imagemagick (8:6.9.12.98+dfsg1-5.2)
[PTS] [DDPO]
OLD: VCS is behind the version in the archive: 8:6.9.11.60+dfsg-1.6+deb12u1 < 8:6.9.12.98+dfsg1-5.2.
- Git: https://salsa.debian.org/debian/imagemagick.git
-
- Branch: debian/bookworm
- Path: debian/changelog
- Repo size: 5017600
- Browser: https://salsa.debian.org/debian/imagemagick
- Last scan: 2024-04-24 10:34:01+00
- Next scan: 2024-05-01 09:22:00+00
- CI pipeline status: failed
- Debian changelog in Git:
imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
* Acknowledge NMU
* Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
* Fix an heap buffer overflow in TIFF coder
* Fix uninitialised value passing in TIFFGetField
* Fix stack overflow in TIFF coder
* Early exit in case of malformed TIFF file
* Fix buffer overrun in TIFF coder
* Fix unitialised value in TIFF coder
* Fix CVE-2022-1115: Heap based overflow in
TIFF coder (Closes: #1013282)
* Fix uninitialised value in TIFF coders
* Use salsa-ci
* Fix CVE-2023-1289: A specially created SVG file loaded itself and
causes a segmentation fault. This flaw allows a remote attacker
to pass a specially crafted SVG file that leads to a segmentation
fault, generating many trash files in "/tmp," resulting in
a denial of service. When ImageMagick crashes,
it generates a lot of trash files. These trash files
can be large if the SVG file contains many render actions.
In a denial of service attack, if a remote attacker uploads an SVG file
of size t, ImageMagick generates files of size 103*t.
If an attacker uploads a 100M SVG, the server will generate about 10G.
* Fix CVE-2023-1906: A heap-based buffer overflow issue was
discovered in ImageMagick's ImportMultiSpectralQuantum() function
in MagickCore/quantum-import.c. An attacker could pass specially
crafted file to convert, triggering an out-of-bounds read error,
allowing an application to crash, resulting in a denial of service.
* Fix CVE-2023-34151: Imagemagick was vulnerable due to
an undefined behaviors of casting double to size_t in svg, mvg
and other coders. (Closes: #1036999)
* Fix CVE-2023-3428: A heap-based buffer overflow vulnerability
was found in coders/tiff.c in ImageMagick. This issue
may allow a local attacker to trick the user into opening
a specially crafted file, resulting in an application crash
and denial of service.
* Fix CVE-2023-5341: A heap use-after-free flaw was found in
coders/bmp.c
-- Bastien Roucariès <rouca@debian.org> Mon, 12 Feb 2024 20:15:47 +0000
- This branch is even with tag debian/8%6.9.11.60+dfsg-1.6+deb12u1