[ubuntu/artful-proposed] imagemagick 8:6.9.7.4+dfsg-13ubuntu1 (Accepted)
Gianfranco Costamagna
locutusofborg at debian.org
Fri Jul 28 08:54:16 UTC 2017
imagemagick (8:6.9.7.4+dfsg-13ubuntu1) artful; urgency=low
* Merge from Debian unstable. Remaining changes:
- Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
but is not in main.
- demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
Recommends on libjxr-tools to Suggests, as it is in universe.
imagemagick (8:6.9.7.4+dfsg-13) unstable; urgency=high
* Fix a typo in changelog about CVE numbers
* Security fixes:
+ Really Fix CVE-2017-9500 (Closes: #867778)
An assertion failure was found in the function
ResetImageProfileIterator, which allows attackers to cause a denial
of service via a crafted file.
+ Fix CVE-2017-11446 (Closes: #868950)
The ReadPESImage function in coders\pes.c has an infinite
loop vulnerability that can cause CPU exhaustion via a crafted
PES file.
+ CVE-2017-11523: endless loop in ReadTXTImage
If text image file only contains "MagickID..." line,
it will cause ReadTXTImage to infinite loop.
(Closes: #869210).
+ Use after free in ReadWMFImage
When identify WMF file, a crafted file revealed a use-after-free
vulnerability. (Closes: #869715).
+ CVE-2017-11534: Memory-Leak in lite_font_map()
In coders/wmf.c a memory leak is triggered by a crafted file.
(Closes: #869711).
+ CVE-2017-11537: palm coder FPE
When ImageMagick processes a crafted file in convert, it can
lead to a Floating Point Exception (FPE) in the WritePALMImage()
function in coders/palm.c, related to an incorrect bits-per-pixel
calculation.
(Closes: #869712)
+ Memory leak in WritePALMImage
Fix memory leak due to crafted file in palm coder.
(Closes: #869721)
+ Fix another memory leak in quantize.c
(Closes: #869722)
+ CVE-2017-11531 Memory-Leak in WriteHISTOGRAMImage()
A crafted file could trigger a
Memory-Leak in WriteHISTOGRAMImage() coders/histogram.c
(Closes: #869725)
+ Avoid a crash in mpc coder
A crafted file could trigger a crash in the mpc coder.
(Closes: #869728).
+ Fix a memory leak in enhance.c
Fix a potential memory leak if memory could not be allocated for one
of histogram or stretch_map.
If both cannot be allocated, there is no memory leak. If only one is
allocated and the other fails,
there is a memory leak of the one that could not be allocated. There
is very little chance the allocations would fail.
(Closes: #869769).
+ Fix a memory leak in jpeg and mpc coder
A leak due to exception handling exist in MPC and JPEG coder.
This could be triggerd by a crafted file.
(Closes: #869791).
+ Fix memory exhaustion in mpc coder
When identify MPC file , imagemagick will allocate memory to store the
data.
The function StringToUnsignedLong convert string to unsigned long
type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit
can be bypassed.
(Closes: #869727).
+ Fix a leak in mpc file due to corrupted profiles
(Closes: #869796).
+ CVE-2017-11532: memory leak
When Imagemagick processes a crafted file in convert,
it can lead to a Memory Leak in the WriteMPCImage() function in coders/mpc.c.
(Closes: #869726)
+ CVE-2017-11535: heap based overflow in ps.c
When ImageMagick processes a crafted file in
convert, it can lead to a heap-based buffer over-read in the
WritePSImage() function in coders/ps.c.
(Closes: #869827)
+ CVE-2017-11536 memory leak in jp2 coder
When ImageMagick processes a crafted file in convert, it
can lead to a Memory Leak in the WriteJP2Image() function in
coders/jp2.c.
(Closes: #869831)
+ Fix a crash in jp2 codec
Lack of validation of jp2 could lead to a crash
(Closes: #869830)
+ CVE-2017-11533: heap buffer overflow in uil coder
When ImageMagick processes a crafted file in convert, it can
lead to a heap-based buffer over-read in the WriteUILImage() function
in coders/uil.c.
(Closes: #869834)
Date: Fri, 28 Jul 2017 10:51:57 +0200
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-13ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 28 Jul 2017 10:51:57 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-13ubuntu1
Distribution: artful
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6-common - image manipulation programs -- infrastructure
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-6-headers - image manipulation library - headers files
libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 867778 868950 869210 869711 869712 869715 869721 869722 869725 869726 869727 869728 869769 869791 869796 869827 869830 869831 869834
Changes:
imagemagick (8:6.9.7.4+dfsg-13ubuntu1) artful; urgency=low
.
* Merge from Debian unstable. Remaining changes:
- Drop dependency on libopenjp2-7-dev, which is needed for JPEG2000
but is not in main.
- demote libmagickcore-6.q16hdri-3-extra and libmagickcore-6.q16-3-extra
Recommends on libjxr-tools to Suggests, as it is in universe.
.
imagemagick (8:6.9.7.4+dfsg-13) unstable; urgency=high
.
* Fix a typo in changelog about CVE numbers
* Security fixes:
+ Really Fix CVE-2017-9500 (Closes: #867778)
An assertion failure was found in the function
ResetImageProfileIterator, which allows attackers to cause a denial
of service via a crafted file.
+ Fix CVE-2017-11446 (Closes: #868950)
The ReadPESImage function in coders\pes.c has an infinite
loop vulnerability that can cause CPU exhaustion via a crafted
PES file.
+ CVE-2017-11523: endless loop in ReadTXTImage
If text image file only contains "MagickID..." line,
it will cause ReadTXTImage to infinite loop.
(Closes: #869210).
+ Use after free in ReadWMFImage
When identify WMF file, a crafted file revealed a use-after-free
vulnerability. (Closes: #869715).
+ CVE-2017-11534: Memory-Leak in lite_font_map()
In coders/wmf.c a memory leak is triggered by a crafted file.
(Closes: #869711).
+ CVE-2017-11537: palm coder FPE
When ImageMagick processes a crafted file in convert, it can
lead to a Floating Point Exception (FPE) in the WritePALMImage()
function in coders/palm.c, related to an incorrect bits-per-pixel
calculation.
(Closes: #869712)
+ Memory leak in WritePALMImage
Fix memory leak due to crafted file in palm coder.
(Closes: #869721)
+ Fix another memory leak in quantize.c
(Closes: #869722)
+ CVE-2017-11531 Memory-Leak in WriteHISTOGRAMImage()
A crafted file could trigger a
Memory-Leak in WriteHISTOGRAMImage() coders/histogram.c
(Closes: #869725)
+ Avoid a crash in mpc coder
A crafted file could trigger a crash in the mpc coder.
(Closes: #869728).
+ Fix a memory leak in enhance.c
Fix a potential memory leak if memory could not be allocated for one
of histogram or stretch_map.
If both cannot be allocated, there is no memory leak. If only one is
allocated and the other fails,
there is a memory leak of the one that could not be allocated. There
is very little chance the allocations would fail.
(Closes: #869769).
+ Fix a memory leak in jpeg and mpc coder
A leak due to exception handling exist in MPC and JPEG coder.
This could be triggerd by a crafted file.
(Closes: #869791).
+ Fix memory exhaustion in mpc coder
When identify MPC file , imagemagick will allocate memory to store the
data.
The function StringToUnsignedLong convert string to unsigned long
type, but the return value was not checked.
Here is my policy.xml to limit memory usage,but 256MB limit
can be bypassed.
(Closes: #869727).
+ Fix a leak in mpc file due to corrupted profiles
(Closes: #869796).
+ CVE-2017-11532: memory leak
When Imagemagick processes a crafted file in convert,
it can lead to a Memory Leak in the WriteMPCImage() function in coders/mpc.c.
(Closes: #869726)
+ CVE-2017-11535: heap based overflow in ps.c
When ImageMagick processes a crafted file in
convert, it can lead to a heap-based buffer over-read in the
WritePSImage() function in coders/ps.c.
(Closes: #869827)
+ CVE-2017-11536 memory leak in jp2 coder
When ImageMagick processes a crafted file in convert, it
can lead to a Memory Leak in the WriteJP2Image() function in
coders/jp2.c.
(Closes: #869831)
+ Fix a crash in jp2 codec
Lack of validation of jp2 could lead to a crash
(Closes: #869830)
+ CVE-2017-11533: heap buffer overflow in uil coder
When ImageMagick processes a crafted file in convert, it can
lead to a heap-based buffer over-read in the WriteUILImage() function
in coders/uil.c.
(Closes: #869834)
Checksums-Sha1:
ee9b3bf9dd67fa8b59ad1b5a35520609805dc54b 5194 imagemagick_6.9.7.4+dfsg-13ubuntu1.dsc
40938b9ef9f361ea131ec1ee37f9ba72dc93c45e 245632 imagemagick_6.9.7.4+dfsg-13ubuntu1.debian.tar.xz
Checksums-Sha256:
5d940fd2cd84ee80beac816fde76aabcd35e0270799f68cb7c1caa08ef7edeb5 5194 imagemagick_6.9.7.4+dfsg-13ubuntu1.dsc
7841629ac3e99f0ef7f1d86860a0a98445ccd65fa488cc0deae8ddfe389c6399 245632 imagemagick_6.9.7.4+dfsg-13ubuntu1.debian.tar.xz
Files:
59dafa1063cb15eea8c8a875e0b2acef 5194 graphics optional imagemagick_6.9.7.4+dfsg-13ubuntu1.dsc
f08645afae56f38e255ac22f1d05ac57 245632 graphics optional imagemagick_6.9.7.4+dfsg-13ubuntu1.debian.tar.xz
Original-Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJZevtoAAoJEPNPCXROn13ZcVwP/j7RFZuMj/c7wCbWGHHcyVMV
1ZeZ42EZTwBxR+x1idswD7AwK3wuBnhRU94KzfMVKfxX0t49Yu1E2/c77FNeGTKN
u9zEJQzPG2GxUF3uOSBSriZiRwW/i38NiwQzS2nAL9GzbeRa0J6DFf+ru4xMaD6R
2oguRmrmkB20AB4tY29x3nrENARc+rWve0+MXiggaL4JfC3F7AqjaXEvqGWlptB5
j2aJyuLfScR9s9fGRDxfUf1kF4/N/0UaI+EKnsppZXCh/T8f/Svhfl1yqMdS53fN
WDXI3JeKhIaEdPjFcvKMjD8XhhNox/b96U++sWv8+ALzBtib3GpyVisQCmaf2t+V
s0Ns+uLhR4+QVMqCBNULSfbInZkuuWCTy1P9gkN3ouw/wdSQuy0JDIPqQwK5c2Wf
2CXSJg9a07pCQd94EswBv4Ss+XQLQmQCi0PJ5s5X0krQSUJ/cZTPSNCWjktin7qW
DI/o6b403Wbet/NkHfCoxaTf4jC9mxPxGJWkJb/3N+bIdylmNeZ/EZFrkOXMSepD
cNgs32Ey2l/th9oyHwrw9NezC1GJlHCH7b6wT7SJbyCvmskN9paveItp3o8O+H8m
xbD44DUvaB8n0yksnPDJRvv83rYuOoODaXxjWGndqcTH1ii2hjXPdg0+VoEkmggH
MeDumuq4e5KvzQrw4dfj
=OqOB
-----END PGP SIGNATURE-----
More information about the Artful-changes
mailing list