[Pkg-gmagick-im-team] imagemagick_6.9.7.4+dfsg-12_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Fri Jul 14 13:55:16 UTC 2017
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 14 Jul 2017 15:35:15 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-12
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6-common - image manipulation programs -- infrastructure
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 version
libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI version
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI)
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-6-headers - image manipulation library - header files
libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 863126 864273 864274 867367 867721 867778 867798 867806 867808 867810 867811 867812 867821 867823 867824 867825 867826 867893 867894 867896 867897 868184 868264
Changes:
imagemagick (8:6.9.7.4+dfsg-12) unstable; urgency=medium
.
* Fix security bugs:
+ Previous CVE-2017-9144 fix was incomplete.
A crafted RLE image can trigger a crash because of incorrect
EOF handling in coders/rle.c
(Closes: #863126)
+ CVE-2017-10928:
A heap-based buffer over-read in the GetNextToken
function in token.c allows remote attackers to obtain
sensitive information from process memory or possibly have
unspecified other impact via a crafted SVG document
that is mishandled in the GetUserSpaceCoordinateValue
function in coders/svg.c.
(Closes: #867367).
+ CVE-2017-9500:
An assertion failure was found in the function
ResetImageProfileIterator, which allows attackers to cause
a denial of service via a crafted file.
(Closes: #867778).
+ CVE-2017-9501:
An assertion failure was found in the function LockSemaphoreInfo,
which allows attackers to cause a denial of service via a crafted
file.
(Closes: #867721).
+ CVE-2017-9440:
A memory leak was found in the function ReadPSDChannel
in coders/psd.c, which allows attackers to cause a denial
of service via a crafted file.
(Closes: #864273).
+ CVE-2017-9439:
A memory leak was found in the function ReadPDBImage in
coders/pdb.c, which allows attackers to cause a denial of
service via a crafted file.
(Closes: #864274).
+ CVE-2017-11188: CPU exhaustion in ReadDPXImage
Because dpx.file.image_offset is an unsigned int, it can be controlled
to be as large as 4294967295.
This will cause ImageMagick to spend a lot of time processing a crafted
DPX image file, even if the image file is very small.
(Closes: #867806)
+ CVE-2017-11141: memory exhaustion in ReadMATImage
When identifying a MAT file, ImageMagick will allocate memory to store data
in the function ReadMATImage.
Modifying the MAT's MATLAB_HDR field can cause ImageMagick to allocate
an amount of memory of any size, which may cause memory exhaustion.
(Closes: #868264)
+ CVE-2017-11170: memory exhaustion in ReadTGAImage
When identifying a VST file, ImageMagick will allocate memory to store
data in the function ReadTGAImage in coders/tga.c,
using the tga_info.bits_per_pixel field directly from the VST file without
checking it in tga.c.
By reviewing the function code, the maximum valid value of
tga_info.bits_per_pixel is 32.
On a 32-bit OS, size_t one will be 32 bits wide, so image->colors can
overflow to 0.
On a 64-bit OS, size_t one will be 64 bits wide, so image->colors
can be as large as 0x100000000 (64GB).
(Closes: #868184)
+ Memory exhaustion in ReadCINImage
When identifying a CIN file that contains user-defined data,
ImageMagick will allocate memory to store the
data in the function ReadCINImage in coders/cin.c.
There is a security check in the function SetImageExtent,
but it comes after the memory allocation, so IM cannot control the memory usage.
(Closes: #867810)
+ CPU exhaustion in ReadRLEImage
A corrupted RLE file could trigger a DoS.
(Closes: #867808)
+ Memory leak in ReadDIBImage in dib.c
The ReadDIBImage function in dib.c allows attackers
to cause a denial of service (memory leak)
via a small crafted dib file.
(Closes: #867811)
+ Memory exhaustion in ReadDPXImage in dpx.c
When identifying a DPX file that contains user header data,
ImageMagick will allocate memory to store the data in the function
ReadDPXImage in coders/dpx.c.
There is a security check in the function SetImageExtent,
but it is too late, so IM cannot control the memory usage.
(Closes: #867812)
+ Enable heap overflow check for stdin for mpc files
Enabling seekable streams is required to ensure checking
the blob size works when an image is streamed on stdin.
(Closes: #867896)
+ Assertion failure in WriteBlob
A crafted file revealed an assertion failure in blob.c.
(Closes: #867798)
+ Memory exhaustion in ReadEPTImage in ept.c
When identifying an EPT file, ImageMagick will allocate memory
to store the data.
There is a security check in the function SetImageExtent,
but it is not used in the allocation function,
so IM cannot control the memory usage.
(Closes: #867821)
+ CPU exhaustion in ReadOneJNGImage
Due to a lack of validation of the PNG format, ImageMagick could iterate
2^32 times in a CPU-intensive loop.
(Closes: #867824, #867825).
+ CPU exhaustion in ReadOneDJVUImage
Due to a lack of format validation, a crafted file will cause a
loop to run endlessly.
(Closes: #867826).
+ Zero pixel buffer
Avoid a data leak in case of an incorrect file by clearing a buffer.
(Closes: #867893).
+ Memory leak in ReadMATImage in mat.c
The ReadMATImage function in mat.c allows attackers to cause a
denial of service (memory leak) via a small crafted mat file.
(Closes: #867823).
+ Avoid heap based overflow for jpeg
A corrupted JPEG file could trigger a heap overflow.
(Closes: #867894).
+ Fix a memory leak in screenshot coder
(Closes: #867897)
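The unchecked shift described under CVE-2017-11170 above, as an added C illustration written for this page (it is not ImageMagick's coders/tga.c): the depth byte is read from a constructed TGA header, depths above 32 and shifts that would not fit in size_t are rejected, and the palette size is capped against a caller-supplied byte budget before any allocation would happen. The 18-byte TGA header layout with the depth at byte 16, the 16-byte palette entry size and the budget values are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Classic 18-byte TGA header; the pixel depth (bits per pixel) lives at
 * byte 16.  Assumed layout; this code is an illustration, not ImageMagick's. */
#define TGA_HEADER_LEN 18
#define TGA_BPP_OFFSET 16
#define TGA_MAX_BPP    32   /* the largest depth the changelog calls valid */

/* Safe replacement for the unchecked "colors = one << bits_per_pixel":
 * rejects depths above TGA_MAX_BPP, refuses shifts that would be undefined
 * for size_t (the 32-bit "overflow to 0" case), and refuses palettes whose
 * byte size would exceed the caller's budget (the 64-bit "64GB" case).
 * Returns 1 and sets *colors on success, 0 otherwise. */
int tga_palette_colors(unsigned bpp, size_t entry_bytes,
                       size_t budget_bytes, size_t *colors)
{
    if (bpp == 0 || bpp > TGA_MAX_BPP)
        return 0;                          /* out-of-range depth */
    if (bpp >= sizeof(size_t) * CHAR_BIT)
        return 0;                          /* 1 << bpp cannot be represented */
    size_t n = (size_t)1 << bpp;
    /* Overflow-safe form of "n * entry_bytes <= budget_bytes". */
    if (entry_bytes == 0 || n > budget_bytes / entry_bytes)
        return 0;                          /* would exceed the memory budget */
    *colors = n;
    return 1;
}

/* Read the depth straight out of a raw header buffer and apply the same
 * validation before any allocation is attempted. */
int tga_header_palette_colors(const uint8_t *hdr, size_t len,
                              size_t entry_bytes, size_t budget_bytes,
                              size_t *colors)
{
    if (hdr == NULL || len < TGA_HEADER_LEN)
        return 0;                          /* truncated header */
    return tga_palette_colors(hdr[TGA_BPP_OFFSET], entry_bytes,
                              budget_bytes, colors);
}

/* Constructed sample headers (not real files): colour-mapped 8 bpp, and a
 * header whose depth byte is 32, the largest value the check still accepts
 * by range but rejects on budget. */
static const uint8_t tga_hdr_8bpp[TGA_HEADER_LEN]  = { [1] = 1, [2] = 1, [16] = 8 };
static const uint8_t tga_hdr_32bpp[TGA_HEADER_LEN] = { [2] = 2, [16] = 32 };
```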
Checksums-Sha1:
3d90914c6d86d4b36fbc80400725b25384f8735c 5137 imagemagick_6.9.7.4+dfsg-12.dsc
893fa5b030147239ca39394dc7a335dc7aa4934e 230416 imagemagick_6.9.7.4+dfsg-12.debian.tar.xz
a59faecc6842d8fc0b26d6e9c3280dd73be53207 12956 imagemagick_6.9.7.4+dfsg-12_source.buildinfo
Checksums-Sha256:
f445c59ca48e8869b7676ed7336295c780478acfef00161a652f5a228a34cec3 5137 imagemagick_6.9.7.4+dfsg-12.dsc
8b91345baf34eeeadc6ea8e744a4d0f57ebf976c386833b55411b5faa862aa65 230416 imagemagick_6.9.7.4+dfsg-12.debian.tar.xz
856cd6486e65aa3170819b0430e65fcaeb59a8474f857ef4ee71295852ba18c8 12956 imagemagick_6.9.7.4+dfsg-12_source.buildinfo
Files:
a6227a37d15c2b19bf999fe91d4b373b 5137 graphics optional imagemagick_6.9.7.4+dfsg-12.dsc
20c4df2b2199408aee6abea9baacaed4 230416 graphics optional imagemagick_6.9.7.4+dfsg-12.debian.tar.xz
e005c9489d784877411aef2032dd4b55 12956 graphics optional imagemagick_6.9.7.4+dfsg-12_source.buildinfo
Thank you for your contribution to Debian.