2009
graphicsmagick (1.1.7-13+etch1) oldstable-security; urgency=high
* Non-maintainer upload by the Security Team. * Fixed CVE-2007-1667: Multiple integer overflows in the XInitImage function (Closes: #417862) * Fixed CVE-2007-1797: Multiple integer overflows in the ReadDCMImage function and in the ReadXWDImage function * Fixed CVE-2007-4985: denial of service via a crafted image file that triggers an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls. (Closes: #444266) * Fixed CVE-2007-4986: integer overflows in multiple coders * Fixed CVE-2007-4988: sign extension error when reading DIB images. * Fixed CVE-2008-1096: XCF Buffer overflow (Closes: #414370) * Fixed CVE-2008-3134: Multiple errors within the processing of various formats can be exploited to crash the application (Closes: 491439) * Fixed CVE-2008-6070: Multiple heap-based buffer underflows in the ReadPALMImage function * Fixed CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function * Fixed CVE-2008-6072: Multiple errors within the processing of XCF and CINEON images can be exploited to crash the application. * Fixed CVE-2008-6621: Multiple errors within the processing of DPX images can be exploited to crash the application. * Fixed CVE-2009-1882: Integer overflow in the XMakeImage function (Closes: 530946)
-- Giuseppe Iuculano <iuculano@debian.org> Mon, 05 Oct 2009 21:37:33 +0200
2007
graphicsmagick (1.1.7-13) unstable; urgency=high
* The following problems were found thanks to numerous testcases provided
by Sami Liedes:
+ coders/pcx.c: Fix heap overflow vulnerability of scanline array
with user-supplied input. Closes: #413034
Also adds error checks and caps maximum number of colours to prevent
segfaults with further testcases. Closes: #414058
+ coders/pict.c: Fix integer overflow to prevent overflowing a
heap buffer with user-supplied input. Closes: #413036
Validate header information to prevent segfaults with further
testcases. Closes: #414059
+ coders/xwd.c: Check image data more strictly before passing it on to
XGetPixel() to circumvent buffer overflow in libX11. Closes: #413040
+ Fix various segfaults with corrupt image data due to insufficient
validation of return values from SeekBlob(). None of these are
currently known to allow code injection.
- coders/bmp.c: Add error checks to SeekBlob() calls. Closes: #413031
- coders/cineon.c: Likewise. Closes: #413038
- coders/icon.c: Likewise. Closes: #413032
Extend validation checks to prevent segfaults with
further testcases. Closes: #414057
- magick/blob.c: Increase robustness of function ReadBlobStream() to
mitigate the impact of missing error checks on SeekBlob() calls.
+ coders/png.c: Fix NULL pointer dereference due to insufficient
validation of image data. Closes: #413035
+ coders/pnm.c: Fix segfault on out-of-bounds read access due to
insufficient validation of image data. Closes: #413037
+ coders/sun.c: Fix segfaults on out-of-bounds read access due to
insufficient validation of image data. Closes: #413039
* utilities/miff.4: Trim name section of man page, and move overlong
line to description. Closes: #390501
* debian/graphicsmagick.menu: Show logo on startup from menu, rather
than quitting immediately. Thanks Justin B. Rye. Closes: #407464
-- Daniel Kobras <kobras@debian.org> Sat, 10 Mar 2007 23:52:50 +0100
graphicsmagick (1.1.7-12) unstable; urgency=high
* coders/palm.c: Fix regression introduced in patch for CVE-2006-5456. Avoid bogus second read in macro call. Patch thanks to Vladimir Nadvornik. (CVE-2007-0770)
-- Daniel Kobras <kobras@debian.org> Sat, 10 Feb 2007 15:50:53 +0100
graphicsmagick (1.1.7-11) unstable; urgency=medium
* config/delegates.mgk.in: Lose obsolete option -2 when calling dcraw
delegate. Fixes support for raw image data from digital cameras.
Closes: #405960
-- Daniel Kobras <kobras@debian.org> Sun, 7 Jan 2007 17:59:16 +0100
2006
graphicsmagick (1.1.7-10) unstable; urgency=high
* coders/png.c: Fix syntax errors in asm controlling code of PNG
coder.
* debian/changelog: Add recently assigned CVE references to security
fixes in previous changelog entry.
* debian/control: Recommend package gsfonts that provides the fonts
referenced in the default type map.
* debian/control: Adjust (build-)dependencies as x-dev package was
superseded by x11proto-core-dev. Closes: #397770
* debian/Magick.pm: Fix typo in POD section.
-- Daniel Kobras <kobras@debian.org> Wed, 13 Dec 2006 19:38:31 +0100
graphicsmagick (1.1.7-9) unstable; urgency=high
* coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
(CVE-2006-5456)
* coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas
Pihlaja. (CVE-2006-5456)
-- Daniel Kobras <kobras@debian.org> Fri, 29 Sep 2006 15:52:41 +0200
graphicsmagick (1.1.7-8) unstable; urgency=high
* coders/xcf.c: Fix buffer overflow in XCF coder (CVE-2006-3743). * It seems I've fixed the vulnerabilities described in CVE-2006-3744 (coders/sgi.c) independently in the previous upload already while the original report had been embargoed.
-- Daniel Kobras <kobras@debian.org> Wed, 6 Sep 2006 18:24:36 +0200
graphicsmagick (1.1.7-7) unstable; urgency=high
* coders/sgi.c: Fix multiple heap overflow vulnerabilities in SGI coder
due to
+ missing boundary checks in SGIDecode();
+ missing validation of pixel depth field;
+ integer overflow via large columns and rows fields (CVE-2006-4144)
Closes: #383333
+ missing validation of chunk size fields (variable 'runlength') in
run-length encoded images.
* coders/sgi.c: Check for bogus values of 'bytes_per_pixel' and 'depth'.
* coders/sgi.c: Fix calculation of internal depth value.
-- Daniel Kobras <kobras@debian.org> Fri, 18 Aug 2006 11:50:42 +0200
graphicsmagick (1.1.7-6) unstable; urgency=low
* debian/compat: Bump debhelper compatibility level to 5.
* debian/control: Build-depend on debhelper version 5 and up.
* debian/control: Remove redundant Build-Depends-Indep.
* debian/control: Add new package graphicsmagick-dbg containing debugging
symbols for all language bindings and the main executable.
* debian/control: Suggest debugging package where appropriate.
* debian/control: Build-depend on sharutils for uudecode.
* debian/control: Version build-dependency on libwmf-dev. Earlier versions
will fail the testsuite.
* debian/libgraphicsmagick++1.install: There is no libGraphicsMagickWand++,
so don't try to install it.
* debian/libgraphicsmagick{,++}1-dev.install: Remove .la files as long as
nobody's using them.
* debian/rules: Give in and disable strict aliasing for the moment until
we get fixes for all instances that currently break the rules.
* debian/rules: Place all debugging symbols into graphicsmagick-dbg.
* debian/rules: New libwmf yields better image quality than old reference
image in regression test. We cannot patch the binary image directly in
the Debian diff, so add uudecode magic to check and clean targets.
* debian/ski.miff.uu: Updated version of reference image in WMF regression
test. Uuencoded to fit into the Debian diff.
* magick/cache.c: Include definition of HAVE_PREAD before checking its
value. Now really pulls in proper declarations of pread() and pwrite().
-- Daniel Kobras <kobras@debian.org> Tue, 1 Aug 2006 14:00:30 +0200
graphicsmagick (1.1.7-5) unstable; urgency=low
* coders/wpg.c: Fix segfault in WPG decoder. Closes: #366191 * debian/control: Fix typo 'thumnails' in package description. Closes: #363623 * debian/control: Prefer real package zlib1g-dev over virtual libz-dev in (build-)dependencies. * debian/control: Add (build-)dependency on libjasper-1.701-dev to support JPEG2000 images. * debian/rules: Change X11 directories from /usr/X11R6/{include,lib} to /usr/{include,lib}/X11. * debian/control: X11 change makes package comply with policy 3.7.2. Bump Standards-Version accordingly.
-- Daniel Kobras <kobras@debian.org> Sat, 6 May 2006 16:28:08 +0200
graphicsmagick (1.1.7-4) unstable; urgency=low
* debian/rules: Lower optimisation level on magick/draw.c and
wand/drawing_wand.c on arm to work around a compiler issue
when calling variadic functions. Fixes crashes of the test suite
on arm.
-- Daniel Kobras <kobras@debian.org> Tue, 28 Mar 2006 21:49:16 +0200
graphicsmagick (1.1.7-3) unstable; urgency=low
* debian/control: Replace pre-etch versions of imagemagick to prevent
file conflicts with miff.4 and quantize.5 man pages during partial
upgrade. Closes: #351262
* tests/drawtest.c: Make sure filename strings do not run out of bounds.
* magick/cache.c: Define as _XOPEN_SOURCE to pull in declarations for
Unix98 extensions pread() and pwrite().
* magick/montage.c: Fix bogus modulation of brightness when creating
shadows around tiles in montage. Instead, drop constant grey shadow
like current ImageMagick.
* PerlMagick/t/montage.t: Update reference signatures for montage test
cases with shadow according to above change.
-- Daniel Kobras <kobras@debian.org> Sun, 5 Feb 2006 21:57:14 +0100
graphicsmagick (1.1.7-2) unstable; urgency=low
* magick/tempfile.c: Canonify relative paths before referring to
them in a symlink.
* debian/control: Add transfig to build dependencies for xfig regression
test.
* debian/control: Recommend gs in libgraphicsmagick1 package as it's a
commonly used delegate.
-- Daniel Kobras <kobras@debian.org> Thu, 12 Jan 2006 12:32:11 +0100
graphicsmagick (1.1.7-1) unstable; urgency=low
* First upload to official Debian archives. Closes: #345017 * New upstream version. * debian/*: Major overhaul to comply with packaging standards. Apart from the changelog, few lines have survived the clean-up. Still, we try to ensure smooth upgrade from the previous, unofficial packages. Most notable packaging changes: + Names of library packages are properly versioned. + Name of compatibility package expanded to -imagemagick-compat. + Removed compatibility shell script, and replaced with simple symlinks to gm. Extra functionality from wrapper was only required by old versions of typo3 according to previous maintainers. + New compatibility package -libmagick-dev-compat providing wrappers for package development. + Build separate packages for C++ library. + Drop separate -doc package. + More verbose package descriptions. + Run test suite at build time. + Disable support for obsolete libdps. Build-depend on ghostscript instead for ps/pdf regression tests. + New maintainer. * PerlMagick/t/ttf/read.t: Disabled ttf testcase that is known to fail because of problems with special characters. * magick/{blob.c,command.c,image.c,log.c,utility.c,utility.h}: FormatString() was called with unsanitized user input. Introduced new helper function FormatStringNumeric() to allow a single numeric format expansion. (This is a more complete fix for CAN-2005-0397 reported against ImageMagick.) * magick/attribute.c: Apply missing piece of fix for heap overflow in EXIF parser from ImageMagick patch. (CAN-2004-0981) * configure.ac, configure: Fix typo that lead to an undefined delegate for HTML conversion. * magick/constitute.c: Apply upstream fix for potential NULL pointer dereference in ReadImage(). * magick/{delegate.c,symbols.h,tempfile.h,tempfile.c}: When calling external delegates, check filename against whitelist of safe characters, and pass securely named symlink to delegate if check fails. (CVE-2005-4601)
-- Daniel Kobras <kobras@debian.org> Mon, 9 Jan 2006 22:19:07 +0100
2005
graphicsmagick (1.1.6-3) unstable; urgency=low
* Added colors.mgk to libgraphicsmagick
-- Michael Stucki <michael@typo3.org> Sun, 15 May 2005 22:15:02 +0200
graphicsmagick (1.1.6-2) unstable; urgency=low
* changed value for MagickLibSubdir and MagickShareSubdir in configure.ac
* changed value for includedir in Makefile.am in
- magick/Makefile.am
- Magick++/lib/Magick++/Makefile.am
- Magick++/lib/Makefile.am
- wand/Makefile.am
-- Michael Stucki <michael@typo3.org> Sun, 15 May 2005 15:00:48 +0200
graphicsmagick (1.1.6-1) unstable; urgency=low
* New upstream release
-- Michael Stucki <michael@typo3.org> Sun, 15 May 2005 04:48:06 +0200
2004
graphicsmagick (1.1.2-5) unstable; urgency=low
* Backport on Debian Sarge * Fixed a bug in -im-compat * Renamed gm-wrapper to graphicsmagick_wrapper
-- Michael Stucki <mundaun@gmx.ch> Thu, 12 Aug 2004 00:55:27 +0200
graphicsmagick (1.1.2-4) unstable; urgency=low
* Fixed package -im-compat, shell-script was not executable
-- Sven Wilhelm <wilhelm@icecrash.com> Fri, 6 Aug 2004 19:56:38 +0200
graphicsmagick (1.1.2-3) unstable; urgency=low
* Added wrapper script for im compatibility * Fixed descriptions in control file * Changed to library libtiff4
-- Sven Wilhelm <wilhelm@icecrash.com> Fri, 6 Aug 2004 16:01:43 +0200
graphicsmagick (1.1.2-2) unstable; urgency=low
* Fixed missing *.mgk files * -doc package now has its content
-- Sven Wilhelm <wilhelm@icecrash.com> Fri, 6 Aug 2004 14:34:33 +0200
graphicsmagick (1.1.2-1) unstable; urgency=low
* Initial Release.
* changed value for MagickLibSubdir in configure.ac
* changed value for includedir in Makefile.am in
- magick/Makefile.am
- Magick++/lib/Magick++/Makefile.am
- Magick++/lib/Makefile.am
- wand/Makefile.am
-- Sven Wilhelm <wilhelm@icecrash.com> Mon, 7 Jun 2004 02:23:06 +0200