2016-06-06 13:46:35 by Thomas Klausner | Files touched by this commit (1) |
Log message:
Add patch needed for 1.3.24.
|
2016-06-06 13:46:04 by Thomas Klausner | Files touched by this commit (4) |
Log message:
Updated GraphicsMagick to 1.3.24.
1.3.24 (May 30, 2016)
==========================
.. _`GCC bug 53967` : http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53967
Special Issues:
* A shell exploit (CVE-2016-5118) was discovered associated with a
filename syntax where file names starting with '|' are intepreted as
shell commands executed via popen(). Insufficient sanitization in
the SVG and MVG renderers allows such filenames to be passed through
from potentially untrusted files. There might be other ways for
untrusted inputs to produce such filenames. Due to this issue,
support for the feature is removed entirely.
* A shell exploit was discovered associated with the gnuplot delegate
and which is triggered by the 'gplt' entry in delegates.mgk. A
remote exploit is possible if the attacker can cause a provided SVG
or MVG file to be rendered (or the user opens a provided file). The
gnuplot program must be installed in order for the exploit to be
successful. It is strongly recommended to remove this entry in all
delegates.mgk files.
* Due to `GCC bug 53967`_, several key agorithms (e.g. convolution)
may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is
enabled for floating point math (`-mfpmath=sse`) if the GCC option
`-frename-registers` is used. Default 32-bit builds do not
experience the problem since they use '387 math. It is not clear in
what version of GCC this problem started but it was not noticed by
the developers until the GCC 4.6 timeframe. Other compilers do not
suffer from this bug. Please lobby the GCC project to fix this
embarrassing performance bug.
Security Fixes:
* BLOB: Remove support for reading input from a shell command, or
writing output to a shell command, by prefixing the specified
filename (containing the command) with a '|'. This feature provided
a remote shell execution opportunity.
* DIB: Fixed out of bounds reads. Added more header validations.
* JNG: File size limits are enforced.
* MAT: Fixed denial of service opportunity. Fix hang on corrupt deflate stream.
* META: Fixed out of bounds reads and writes.
* MIFF: Fixed thrown assertion.
* MSL: Ignore the file extension on MSL files. It is necessary to add
a "msl:" prefix to MSL files to read the as an image.
* MVG: No longer assume that files ending with extension ".mvg" are
MVG files. MVG parsing does more validity checking on its input.
Assure that enough PrimitiveInfo structures are allocated in advance
to support a given vector path (heap overflow problem).
* PCX: Fixed unreasonable memory allocation due to intentionally
corrupt file.
* PDB: Fixed a heap buffer overflow and out of bounds read.
* PICT: Fixed an out of bounds write.
* PS: Ghostscript is now always run with -dSAFER for safer execution.
* PSD: Fixed segmentation violations, heap buffer overflows, and out
of bounds writes.
* RLE: Fixed out of bounds reads and writes.
* ReadImages(): Fixed a possible infinite recursion due to a crafted input file.
* RotateImage(): Fixed thrown assertion.
* SGI: Fixed out of bounds writes.
* SUN: Fixed out of bounds reads and writes.
* SVG: Fixed heap and stack buffer overflows, as well as segmentation
violations (CVE-2016-2317 and CVE-2016-2318). Also fixed endless
loop, unexpectedly large memory allocation, divide by zero, and
recursion issues.
* TIFF: Fixed an assertion while reading. Fixed benign heap overflow.
* TMP: Adding a "tmp:" prefix to a filename no longer removes the file
since this seems dangerous.
* VIFF: Fix excessive memory allocation with intentionally corrupted input file.
* XCF: Fixed a heap buffer overflow.
* XPM: Fixed several heap buffer overflows, and out of bound
reads/writes. Also fixed a case of excessive memory allocation.
* delegate.mgk: The default delegate.mgk file has been pared down in
order to reduce security exposure.
* gnuplot ('gplt' delegate in delegates.mgk): Support for rendering
gnuplot files is removed since the format is inherently insecure.
* File names: File names starting with a '|' character are no longer
interpreted as shell commands to be executed as input or output.
Bug fixes:
* BMP: Fix reading 24-bit Microsoft BMP which claims to have a
colormap.
* FILE: `file://` URLs are properly supported now (they never worked
before).
* JP2: It is now possible to write lossless JPEG 2000 "JP2" format.
* SVG: Support font-size "medium".
New Features:
* Blob I/O C APIs: Added signed versions of short and long Read/Write
functions.
* FILE: `file://` URLs are properly supported now (they never worked
before).
* MAT: Matlab V4 is now partially supported.
* Magick++: Added double-precision xResolution() and yResolution()
methods to support setting the horizontal and vertical resolution
with double floating point precision.
* Mogrify now supports a -preserve-timestamp option to preserve file
access and modification timestamps.
Feature improvements:
Windows Delegate Updates/Additions:
* Updated bundled libpng to release 1.6.19.
* Updated bundled libwebp to release 0.4.4.
* Update bundled libxml2 to release 2.9.3.
* Update bundled freetype to release 2.6.2.
Build Changes:
* Added ``--enable-broken-coders`` configure option to enable file
format support which may be broken or cause security issues. The
PSD format is now classified as "broken" (until it is fixed).
Behavior Changes:
* PSD format is not included in the build by default.
* Files ending with ".mvg" and ".msl" are not assumed to be image
files by default.
* File names starting with '|' are no longer treated as shell
commands.
* Gnuplot and POV delegate support is removed from the default
delegate.mgk file.
|
2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) |
Log message:
Bump PKGREVISION for security/openssl ABI bump.
|
2016-01-06 11:46:56 by Adam Ciarcinski | Files touched by this commit (87) |
Log message:
Revbump after updating graphics/libwebp
|
2015-12-13 08:13:36 by Richard PALO | Files touched by this commit (2) |
Log message:
Add libwebp dependency and bump PKGREVISION accordingly.
|
2015-11-25 13:50:44 by Jonathan Perkin | Files touched by this commit (14) |
Log message:
Remove mk/find-prefix.mk usage from the graphics category.
The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.
|
2015-11-17 21:05:48 by Adam Ciarcinski | Files touched by this commit (2) |
Log message:
Changes 1.3.23:
Special Issues:
* Due to GCC bug 53967, several key agorithms (e.g. convolution) may execute \
much faster (e.g. 2-3X) for x86-64 and/or when SSE is enabled for floating point \
math (-mfpmath=sse) if the GCC option -frename-registers is used. Default 32-bit \
builds do not experience the problem since they use '387 math. It is not clear \
in what version of GCC this problem started but it was not noticed by the \
developers until the GCC 4.6 timeframe. Other compilers do not suffer from this \
bug. Please lobby the GCC project to fix this embarrassing performance bug.
Security Fixes:
* ScaleImage(): While not strictly a security issue, requesting to scale an \
image while retaining the original number of rows will lead to a program crash \
or memory corruption due to double-free.
Bug fixes:
* ScaleImage(): Fix problem with new width/height match original (regression \
added by 1.3.22).
* ScaleImage(): Fix double-free when new rows matches original rows (regression \
added by 1.3.22).
* MinGW build fix related to eliminating a sleep() macro which conflicts with a \
MinGW-provided inline sleep() function.
* PNG: Issue a warning instead of an error when attempting to read a PNG file \
containing a zero-length profile. This allows the file to be read.
* identify: Fix problem in that identify -format "%A" (to test if \
transparency is supported in image) does not always produce the correct results.
|
2015-11-03 22:34:36 by Alistair G. Crooks | Files touched by this commit (610) |
Log message:
Add SHA512 digests for distfiles for graphics category
Problems found with existing digests:
Package fotoxx distfile fotoxx-14.03.1.tar.gz
ac2033f87de2c23941261f7c50160cddf872c110 [recorded]
118e98a8cc0414676b3c4d37b8df407c28a1407c [calculated]
Package ploticus-examples distfile ploticus-2.00/plnode200.tar.gz
34274a03d0c41fae5690633663e3d4114b9d7a6d [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package AfterShotPro: missing distfile AfterShotPro-1.1.0.30/AfterShotPro_i386.deb
Package pgraf: missing distfile pgraf-20010131.tar.gz
Package qvplay: missing distfile qvplay-0.95.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
2015-10-06 18:50:32 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message:
Changes 1.3.22:
Special Issues:
* Due to GCC bug 53967, several key agorithms (e.g. convolution) may execute \
much faster (e.g. 2-3X) for x86-64 and/or when SSE is enabled for floating point \
math (-mfpmath=sse) if the GCC option -frename-registers is used. Default 32-bit \
builds do not experience the problem since they use '387 math. It is not clear \
in what version of GCC this problem started but it was not noticed by the \
developers until the GCC 4.6 timeframe. Other compilers do not suffer from this \
bug. Please lobby the GCC project to fix this embarrassing performance bug.
* Magick++: Any libraries or applications using Magick++ should be rebuilt in \
order to use this new release. Libraries and applications will be able to \
continue to use prior versions of Magick++ without being re-built, while \
benefiting from updated C libraries, provided that the system supports library \
versioning.
Security Fixes:
* General Coverity fixes. Some might have security consequences.
* Ghostscript options concatenation is more secure against buffer overflow.
* Windows: Built-in random number generator is now salted using \
CryptGenRandom(). This improves the robustness of the temporary file allocator.
Bug fixes:
* ...
|
2015-06-12 12:52:19 by Thomas Klausner | Files touched by this commit (3152) |
Log message:
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.
|