[Pkg-gmagick-im-team] Bug#1037219: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2

Bastien Roucariès rouca at debian.org
Thu Jun 8 07:57:56 BST 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: imagemagick at packages.debian.org
Control: affects -1 + src:imagemagick

[ Reason ]
ImageMagick is affected in stable by a few security problems.

[ Impact ]
Security problems, with some exploits (images) in the wild.

[ Tests ]
Yes, a test suite is included in the package, and an autopkgtest.

[ Risks ]
Code is complex; I prefer not to solve all the security bugs in a single step.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
+  * Fix CVE-2021-3574: memory leak was found in TIFF coder
+  * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+  * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+    some coders (Closes: #1013282)
+  * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+  * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+  * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+  * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+  * Fix CVE-2021-39212: Postscript files could be read and written
+    when specifically excluded by a module policy in policy.xml file.
+    (Closes: #996588)
+  * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+    (Closes: #1013282)
+  * Fix CVE-2022-28463: Buffer overflow in cin coder.
+  * Fix CVE-2022-32545: Value outside the range of unsigned char
+    (Closes: #1016442)
+  * Fix CVE-2022-32546: Value outside the range of representable
+    values of type 'unsigned long' at coders/pcl.c,
+  * Use Salsa CI
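Review bot: bug #1013282 is cited twice in this changelog excerpt, once for the CVE-2021-20241 / CVE-2021-20243 divide-by-zero entry and again for the CVE-2022-1114 heap use-after-free entry; one of the two "Closes:" references is presumably a typo, so verify both bug numbers against the BTS before upload. The CVE-2022-32546 entry also ends with a trailing comma and reads as cut off. Since a stable update is expected to carry only targeted fixes, the "Use Salsa CI" entry should either be justified in the request or dropped from the debdiff.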

[ Other info ]
The security team is OK with this.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff.diff
Type: text/x-patch
Size: 42431 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20230608/01a7aa2a/attachment-0001.bin>