
Accepted graphicsmagick 1.3.16-1.1+deb7u1 (source amd64 all) into oldstable

Format: 1.8
Date: Sat, 21 May 2016 18:41:30 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Changes: 
 graphicsmagick (1.3.16-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix the following security vulnerabilities in Graphicsmagick.
   * CVE-2016-3714:
     GraphicsMagick is not susceptible to remote code execution except if
     gnuplot is installed (because gnuplot executes shell commands).
     Gnuplot-shell based shell exploits are possible without a gnuplot file
     being involved although gnuplot invokes the shell.
     To fix this, the "gplt" entry in the delegates.mgk file was removed.
   * CVE-2016-3718:
     GraphicsMagick has always supported HTTP and FTP URL requests from the
     context of the executing process if it is linked with libxml2. There is no
     sandboxing or policy to determine which HTTP and FTP URLs should be
     allowed/denied because they should only be available from outside the
     system, or in the public space outside a "firewall".
     To fix this, the automatic detection/execution of MVG based on file header or
     file extension was removed, and it is assured that the "magick:" prefix
     string will not be interpreted.
   * CVE-2016-3715:
     While the syntax is different from ImageMagick, GraphicsMagick does support
     a file specification syntax "tmp:" which causes the input file to be
     deleted after it is read. This has limited use to hand off responsibility
     for a temporary file to another process in order to assure that the
     temporary file will be deleted once it is no longer needed. This feature
     was removed since it is not actually necessary any more.
   * CVE-2016-3716:
     This is a two-factor attack and is actually file copying. It is not
     successful using GraphicsMagick. MSL is an XML-based "script" format which
     should never be allowed to be submitted and invoked by an untrusted party.
   * CVE-2016-3717:
     GraphicsMagick supports a "txt:" file specification syntax which enables
     rendering all the lines of a text file as an image. There is also a
     "label:" file specification syntax which is capable of rendering only the
     first line of a file. Files ending with extension ".txt" are automatically
     rendered into an image. The main concern with this is that sensitive data
     in a text file might become rendered as an image on a web site. Using an
     uploaded manual page with file extension ".man" or by reading with
     "man:filename", the 'man' delegate can be used to render any file on the
     system into Postscript if 'groff' is installed.
     This issue was fixed by removing manual page support and by adding -dSAFER to
     all ghostscript invocations.
   * CVE-2015-8808:
     Assure that GIF decoder does not use uninitialized data and cause an
     out-of-bound read.
   * CVE-2016-2317 and CVE-2016-2318:
     Security vulnerabilities that allow reading or writing outside memory bounds
     (heap, stack) as well as some null-pointer dereferences that cause a denial
     of service when parsing SVG files.
     http://seclists.org/oss-sec/2016/q1/297

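As an added example (not part of this upload or of GraphicsMagick's own code), a small audit of a delegates.mgk-style file for the two delegate changes the changelog describes: the "gplt"/"man" delegates being gone, and every Ghostscript invocation carrying -dSAFER. The sample file content and the `<delegatemap>`/`<delegate decode= command=>` layout are assumed and constructed here, not copied from the package.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed delegates.mgk layout; it deliberately
# contains entries the changelog says should no longer exist or be unsafe.
SAMPLE_DELEGATES = """<delegatemap>
  <delegate decode="gplt" command='"gnuplot" "%i"' />
  <delegate decode="ps"  command='"gs" -q -dBATCH -dSAFER -dNOPAUSE -sDEVICE=pnmraw -sOutputFile="%o" "%i"' />
  <delegate decode="pdf" command='"gs" -q -dBATCH -dNOPAUSE -sDEVICE=pnmraw -sOutputFile="%o" "%i"' />
  <delegate decode="man" command='"groff" -man -Tps "%i" > "%o"' />
</delegatemap>
"""

# Delegates the changelog says were removed from delegates.mgk.
REMOVED_DELEGATES = {"gplt", "man"}

# Matches a command whose program is gs (quoted or bare).
GS_PROGRAM = re.compile(r'(^|[\s"])gs(["\s]|$)')


def audit_delegates(xml_text):
    """Return (decode, reason) findings: removed delegates still present,
    and Ghostscript commands that do not pass -dSAFER."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("delegate"):
        decode = entry.get("decode", "")
        command = entry.get("command", "")
        if decode in REMOVED_DELEGATES:
            findings.append((decode, "delegate removed by the fix is still present"))
        if GS_PROGRAM.search(command) and "-dSAFER" not in command.split():
            findings.append((decode, "ghostscript invoked without -dSAFER"))
    return findings


def main(argv):
    # With a path argument, audit that file; otherwise audit the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DELEGATES
    findings = audit_delegates(text)
    for decode, reason in findings:
        print(f"{decode}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```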