[CVE-2006-0082] imagemagick: New format string vulnerability in SetImageInfo().

Debian Bug report logs - #345876

Reported by: Daniel Kobras <kobras@debian.org>

Date: Wed, 4 Jan 2006 01:33:02 UTC

Severity: grave

Tags: fixed, patch, security

Found in version imagemagick/6:6.2.3.0-1

Fixed in versions 6:6.2.4.5-0.6, imagemagick/7:6.2.4.5.dfsg1-1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ryuichi Arafune <arafune@debian.org>:
Bug#345876; Package imagemagick. (full text, mbox, link).


Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ryuichi Arafune <arafune@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: New format string vulnerability in SetImageInfo().
Date: Wed, 4 Jan 2006 02:05:20 +0100
Package: imagemagick
Version: 6:6.2.3.0-1
Severity: grave
Tags: security patch
Justification: user security hole

Specially crafted file names cause programs using ImageMagick to crash
due to a format string vulnerability. It might be possible to execute
arbitrary code due to this bug.

I've discovered the vulnerability while investigating the upstream fix
for #297990 (CAN-2005-0397). It turns out that this fix is buggy and
doesn't plug the security hole. Originally, the format string
vulnerability could be demonstrated with

convert foo.jpg foo%n.jpg	# (or several %n until overflow happens)

Now all we need is one additional, valid, numeric format string, eg.

convert foo.jpg foo%d%n.jpg	# (or several %n until overflow happens)

The new code just checks for the presence of any of %%, %d, %o, or %x.
If one of them is found, it passes the rest of the string as a format
string to an sprintf()-style function just like in the CAN-2005-0397
vulnerability. It all happens in SetImageInfo() that is usually called
on the target filename in write operations, eg. the target filename of a
'convert'.

I'm not sure which upstream version was the first to contain this new
incarnation of the vulnerability, but 6:6.2.3.0-1 was the first that
appeared in Debian. While sarge contains an earlier version, etch and
sid are affected. As this really is a new vulnerability, I assume
CAN-2005-0397 should not be reused. Security team, can you please
confirm and possibly provide a new CVE ID?

I'm attaching an untested patch that should give an idea on how to plug
this hole once and for all. Note that the original fix that went into
sarge was buggy as well: The code is actually supposed to expand an
optional numeric format specifier to support multi-frame images. The
sarge security patch broke this by preventing any format string
expansion, but that's a different story.

Regards,

Daniel.

[diff (text/plain, inline)]
diff -rN -u old-imagemagick/magick/image.c new-imagemagick/magick/image.c
--- old-imagemagick/magick/image.c	2006-01-04 01:23:29.000000000 +0100
+++ new-imagemagick/magick/image.c	2006-01-04 01:23:31.000000000 +0100
@@ -2881,8 +2881,16 @@
             char
               format[MaxTextExtent];
 
+	    /* Extract first numeric format specifier */
             (void) CopyMagickString(format,p,MaxTextExtent);
+	    if (q-p+1 < MaxTextExtent)
+		    format[q-p+1]='\0';
+	    /* Expand format */
             (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
+	    /* Copy rest of string verbatim without further expansion */
+	    (void) ConcatenateMagickString(filename,
+	                                   image_info->filename+(q-filename)+1,
+					   MaxTextExtent);
             break;
           }
       }
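Review bot: The expansion call FormatMagickString(p,MaxTextExtent,format,image_info->scene) still passes MaxTextExtent as the size although p points into the middle of filename, so a specifier with a large zero-padded width can write past the end of the buffer; pass the space that is actually left, MaxTextExtent-(p-filename). Cutting format off after the specifier does stop later conversions from being interpreted, but if the enclosing test also matches %% (as the report says), the unchanged break ends the loop on a leading %% and a following %d is never expanded. The added lines are indented with tabs while the surrounding code uses spaces.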


Message #10 received at 345876@bugs.debian.org:

From: Matthias Clasen <mclasen@redhat.com>
To: 345876@bugs.debian.org
Subject: a more complete fix
Date: Wed, 04 Jan 2006 12:04:46 -0500
The same code is repeated in blob.c. Here is a more complete fix.

[ImageMagick-6.2.5-format-string-again.patch (text/x-patch, attachment)]

Message #15 received at 345876@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Matthias Clasen <mclasen@redhat.com>, 345876@bugs.debian.org
Subject: Re: Bug#345876: a more complete fix
Date: Wed, 4 Jan 2006 18:47:47 +0100
On Wed, Jan 04, 2006 at 12:04:46PM -0500, Matthias Clasen wrote:
> The same code is repeated in blob.c. Here is a more complete fix.

Thanks a lot! Still not complete, though. I just noticed that animate.c
(or command.c in graphicsmagick) is affected in a similar way. There
might be even more of those lurking...

Regards,

Daniel.




Message #20 received at 345876@bugs.debian.org:

From: Matthias Clasen <mclasen@redhat.com>
To: 345876@bugs.debian.org
Subject: animate.c
Date: Wed, 04 Jan 2006 13:54:29 -0500
I don't doubt that there are more vulnerabilities lurking in
ImageMagick, but I don't see how this same problem occurs in
animate.c...

Matthias




Message #25 received at 345876@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Matthias Clasen <mclasen@redhat.com>, 345876@bugs.debian.org
Subject: Re: Bug#345876: animate.c
Date: Thu, 5 Jan 2006 13:37:02 +0100
On Wed, Jan 04, 2006 at 01:54:29PM -0500, Matthias Clasen wrote:
> I don't doubt that there are more vulnerabilities lurking in
> ImageMagick, but I don't see how this same problem occurs in
> animate.c...

Which version are you looking at? The code in question recently moved
from magick/animate.c to wand/animate.c. Anyway, the underlying problem
is the same in all cases: A single numeric format expansion should be
allowed in user-supplied strings. In animate.c, look for a call to
FormatMagickString() following a comment "Form filename for multi-part
images.". The format string is taken verbatim from the command line.
Admittedly though, animate will rarely be called from scripts or as a
mime handler, so the security impact is quite low compared to, say,
convert.

Regards,

Daniel.
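
The rule stated in the message above (allow a single numeric expansion in a user-supplied string, treat everything else as literal text) can be enforced without ever handing the untrusted string to a printf-style function. This is an added example, not code from ImageMagick or from this thread; expand_scene_template() and expand() are hypothetical names, and the accepted specifiers mirror the %d, %o, %x and %% set quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not ImageMagick API): copy tmpl to out, replacing only
 * the FIRST numeric specifier (%d, %o or %x, optionally with a zero-padded
 * width such as %03d) by value. "%%" before that point collapses to "%".
 * Every other byte, including %n or %s, is copied verbatim. The untrusted
 * template is never used as a format string. Returns the output length,
 * or -1 if the result does not fit in outlen bytes.
 */
long expand_scene_template(char *out, size_t outlen, const char *tmpl,
                           unsigned long value)
{
  const char *p = tmpl;
  size_t n = 0;      /* bytes written so far; invariant: n < outlen */
  int expanded = 0;  /* set once the single numeric expansion is done */

  if (out == NULL || tmpl == NULL || outlen == 0)
    return -1;
  while (*p != '\0') {
    if (*p == '%' && !expanded) {
      const char *q = p + 1;
      unsigned long width = 0;

      if (*q == '%') {            /* literal percent sign */
        if (n + 1 >= outlen) goto fail;
        out[n++] = '%';
        p += 2;
        continue;
      }
      if (*q == '0') {            /* optional zero-padded width */
        char *end;
        width = strtoul(q, &end, 10);
        q = end;
      }
      if (*q == 'd' || *q == 'o' || *q == 'x') {
        char num[32];             /* 64-bit value in octal needs 22 digits */
        size_t pad;
        int len;

        /* Only constant format strings reach snprintf(). */
        switch (*q) {
          case 'o': len = snprintf(num, sizeof num, "%lo", value); break;
          case 'x': len = snprintf(num, sizeof num, "%lx", value); break;
          default:  len = snprintf(num, sizeof num, "%lu", value); break;
        }
        if (len < 0 || (size_t) len >= sizeof num) goto fail;
        pad = (width > (unsigned long) len) ? (size_t) (width - len) : 0;
        /* Reject oversized widths instead of truncating or overflowing. */
        if (pad >= outlen - n || (size_t) len >= outlen - n - pad) goto fail;
        memset(out + n, '0', pad);
        n += pad;
        memcpy(out + n, num, (size_t) len);
        n += (size_t) len;
        expanded = 1;
        p = q + 1;
        continue;
      }
      /* Not a permitted specifier: fall through and copy '%' as data. */
    }
    if (n + 1 >= outlen) goto fail;
    out[n++] = *p++;
  }
  out[n] = '\0';
  return (long) n;

fail:
  out[0] = '\0';
  return -1;
}

/* Demo wrapper: returns the expanded name in a static buffer, or NULL. */
const char *expand(const char *tmpl, unsigned long value)
{
  static char buf[64];
  return expand_scene_template(buf, sizeof buf, tmpl, value) < 0 ? NULL : buf;
}

int main(void)
{
  /* Constructed sample templates, including the shape from the report. */
  const char *samples[] = { "frame%03d.png", "foo%d%n.jpg", "a%%b%dc",
                            "%0999999d" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    const char *r = expand(samples[i], 7);
    printf("%-16s -> %s\n", samples[i], r != NULL ? r : "(rejected)");
  }
  return 0;
}
```

Because output and template positions are tracked separately, a collapsed "%%" cannot shift where the number is written, and a width that does not fit is rejected rather than truncated.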




Message #30 received at 345876@bugs.debian.org:

From: Matthias Clasen <mclasen@redhat.com>
To: 345876@bugs.debian.org
Date: Mon, 09 Jan 2006 10:18:13 -0500
Ah, got it now. Does this look more complete ?


[ImageMagick-6.2.5-format-string-again.patch (text/x-patch, attachment)]

Message #35 received at 345876@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Matthias Clasen <mclasen@redhat.com>, 345876@bugs.debian.org
Subject: Re: Bug#345876: imagemagick: New format string vulnerability in SetImageInfo().
Date: Tue, 10 Jan 2006 17:03:55 +0100
On Mon, Jan 09, 2006 at 10:18:13AM -0500, Matthias Clasen wrote:
> Ah, got it now. Does this look more complete ?

Yes, but there are still a few more places to fix. The attached patch
for 6.2.4.5 should be fairly complete, apart from a few odd places in
coders/, but those fall more into the scope of CVE-2005-4601. Mind,
though, that I'm still testing the fix, so some polishing might be
needed still.

Regards,

Daniel.

[im_format_string.diff (text/plain, inline)]
diff -r 8a3cbd342315 magick/animate.c
--- a/magick/animate.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/animate.c	Tue Jan 10 16:55:22 2006 +0100
@@ -604,7 +604,7 @@
               /*
                 Form filename for multi-part images.
               */
-              (void) FormatMagickString(filename,MaxTextExtent,
+              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
                 image_info->filename,scene);
               if (LocaleCompare(filename,image_info->filename) == 0)
                 (void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]",
diff -r 8a3cbd342315 magick/blob.c
--- a/magick/blob.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/blob.c	Tue Jan 10 16:55:22 2006 +0100
@@ -2120,25 +2120,8 @@
       /*
         Form filename for multi-part images.
       */
-      (void) CopyMagickString(filename,image->filename,MaxTextExtent);
-      for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
-      {
-        char
-          *q;
-
-        q=p+1;
-        if (*q == '0')
-          (void) strtol(q,&q,10);
-        if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
-          {
-            char
-              format[MaxTextExtent];
-
-            (void) CopyMagickString(format,p,MaxTextExtent);
-            (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
-            break;
-          }
-      }
+      (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename,
+        image->scene);
       if (image_info->adjoin == MagickFalse)
         if ((image->previous != (Image *) NULL) ||
             (GetNextImageInList(image) != (Image *) NULL))
diff -r 8a3cbd342315 magick/display.c
--- a/magick/display.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/display.c	Tue Jan 10 16:55:22 2006 +0100
@@ -1984,7 +1984,7 @@
               /*
                 Form filename for multi-part images.
               */
-              (void) FormatMagickString(filename,MaxTextExtent,
+              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
                 image_info->filename,scene);
               if (LocaleCompare(filename,image_info->filename) == 0)
                 (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r 8a3cbd342315 magick/image.c
--- a/magick/image.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/image.c	Tue Jan 10 16:55:22 2006 +0100
@@ -2869,25 +2869,8 @@
       /*
         Rectify multi-image file support.
       */
-      (void) CopyMagickString(filename,image_info->filename,MaxTextExtent);
-      for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
-      {
-        char
-          *q;
-
-        q=(char *) p+1;
-        if (*q == '0')
-          (void) strtol(q,&q,10);
-        if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
-          {
-            char
-              format[MaxTextExtent];
-
-            (void) CopyMagickString(format,p,MaxTextExtent);
-            (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
-            break;
-          }
-      }
+      (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+        image_info->filename,image_info->scene);
       if ((LocaleCompare(filename,image_info->filename) != 0) &&
           (strchr(filename,'%') == (char *) NULL))
         image_info->adjoin=MagickFalse;
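Review bot: In the unchanged test right after the new call, strchr(filename,'%') == NULL now fails whenever the name carries a second, unexpanded specifier, because FormatMagickStringNumeric copies everything after the first numeric conversion verbatim; adjoin then stays untouched even though the scene number was substituted. Decide whether that is intended for names such as the foo%d%n.jpg case from the report, and make sure filename, with its leftover '%', is never handed to a printf-style function further down.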
diff -r 8a3cbd342315 magick/log.c
--- a/magick/log.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/log.c	Tue Jan 10 16:55:22 2006 +0100
@@ -914,8 +914,8 @@
           char
             filename[MaxTextExtent];
 
-          (void) FormatMagickString(filename,MaxTextExtent,log_info->filename,
-            log_info->generation % log_info->generations);
+          (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+            log_info->filename,log_info->generation % log_info->generations);
           log_info->file=fopen(filename,"w");
           if (log_info->file == (FILE *) NULL)
             {
diff -r 8a3cbd342315 magick/montage.c
--- a/magick/montage.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/montage.c	Tue Jan 10 16:55:22 2006 +0100
@@ -530,7 +530,7 @@
               /*
                 Form filename for multi-part images.
               */
-              (void) FormatMagickString(filename,MaxTextExtent,
+              (void) FormatMagickStringNumeric(filename,MaxTextExtent,
                 image_info->filename,scene);
               if (LocaleCompare(filename,image_info->filename) == 0)
                 (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r 8a3cbd342315 magick/string.c
--- a/magick/string.c	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/string.c	Tue Jan 10 16:55:22 2006 +0100
@@ -953,6 +953,75 @@
       return((StringInfo *) NULL);
     }
   return(string_info);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%                                                                             %
+%                                                                             %
+%                                                                             %
+%  F o r m a t M a g i c k S t r i n g N u m e r i c                          %
+%                                                                             %
+%                                                                             %
+%                                                                             %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%  Method FormatMagickStringNumeric formats output for a single numeric
+%  argument. It takes into account that the format string given might be
+%  untrusted user input, and returns the length of the formatted string.
+%
+%  The format of the FormatMagickStringNumeric method is:
+%
+%      long FormatMagickStringNumeric(char *string,const size_t length,
+%                                     const char *format,int value)
+%
+%  A description of each parameter follows.
+%
+%   o string:  FormatMagickStringNumeric() returns the formatted string in this
+%     character buffer.
+%
+%   o length: The maximum length of the string.
+%
+%   o  format:  A string describing the format to use to write the numeric
+%      argument. Only the first numeric format identifier is replaced.
+%
+%   o  value:  Numeric value to substitute into format string.
+%
+%
+*/
+MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
+{
+  char
+    *p;
+
+  (void) CopyMagickString(string, format, length);
+
+  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+  {
+    char
+      *q;
+
+    q=(char *) p+1;
+    if (*q == '0')
+      (void) strtol(q,&q,10);
+    if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+    {
+      char
+        c;
+
+      q++;
+      c=*q;
+      *q='\0';
+      (void) snprintf(string+(p-format),length-(p-format),p,value);
+      *q=c;
+      (void) ConcatenateMagickString(&string,q,length);
+      if (*(q-1) == '%')
+        p++;
+      else
+        break;
+    }
+  }
+  return (long)strlen(string);
 }
 
 /*
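Review bot: The snprintf destination string+(p-format) assumes that output and format offsets stay in step, which no longer holds on the %% path: once "%%" has collapsed to "%", every later offset is one byte too far, so for "a%%b%dc" the number overwrites the 'd' and a stray '%' is left in the result. Keep a separate write position in string instead of reusing p-format. The size length-(p-format) also wraps around when a '%' lies beyond the first length bytes of format, and *q='\0' writes through the caller's const char *format (p is assigned from strchr on that pointer), which faults on read-only strings; copy the specifier into a small local buffer rather than patching format in place. The first argument &string in the ConcatenateMagickString call has the wrong type.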
diff -r 8a3cbd342315 magick/string_.h
--- a/magick/string_.h	Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/string_.h	Tue Jan 10 16:55:22 2006 +0100
@@ -60,6 +60,7 @@
     magick_attribute((format (printf,3,4))),
   FormatMagickStringList(char *,const size_t,const char *,va_list)
     magick_attribute((format (printf,3,0))),
+  FormatMagickStringNumeric(char *,const size_t,const char *,int),
   LocaleCompare(const char *,const char *),
   LocaleNCompare(const char *,const char *,const size_t);
 
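Review bot: The new prototype takes the value as int, but the call sites in animate.c, display.c and montage.c pass scene, which the neighbouring fallback calls print with %lu, so the argument is silently narrowed. Declare the parameter with the same type as scene and have the function print it with a matching length modifier instead of passing the user's bare %d, %o or %x through.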

Message #40 received at 345876@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 345876@bugs.debian.org
Cc: Matthias Clasen <mclasen@redhat.com>
Subject: Re: Bug#345876: imagemagick: New format string vulnerability in SetImageInfo().
Date: Tue, 10 Jan 2006 19:03:55 +0100
On Tue, Jan 10, 2006 at 05:03:55PM +0100, Daniel Kobras wrote:
> On Mon, Jan 09, 2006 at 10:18:13AM -0500, Matthias Clasen wrote:
> > Ah, got it now. Does this look more complete ?
> 
> Yes, but there are still a few more places to fix. The attached patch
> for 6.2.4.5 should be fairly complete, apart from a few odd places in
> coders/, but those fall more into the scope of CVE-2005-4601. Mind,
> though, that I'm still testing the fix, so some polishing might be
> needed still.
(...)
> +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> +%                                                                             %
> +%                                                                             %
> +%                                                                             %
> +%  F o r m a t M a g i c k S t r i n g N u m e r i c                          %
> +%                                                                             %
> +%                                                                             %
> +%                                                                             %
> +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> +%
> +%  Method FormatMagickStringNumeric formats output for a single numeric
> +%  argument. It takes into account that the format string given might be
> +%  untrusted user input, and returns the length of the formatted string.
> +%
> +%  The format of the FormatMagickStringNumeric method is:
> +%
> +%      long FormatMagickStringNumeric(char *string,const size_t length,
> +%                                     const char *format,int value)
> +%
> +%  A description of each parameter follows.
> +%
> +%   o string:  FormatMagickStringNumeric() returns the formatted string in this
> +%     character buffer.
> +%
> +%   o length: The maximum length of the string.
> +%
> +%   o  format:  A string describing the format to use to write the numeric
> +%      argument. Only the first numeric format identifier is replaced.
> +%
> +%   o  value:  Numeric value to substitute into format string.
> +%
> +%
> +*/
> +MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
> +{
> +  char
> +    *p;
> +
> +  (void) CopyMagickString(string, format, length);
> +
> +  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
> +  {
> +    char
> +      *q;
> +
> +    q=(char *) p+1;
> +    if (*q == '0')
> +      (void) strtol(q,&q,10);
> +    if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
> +    {
> +      char
> +        c;
> +
> +      q++;
> +      c=*q;
> +      *q='\0';
> +      (void) snprintf(string+(p-format),length-(p-format),p,value);
> +      *q=c;
> +      (void) ConcatenateMagickString(&string,q,length);

Bah, scratch that &, even. Forgot to fix that one before sending.

Sorry,

Daniel.




Message #45 received at 345876@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 345876@bugs.debian.org
Subject: Re: Bug#345876: imagemagick: New format string vulnerability in SetImageInfo().
Date: Fri, 13 Jan 2006 22:41:52 +0100
retitle 345876 [CVE-2006-0082] imagemagick: New format string vulnerability in SetImageInfo().
thanks

On Wed, Jan 04, 2006 at 02:05:20AM +0100, Daniel Kobras wrote:
> As this really is a new vulnerability, I assume CAN-2005-0397
> should not be reused. Security team, can you please confirm and
> possibly provide a new CVE ID?

Just spotted that this problem has been assigned CVE-2006-0082. Thanks
to whoever requested the id.

Regards,

Daniel.




Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.


Tags added: pending Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.


Tags added: fixed Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.


Message #54 received at 345876-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 345876-submitter@bugs.debian.org
Subject: Debian bug #345876
Date: Thu, 26 Oct 2006 18:59:21 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #345876 in the imagemagick 
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug marked as fixed in version 6:6.2.4.5-0.6, send any further explanations to Daniel Kobras <kobras@debian.org> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Message #64 received at 345876-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 345876-close@bugs.debian.org
Subject: Bug#345876: fixed in imagemagick 7:6.2.4.5.dfsg1-1
Date: Mon, 30 Apr 2007 18:17:04 +0000
Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 345876@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes: 
 imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
 .
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minor improvements:
     - Manpages says SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped specials chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     - "isplay", "perferred", "similiar" and "morify.html" typos fixed.
       Closes: #386964, #351498, #395830
     - ImageMagick(1) indentation. Closes: #335111
     - "convert -help" duplicated line fixes. Closes: #339548
     - Typo in description of --resize command fixed. Closes: #364826
   * Magick++/lib/Image.cpp: Include cstdlib header to fix build failure
     with gcc 4.3. Patch thanks to Martin Michlmayr. Closes: #417237
   * coders/dcm.c: Fix integer overflow in DCM coder. (CVE-2007-1797)
     Closes: #418057
   * coders/icon.c: Fix segfault in ICON coder.
   * coders/pcx.c: Fix heap overflow in PCX coder.
   * coders/pict.c: Fix multiple segfaults in PICT coder.
   * coders/png.c: Fix segfault in PNG coder.
   * coders/pnm.c: Fix segfault in PNM coder.
   * coders/sgi.c: Fix segfault in SGI coder.
   * coders/sun.c: Fix segfault during conversion in SUN coder.
   * coders/viff.c: Prevent heap corruption in VIFF coder.
   * coders/xwd.c: Fix segfault during conversion in XWD coder.
   * coders/xwd.c: Fix multiple integer overflows in XWD coder.
     (CVE-2007-1667, CVE-2007-1797)
   * The above fixes collectively address the following bug report:
     Closes: #412945
   * config/delegates.xml.in: Lose obsolete option -3 to dcraw delegate
     to unbreak support for raw digital images. Closes: #404477
 .
 imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
     Avoid bogus second read in macro call. Patch thanks to Vladimir
     Nadvornik. (CVE-2007-0770) Closes: #410435
 .
 imagemagick (7:6.2.4.5.dfsg1-0.13) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/png.c: Fix amd64 build failure with recent libpng versions.
     Closes: #401047
   * debian/control: Tighten libpng12-dev build-dependency to exclude versions
     that are known to fail to link even with the above fix in place.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.12) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/control: Add build dependency on libxt-dev and pkg-config to
     make dependency list deterministic.
   * debian/control: libmagick9-dev depends on libxt-dev.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.11) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/dcm.c, coders/palm.c: Fix buffer overflows in DCM and Palm coders.
     Patches thanks to M Joonas Pihlaja. Closes: #393025
   * coders/sgi.c: Put back missing initialisation of loop variable that
     was erroneously removed in fix for CVE-2006-4144. Spotted by
     Martin Pitt. Closes: #383314
   * coders/sgi.c: Fix off-by-one error in boundary check causing slightly
     garbled image output. Also introduced in fix for CVE-2006-4144.
   * coders/xpm.c: Do not gratuitously limit the allowed number of
     bytes per pixel. Patch thanks to Jens Seidel. Closes: #358148
   * magick/display.c: Fix NULL pointer dereference in display's
     "Visual Directory". Patch thanks to Frédéric Bothamy. Closes: #360400
   * utilities/ImageMagick.1.in: Replace UTF-8 encoded characters with
     latin1 equivalents to placate lintian.
   * debian/control: perlmagick provides libimage-magick-perl to comply
     with Perl policy. Closes: #317083
   * debian/control: Add gs-gpl build dependency, used in testsuite.
   * debian/control: Tries hard to comply with version 3.7.2 of Debian
     policy.
   * debian/rules: Eliminate -l entries that slipped into --ldflags output.
     They're already present in --libs anyway. Closes: #340401
   * debian/rules: Run the testsuite, but don't treat failures as fatal
     errors for now.
   * debian/rules: At configure time, change X11 search paths to X11R7
     locations.
   * debian/rules: Remove duplicate of license file from imagemagick
     package.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.10) unstable; urgency=high
 .
   * Non-Maintainer Upload
   * Fix buffer overflow in SGI parser [CVE-2006-4144] (closes: #383314)
     Thanks to Daniel Kobras
   * Fix double free in ICC profile in PerlMagick (closes: #349264)
   * Fix incompatibility with graphviz >= 2.8 and build-depend on an
     appropriate version (closes: #360362)
   * Fix XCF and Sun Raster File buffer overflows [CVE-2006-3743/-3744]
     (closes: #385062)
 .
 imagemagick (7:6.2.4.5.dfsg1-0.9) unstable; urgency=low
 .
   * Non-Maintainer Upload
   * Remove all instances of the imagemagick logo from the original
     sourcefile and repack. (closes: #214623)
   * Add back the free logo patch
   * Add clean-tarball rule to accomplish this
   * Change the copyright file to indicate that the logo is no longer
     included, and indicate that the included logo is actually text saying
     "imagemagick" with the Debian open use logo.
 .
 imagemagick (7:6.2.4.5-0.8) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Back to 6.2.4.5 as requested by the release team to maintain binary
     compatibility. Bumped epoch once more.
 .
 imagemagick (6:6.2.6.7-1) unstable; urgency=low
 .
   * New upstream version.
 .
 imagemagick (6:6.2.4.5-0.7) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/url.c: Do not treat local file:// URIs as temporary files that
     are removed after reading. Closes: #352575
 .
 imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line before
     allocating resources based on argc. Patch and analysis thanks to
     Eero Häkkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function FormatMagickStringNumeric()
     to securely expand a user-supplied format string with a single numeric
     argument. Adjust code to use this function where appropriate.
     (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell command
     injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an image,
     derive it from the mime type. As a side effect, this change allows to
     use arbitrary filenames with the 'see' command, even if they have
     special meaning to imagemagick internally. Also clean up some typos
     and superfluous entries once we're at it. Closes: #344997
 .
 imagemagick (6:6.2.4.5-0.5) unstable; urgency=low
 .
   * Another NMU to complete the installability fixes from 6:6.2.4.5-0.4.
   * Adjust libmagick9-dev dependencies to account for the removal of
     xlibs-dev from unstable, and bring them in line with build-deps.
 .
 imagemagick (6:6.2.4.5-0.4) unstable; urgency=low
 .
   * Non-maintainer upload to resolve buildability/installability.
   * debian/{control,rules}: Disable DPS support, which is no longer shipped
     in Xorg 6.9/7.0 (and was making us both FTBFS and uninstallable in sid)
   * debian/control: explicitly build-depend on libxext-dev, since we both
     test for and use it directly, rather than indirectly.
 .
 imagemagick (6:6.2.4.5-0.3) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/control: Rename libmagick++9 to libmagick++9c2a, following a
     C++ ABI transition. Conflicts with and Replaces old version.
   * debian/*: Rename various debhelper support files due to above name
     change.
 .
 imagemagick (6:6.2.4.5-0.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/control: libmagick9-dev Conflicts/Replaces libmagick6-dev.
     Likewise for libmagick++9-dev. Closes: #330666
   * debian/control: Provide unversioned libmagick-dev and libmagick++-dev
     and conflict/replace them for future-proof handling of soname bumps.
 .
 imagemagick (6:6.2.4.5-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Yet another bump of the soname version, this time going from
       7 to 9.
   * debian/*: Cater for soname change and corresponding change of
     library packages names in multiple places.
 .
 imagemagick (6:6.2.4.4-0.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Version in library soname was increased from 6 to 7 due to
       changes in binary interface starting with 6.0.7. (Yes, this
       should have happened earlier.) Closes: #318176, #325651, #325720
   * debian/*: Rename packages from libmagick6 to libmagick7, and similar.
     Adjust version in various places accordingly. Drop c2 suffix from
     C++ library package.
   * debian/control: Use shlibs information to generate Depends line for
     imagemagick binary package.
   * debian/control: Remove Pre-Depends on prehistoric version of dpkg.
   * debian/control: Package complies with policy version 3.6.2. Bump
     Standards-Version accordingly.
   * Patches to upstream sources:
     + [bin/Magick++-config.1.debdiff]
       Stray file that seems to have slipped into the previous Debian
       diffs by mistake. Removed now.
     + [magick/blob.c]
       Originally a patch from upstream, now mostly merged. Retaining a
       single hunk that upstream reverted later on, though it still looks
       correct.
     + [configure.ac, configure]
       Override location of documentation files to Debian's default
       /usr/share/doc/imagemagick. Patch to configure was present before.
       This release promotes it back to configure.ac as well. (No ill
       effects because AM_MAINTAINER_MODE is used.)
     + [coders/magick.c]
       Drop patch that exchanges upstream's logo for a DFSG-free version.
       This attempt to address #214623 (distribution of non-free logo)
       missed several other instances of the logo, must be applied to
       the orig.tar.gz rather than the Debian diff, and should have
       some input from upstream, so no point in carrying it around still.
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:43:40 GMT) (full text, mbox, link).
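
The fix named in the 6:6.2.4.5-0.6 changelog entry above (expanding a user-supplied format string with a single numeric argument) can be illustrated as follows. This is an added C example, not ImageMagick's FormatMagickStringNumeric() code; the helper name `expand_numeric_template` and the accepted directive set (`%d`, `%o`, `%x`, `%X` with optional zero flag and width) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ImageMagick's FormatMagickStringNumeric):
 * expand at most one integer conversion from an untrusted template.
 * The template itself is never passed to printf as a format.
 * Returns 0 on success, -1 if the output would not fit. */
int expand_numeric_template(char *dst, size_t dstlen,
                            const char *tmpl, unsigned long value)
{
    size_t out = 0;
    int used = 0;                       /* only one conversion is honoured */
    if (dstlen == 0)
        return -1;
    for (const char *p = tmpl; *p != '\0'; ) {
        const char *q = p + 1;
        int zero = 0, width = 0;
        if (*p == '%' && !used) {       /* parse optional "0" flag and width */
            if (*q == '0') { zero = 1; q++; }
            while (isdigit((unsigned char)*q) && width < 100)
                width = width * 10 + (*q++ - '0');
        }
        if (*p == '%' && !used && width < 100 &&
            *q != '\0' && strchr("doxX", *q) != NULL) {
            /* Format is picked from fixed literals, never from the input. */
            const char *fmt = *q == 'd' ? (zero ? "%0*lu" : "%*lu")
                            : *q == 'o' ? (zero ? "%0*lo" : "%*lo")
                            : *q == 'x' ? (zero ? "%0*lx" : "%*lx")
                                        : (zero ? "%0*lX" : "%*lX");
            int n = snprintf(dst + out, dstlen - out, fmt, width, value);
            if (n < 0 || (size_t)n >= dstlen - out)
                return -1;
            out += (size_t)n;
            used = 1;
            p = q + 1;
        } else {
            /* %n, %s, a second directive, or plain text: copied literally. */
            if (*p == '%' && p[1] == '%')
                p++;                    /* "%%" collapses to one '%' */
            if (out + 1 >= dstlen)
                return -1;
            dst[out++] = *p++;
        }
    }
    dst[out] = '\0';
    return 0;
}
```

A template that pairs a valid numeric directive with `%n`, the case described in the report, comes out with the number expanded and `%n` left as literal text.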




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:17:10 2019; Machine Name: buxtehude
