Changelog

graphicsmagick (1.3.25-8~ubuntu14.04.1+deb.sury.org+2) trusty; urgency=medium

  * No-change backport to trusty

graphicsmagick (1.3.25-8) unstable; urgency=high

  * Backport security fix for out of bounds access when reading CMYKA tiff.

graphicsmagick (1.3.25-7) unstable; urgency=medium

  * Add hack to build self-tests on mips* architectures.

graphicsmagick (1.3.25-6) unstable; urgency=high

  * Fix CVE-2016-9830: memory allocation failure in MagickRealloc
    (closes: #847072).

graphicsmagick (1.3.25-5) unstable; urgency=high

  * Fix CVE-2016-8682: stack-based buffer overflow in ReadSCTImage (sct.c).
  * Fix CVE-2016-8683: memory allocation failure in ReadPCXImage (pcx.c).
  * Fix CVE-2016-8684: memory allocation failure in MagickMalloc (memory.c).

graphicsmagick (1.3.25-4) unstable; urgency=high

  * Fix CVE-2016-7997: correctly flip image->blob and rotated_image->blob.

graphicsmagick (1.3.25-3) unstable; urgency=high

  * Fix CVE-2016-7800: unsigned underflow leading to heap overflow when
    parsing 8BIM chunk.

graphicsmagick (1.3.25-2) unstable; urgency=medium

  * Compile magick/semaphore.c without optimization on ppc64el to prevent
    Perl self-test segfaults (closes: #837719).

graphicsmagick (1.3.25-1) unstable; urgency=high

  * New upstream release, with the following security updates:
    - fix heap overflow in EscapeParenthesis() used in the text annotation
      code,
    - Utah RLE: Reject truncated/absurd files which caused huge memory
      allocations and/or consumed huge CPU,
    - SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in
      the MVG rendering code (also impacts SVG),
    - TIFF: Fix heap buffer read overflow while copying sized TIFF attributes.

graphicsmagick (1.3.24+hg20160808-1) unstable; urgency=low

  * New upstream, Mercurial snapshot release.
  * Fixes DrawPrimitive() issue (closes: #829063).

graphicsmagick (1.3.24-2) unstable; urgency=low

  * Backport upstream fix for DrawPrimitive() (closes: #829063).

graphicsmagick (1.3.24-1) unstable; urgency=high

  * New upstream release, focusing on security fixes for the following image
    formats:
    - DIB: fix out of bound reads and add more header validations,
    - JNG: file size limits are enforced,
    - MATLAB: fix DoS and hang on corrupt deflate stream,
    - META (Embedded Image Profiles): fix out of bounds reads and writes,
    - MIFF (Magick): fix thrown assertion,
    - CVE-2016-3716: Magick Scripting Language file processing is not done by
      default but needs to be prefixed with 'msl:',
    - Magick Vector Graphics file processing is not done by default but needs
      to be prefixed with 'mvg:', and prevent heap overflow problems,
    - PCX: fix unreasonable memory allocation due to intentionally corrupt
      file,
    - PDB: fix heap buffer overflow and out of bounds read,
    - PICT: fix out of bounds write,
    - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
      for safer execution,
    - PSD: fix segmentation violations, heap buffer overflows and out of
      bound writes,
    - RLE: fix out of bounds reads and writes,
    - ReadImages(): fix possible infinite recursion due to a crafted input
      file,
    - RotateImage(): fix thrown assertion,
    - SGI: fix out of bounds writes,
    - SUN: fix out of bounds reads and writes,
    - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
      overflows, as well as segmentation violations (closes: #814732);
      also fix endless loop, unexpectedly large memory allocation, divide by
      zero and recursion issues,
    - TIFF: fix assertion while reading and fix benign heap overflow,
    - VIFF: fix excessive memory allocation with intentionally corrupted
      input file,
    - XCF: fix heap buffer overflow,
    - XPM: fix several heap buffer overflows and out of bound reads/writes;
      also fix a case of excessive memory allocation,
    - CVE-2016-5118: popen() shell vulnerability via filename that contains
      '|', remove pipe support entirely (closes: #825800);
      file names starting with a '|' character are no longer interpreted as
      shell commands to be executed as input or output,
    - default.mgk file has been pared down in order to reduce security
      exposure,
    - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
      files is removed since the format is inherently insecure,
    - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
      the file since this seems dangerous,
    - CVE-2016-3718: sanity check the image file path or URL before passing
      it to ReadImage(),
    - fix several Coverity issues like dereference after null check, multiple
      resource leaks and logically dead code.
  * Update library symbols for this release.

graphicsmagick (1.3.23-3) unstable; urgency=low

  * Remove JasPer JPEG-2000 codec support build dependency and remove its
    symbols from the libgraphicsmagick-q16-3 library (closes: #818199).
  * Update Standards-Version to 3.9.8 .

graphicsmagick (1.3.23-2) unstable; urgency=low

  * Add previously transient gsfonts build dependency (closes: #815736).

graphicsmagick (1.3.23-1) unstable; urgency=medium

  * New upstream release.

graphicsmagick (1.3.22-2) unstable; urgency=low

  * Transition libgraphicsmagick++-q16-11 to libgraphicsmagick++-q16-12
    (closes: #803958).
  * Conflict and replace version 1.3.22-1 of libgraphicsmagick++-q16-11 .

graphicsmagick (1.3.22-1) unstable; urgency=low

  * New upstream release.
  * Update libgraphicsmagick-q16-3 symbols file.
  * Update watch file.

graphicsmagick (1.3.21-4) unstable; urgency=low

  * Change C library name to ending with -q16 for QuantumDepth=16 ABI change
    and compile shared library to include the QuantumDepth value
    (closes: #796310).
  * Remove breaks on pdf2djvu.
  * Make rebuildable (closes: #796307).

  [ Jakub Wilk <email address hidden> ]
  * Remove obsolete conflicts/replaces on libgraphicsmagick.
  * Version conflicts/replaces on libgraphicsmagick3.
  * No longer need to pass -l and -L switches to dh_shlibdeps.

graphicsmagick (1.3.21-3) unstable; urgency=medium

  * libgraphicsmagick++3 and libgraphicsmagick++11 are co-installable
    (closes: #795099).
  * libgraphicsmagick1-dev needs recent libgraphicsmagick++1-dev
    (closes: #795102).
  * Fix images symlink for development packages (closes: #795172).
  * libgraphicsmagick3 breaks old versions of pdf2djvu .

graphicsmagick (1.3.21-2) unstable; urgency=medium

  * Upload to unstable for GCC 5 transition.
  * Enable WebP support (closes: #789745).
  * Make rebuildable.

graphicsmagick (1.3.21-1) experimental; urgency=high

  * New upstream release, including many security fixes.
  * Start transition from libgraphicsmagick++3 to libgraphicsmagick++11 .
  * Update libgraphicsmagick3 symbols.

graphicsmagick (1.3.20-4) experimental; urgency=low

  * Test build with QuantumDepth 16 (closes: #557879).
  * Update Standards-Version to 3.9.6 .

graphicsmagick (1.3.20-3) unstable; urgency=medium

  * Use upstream fix for AnnotateImage() return value (closes: #759956).

graphicsmagick (1.3.20-2) unstable; urgency=medium

  * Change binary libtiff4-dev dependency to libtiff-dev as well
    (closes: #759595).
  * Version perl build dependency to 5.20 or later.

graphicsmagick (1.3.20-1) unstable; urgency=medium

  * New upstream release (closes: #710716).
  * Use GraphicsMagick-1.3.20-CVE-2014-1947.patch from Fedora to fix
    CVE-2014-1947.
  * Add homepage field.
  * Disable update_freetype.h_location.patch , upstream solved freetype
    detection.
  * Sync with Ubuntu.

  [ Matthias Klose <email address hidden> ]
  * Build-depend/depend on libtiff-dev rather than libtiff4-dev.
  * Build-depend/depend on lcms2.
  * Build using dh-autoreconf.
  * Fix link error building the demo and test files.

  [ Bart Martens <email address hidden> ]
  * Add watch file.

 -- Ondřej Surý <email address hidden>  Wed, 21 Jun 2017 13:02:37 +0200
