./graphics/GraphicsMagick, X application for displaying and manipulating images

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.3.26, Package name: GraphicsMagick-1.3.26, Maintainer: pkgsrc-users

GraphicsMagick(TM) provides a powerful image manipulation and
translation utility. It is capable of displaying still images and
animations using the X Window system, provides a simple interface for
interactively editing images, and is capable of importing selected
windows or the entire desktop. GraphicsMagick can read and write over
88 image formats, including JPEG, TIFF, WMF, SVG, PNG, PNM, GIF, and
Photo CD. It can resize, rotate, sharpen, color reduce, or add
special effects to the image and save the result to any supported
format. GraphicsMagick may be used to create animated or transparent
.gifs, create composite images, create thumbnail images, and much,
much, more.

GraphicsMagick is one of your choices if you need a program to
manipulate and display images. If you want to develop your own
applications which use GraphicsMagick code or APIs, you need to
install GraphicsMagick-devel as well.

Required to run:
[textproc/libxml2] [graphics/tiff] [graphics/freetype2] [devel/libltdl] [graphics/jbigkit] [graphics/libwebp] [devel/pkgconf]

Required to build:
[pkgtools/x11-links] [pkgtools/cwrappers]

Package options: bzip2, jasper, lzma, x11

Master sites:

SHA1: 2cc885d1b157996aa14c98e34f7aa17815d00c41
RMD160: 3dd490364c3e4498c308c38b26a0fe41cf4e81f2
Filesize: 5273.988 KB

Version history: (Expand)

CVS history: (Expand)

   2017-07-09 22:02:28 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:

Security Fixes:
DPX: Fix excessive use of memory (DOS issue) due to file header claiming large \ 
image dimensions but insufficient backing data. (CVE-2017-10799).
JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350).
MAT: Fix excessive use of memory (DOS issue) due to continuing processing with \ 
insufficient data and claimed large image size. Verify each file extent to make \ 
sure that it is within range of file size. (CVE-2017-10800).
META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800).
PCX: Fix denial of service issue.
RLE: Fix abnomally slow operation (denial of service issue) with intentionally \ 
corrupt colormapped file.
PICT: Fix possible buffer overflow vulnerability given suitably truncated input file.
PNG: Enforce spec requirement that the dimensions of the JPEG embedded in a JDAT \ 
chunk must match the JHDR dimensions (CVE-2016-9830).
PNG: Avoid NULL dereference when MAGN chunk processing fails.
SCT: Fix stack-buffer read overflow (underflow?) while reading SCT header.
SGI: Fix denial of service issues. Delay large memory allocations until file \ 
header has fully passed sanity checks.
TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to have only 2 \ 
samples per pixel (CVE-2017-6335).
TIFF: Fix out of bounds read when reading RGB TIFF which claims to have only 1 \ 
sample per pixel (CVE-2017-10794).
WPG: Fix heap overflow (CVE-2016-7996). Fix assertion crash (CVE-2016-7997).

Bug fixes:
DifferenceImage(): Fix Fix all-black difference image if an input file is \ 
EXIF orientation was not being properly detected for some files.
-frame: The import command -frame handling was improperly implemented and was \ 
using already freed data.
GIF: Fixes for "Excessive LZW string data" problem.
Magick++: Bug fixes to PathSmoothCurvetoRel::operator() and \ 
PAM: Support writing GRAYSCALE PAM format.
PNG: Fix memory leaks.
SVG: Fixed a memory leak. Fixed a possible null pointer dereference.
TclMagick: Problem that TkMagick could not resolve functions from TclMagick \ 
under Linux is fixed.
TclMagick: Fix parser validatation in magickCmd() to avoid crash given a syntax \ 
TIFF: Fix for reading old JPEG files (avoids "Improper call to JPEG library \ 
in state 0. (LibJpeg).").
TXT: Fixed memory leak.
XCF: Error checking is improved.

New Features:
EXIF rotation: Support is added such that the EXIF orientation tag is updated \ 
when the image is rotated.
MAT: Now support reading multiple images from Matlab V4 format.
Magick++: Orientation method now updates orientation in EXIF profile, if it exists.
Magick++: Added Image attribute method which accepts a 'char *' argument, and \ 
will remove the attribute if the value argument is NULL.
-orient: The -orient command line option now also updates the orientation in the \ 
EXIF profile, if it exists.
PGX: Support PGX JPEG 2000 format for reading and writing (within the bounds of \ 
what JasPer supports).
Wand API: Added MagickAutoOrientImage(), MagickGetImageOrientation(), \ 
MagickSetImageOrientation(), MagickRemoveImageOption(), and \ 
   2017-03-09 11:47:24 by Jonathan Perkin | Files touched by this commit (1) | Package updated
Log message:
Make pkg-config a runtime dependency so GraphicsMagick*config work.

   2017-02-28 16:20:12 by Ryo ONODERA | Files touched by this commit (208)
Log message:
Recursive revbump from graphics/libwebp
   2017-01-19 19:52:30 by Alistair G. Crooks | Files touched by this commit (352)
Log message:
Convert all occurrences (353 by my count) of

	MASTER_SITES= 	site1 \

style continuation lines to be simple repeated


lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
   2016-09-07 08:29:31 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
Updated GraphicsMagick to 1.3.25.

1.3.25 (September 5, 2016)

Special Issues:

* None

Security Fixes:

* EscapeParenthesis(): I was notified by Gustavo Grieco of a heap
  overflow in EscapeParenthesis() used in the text annotation code.
  While not being able to reproduce the issue, the implementation of
  this function is completely redone.

* Utah RLE: Reject truncated/absurd files which caused huge memory
  allocations and/or consumed huge CPU.  Problem was reported by
  Agostino Sarubbo based on testing with AFL.

* SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in
  the MVG rendering code (also impacts SVG).

* TIFF: Fix heap buffer read overflow while copying sized TIFF
  attributes.  Problem was reported by Agostino Sarubbo based on
  testing with AFL.

Bug fixes:

* GetToken(): Fix obscure bug (read beyond end of string buffer)
  noticed while parsing a MVG file.  This problem was reported by
  Gustavo Grieco.

* MVG rendering: Fix undesired hard errors when some objects were
  drawn outside of the image bounds.  Requests to draw objects
  entirely outside of the image should be silently ignored.

* MVG/SVG rendering: Fix gradient size sanity checks which were
  causing gradient requests to fail.  Due to a design weakness in that
  gradient images allocate resources rather than being computations at
  point of use, the maximum gradient image size is now hard-limited to
  5000x5000 pixels until the design problem is fixed.  Some SVG icons
  (as small as 8x8 pixels) authored using Inkscape request absurdly
  huge gradients.  Gradient sizes as large as 20,000x20,000 have been
  observed in SVG icon files delivered by packages on an Ubuntu Linux

* SVG: Fix some memory leaks which occur on parsing error.

New Features:

* None

Feature improvements:

* ElapsedTime(): Use clock_gettime() (when available with default
  linkage) to obtain elapsed time.

* DescribeImage(): Provide 6 digits of seconds precision in in elapsed
  time output.  Previously the resolution was rounded up to a full

Windows Delegate Updates/Additions:

* webp: Updated bundled libwebp to release 0.5.1.

* libxml: Updated bundled libxml2 to release 2.9.4.

* lcms: Updated bundled lcms2 to release 2.8.

* png: Update bundled libpng to release 1.6.24.

Build Changes:

* OpenMP is properly configured for clang 3.8 using its own '-lomp'
  rather than '-lgomp'.

Behavior Changes:

* SVG: Some SVG files may be rejected due to absurdly large gradient

* The 'identify' and 'info' functionality only shows the pixel read
  rate if image was not read in 'ping' mode. Provide 6 digits of
  seconds precision in in elapsed time output.
   2016-07-09 08:39:18 by Thomas Klausner | Files touched by this commit (1068) | Package updated
Log message:
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.
   2016-06-06 13:46:35 by Thomas Klausner | Files touched by this commit (1)
Log message:
Add patch needed for 1.3.24.
   2016-06-06 13:46:04 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
Updated GraphicsMagick to 1.3.24.

1.3.24 (May 30, 2016)

.. _`GCC bug 53967` : http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53967

Special Issues:

* A shell exploit (CVE-2016-5118) was discovered associated with a
  filename syntax where file names starting with '|' are intepreted as
  shell commands executed via popen().  Insufficient sanitization in
  the SVG and MVG renderers allows such filenames to be passed through
  from potentially untrusted files.  There might be other ways for
  untrusted inputs to produce such filenames.  Due to this issue,
  support for the feature is removed entirely.

* A shell exploit was discovered associated with the gnuplot delegate
  and which is triggered by the 'gplt' entry in delegates.mgk.  A
  remote exploit is possible if the attacker can cause a provided SVG
  or MVG file to be rendered (or the user opens a provided file).  The
  gnuplot program must be installed in order for the exploit to be
  successful.  It is strongly recommended to remove this entry in all
  delegates.mgk files.

* Due to `GCC bug 53967`_, several key agorithms (e.g. convolution)
  may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is
  enabled for floating point math (`-mfpmath=sse`) if the GCC option
  `-frename-registers` is used. Default 32-bit builds do not
  experience the problem since they use '387 math.  It is not clear in
  what version of GCC this problem started but it was not noticed by
  the developers until the GCC 4.6 timeframe.  Other compilers do not
  suffer from this bug.  Please lobby the GCC project to fix this
  embarrassing performance bug.

Security Fixes:

* BLOB: Remove support for reading input from a shell command, or
  writing output to a shell command, by prefixing the specified
  filename (containing the command) with a '|'.  This feature provided
  a remote shell execution opportunity.

* DIB: Fixed out of bounds reads.  Added more header validations.

* JNG: File size limits are enforced.

* MAT: Fixed denial of service opportunity.  Fix hang on corrupt deflate stream.

* META: Fixed out of bounds reads and writes.

* MIFF: Fixed thrown assertion.

* MSL: Ignore the file extension on MSL files.  It is necessary to add
  a "msl:" prefix to MSL files to read the as an image.

* MVG: No longer assume that files ending with extension ".mvg" are
  MVG files.  MVG parsing does more validity checking on its input.
  Assure that enough PrimitiveInfo structures are allocated in advance
  to support a given vector path (heap overflow problem).

* PCX: Fixed unreasonable memory allocation due to intentionally
  corrupt file.

* PDB: Fixed a heap buffer overflow and out of bounds read.

* PICT: Fixed an out of bounds write.

* PS: Ghostscript is now always run with -dSAFER for safer execution.

* PSD: Fixed segmentation violations, heap buffer overflows, and out
  of bounds writes.

* RLE: Fixed out of bounds reads and writes.

* ReadImages(): Fixed a possible infinite recursion due to a crafted input file.

* RotateImage(): Fixed thrown assertion.

* SGI: Fixed out of bounds writes.

* SUN: Fixed out of bounds reads and writes.

* SVG: Fixed heap and stack buffer overflows, as well as segmentation
  violations (CVE-2016-2317 and CVE-2016-2318).  Also fixed endless
  loop, unexpectedly large memory allocation, divide by zero, and
  recursion issues.

* TIFF: Fixed an assertion while reading.  Fixed benign heap overflow.

* TMP: Adding a "tmp:" prefix to a filename no longer removes the file
  since this seems dangerous.

* VIFF: Fix excessive memory allocation with intentionally corrupted input file.

* XCF: Fixed a heap buffer overflow.

* XPM: Fixed several heap buffer overflows, and out of bound
  reads/writes.  Also fixed a case of excessive memory allocation.

* delegate.mgk: The default delegate.mgk file has been pared down in
  order to reduce security exposure.

* gnuplot ('gplt' delegate in delegates.mgk): Support for rendering
  gnuplot files is removed since the format is inherently insecure.

* File names: File names starting with a '|' character are no longer
  interpreted as shell commands to be executed as input or output.

Bug fixes:

* BMP: Fix reading 24-bit Microsoft BMP which claims to have a

* FILE: `file://` URLs are properly supported now (they never worked

* JP2: It is now possible to write lossless JPEG 2000 "JP2" format.

* SVG: Support font-size "medium".

New Features:

* Blob I/O C APIs: Added signed versions of short and long Read/Write

* FILE: `file://` URLs are properly supported now (they never worked

* MAT: Matlab V4 is now partially supported.

* Magick++: Added double-precision xResolution() and yResolution()
  methods to support setting the horizontal and vertical resolution
  with double floating point precision.

* Mogrify now supports a -preserve-timestamp option to preserve file
  access and modification timestamps.

Feature improvements:

Windows Delegate Updates/Additions:

* Updated bundled libpng to release 1.6.19.

* Updated bundled libwebp to release 0.4.4.

* Update bundled libxml2 to release 2.9.3.

* Update bundled freetype to release 2.6.2.

Build Changes:

* Added ``--enable-broken-coders`` configure option to enable file
  format support which may be broken or cause security issues.  The
  PSD format is now classified as "broken" (until it is fixed).

Behavior Changes:

* PSD format is not included in the build by default.

* Files ending with ".mvg" and ".msl" are not assumed to be image
  files by default.

* File names starting with '|' are no longer treated as shell

* Gnuplot and POV delegate support is removed from the default
  delegate.mgk file.