Path to this page:
Subject: CVS commit: pkgsrc/graphics/GraphicsMagick
From: Thomas Klausner
Date: 2016-06-06 13:46:04
Message id: 20160606114605.002DEFBB5@cvs.NetBSD.org
Log Message:
Updated GraphicsMagick to 1.3.24.
1.3.24 (May 30, 2016)
==========================
.. _`GCC bug 53967` : http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53967
Special Issues:
* A shell exploit (CVE-2016-5118) was discovered associated with a
filename syntax where file names starting with '|' are intepreted as
shell commands executed via popen(). Insufficient sanitization in
the SVG and MVG renderers allows such filenames to be passed through
from potentially untrusted files. There might be other ways for
untrusted inputs to produce such filenames. Due to this issue,
support for the feature is removed entirely.
* A shell exploit was discovered associated with the gnuplot delegate
and which is triggered by the 'gplt' entry in delegates.mgk. A
remote exploit is possible if the attacker can cause a provided SVG
or MVG file to be rendered (or the user opens a provided file). The
gnuplot program must be installed in order for the exploit to be
successful. It is strongly recommended to remove this entry in all
delegates.mgk files.
* Due to `GCC bug 53967`_, several key agorithms (e.g. convolution)
may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is
enabled for floating point math (`-mfpmath=sse`) if the GCC option
`-frename-registers` is used. Default 32-bit builds do not
experience the problem since they use '387 math. It is not clear in
what version of GCC this problem started but it was not noticed by
the developers until the GCC 4.6 timeframe. Other compilers do not
suffer from this bug. Please lobby the GCC project to fix this
embarrassing performance bug.
Security Fixes:
* BLOB: Remove support for reading input from a shell command, or
writing output to a shell command, by prefixing the specified
filename (containing the command) with a '|'. This feature provided
a remote shell execution opportunity.
* DIB: Fixed out of bounds reads. Added more header validations.
* JNG: File size limits are enforced.
* MAT: Fixed denial of service opportunity. Fix hang on corrupt deflate stream.
* META: Fixed out of bounds reads and writes.
* MIFF: Fixed thrown assertion.
* MSL: Ignore the file extension on MSL files. It is necessary to add
a "msl:" prefix to MSL files to read the as an image.
* MVG: No longer assume that files ending with extension ".mvg" are
MVG files. MVG parsing does more validity checking on its input.
Assure that enough PrimitiveInfo structures are allocated in advance
to support a given vector path (heap overflow problem).
* PCX: Fixed unreasonable memory allocation due to intentionally
corrupt file.
* PDB: Fixed a heap buffer overflow and out of bounds read.
* PICT: Fixed an out of bounds write.
* PS: Ghostscript is now always run with -dSAFER for safer execution.
* PSD: Fixed segmentation violations, heap buffer overflows, and out
of bounds writes.
* RLE: Fixed out of bounds reads and writes.
* ReadImages(): Fixed a possible infinite recursion due to a crafted input file.
* RotateImage(): Fixed thrown assertion.
* SGI: Fixed out of bounds writes.
* SUN: Fixed out of bounds reads and writes.
* SVG: Fixed heap and stack buffer overflows, as well as segmentation
violations (CVE-2016-2317 and CVE-2016-2318). Also fixed endless
loop, unexpectedly large memory allocation, divide by zero, and
recursion issues.
* TIFF: Fixed an assertion while reading. Fixed benign heap overflow.
* TMP: Adding a "tmp:" prefix to a filename no longer removes the file
since this seems dangerous.
* VIFF: Fix excessive memory allocation with intentionally corrupted input file.
* XCF: Fixed a heap buffer overflow.
* XPM: Fixed several heap buffer overflows, and out of bound
reads/writes. Also fixed a case of excessive memory allocation.
* delegate.mgk: The default delegate.mgk file has been pared down in
order to reduce security exposure.
* gnuplot ('gplt' delegate in delegates.mgk): Support for rendering
gnuplot files is removed since the format is inherently insecure.
* File names: File names starting with a '|' character are no longer
interpreted as shell commands to be executed as input or output.
Bug fixes:
* BMP: Fix reading 24-bit Microsoft BMP which claims to have a
colormap.
* FILE: `file://` URLs are properly supported now (they never worked
before).
* JP2: It is now possible to write lossless JPEG 2000 "JP2" format.
* SVG: Support font-size "medium".
New Features:
* Blob I/O C APIs: Added signed versions of short and long Read/Write
functions.
* FILE: `file://` URLs are properly supported now (they never worked
before).
* MAT: Matlab V4 is now partially supported.
* Magick++: Added double-precision xResolution() and yResolution()
methods to support setting the horizontal and vertical resolution
with double floating point precision.
* Mogrify now supports a -preserve-timestamp option to preserve file
access and modification timestamps.
Feature improvements:
Windows Delegate Updates/Additions:
* Updated bundled libpng to release 1.6.19.
* Updated bundled libwebp to release 0.4.4.
* Update bundled libxml2 to release 2.9.3.
* Update bundled freetype to release 2.6.2.
Build Changes:
* Added ``--enable-broken-coders`` configure option to enable file
format support which may be broken or cause security issues. The
PSD format is now classified as "broken" (until it is fixed).
Behavior Changes:
* PSD format is not included in the build by default.
* Files ending with ".mvg" and ".msl" are not assumed to be image
files by default.
* File names starting with '|' are no longer treated as shell
commands.
* Gnuplot and POV delegate support is removed from the default
delegate.mgk file.
Files: