|
|
|
|
Changelog for perl-GraphicsMagick-1.3.31-125.5.i586.rpm :
* Wed Dec 19 2018 Petr Gajdos - asan_build: build ASAN included- debug_build: build more suitable for debugging * Wed Dec 19 2018 Petr Gajdos - update to 1.3.31: Special Issues: * Firmware and operating system updates to address the Spectre vulnerability (and possibly to some extent the Meltdown vulnerability) have substantially penalized GraphicsMagick\'s OpenMP performance. Performance is reduced even with GCC 7 and 8\'s improved optimizers. There does not appear to be anything we can do about this. Security Fixes: * GraphicsMagick is now participating in Google\'s oss-fuzz project due to the contributions and assistance of Alex Gaynor. Bug fixes: * See above note about oss-fuzz fixes. * CINEON: Fix unexpected hang on a crafted Cineon image. SourceForge issue 571. * Drawing recursion is limited to 100 and may be tuned via the MAX_DRAWIMAGE_RECURSION pre-processor definition. * Fix reading MIFF files using legacy keyword \'color-profile\' for ICC color profile as was used by ImageMagick 4.2.9. * Fix reading/writing files when \'magick\' is specified in lower case. This bug was a regression in 1.3.30. New Features: * TIFF: Support Zstd compression in TIFF. This requires libtiff 4.0.10 or later. * TIFF: Support WebP compression in TIFF. This requires libtiff 4.0.10 or later. API Updates: * MagickMonitor() is marked as deprecated.- see NEWS.txt for more details * Wed Aug 22 2018 pgajdosAATTsuse.com- disable PS, PS2, PS3 and PDF coders by default, remove gs calls from delegates.mgk [bsc#1105592] + GraphicsMagick-disable-insecure-coders.patch * Fri Aug 03 2018 idonmezAATTsuse.com- update to 1.3.30: * Security Fixes: . GraphicsMagick is now participating in Google\'s oss-fuzz project due to the contributions and assistance of Alex Gaynor. Since February 4 2018, 238 issues have been opened by oss-fuzz and 230 of those issues have been resolved. The issues list is available at https://bugs.chromium.org/p/oss-fuzz/issues/list under search term \"graphicsmagick\". Issues are available for anyone to view and duplicate if they have been in \"Verified\" status for 30 days, or if they have been in \"New\" status for 90 days. There are too many fixes to list here. Please consult the GraphicsMagick ChangeLog file, Mercurial repository commit log, and the oss-fuzz issues list for details. . SVG/Rendering: Fix heap write overflow of PrimitiveInfo and PointInfo arrays. This is another manefestation of CVE-2016-2317, which should finally be fixed correctly due to active detection/correction of pending overflow rather than using estimation. * Bug fixes: . Many oss-fuzz fixes are bug fixes. . Drawing/Rendering: Many more fixes by Gregory J Wolfe (see the ChangeLog). . MIFF: Detect end of file while reading image directory. . SVG: Many more fixes by Gregory J Wolfe (see the ChangeLog). . The AlphaCompositePixel macro was producing wrong results when the output alpha value was not 100% opaque. This is a regression introduced in 1.3.29. . TILE: Fix problem with tiling JPEG images because the size request used by the TILE algorithm was also causing re-scaling in the JPEG reader. The problem is solved by stripping the size request before reading the image. * API Updates: . The size of PrimitiveInfo (believed to be an internal/private structure but in a header which is installed, has been increased to store a \'flags\' argument. This is intended to be an internal interface but but may be detected as an ABI change. * Behavior Changes: . JPEG: The JPEG reader now allows 3 warnings of any particular type before giving up on reading and throwing an exception. This choice was made after observing files which produce hundreds of warnings and consume massive amounts of memory before reading the image data has even started. It is currently unknown how many files which were previously accepted will be rejected by default. The number of allowed warnings may be adjusted using \'-define jpeg:max-warnings=\'. The default limit will be adjusted based on reported user experiences and may be adjusted prior to compilation via the MaxWarningCount definition in coders/jpeg.c. * Wed May 23 2018 pgajdosAATTsuse.com- update to 1.3.29: * Security Fixes: . GraphicsMagick is now participating in Google\'s oss-fuzz project . JNG: Require that the embedded JPEG image have the same dimensions as the JNG image as provided by JHDR. Avoids a heap write overflow. . MNG: Arbitrarily limit the number of loops which may be requested by the MNG LOOP chunk to 512 loops, and provide the \'-define mng:maximum-loops=value\' option in case the user wants to change the limit. This fixes a denial of service caused by large LOOP specifications. * Bug fixes: . DICOM: Pre/post rescale functions are temporarily disabled (until the implementation is fixed). . JPEG: Fix regression in last release in which reading some JPEG files produces the error \"Improper call to JPEG library in state 201\". . ICON: Some DIB-based Windows ICON files were reported as corrupt to an unexpectedly missing opacity mask image. . In-memory Blob I/O: Don\'t implicitly increase the allocation size due to seek offsets. . MNG: Detect and handle failure to allocate global PLTE. Fix divide by zero. . DrawGetStrokeDashArray(): Check for failure to allocate memory. . BlobToImage(): Now produces useful exception reports to cover the cases where \'magick\' was not set and the file format could not be deduced from its header. * API Updates: . Wand API: Added MagickIsPaletteImage(), MagickIsOpaqueImage(), MagickIsMonochromeImage(), MagickIsGrayImage(), MagickHasColormap() based on contributions by Troy Patteson. . New structure ImageExtra added and Image \'clip_mask\' member is replaced by \'extra\' which points to private ImageExtra allocation. The ImageGetClipMask() function now provides access to the clip mask image. . New structure DrawInfoExtra and DrawInfo \'clip_path\' is replaced by \'extra\' which points to private DrawInfoExtra allocation. The DrawInfoGetClipPath() function now provides access to the clip path. . New core library functions: GetImageCompositeMask(), CompositeMaskImage(), CompositePathImage(), SetImageCompositeMask(), ImageGetClipMask(), ImageGetCompositeMask(), DrawInfoGetClipPath(), DrawInfoGetCompositePath() . Deprecated core library functions: RegisterStaticModules(), UnregisterStaticModules(). * Feature improvements: . Static modules (in static library or shared library without dynamically loadable modules) are now lazy-loaded using the same external interface as the lazy-loader for dynamic modules. This results in more similarity between the builds and reduces the fixed initialization overhead by only initializing the modules which are used. . SVG: The quality of SVG support has been significantly improved due to the efforts of Greg Wolfe. . FreeType/TTF rendering: Rendering fixes for opacity. * Tue Feb 20 2018 crrodriguezAATTopensuse.org- Add explicit buildrequires on: pkgconfig(libwebpmux), pkgconfig(libpng), pkgconfig(x11), pkgconfig(xext), pkgconfig(zlib), libjpeg-devel. all of them direct build dependencies but not included in the spec file * Wed Jan 24 2018 pgajdosAATTsuse.com- update to 1.3.28: * Security Fixes: BMP: Fix non-terminal loop due to unexpected bit-field mask value (DOS opportunity). PALM: Fix heap buffer underflow in builds with QuantumDepth=8. SetNexus() Fix heap overwrite under certain conditions due to using a wrong destination buffer. This issue impacts all 1.3.X releases. TIFF: Fix heap buffer read overflow in LocaleNCompare() when parsing NEWS profile. * Bug fixes: DescribeImage(): Eliminate possible use of null pointer. GIF: Fix memory leak of global colormap in error path. GZ: Writing to gzip files with the extension \".gz\" was not working with Zlib 1.2.8. JNG: Fix buffer read overflow (a tiny fixed overflow of just one byte). JPEG: Promoting certain libjpeg warnings to errors caused much more problems than expected. The promotion of warnings to errors is removed. Claimed pixel dimensions are validated by file size before allocating memory for the pixels. IntegralRotateImage(): Assure that reported error in rotate by 270 case does immediately terminate processing. MNG: Fix possible null pointer reference related to DEFI chunk parsing. Fix minor heap read overflow (constrained to just one byte) due to an ordering issue in a limit check. Fix memory leaks in error path. WebP: Fix stack buffer overflow in WriteWEBPImage() which occurs with libwebp 0.5.0 or newer due to a structure type change in the structure passed to the progress monitor callback. WPG: Memory leaks fixed. * API Updates: InterpolateViewColor(): This function now returns MagickPassFail (an unsigned int) rather than void so that errors can be efficiently reported. The magick/pixel_cache.h header is updated to add deprecation attributes such that code using GetPixels(), GetIndexes(), and GetOnePixel() will produce deprecation warnings for compilers which support them. These functions will not be removed in the 1.3.X release series and when they are removed, pre-processor macros will be added so a replacement function is used instead. There is a long-term objective to eliminate functionally-redundant pixel cache functions to only the ones with the best properties since this reduces maintenance and may reduce the depth of the call stack (improving performance). * removed unneded GraphicsMagick-release-date-missing-quote.patch * Wed Jan 10 2018 pgajdosAATTsuse.com- update to 1.3.27: * New Features: . PNG: Implemented eXIf chunk support. . WEBP: Add support for EXIF and ICC metadata provided that at least libwebp 0.5.0 is used. . Magick++ Image autoOrient(): New Image method to auto-orient an image so it looks right-side up by default. * Behavior Changes: . PALM: PALM writer is disabled. . ThrowLoggedException(): Capture the first exception at ErrorException level or greater, or only capture exception if it is more severe than an already reported exception. . DestroyJNG(): This internal function is now declared static and is removed from shared library or DLL namespace. * lot of security and other bug fixes, see https://sourceforge.net/projects/graphicsmagick/files/graphicsmagick/1.3.27/- added GraphicsMagick-release-date-missing-quote.patch * Tue Sep 19 2017 pgajdosAATTsuse.com- builds for sle11 * Mon Sep 11 2017 pgajdosAATTsuse.com- fix perl bindings + GraphicsMagick-perl-linkage.patch from fedora- turn on perl test suite * Mon Jul 24 2017 jengelhAATTinai.de- Trim descriptions. Redo summaries and RPM groups. * Fri Jul 21 2017 tchvatalAATTsuse.com- Drop patches not meintioned in the changelog ever: * GraphicsMagick-debian-fixed.patch * GraphicsMagick-include.patch * GraphicsMagick-perl-link.patch * The package builds just fine without them and there is no refference explaining it- Convert the deps to pkgconfig variants where possible. * Fri Jul 21 2017 tchvatalAATTsuse.com- Version update to 1.3.26: * DPX: Fix excessive use of memory (DOS issue) due to file header claiming large image dimensions but insufficient backing data. (CVE-2017-10799 bsc#1047054). * JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350). * MAT: Fix excessive use of memory (DOS issue) due to continuing processing with insufficient data and claimed large image size. Verify each file extent to make sure that it is within range of file size. (CVE-2017-10800 bsc#1047044). * META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800). * PCX: Fix denial of service issue. * RLE: Fix abnomally slow operation (denial of service issue) with intentionally corrupt colormapped file. * PICT: Fix possible buffer overflow vulnerability given suitably truncated input file. * PNG: Enforce spec requirement that the dimensions of the JPEG embedded in a JDAT chunk must match the JHDR dimensions (CVE-2016-9830). * PNG: Avoid NULL dereference when MAGN chunk processing fails. * SCT: Fix stack-buffer read overflow (underflow?) while reading SCT header. * SGI: Fix denial of service issues. Delay large memory allocations until file header has fully passed sanity checks. * TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to have only 2 samples per pixel (CVE-2017-6335 bsc#1027255). * TIFF: Fix out of bounds read when reading RGB TIFF which claims to have only 1 sample per pixel (CVE-2017-10794). * WPG: Fix heap overflow (CVE-2016-7996). Fix assertion crash (CVE-2016-7997). * DifferenceImage(): Fix Fix all-black difference image if an input file is colormapped. * EXIF orientation was not being properly detected for some files. * -frame: The `import` command -frame handling was improperly implemented and was using already freed data. * GIF: Fixes for \"Excessive LZW string data\" problem. * Magick++: Bug fixes to PathSmoothCurvetoRel::operator() and PathSmoothCurvetoRel::operator(). * PAM: Support writing GRAYSCALE PAM format. * PNG: Fix memory leaks. * SVG: Fixed a memory leak. Fixed a possible null pointer dereference. * TclMagick: Problem that TkMagick could not resolve functions from TclMagick under Linux is fixed. * TclMagick: Fix parser validatation in magickCmd() to avoid crash given a syntax error. * TIFF: Fix for reading old JPEG files (avoids \"Improper call to JPEG library in state 0. (LibJpeg).\"). * TXT: Fixed memory leak. * XCF: Error checking is improved. * EXIF rotation: Support is added such that the EXIF orientation tag is updated when the image is rotated. * MAT: Now support reading multiple images from Matlab V4 format. * Magick++: Orientation method now updates orientation in EXIF profile, if it exists. * Magick++: Added Image attribute method which accepts a \'char *\' argument, and will remove the attribute if the value argument is NULL. * -orient: The -orient command line option now also updates the orientation in the EXIF profile, if it exists. * PGX: Support PGX JPEG 2000 format for reading and writing (within the bounds of what JasPer supports). * Wand API: Added MagickAutoOrientImage(), MagickGetImageOrientation(), MagickSetImageOrientation(), MagickRemoveImageOption(), and MagickClearException().- Drop merged patch GraphicsMagick-CVE-2017-8350.patch * Mon Jun 26 2017 pgajdosAATTsuse.com- complementary fix for CVE-2017-8350 [bsc#1036985 c13-c21] * GraphicsMagick-CVE-2017-8350.patch * Mon Sep 26 2016 pgajdosAATTsuse.com- update to 1.3.25: * EscapeParenthesis(): I was notified by Gustavo Grieco of a heap overflow in EscapeParenthesis() used in the text annotation code. While not being able to reproduce the issue, the implementation of this function is completely redone. * Utah RLE: Reject truncated/absurd files which caused huge memory allocations and/or consumed huge CPU. Problem was reported by Agostino Sarubbo based on testing with AFL. * SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in the MVG rendering code (also impacts SVG). * TIFF: Fix heap buffer read overflow while copying sized TIFF attributes. Problem was reported by Agostino Sarubbo based on testing with AFL. * Thu Jun 23 2016 meissnerAATTsuse.com- Build \"gm\" as position independend executable (PIE). * Mon Jun 06 2016 pgajdosAATTsuse.com- updated to 1.3.24: * many security related changes (incl. CVE-2016-5118), see ChangeLog- removed patches: * GraphicsMagick-CVE-2016-5118.patch * GraphicsMagick-upstream-delegates-safer.patch * GraphicsMagick-upstream-disable-mvg-ext.patch * GraphicsMagick-upstream-disable-tmp-magick-prefix.patch * GraphicsMagick-upstream-image-sanity-check.patch * Mon May 30 2016 pgajdosAATTsuse.com- security update: * CVE-2016-5118 [bsc#982178] + GraphicsMagick-CVE-2016-5118.patch * Mon May 09 2016 sfleesAATTsuse.de- Multiple security issues in GraphicsMagick/ImageMagick [boo#978061] (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717) * GraphicsMagick-upstream-delegates-safer.patch * GraphicsMagick-upstream-disable-mvg-ext.patch * GraphicsMagick-upstream-disable-tmp-magick-prefix.patch * GraphicsMagick-upstream-image-sanity-check.patch * Sun Nov 08 2015 dmitry_rAATTopensuse.org- Update to version 1.3.23 * See included NEWS.txt for details * Mon Oct 05 2015 dmitry_rAATTopensuse.org- Update to version 1.3.22 * See included NEWS.txt for details * Sat Mar 21 2015 dmitry_rAATTopensuse.org- Update to version 1.3.21 * See included NEWS.txt for details
|
|
|