Debian Package Tracker - graphicsmagick

general

source: graphicsmagick (main)
version: 1.3.30-1
maintainer: Laszlo Boszormenyi (GCS) [DMD]
arch: all any
std-ver: 4.1.4
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3.16-1.1
o-o-sec: 1.3.16-1.1+deb7u19
oldstable: 1.3.20-3+deb8u2
old-sec: 1.3.20-3+deb8u4
stable: 1.3.25-8
testing: 1.3.30-1
unstable: 1.3.30-1

versioned links

1.3.16-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.16-1.1+deb7u19: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.20-3+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.20-3+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.20-3+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.25-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.30-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

graphicsmagick
graphicsmagick-dbg
graphicsmagick-imagemagick-compat
graphicsmagick-libmagick-dev-compat
libgraphics-magick-perl
libgraphicsmagick++-q16-12
libgraphicsmagick++1-dev
libgraphicsmagick-q16-3
libgraphicsmagick1-dev

action needed

56 security issues in stretch high

There are 56 open security issues in stretch.

53 important issues:

CVE-2017-11636: GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() function in coders/rgb.c when processing multiple frames that have non-identical widths.
CVE-2017-18229: An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allows attackers to cause a denial of service via a crafted file, because file size is not properly used to restrict scanline, strip, and tile allocations.
CVE-2017-18219: An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted file that triggers an attempt at a large png_pixels array allocation.
CVE-2017-17500: ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/import.c ImportRGBQuantumType heap-based buffer over-read via a crafted file.
CVE-2017-17502: ReadCMYKImage in coders/cmyk.c in GraphicsMagick 1.3.26 has a magick/import.c ImportCMYKQuantumType heap-based buffer over-read via a crafted file.
CVE-2017-14314: Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file.
CVE-2017-11642: GraphicsMagick 1.3.26 has a NULL pointer dereference in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11638.
CVE-2017-16545: The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image.
CVE-2017-13065: GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in the function SVGStartElement in coders/svg.c.
CVE-2018-9018: In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file.
CVE-2017-17503: ReadGRAYImage in coders/gray.c in GraphicsMagick 1.3.26 has a magick/import.c ImportGrayQuantumType heap-based buffer over-read via a crafted file.
CVE-2017-13134: In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted file.
CVE-2017-10794: When GraphicsMagick 1.3.25 processes an RGB TIFF picture (with metadata indicating a single sample per pixel) in coders/tiff.c, a buffer overflow occurs, related to QuantumTransferMode.
CVE-2017-17498: WritePNMImage in coders/pnm.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (bit_stream.c MagickBitStreamMSBWrite heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2017-17915: In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached.
CVE-2017-16547: The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does not properly look for pop keywords that are associated with push keywords, which allows remote attackers to cause a denial of service (negative strncpy and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2017-15277: ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
CVE-2017-12935: The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mishandles large MNG images, leading to an invalid memory read in the SetImageColorCallBack function in magick/image.c.
CVE-2017-11641: GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixel_cache.c during writing of Magick Persistent Cache (MPC) files.
CVE-2017-11722: The WriteOnePNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file, because the program's actual control flow was inconsistent with its indentation. This resulted in a logging statement executing outside of a loop, and consequently using an invalid array index corresponding to the loop's exit condition.
CVE-2017-17501: WriteOnePNGImage in coders/png.c in GraphicsMagick 1.3.26 has a heap-based buffer over-read via a crafted file.
CVE-2017-18230: An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer dereference vulnerability was found in the function ReadCINEONImage in coders/cineon.c, which allows attackers to cause a denial of service via a crafted file.
CVE-2017-17913: In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use a different structure type.
CVE-2018-5685: In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value.
CVE-2017-16352: GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
CVE-2017-13063: GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:314:12.
CVE-2017-11638: GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11642.
CVE-2017-12937: The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has a colormap heap-based buffer over-read.
CVE-2017-18220: The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in GraphicsMagick 1.3.26 allow remote attackers to cause a denial of service (magick/blob.c CloseBlob use-after-free) or possibly have unspecified other impact via a crafted file, a related issue to CVE-2017-11403.
CVE-2017-13064: GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in the function GetStyleTokens in coders/svg.c:311:12.
CVE-2017-14733: ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE headers that specify too few colors, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVE-2017-11637: GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLImage() function in coders/pcl.c during writes of monochrome images.
CVE-2017-11643: GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() function in coders/cmyk.c when processing multiple frames that have non-identical widths.
CVE-2017-11140: The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 creates a pixel cache before a successful read of a scanline, which allows remote attackers to cause a denial of service (resource consumption) via crafted JPEG files.
CVE-2017-13737: There is an invalid free in the MagickFree function in magick/memory.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.
CVE-2017-17782: In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation.
CVE-2017-16353: GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.
CVE-2017-13777: GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.
CVE-2017-11403: The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.
CVE-2017-16669: coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c.
CVE-2017-13775: GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage() in coders/jnx.c whereby large amounts of CPU and memory resources may be consumed although the file itself does not support the requests.
CVE-2017-11139: GraphicsMagick 1.3.26 has double free vulnerabilities in the ReadOneJNGImage() function in coders/png.c.
CVE-2018-6799: The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagick before 1.3.28 allows remote attackers to cause a denial of service (heap overwrite) or possibly have unspecified other impact via a crafted image file, because a pixel staging area is not used.
CVE-2017-15930: In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer.
CVE-2017-11102: The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (application crash) during JNG reading via a zero-length color_image data structure.
CVE-2017-15238: ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26 has a use-after-free issue when the height or width is zero, related to ReadJNGImage.
CVE-2017-18231: An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer dereference vulnerability was found in the function ReadEnhMetaFile in coders/emf.c, which allows attackers to cause a denial of service via a crafted file.
CVE-2017-17912: In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region.
CVE-2017-14994: ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted DICOM image, related to the ability of DCM_ReadNonNativeImages to yield an image list with zero frames.
CVE-2017-13776: GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.
CVE-2017-14504: ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure the correct number of colors for the XV 332 format, leading to a NULL Pointer Dereference.
CVE-2017-14997: GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c.
CVE-2017-12936: The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has a use-after-free issue for data associated with exception reporting.

3 issues skipped by the security teams:

CVE-2017-10799: When GraphicsMagick 1.3.25 processes a DPX image (with metadata indicating a large width) in coders/dpx.c, a denial of service (OOM) can occur in ReadDPXImage().
CVE-2017-10800: When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, it can lead to a denial of service (OOM) in ReadMATImage() if the size specified for a MAT Object is larger than the actual amount of data.
CVE-2017-17783: In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8.

Please fix them.

Created: 2017-07-03 Last update: 2018-08-03 08:07

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

graphicsmagick-dbg could be marked Multi-Arch: same
libgraphics-magick-perl could be marked Multi-Arch: same

Created: 2018-05-29 Last update: 2018-08-14 02:34

Depends on packages which need a new maintainer normal

The packages that graphicsmagick depends on which need a new maintainer are:

libtool (#905994)
- Build-Depends: libltdl-dev
- Depends: libltdl-dev
libwmf (#866817)
- Build-Depends: libwmf-dev
- Depends: libwmf0.2-7 libwmf0.2-7 libwmf-dev

Created: 2017-12-02 Last update: 2018-08-14 02:27

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-08-14 01:48

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-08 Last update: 2018-06-25 01:53

3 ignored security issues in jessie low

There are 3 open security issues in jessie.

3 issues skipped by the security teams:

CVE-2017-10799: When GraphicsMagick 1.3.25 processes a DPX image (with metadata indicating a large width) in coders/dpx.c, a denial of service (OOM) can occur in ReadDPXImage().
CVE-2017-10800: When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, it can lead to a denial of service (OOM) in ReadMATImage() if the size specified for a MAT Object is larger than the actual amount of data.
CVE-2017-17783: In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8.

Please fix them.

Created: 2016-02-06 Last update: 2018-08-03 08:07

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2017-10-26 Last update: 2018-04-01 13:51

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.0 instead of 4.1.4).

Created: 2018-08-03 Last update: 2018-08-03 07:38

testing migrations

This package will soon be part of the perl5.28 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2018-08-03] Accepted graphicsmagick 1.3.20-3+deb8u4 (source all) into oldstable (Roberto C. Sanchez)
[2018-06-27] Accepted graphicsmagick 1.3.20-3+deb8u3 (source amd64 all) into oldstable (Markus Koschany)
[2018-06-26] graphicsmagick 1.3.30-1 MIGRATED to testing (Debian testing watch)
[2018-06-26] graphicsmagick 1.3.30-1 MIGRATED to testing (Debian testing watch)
[2018-06-24] Accepted graphicsmagick 1.3.30-1 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-06-17] Accepted graphicsmagick 1.3.20-3+deb8u2 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Luciano Bello)
[2018-05-30] graphicsmagick 1.3.29+hg15665-1 MIGRATED to testing (Debian testing watch)
[2018-05-27] Accepted graphicsmagick 1.3.29+hg15665-1 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-05-11] graphicsmagick 1.3.29-1 MIGRATED to testing (Debian testing watch)
[2018-05-08] Accepted graphicsmagick 1.3.29-1 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-04-03] graphicsmagick 1.3.28-2 MIGRATED to testing (Debian testing watch)
[2018-03-31] Accepted graphicsmagick 1.3.28-2 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-03-28] Accepted graphicsmagick 1.3.16-1.1+deb7u19 (source amd64 all) into oldoldstable (Markus Koschany)
[2018-03-28] Accepted graphicsmagick 1.3.16-1.1+deb7u19 (source amd64 all) into oldoldstable (Markus Koschany)
[2018-02-14] Accepted graphicsmagick 1.3.16-1.1+deb7u18 (source amd64 all) into oldoldstable (Roberto C. Sanchez)
[2018-01-23] graphicsmagick 1.3.28-1 MIGRATED to testing (Debian testing watch)
[2018-01-20] Accepted graphicsmagick 1.3.28-1 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-01-18] graphicsmagick 1.3.27-4 MIGRATED to testing (Debian testing watch)
[2018-01-16] Accepted graphicsmagick 1.3.16-1.1+deb7u17 (source amd64 all) into oldoldstable (Roberto C. Sanchez)
[2018-01-15] Accepted graphicsmagick 1.3.27-4 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-01-08] Accepted graphicsmagick 1.3.16-1.1+deb7u16 (source amd64 all) into oldoldstable (Markus Koschany)
[2017-12-30] graphicsmagick 1.3.27-3 MIGRATED to testing (Debian testing watch)
[2017-12-28] Accepted graphicsmagick 1.3.27-3 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-28] graphicsmagick 1.3.27-2 MIGRATED to testing (Debian testing watch)
[2017-12-25] Accepted graphicsmagick 1.3.27-2 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-16] graphicsmagick 1.3.27-1 MIGRATED to testing (Debian testing watch)
[2017-12-10] Accepted graphicsmagick 1.3.27-1 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-11-15] graphicsmagick 1.3.26-19 MIGRATED to testing (Debian testing watch)
[2017-11-14] Accepted graphicsmagick 1.3.16-1.1+deb7u15 (source amd64 all) into oldoldstable (Roberto C. Sanchez)
[2017-11-12] Accepted graphicsmagick 1.3.26-19 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)

bugs [bug history graph]

all: 33
RC: 1
I&N: 24
M&W: 5
F&P: 0
patch: 3

links

homepage
lintian (0, 12)
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.3.30-1
3 bugs