Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.GSO.2.20.1712101126280.22571@freddy.simplesystems.org>
Date: Sun, 10 Dec 2017 11:32:31 -0600 (CST)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security@...ts.openwall.com
Subject: GraphicsMagick 1.3.27 is available

[ This release announcement is forwarded to the oss-security list due 
the many security issues found in 1.3.26 and fixed by 1.3.27.  Much 
thanks to the security researchers and OS package maintainers who 
notified us about problems and sometimes provided useful analysis and 
patches.]

GraphicsMagick 1.3.27 (the 61st release, and the 28th in this cycle) is now 
available.  This release is API and ABI compatible with previous 1.3.X releases 
so it is possible to update without re-compiling dependent programs.

There have been a large number of security issues and other stability bugs 
fixed in this release.  There has been intense fuzzing activity and code 
inspections by a number of people, resulting in many issues identified and 
fixed.

It is recommended to update to this release immediately.

The SHA1 checksums for the release files are as follows:

ed18c3db2ad786453ebe495222b24acdb8374a6d  GraphicsMagick-1.3.27-1.src.rpm
ec9f366a22053ddeb14373bc3abdbe5843626c62  GraphicsMagick-1.3.27-Q16-win32-dll.exe
79cfc2774e4c259e7953a08c2148eb8aa5297b78  GraphicsMagick-1.3.27-Q16-win64-dll.exe
91cf1930279a033d65f11ce54fea05cde0d75d3b  GraphicsMagick-1.3.27-Q8-win32-dll.exe
20dbbaebbc6df485d02e5fd687dfbe72fe30ec37  GraphicsMagick-1.3.27-Q8-win64-dll.exe
4c3676e3dcf36d3bc3538729316bb3dbdccff28f  GraphicsMagick-1.3.27-windows-source.7z
cb8fc4751c159c52913af7f0f9b572486c2efd4b  GraphicsMagick-1.3.27.tar.bz2
ca58a6004012a17e8fee587125b5bb3e314e8b3d  GraphicsMagick-1.3.27.tar.gz
863d359c7ee2a4f074e1f543ad97c4d2c01d64bb  GraphicsMagick-1.3.27.tar.lz
f334cfc6f03e6d4dfea8d9fe0643820649d20f7a  GraphicsMagick-1.3.27.tar.xz

The news for this release follows:

Special Issues:

* None

Security Fixes:

* CMYK: Fix heap overwrites in raw CMYK writer.  Fix heap overwrites
   in raw CMYK reader (noticed when doing montage).

* GIF: Assure that global colormap is initialized.

* DescribeImage(): Fix possible heap write overflow when describing
   visual image directory. Fix possible heap read overflow while
   accessing heap data, and possible information disclosure while
   describing the IPTC profile.

* DICOM: Fix huge memory allocation based on bogus length value (DOS
   opportunity).

* DrawDashPolygon(): Fix heap out of bounds read in render code.

* GRAY: Fix heap overwrites in raw GRAY reader (noticed when doing
   montage).

* JNG: Fix heap overruns.  Fix assertions.

* JNG: Prevent a crash due to zero-length color_image while reading a
   JNG image. (CVE-2017-11102).  Reject JNG files with unreasonable
   dimensions given the file size (avoid DOS).

* JNX: Fix DOS due to excessive memory allocations with corrupt file.

* JPEG: Do not allocate backing image pixels until a scanline has been
   successfully read.  Avoids DOS opportunity with suitably
   manufactured file.

* MAP: Fix null pointer dereference or segmentation violation.

* MAT: Fix heap write overflow.

* MNG: Reject over-large (65k by 65k) image.  Fix heap overwrites.

* PAM: Fix heap buffer overflow in PAM writer for 1 bit/sample + alpha.

* PICT: Fix excessive memory allocation due to malformed image file.

* PNG: Fix heap buffer overflow in PNG writer when promoting from
   indexed PNG to RGBA.

* PNM: Fix DOS due to excessive memory allocations with corrupt file.

* RGB: Fix heap overwrite in raw RGB writer. Fix heap overwrites in
   raw RGB reader (noticed when doing montage).

* RLE: Fix DOS opportunities due to false claims in image header.  Fix
   heap out of bounds read.

* SFW: Avoid possible heap write overflow.

* SUN: Fix heap read overflow.  Fix DOS due to excessive memory
   allocations with corrupt file.

* SVG: Fix heap write overflow.

* TIFF: Use heuristics to avoid DOS (excessive memory use) due to
   false claims by input file.  It is possible that this may reject
   some valid files.  Fix possible small heap overwrite beyond the
   allocated scanline buffer due to the NumberOfObjectsInArray() macro
   rounding up rather than down.

* UIL: Fix heap overwrite in writer.

* WPG: Fix DOS issues (memory, disk space, CPU time) due to
   insufficient validations.  Fix heap overwrites.

* XBM: Fix DOS issue where code remains stuck in loop and does not
   return.

* XV 332 (PNM): Fix null pointer dereference due to malformed file.

* TracePSClippingPath()/TraceSVGClippingPath(): Fix heap out of bounds
   read.

* Validate path entries in the MAGICK_CODER_MODULE_PATH and
   MAGICK_FILTER_MODULE_PATH environment variables and convert all
   paths to real paths if possible. This avoids possible use of
   relative paths to load modules (a possible security issue), or the
   possibility of adding a directory which was in the path, but
   missing, and may improve efficiency by removing non-existent paths.

Bug fixes:

* AVS: Memory leaks eliminated.

* CINEON: Fix possible use of NULL pointer.

* CMYK: Memory leaks eliminated.

* CUT: Memory leaks eliminated.  Fix possible use of NULL pointer.

* DCM: Fix possible use of NULL pointer.

* DrawImage(): Avoid "negative" strncpy().  This seems to be benign
   with glibc but perhaps not with other implementations.

* DPX: Memory leaks eliminated.

* EMF: Fix possible use of NULL pointer.

* FindMagickModule(): Fix possible use of NULL pointer.

* FITS: Fix memory leak.

* GIF: Fix memory leak.

* HDF: Memory leaks eliminated.

* HISTOGRAM: Fix memory leak.

* JNG: Memory leaks eliminated. Memory use after free and double-free
   issues eliminated.  Error reporting fixes.

* Magick::Options::strokeDashArray(): Fix possible use of NULL pointer.

* MagickXFileBrowserWidget(): Fix possible use of NULL pointer.

* MAT: Memory leaks eliminated.

* MagickMapCloneMap(): Fix possible assertion failure.

* MNG: Memory use after free issues eliminated.  Fix possible use of
   NULL pointer.  Fix memory leaks.

* MontageImageCommand(): Fix memory leaks.

* MPC: Fix memory leak in writer.

* MPEG: Fix memory leaks in writer.

* MTV: Memory leaks eliminated.

* NTRegistryKeyLookup(): Fix possible use of NULL pointer.

* NTGetTypeList(): Fix possible use of NULL pointer.

* PCD: Memory leaks eliminated.

* PCL: Fix null pointer dereference in PCL writer.

* PCX: Memory leaks eliminated.

* PALM: Fix possible use of NULL pointer. Fix memory leak.

* PICT: Memory leaks eliminated.

* PNG: Fix small (one-off) heap read overflow.

* PNM: Fix memory leaks.

* PS: Fix use of null pointer in error path.

* PWP: Fix possible use of null pointer.

* ReplaceImageColormap(): Throw an exception rather than assertion if
   the input image is not colormapped.

* RGB: Fix memory leak.

* SegmentImage(): Fix possible use of NULL pointer.

* SetImageProfile(): Fix possible assertion failure.

* SGI: Check for EOF while reading SGI file header.

* SUN: Fix memory leak.

* TIFF: Fix possible use of NULL pointer.  Fix memory leaks in writer.

* TIM: Fix memory leak.

* TOPOL: Fix possible use of NULL pointer.  Fix memory leaks.

* VIFF: Fix memory leak.

* WEBP: Detect partial write to output file.

* WPG: Fix possible use of null pointer. Fix excessive use of disk
   resources due to insufficient validations.

* WriteImage(): Restore use of GetBlobStatus() to test if an I/O error
   was encountered while writing output file. This assures that I/O
   failure in writers which do not themselves verify writes is assured
   to be reported.

* WMF: Memory use after free issues eliminated.

* YUV: Fix memory leaks.


New Features:

* PNG: Implemented eXIf chunk support.

* WEBP: Add support for EXIF and ICC metadata provided that at least
   libwebp 0.5.0 is used.

* Magick++ Image autoOrient(): New Image method to auto-orient an
   image so it looks right-side up by default.

Feature improvements:

* None

Windows Delegate Updates/Additions:

* Libtiff is updated to libtiff 4.0.9.

Build Changes:

* JPEG/PNG: The SETJMP_IS_THREAD_SAFE definition is used to determine
   if setjmp/longjmp are thread safe.  If these interfaces are thread
   safe, then concurrent reads/writes are possible.  This definition is
   false for Solaris but true for Linux.  JPEG and PNG will be fully
   concurrent if this definition is enabled.

Behavior Changes:

* PALM: PALM writer is disabled.

* ThrowLoggedException(): Capture the first exception at
   ErrorException level or greater, or only capture exception if it is
   more severe than an already reported exception.

* DestroyJNG(): This internal function is now declared static and is
   removed from shared library or DLL namespace.

-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.