[Bug 1923350] Re: FFe: sync/merge imagemagick from unstable
Launchpad Bug Tracker
1923350 at bugs.launchpad.net
Tue Apr 13 16:16:46 UTC 2021
This bug was fixed in the package imagemagick - 8:6.9.11.60+dfsg-1ubuntu1
---------------
imagemagick (8:6.9.11.60+dfsg-1ubuntu1) hirsute; urgency=medium
* FFe: LP: #1923350.
* Merge with Debian; remaining changes:
- SECURITY UPDATE: code execution vulnerabilities in ghostscript as
invoked by imagemagick
- debian/patches/200-disable-ghostscript-formats.patch: disable
ghostscript handled types by default in policy.xml
- debian/tests/rose-*: remove pdf tests.
* imagemagick is now in universe, so drop all the patches removing
build dependencies for main packages.
imagemagick (8:6.9.11.60+dfsg-1) unstable; urgency=high
* New upstream version
- Bug fix: "gscan2pdf tests fail", thanks to Sergio Durigan Junior
(Closes: #980202).
imagemagick (8:6.9.11.58+dfsg-1) unstable; urgency=medium
* New upstream version:
- Fix error on i386 with php
* Bug fix (workaround): "Many doubled www/www; broken links on
index.html", thanks to 積丹尼 Dan Jacobson (Closes: #978138).
imagemagick (8:6.9.11.57+dfsg-1) unstable; urgency=medium
* New upstream version:
- Bug fix: "CVE-2020-29599", imagemagick mishandles the
-authenticate option, which allows setting a password
for password-protected PDF files. The user-controlled
password was not properly escaped/sanitized and it
was therefore possible to inject additional shell commands
via coders/pdf.c. Thanks to Salvatore Bonaccorso
(Closes: #977205).
- Bug fix: "CVE-2020-27560: Division by Zero in function
OptimizeLayerFrames", thanks to Salvatore Bonaccorso
(Closes: #972797).
* Fix dh_doxygen FTBFS (Closes: #971216)
imagemagick (8:6.9.11.24+dfsg-1) unstable; urgency=medium
* Acknowledge NMU
* New upstream version:
- Fix CVE-2019-11470: Cineon image parsing DOS (Closes: #927830).
- Fix CVE-2019-11472: XWD image parsing DOS (Closes: #927828).
- Fix CVE-2020-13902: Heap based overflow in TIFF image decoding.
(Closes: #928207).
- Fix CVE-2019-11598: Heap-based buffer over-read in PNM image
decoding (Closes: #928206).
- Fix CVE-2019-12974: NULL pointer dereference in pango coder.
(Closes: #931196).
- Fix CVE-2019-12977: "use of uninitialized value" vulnerability
in the WriteJP2Image of jp2 coder (Closes: #931191).
- Fix CVE-2019-12978: "use of uninitialized value" vulnerability
in the pango coder. (Closes: #931190).
- Fix CVE-2019-12979: "use of uninitialized value" vulnerability
in MagickCore/image.c (Closes: #931189).
- Fix CVE-2019-13135: "use of uninitialized value" vulnerability
in the cut coder (Closes: #932079).
- Fix CVE-2019-13295: Heap-based buffer over-read in
MagickCore/threshold.c (Closes: #931457).
- Fix CVE-2019-13297: Heap-based buffer over-read in
MagickCore/threshold.c (Closes: #931455).
- Fix CVE-2019-13300: heap-based buffer overflow in
MagickCore/statistic.c (Closes: #931454).
- Fix CVE-2019-13304: stack-based buffer overflow for
PNM image (Closes: #931453).
- Fix CVE-2019-13305: stack-based buffer overflow for
PNM image (Closes: #931452).
- Fix CVE-2019-13306: stack-based buffer overflow for
PNM image (Closes: #931449).
- Fix CVE-2019-13307: heap-based buffer overflow in
MagickCore/statistic.c (Closes: #931448).
- Fix CVE-2019-13308: heap-based buffer overflow in
MagickCore/fourier.c (Closes: #931447).
- Fix CVE-2019-13391: heap-based buffer over-read (Closes: #931633).
- Fix CVE-2019-13454: Division by Zero in MagickCore/layer.c
(Closes: #931740).
- Fix CVE-2019-14981: divide-by-zero in MeanShiftImage
(Closes: #955025).
- Fix CVE-2019-15139: DOS for XWD images (Closes: #941670).
- Fix CVE-2019-15140: DOS for mat images (Closes: #941671).
- Fix CVE-2019-19948: Heap-based buffer overflow in SGI coder
(Closes: #947308).
- Fix CVE-2019-19949: Heap buffer over-read in PNG coder
(Closes: #947309).
- Fix CVE-2020-10251: out-of-bounds read vulnerability for HEIC
coder (Closes: #953741).
- Fix CVE-2020-13902: heap-based buffer over-read for TIFF coder.
* Bug fix: "Updating the imagemagick Uploaders list", thanks to Tobias
Frost (Closes: #962110). Thanks Nelson A. de Oliveira
* Add link in api doc dir to assets javascript library
* Fix a typo in convert man page (Closes: #953279,#947983,#921594).
* Fix a pkgconfig error that pull q16 instead of q16hdri (Closes: #950282).
-- Matthias Klose <doko at ubuntu.com> Sun, 11 Apr 2021 14:32:48 +0200
** Changed in: imagemagick (Ubuntu)
Status: Triaged => Fix Released
https://bugs.launchpad.net/bugs/1923350
Title:
FFe: sync/merge imagemagick from unstable
Status in imagemagick package in Ubuntu:
Fix Released
Bug description:
imagemagick is now in universe again, and wasn't merged / updated and
only saw security updates since 2019. The package is mostly in sync
with unstable, except for
- SECURITY UPDATE: code execution vulnerabilities in ghostscript as
invoked by imagemagick
- debian/patches/200-disable-ghostscript-formats.patch: disable
ghostscript handled types by default in policy.xml
- debian/tests/rose-*: remove pdf tests.
I kept that patch, but it's one of this kind which breaks package builds, as seen at
Debian #986686.
Package builds, test builds available at
https://launchpad.net/~doko/+archive/ubuntu/toolchain/+sourcepub/12284194/+listing-archive-extra
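The mitigation carried in 200-disable-ghostscript-formats.patch works by denying the Ghostscript-backed coders in ImageMagick's policy.xml so that a crafted PS/EPS/PDF/XPS input never reaches gs. The fragment below is an illustration written for this page, not the patch's own text, and assumes the stock policymap layout of ImageMagick 6 (the file normally lives at /etc/ImageMagick-6/policy.xml on Debian and Ubuntu):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ATTLIST policymap xmlns CDATA #FIXED ''>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy domain NMTOKEN #REQUIRED>
  <!ATTLIST policy name NMTOKEN #IMPLIED>
  <!ATTLIST policy pattern CDATA #IMPLIED>
  <!ATTLIST policy rights NMTOKEN #IMPLIED>
  <!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <!-- Illustrative policy: every format that ImageMagick delegates to
       Ghostscript is denied, so neither reading nor writing these
       types can spawn gs. rights="none" blocks read and write. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Delegates are external programs (gs among them). Denying the
       delegate domain outright is a belt-and-braces addition for
       systems that never need any external converter. -->
  <policy domain="delegate" rights="none" pattern="*" />

  <!-- Resource ceilings limit the blast radius of the decoder DoS
       bugs listed in the changelog (division by zero, over-reads). -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="width" value="16KP" />
  <policy domain="resource" name="height" value="16KP" />
  <policy domain="resource" name="time" value="120" />
</policymap>
```

Running `identify -list policy` prints the policy entries ImageMagick actually loaded, which is the quickest way to confirm the denial took effect after the file is installed; a PDF input then fails with a "not authorized" error instead of invoking Ghostscript.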