Package Release Info

GraphicsMagick-1.3.29-bp150.2.6.1

Update Info: openSUSE-2019-688
Available in Package Hub : 15 Update

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

GraphicsMagick
GraphicsMagick-devel
libGraphicsMagick++-devel
libGraphicsMagick++-Q16-12
libGraphicsMagick-Q16-3
libGraphicsMagick3-config
libGraphicsMagickWand-Q16-2
perl-GraphicsMagick

Change Logs

* Mon Sep 10 2018 Petr Gajdos <pgajdos@suse.com>
- security update (pict.c):
  * CVE-2018-16644 [bsc#1107609]
    + GraphicsMagick-CVE-2018-16644.patch
* Mon Sep 10 2018 Petr Gajdos <pgajdos@suse.com>
- security update (bmp.c, dib.c):
  * CVE-2018-16645 [bsc#1107604]
    + GraphicsMagick-CVE-2018-16645.patch
Version: 1.3.29-bp150.2.3.1
* Wed Aug 22 2018 pgajdos@suse.com
- disable PS, PS2, PS3 and PDF coders by default, remove gs calls
  from delegates.mgk [bsc#1105592]
  + GraphicsMagick-disable-insecure-coders.patch
Version: 1.3.29-bp150.2.30.1
* Tue Oct 08 2019 pgajdos@suse.com
- version update to 1.3.33
  * It has been discovered that the 'ICU' library (a perhaps 30MB C++
    library) which is now often a libxml2 dependendency causes huge
    process initialization overhead.  This is noticed as unexpected
    slowness when GraphicsMagick utilities are used to process small to
    medium sized files.  The time to initialize is often longer than the
    time to read the input file, process the image, and write the output
    file.  If the 'ICU' dependency can not be avoided, then make sure to
    use the modules build.  Please lobby the 'ICU' library developers to
    change their implementation to avoid long start-up times due to
    merely linking with the library.
  * GraphicsMagick is now participating in Google's oss-fuzz project due
    to the contributions and assistance of Alex Gaynor. Since February 4
    2018, 353 issues have been opened by oss-fuzz and 338 of those
    issues have been resolved.  The issues list is available at
    https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
    "graphicsmagick".  Issues are available for anyone to view and
    duplicate if they have been in "Verified" status for 30 days, or if
    they have been in "New" status for 90 days.  There are too many
    fixes to list here.  Please consult the GraphicsMagick ChangeLog
    file, Mercurial repository commit log, and the oss-fuzz issues list
    for details.
  * Documentation has been added regarding security hazards due to
    commands which support a '@filename' syntax.
  * MontageImages(): Fix wrong length argument to strlcat() when
    building montage directory, which could allow heap overwrite.
  * PNG: Pass correct size value to strlcat() in module registration
    code.  This bug is noticed to cause problems for Apple's OS X and
    Linux Alpine with musl libc.  This fixes a regression introduced by
    the 1.3.32 release.
  * Re-implement command-line utility `'@'` file inclusion support for
    `-comment`, `-draw`, `-format`, and `-label` which was removed for
    the 1.3.32 release.  The new implementation is isolated to
    command-line utility implementation code rather than being deeply
    embedded in the library and exposed in other usage contexts.  This
    fixes a regression introduced by the 1.3.32 release.
  * CAPTION: The The CAPTION reader did not appear to work at all any
    more.  Now it works again, but still not very well.
  * MagickXDisplayImage(): Fix heap overwrite of windows->image.name and
    windows->image.icon_name buffers.  This bug has surely existed since
    early GraphicsMagick releases.
  * MagickXAnimateImages(): Fix memory leak of scene_info.pixels.
  * AcquireTemporaryFileDescriptor(): Fix compilation under Cygwin. This
    fixes a regression introduced by the 1.3.32 release.
  * PNG: Fix saving to palette when mage has an alpha channel but no
    color is marked as transparent.
  * Compilation warnings in the Visual Studio WIN64 build due to the
    'long' type being only 32-bits have been addressed.
Version: 1.3.29-bp150.2.27.1
* Tue Jun 18 2019 pgajdos@suse.com
- version update to 1.3.32
  New Features:
  * Added support for writing the Braille image format (by Samuel
    Thibault).
  * WebP writer: Support WebP 'use_sharp_yuv' option ("if needed, use
    sharp (and slow) RGB->YUV conversion") via `-define
    webp:use-sharp-yuv=true`.
  * The version command output now reports the OpenMP specification
    number rather than just the integer version identifier.
  API Updates:
  * ReallocateImageColormap() added to re-allocate an existing colormap.
  * Some improperly-exposed globals are now static as they should have
    been.
  * The 'benchmark' command now shows 6 digits (microseconds) of elapsed
    time indication.
  * The 'time' command now shows 6 digits (microseconds) of elapsed time
    indication.
  * The logging facility now shows 6 digits (microseconds) of time
    resolulution
  * Dcraw: When QuantumDepth is greater than 8, pass -6 option to dcraw
    so that it returns a 16-bit/sample image.
  * Dcraw: If Dcraw supports TIFF format, then request TIFF format in
    order to be able to acquire more metatdata.
  * Scale algorithm: Eliminate artifacts when scaling an image with
    semi-transparent pixels.
  * Library metrics: The number of shared library relocations and the
    amount of initialized data has been signficantly reduced by
    following recommendations from Ulrich Drepper's document `How To
    Write Shared Libraries <https://akkadia.org/drepper/dsohowto.pdf>`_.
  (Security) Bug Fixes:
  * see NEWS.txt
  * fixes [bsc#1138425]
Version: 1.3.29-bp150.2.24.1
* Tue May 28 2019 pgajdos@suse.com
- disable also PCL [bsc#1136183]
- modified patches
  % GraphicsMagick-disable-insecure-coders.patch
Version: 1.3.29-bp150.2.21.1
* Tue Apr 30 2019 pgajdos@suse.com
- security update
- modified patches
  CVE-2019-11008 [bsc#1132054], CVE-2019-11009 [bsc#1132053], CVE-2019-11473 [bsc#1133203], CVE-2019-11474 [bsc#1133202]
  % GraphicsMagick-xwd.c-update.patch (refreshed)
- added patches
  CVE-2019-11506 [bsc#1133498]
  + GraphicsMagick-CVE-2019-11506.patch
  CVE-2019-11505 [bsc#1133501]
  + GraphicsMagick-CVE-2019-11505.patch
Version: 1.3.29-bp150.2.18.1
* Tue Apr 16 2019 pgajdos@suse.com
- security update
- added patches
  CVE-2019-11005 [bsc#1132058]
  + GraphicsMagick-CVE-2019-11005.patch
  CVE-2019-11006 [bsc#1132061]
  + GraphicsMagick-CVE-2019-11006.patch
  CVE-2019-11010 [bsc#1132055]
  + GraphicsMagick-CVE-2019-11010.patch
  CVE-2019-11007 [bsc#1132060]
  + GraphicsMagick-CVE-2019-11007.patch
  CVE-2019-11008 [bsc#1132054], CVE-2019-11009 [bsc#1132053]
  + GraphicsMagick-xwd.c-update.patch
Version: 1.3.29-bp150.2.15.1
* Mon Feb 11 2019 Petr Gajdos <pgajdos@suse.com>
- security update (pdf.c):
  * CVE-2019-7397 [bsc#1124366]
    + GraphicsMagick-CVE-2019-7397.patch
Version: 1.3.29-bp150.2.12.1
* Fri Dec 21 2018 Petr Gajdos <pgajdos@suse.com>
- security update (tga.c):
  * CVE-2018-20184 [bsc#1119822]
    + GraphicsMagick-CVE-2018-20184.patch
* Fri Dec 21 2018 Petr Gajdos <pgajdos@suse.com>
- security update (dib.c):
  * CVE-2018-20189 [bsc#1119790]
    + GraphicsMagick-CVE-2018-20189.patch
Version: 1.3.29-bp150.1.2
* Wed Jun 20 2018 pgajdos@suse.com
- security update (rgb.c, cmyk.c, gray.c)
  * CVE-2018-10805 and similar memory leaks [bsc#1095812]
    + GraphicsMagick-CVE-2018-10805.patch
* Wed Jun 13 2018 pgajdos@suse.com
- security update (dcm.c)
  * fix invalid reads in dcm.c [bsc#1075821c#14]
    GraphicsMagick-dcm.c-update.patch
* Wed May 23 2018 pgajdos@suse.com
- update to 1.3.29:
  * Security Fixes:
    . GraphicsMagick is now participating in Google's oss-fuzz project
    . JNG: Require that the embedded JPEG image have the same dimensions
    as the JNG image as provided by JHDR. Avoids a heap write overflow.
    . MNG: Arbitrarily limit the number of loops which may be requested by
    the MNG LOOP chunk to 512 loops, and provide the '-define
    mng:maximum-loops=value' option in case the user wants to change the
    limit.  This fixes a denial of service caused by large LOOP
    specifications.
  * Bug fixes:
    . DICOM: Pre/post rescale functions are temporarily disabled (until
    the implementation is fixed).
    . JPEG: Fix regression in last release in which reading some JPEG
    files produces the error "Improper call to JPEG library in state
    201".
    . ICON: Some DIB-based Windows ICON files were reported as corrupt to
    an unexpectedly missing opacity mask image.
    . In-memory Blob I/O: Don't implicitly increase the allocation size
    due to seek offsets.
    . MNG: Detect and handle failure to allocate global PLTE. Fix divide
    by zero.
    . DrawGetStrokeDashArray(): Check for failure to allocate memory.
    . BlobToImage(): Now produces useful exception reports to cover the
    cases where 'magick' was not set and the file format could not be
    deduced from its header.
  * API Updates:
    . Wand API: Added MagickIsPaletteImage(), MagickIsOpaqueImage(),
    MagickIsMonochromeImage(), MagickIsGrayImage(), MagickHasColormap()
    based on contributions by Troy Patteson.
    . New structure ImageExtra added and Image 'clip_mask' member is
    replaced by 'extra' which points to private ImageExtra allocation.
    The ImageGetClipMask() function now provides access to the clip mask
    image.
    . New structure DrawInfoExtra and DrawInfo 'clip_path' is replaced by
    'extra' which points to private DrawInfoExtra allocation.  The
    DrawInfoGetClipPath() function now provides access to the clip path.
    . New core library functions: GetImageCompositeMask(),
    CompositeMaskImage(), CompositePathImage(), SetImageCompositeMask(),
    ImageGetClipMask(), ImageGetCompositeMask(), DrawInfoGetClipPath(),
    DrawInfoGetCompositePath()
    . Deprecated core library functions: RegisterStaticModules(),
    UnregisterStaticModules().
  * Feature improvements:
    . Static modules (in static library or shared library without
    dynamically loadable modules) are now lazy-loaded using the same
    external interface as the lazy-loader for dynamic modules.  This
    results in more similarity between the builds and reduces the fixed
    initialization overhead by only initializing the modules which are
    used.
    . SVG: The quality of SVG support has been significantly improved due
    to the efforts of Greg Wolfe.
    . FreeType/TTF rendering: Rendering fixes for opacity.
Version: 1.3.28-bp151.4.2
* Tue Feb 20 2018 crrodriguez@opensuse.org
- Add explicit buildrequires on: pkgconfig(libwebpmux),
  pkgconfig(libpng), pkgconfig(x11), pkgconfig(xext),
  pkgconfig(zlib), libjpeg-devel. all
  of them direct build dependencies but not included in
  the spec file
* Wed Jan 24 2018 pgajdos@suse.com
- update to 1.3.28:
  * Security Fixes:
    BMP: Fix non-terminal loop due to unexpected bit-field mask
    value (DOS opportunity).
    PALM: Fix heap buffer underflow in builds with QuantumDepth=8.
    SetNexus() Fix heap overwrite under certain conditions due to
    using a wrong destination buffer. This issue impacts all
    1.3.X releases.
    TIFF: Fix heap buffer read overflow in LocaleNCompare() when
    parsing NEWS profile.
  * Bug fixes:
    DescribeImage(): Eliminate possible use of null pointer.
    GIF: Fix memory leak of global colormap in error path.
    GZ: Writing to gzip files with the extension ".gz" was
    not working with Zlib 1.2.8.
    JNG: Fix buffer read overflow (a tiny fixed overflow of just
    one byte).
    JPEG: Promoting certain libjpeg warnings to errors caused
    much more problems than expected. The promotion of
    warnings to errors is removed. Claimed pixel dimensions
    are validated by file size before allocating memory for
    the pixels.
    IntegralRotateImage(): Assure that reported error in rotate by
    270 case does immediately terminate processing.
    MNG: Fix possible null pointer reference related to DEFI chunk
    parsing. Fix minor heap read overflow (constrained to just
    one byte) due to an ordering issue in a limit check. Fix
    memory leaks in error path.
    WebP: Fix stack buffer overflow in WriteWEBPImage() which
    occurs with libwebp 0.5.0 or newer due to a structure type
    change in the structure passed to the progress monitor
    callback.
    WPG: Memory leaks fixed.
  * API Updates:
    InterpolateViewColor(): This function now returns MagickPassFail
    (an unsigned int) rather than void so that errors can be
    efficiently reported.
    The magick/pixel_cache.h header is updated to add deprecation
    attributes such that code using GetPixels(), GetIndexes(),
    and GetOnePixel() will produce deprecation warnings for
    compilers which support them. These functions will not be
    removed in the 1.3.X release series and when they are
    removed, pre-processor macros will be added so a replacement
    function is used instead. There is a long-term objective to
    eliminate functionally-redundant pixel cache functions to
    only the ones with the best properties since this reduces
    maintenance and may reduce the depth of the call stack
    (improving performance).
  * removed unneded GraphicsMagick-release-date-missing-quote.patch
* Wed Jan 10 2018 pgajdos@suse.com
- update to 1.3.27:
  * New Features:
    . PNG: Implemented eXIf chunk support.
    . WEBP: Add support for EXIF and ICC metadata provided that at
    least libwebp 0.5.0 is used.
    . Magick++ Image autoOrient(): New Image method to auto-orient an
    image so it looks right-side up by default.
  * Behavior Changes:
    . PALM: PALM writer is disabled.
    . ThrowLoggedException(): Capture the first exception
    at ErrorException level or greater, or only capture exception
    if it is more severe than an already reported exception.
    . DestroyJNG(): This internal function is now declared static
    and is removed from shared library or DLL namespace.
  * lot of security and other bug fixes, see
    https://sourceforge.net/projects/graphicsmagick/files/graphicsmagick/1.3.27/
- added GraphicsMagick-release-date-missing-quote.patch
* Tue Sep 19 2017 pgajdos@suse.com
- builds for sle11
* Mon Sep 11 2017 pgajdos@suse.com
- fix perl bindings
  + GraphicsMagick-perl-linkage.patch from fedora
- turn on perl test suite
* Mon Jul 24 2017 jengelh@inai.de
- Trim descriptions. Redo summaries and RPM groups.
* Fri Jul 21 2017 tchvatal@suse.com
- Drop patches not meintioned in the changelog ever:
  * GraphicsMagick-debian-fixed.patch
  * GraphicsMagick-include.patch
  * GraphicsMagick-perl-link.patch
  * The package builds just fine without them and there is no
    refference explaining it
- Convert the deps to pkgconfig variants where possible.
* Fri Jul 21 2017 tchvatal@suse.com
- Version update to 1.3.26:
  * DPX: Fix excessive use of memory (DOS issue) due to file header
    claiming large image dimensions but insufficient backing
    data. (CVE-2017-10799 bsc#1047054).
  * JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350).
  * MAT: Fix excessive use of memory (DOS issue) due to continuing
    processing with insufficient data and claimed large image
    size. Verify each file extent to make sure that it is within range
    of file size. (CVE-2017-10800 bsc#1047044).
  * META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800).
  * PCX: Fix denial of service issue.
  * RLE: Fix abnomally slow operation (denial of service issue) with
    intentionally corrupt colormapped file.
  * PICT: Fix possible buffer overflow vulnerability given suitably
    truncated input file.
  * PNG: Enforce spec requirement that the dimensions of the JPEG
    embedded in a JDAT chunk must match the JHDR dimensions
    (CVE-2016-9830).
  * PNG: Avoid NULL dereference when MAGN chunk processing fails.
  * SCT: Fix stack-buffer read overflow (underflow?) while reading SCT
    header.
  * SGI: Fix denial of service issues.  Delay large memory allocations
    until file header has fully passed sanity checks.
  * TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to
    have only 2 samples per pixel (CVE-2017-6335 bsc#1027255).
  * TIFF: Fix out of bounds read when reading RGB TIFF which claims to
    have only 1 sample per pixel (CVE-2017-10794).
  * WPG: Fix heap overflow (CVE-2016-7996).  Fix assertion crash
    (CVE-2016-7997).
  * DifferenceImage(): Fix Fix all-black difference image if an input
    file is colormapped.
  * EXIF orientation was not being properly detected for some files.
  * -frame: The `import` command -frame handling was improperly
    implemented and was using already freed data.
  * GIF: Fixes for "Excessive LZW string data" problem.
  * Magick++: Bug fixes to PathSmoothCurvetoRel::operator() and
    PathSmoothCurvetoRel::operator().
  * PAM: Support writing GRAYSCALE PAM format.
  * PNG: Fix memory leaks.
  * SVG: Fixed a memory leak.  Fixed a possible null pointer dereference.
  * TclMagick: Problem that TkMagick could not resolve functions from
    TclMagick under Linux is fixed.
  * TclMagick: Fix parser validatation in magickCmd() to avoid crash
    given a syntax error.
  * TIFF: Fix for reading old JPEG files (avoids "Improper call to JPEG
    library in state 0. (LibJpeg).").
  * TXT: Fixed memory leak.
  * XCF: Error checking is improved.
  * EXIF rotation: Support is added such that the EXIF orientation tag
    is updated when the image is rotated.
  * MAT: Now support reading multiple images from Matlab V4 format.
  * Magick++: Orientation method now updates orientation in EXIF
    profile, if it exists.
  * Magick++: Added Image attribute method which accepts a 'char *'
    argument, and will remove the attribute if the value argument is
    NULL.
  * -orient: The -orient command line option now also updates the
    orientation in the EXIF profile, if it exists.
  * PGX: Support PGX JPEG 2000 format for reading and writing (within
    the bounds of what JasPer supports).
  * Wand API: Added MagickAutoOrientImage(),
    MagickGetImageOrientation(), MagickSetImageOrientation(),
    MagickRemoveImageOption(), and MagickClearException().
- Drop merged patch GraphicsMagick-CVE-2017-8350.patch
* Mon Jun 26 2017 pgajdos@suse.com
- complementary fix for CVE-2017-8350 [bsc#1036985 c13-c21]
  * GraphicsMagick-CVE-2017-8350.patch
* Mon Sep 26 2016 pgajdos@suse.com
- update to 1.3.25:
  * EscapeParenthesis(): I was notified by Gustavo Grieco of a heap
    overflow in EscapeParenthesis() used in the text annotation code.
    While not being able to reproduce the issue, the implementation of
    this function is completely redone.
  * Utah RLE: Reject truncated/absurd files which caused huge memory
    allocations and/or consumed huge CPU.  Problem was reported by
    Agostino Sarubbo based on testing with AFL.
  * SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in
    the MVG rendering code (also impacts SVG).
  * TIFF: Fix heap buffer read overflow while copying sized TIFF
    attributes.  Problem was reported by Agostino Sarubbo based on
    testing with AFL.
* Thu Jun 23 2016 meissner@suse.com
- Build "gm" as position independend executable (PIE).
* Mon Jun 06 2016 pgajdos@suse.com
- updated to 1.3.24:
  * many security related changes (incl. CVE-2016-5118), see
    ChangeLog
- removed patches:
  * GraphicsMagick-CVE-2016-5118.patch
  * GraphicsMagick-upstream-delegates-safer.patch
  * GraphicsMagick-upstream-disable-mvg-ext.patch
  * GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
  * GraphicsMagick-upstream-image-sanity-check.patch
* Mon May 30 2016 pgajdos@suse.com
- security update:
  * CVE-2016-5118 [bsc#982178]
    + GraphicsMagick-CVE-2016-5118.patch
* Mon May 09 2016 sflees@suse.de
- Multiple security issues in GraphicsMagick/ImageMagick [boo#978061]
  (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717)
  * GraphicsMagick-upstream-delegates-safer.patch
  * GraphicsMagick-upstream-disable-mvg-ext.patch
  * GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
  * GraphicsMagick-upstream-image-sanity-check.patch
* Sun Nov 08 2015 dmitry_r@opensuse.org
- Update to version 1.3.23
  * See included NEWS.txt for details
* Mon Oct 05 2015 dmitry_r@opensuse.org
- Update to version 1.3.22
  * See included NEWS.txt for details
* Sat Mar 21 2015 dmitry_r@opensuse.org
- Update to version 1.3.21
  * See included NEWS.txt for details
* Wed Sep 17 2014 dmitry_r@opensuse.org
- Move library configuration files to separated package
* Tue Sep 16 2014 dmitry_r@opensuse.org
- Fix devel package dependencies
* Sat Sep 13 2014 dmitry_r@opensuse.org
- Update to version 1.3.20
  * See included NEWS.txt for details
- Enable quantum depth in shared library names
- Enable bzip2, jbig, webp support
- Use LCMSv2