Debian Quality Assurance

imagemagick (8:6.9.12.98+dfsg1-5.2) [PTS] [DDPO]

OLD: VCS is behind the version in the archive: 8:6.9.11.60+dfsg-1.6+deb12u1 < 8:6.9.12.98+dfsg1-5.2.

• Git: https://salsa.debian.org/debian/imagemagick.git
• JSON
  Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
  For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
  The next upload will reset the information from the source package headers.
• Branch: debian/bookworm
• Path: debian/changelog
• Repo size: 5017600
• Browser: https://salsa.debian.org/debian/imagemagick
• Last scan: 2024-04-24 10:34:01+00
• Next scan: 2024-05-01 09:22:00+00
• CI pipeline status: failed
• Debian changelog in Git:

  imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
  
    * Acknowledge NMU
    * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
    * Fix an heap buffer overflow in TIFF coder
    * Fix uninitialised value passing in TIFFGetField
    * Fix stack overflow in TIFF coder
    * Early exit in case of malformed TIFF file
    * Fix buffer overrun in TIFF coder
    * Fix unitialised value in TIFF coder
    * Fix CVE-2022-1115: Heap based overflow in
      TIFF coder (Closes: #1013282)
    * Fix uninitialised value in TIFF coders
    * Use salsa-ci
    * Fix CVE-2023-1289: A specially created SVG file loaded itself and
      causes a segmentation fault. This flaw allows a remote attacker
      to pass a specially crafted SVG file that leads to a segmentation
      fault, generating many trash files in "/tmp," resulting in
      a denial of service. When ImageMagick crashes,
      it generates a lot of trash files. These trash files
      can be large if the SVG file contains many render actions.
      In a denial of service attack, if a remote attacker uploads an SVG file
      of size t, ImageMagick generates files of size 103*t.
      If an attacker uploads a 100M SVG, the server will generate about 10G.
    * Fix CVE-2023-1906: A heap-based buffer overflow issue was
      discovered in ImageMagick's ImportMultiSpectralQuantum() function
      in MagickCore/quantum-import.c. An attacker could pass specially
      crafted file to convert, triggering an out-of-bounds read error,
      allowing an application to crash, resulting in a denial of service.
    * Fix CVE-2023-34151: Imagemagick was vulnerable due to
      an undefined behaviors of casting double to size_t in svg, mvg
      and other coders. (Closes: #1036999)
    * Fix CVE-2023-3428: A heap-based buffer overflow vulnerability
      was found in coders/tiff.c in ImageMagick. This issue
      may allow a local attacker to trick the user into opening
      a specially crafted file, resulting in an application crash
      and denial of service.
    * Fix CVE-2023-5341: A heap use-after-free flaw was found in
      coders/bmp.c
  
   -- Bastien Roucariès <rouca@debian.org>  Mon, 12 Feb 2024 20:15:47 +0000

• This branch is even with tag debian/8%6.9.11.60+dfsg-1.6+deb12u1

Package: JSON [Main page]

---

Back to the Debian Project homepage.

---