix CVE-2018-9018: denial of service (divide-by-zero and application
     crash) via crafted MNG file.
   * Note: CVE-2017-16545 was fixed in version 1.3.20-3+deb8u3 by the same
     patch that fixed CVE-2017-16669.