UbuntuUpdates.org

Package "graphicsmagick-imagemagick-compat"

Name: graphicsmagick-imagemagick-compat

Description:

image processing tools providing ImageMagick interface

Latest version: 1.3.23-1ubuntu0.6
Release: xenial (16.04)
Level: security
Repository: universe
Head package: graphicsmagick
Homepage: http://www.graphicsmagick.org/

Links


Download "graphicsmagick-imagemagick-compat"


Other versions of "graphicsmagick-imagemagick-compat" in Xenial

Repository Area Version
base universe 1.3.23-1build1
updates universe 1.3.23-1ubuntu0.6

Changelog

Version: 1.3.23-1ubuntu0.1 2018-11-05 14:07:07 UTC

  graphicsmagick (1.3.23-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS (crash) via a crafted SVG file.
    - debian/patches/CVE-2016-2317_part1.patch: Fix heap buffer overflow
    - debian/patches/CVE-2016-2317_part2.patch: Fix stack buffer overflow
    - debian/patches/CVE-2016-2317_part3.patch: Fix segmentation violation
    - CVE-2016-2317
  * SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted SVG
    file.
    - debian/patches/CVE-2016-2318.patch: Make SVG path and other
      primitive parsing more robust
    - CVE-2016-2318
  * SECURITY UPDATE: Arbitrary code execution via shell metacharacters in
    a crafted image file.
    - debian/patches/CVE-2016-3714.patch: Remove delegates support for
      reading gnuplot files.
    - CVE-2016-3714
  * SECURITY UPDATE: Remote attackers are able to delete arbitrary files
    via a crafted image.
    - debian/patches/CVE-2016-3715.patch: remove undocumented "TMP" magic
      prefix.
    - CVE-2016-3715
  * SECURITY UPDATE: Remote attackers can move arbitrary files via a
    crafted image.
    - debian/patches/CVE-2016-3716_part1.patch: Ignore the file extension
      on MSL files.
    - debian/patches/CVE-2016-3716_part2.patch: Do not auto-detect MVG
      format based on file extension.
    - CVE-2016-3716
  * SECURITY UPDATE: Remote attackers can read arbitrary files via a
    crafted image.
    - debian/patches/CVE-2016-3717.patch: fix in delegates.mgk.in
    - CVE-2016-3717
  * SECURITY UPDATE: Remote attackers can conduct server-side request
    forgery (SSRF) attacks via a crafted image.
    - debian/patches/CVE-2016-3718.patch: fix in render.c
    - CVE-2016-3718
  * SECURITY UPDATE: Remote attackers can execute arbitrary files via a
    pipe character at the start of a filename.
    - debian/patches/CVE-2016-5118.patch: remove support for reading
      input from a shell command or writing output to a shell command
    - CVE-2016-5118
  * SECURITY UPDATE: Remote attackers can execute arbitrary commands via
    unspecified vectors.
    - debian/patches/CVE-2016-5239.patch: remove delegates support for
      Gnuplot and varios other file types.
    - CVE-2016-5239
  * SECURITY UPDATE: Remote attackers to cause a DoS (infinite loop) by
    converting a circularly defined SVG file.
    - debian/patches/CVE-2016-5240.patch: endless loop problem caused by
      negative stroke-dasharray arguments
    - CVE-2016-5240
  * SECURITY UPDATE: Remote attackers to cause DoS (arithmetic exception
    and application crash) via a crafted svg file.
    - debian/patches/CVE-2016-5241.patch: Fix divide-by-zero problem if
      fill or stroke pattern image has zero columns or rows
    - CVE-2016-5241
  * SECURITY UPDATE: Buffer overflow in MVG and SVG rendering code.
    - debian/patches/CVE-2016-7446.patch: fix in svg.c
    - CVE-2016-7446
  * SECURITY UPDATE: Heap buffer overflow in the EscapeParenthesis.
    - debian/patches/CVE-2016-7447.patch: re-wrote the implementation of
      EscapeParenthesis() in annotate.c
    - CVE-2016-7447
  * SECURITY UPDATE: DoS (CPU consumption or large memory allocations)
    via vectors involving the header information and the file size.
    - debian/patches/CVE-2016-7448_part1.patch: fix in rle.c
    - debian/patches/CVE-2016-7448_part2.patch: fix in rle.c
    - CVE-2016-7448
  * SECURITY UPDATE: DoS (out-of-bounds heap read) via a file containing
    an "unterminated" string.
    - debian/patches/CVE-2016-7449.patch: fix a heap buffer read overrun
      if buffer not null terminated
    - CVE-2016-7449
  * SECURITY UPDATE: Integer underflow in the parse8BIM function.
    - debian/patches/CVE-2016-7800.patch: fix unsigned underflow.
    - CVE-2016-7800
  * SECURITY UPDATE: Heap buffer overflow and DoS in the WPG format
    reader.
    - debian/patches/CVE-2016-7996_CVE-2016-7997.patch: fix in wpg.c
    - CVE-2016-7996
    - CVE-2016-7997
  * SECURITY UPDATE: DoS (out-of-bounds read) via a crafted SCT header.
    - debian/patches/CVE-2016-8682.patch: Fix stack-buffer read overflow
      while reading SCT file header.
    - CVE-2016-8682
  * SECURITY UPDATE: Memory allocation failure and a "file truncation
    error for corrupt file" via a crafted PCX image.
    - debian/patches/CVE-2016-8683.patch: check that filesize is
      reasonable given header.
    - CVE-2016-8683
  * SECURITY UPDATE: Memory allocation failure and a "file truncation
    error for corrupt file" via a crafted SGI image.
    - debian/patches/CVE-2016-8684.patch: Check that filesize is
      reasonable given header.
    - CVE-2016-8684
  * SECURITY UPDATE: DoS (crash) via a large dimensions in a jpeg image.
    - debian/patches/CVE-2016-9830.patch: enforce spec requirement that
      the dimensions of the JPEG embedded in a JDAT chunk must match the
      JHDR dimensions.
    - CVE-2016-9830

 -- Eduardo Barretto <email address hidden> Thu, 01 Nov 2018 15:03:05 -0300

CVE-2016-2317 Multiple buffer overflows in GraphicsMagick 1.3.23 allow remote attackers to cause a denial of service (crash) via a crafted SVG file, related to the
CVE-2016-2318 GraphicsMagick 1.3.23 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted SVG file, related to the (1) Draw
CVE-2016-3714 The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1
CVE-2016-3715 The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
CVE-2016-3716 The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.
CVE-2016-3717 The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.
CVE-2016-3718 The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (
CVE-2016-5118 popen() shell vulnerability via filename
CVE-2016-5239 The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspeci
CVE-2016-5240 The DrawDashPolygon function in magick/render.c in GraphicsMagick before 1.3.24 and the SVG renderer in ImageMagick allow remote attackers to cause a
CVE-2016-5241 magick/render.c in GraphicsMagick before 1.3.24 allows remote attackers to cause a denial of service (arithmetic exception and application crash) via
CVE-2016-7446 Buffer overflow in the MVG and SVG rendering code in GraphicsMagick 1.3.24 allows remote attackers to have unspecified impact via unknown vectors. No
CVE-2016-7447 Heap-based buffer overflow in the EscapeParenthesis function in GraphicsMagick before 1.3.25 allows remote attackers to have unspecified impact via u
CVE-2016-7448 The Utah RLE reader in GraphicsMagick before 1.3.25 allows remote attackers to cause a denial of service (CPU consumption or large memory allocations
CVE-2016-7449 The TIFFGetField function in coders/tiff.c in GraphicsMagick 1.3.24 allows remote attackers to cause a denial of service (out-of-bounds heap read) vi
CVE-2016-7800 Integer underflow in the parse8BIM function in coders/meta.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of servic
CVE-2016-7996 Heap-based buffer overflow in the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to have unspecified impact via a col
CVE-2016-7997 The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (assertion failure and crash) via vec
CVE-2016-8682 The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a cr
CVE-2016-8683 The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which trig
CVE-2016-8684 The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which t
CVE-2016-9830 The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in



About   -   Send Feedback to @ubuntu_updates