Created attachment 177002
Bump IM7 to latest
Please bump ImageMagick7 to latest version, 7.0.3-6. There are some security fixes there as well (no assigned CVEs as of yet, afaik).
Summarized ChangeLog since 7.0.2-9:
* Off by one memory allocation (reference https://github.com/ImageMagick/ImageMagick/issues/296).
* The -extent option now matches the results of IMv6 (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
* Prevent fault in MSL interpreter (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
* Mask composite produces proper results for the convert utility (reference http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
* Added layer RLE compression to the PSD encoder.
* Fixed incorrect parsing with ordered dither. (reference https://github.com/ImageMagick/ImageMagick/issues/254)
* Unit test pass again after small SUN image patch.
* Fixed incorrect RLE decoding when reading a DCM image that contains multiple segments.
* Fixed incorrect RLE decoding when reading an SGI image (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
* Added layer RLE compression to the PSD encoder.
* Added define 'psd:preserve-opacity-mask' to preserve the opacity mask in a PSD file.
* Fixed issue where the display window was used instead of the data window when reading EXR files (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
* Fixed reading DXT1 images with an alpha channel.
* Fixed incorrect padding calculation in PSD encoder.
* Added define 'psd:additional-info' to preserve the additional information in a PSD file.
* Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent).
* Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and CALS coders (bug report from Donghai Zhu).
* The -stream option now increments the pixel pointer properly (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).
Note that vulnerability to CVE-2016-8866 (incomplete fix to CVE-2016-8862) still appears unfixed, but at least the bump covers many other fixes.
https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/
Request merge to Quarterly, all the changes are bug or security fixes.
Currently running Poudriere tests.

Poudriere build passed, ImageMagick7 and ImageMagick7-nox11, on 11.0, 10.3 and 9.3, amd64.
Please ignore "no assigned CVEs" remark, I've filed a VuXML PR for that.
Created attachment 177217
Bump to latest, 7.0.3-7
The upstream meanwhile released 7.0.3-7 with more security fixes. New patch attached.
* https://github.com/ImageMagick/ImageMagick/issues/298 (CVE pending)
Build passed with Poudriere 11.0, amd64, both IM7 and IM7-nox11. Currently testing for 10.3 and 9.3.

A commit references this bug:
Author: feld
Date: Sun Dec 4 23:59:11 UTC 2016
New revision: 427819
URL: https://svnweb.freebsd.org/changeset/ports/427819
Log:
  graphics/ImageMagick7: Update to 7.0.3-7
  Summarized ChangeLog since 7.0.2-9:
  * Off by one memory allocation (reference https://github.com/ImageMagick/ImageMagick/issues/296).
  * The -extent option now matches the results of IMv6 (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
  * Prevent fault in MSL interpreter (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
  * Mask composite produces proper results for the convert utility (reference http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
  * Added layer RLE compression to the PSD encoder.
  * Fixed incorrect parsing with ordered dither. (reference https://github.com/ImageMagick/ImageMagick/issues/254)
  * Unit test pass again after small SUN image patch.
  * Fixed incorrect RLE decoding when reading a DCM image that contains multiple segments.
  * Fixed incorrect RLE decoding when reading an SGI image (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
  * Added layer RLE compression to the PSD encoder.
  * Added define 'psd:preserve-opacity-mask' to preserve the opacity mask in a PSD file.
  * Fixed issue where the display window was used instead of the data window when reading EXR files (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
  * Fixed reading DXT1 images with an alpha channel.
  * Fixed incorrect padding calculation in PSD encoder.
  * Added define 'psd:additional-info' to preserve the additional information in a PSD file.
  * Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent).
  * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and CALS coders (bug report from Donghai Zhu).
  * The -stream option now increments the pixel pointer properly (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).
  PR: 214511
  MFH: 2016Q4
Changes:
  head/graphics/ImageMagick7/Makefile
  head/graphics/ImageMagick7/distinfo

A commit references this bug:
Author: feld
Date: Mon Dec 5 00:01:46 UTC 2016
New revision: 427820
URL: https://svnweb.freebsd.org/changeset/ports/427820
Log:
  MFH: r427819
  graphics/ImageMagick7: Update to 7.0.3-7
  Summarized ChangeLog since 7.0.2-9:
  * Off by one memory allocation (reference https://github.com/ImageMagick/ImageMagick/issues/296).
  * The -extent option now matches the results of IMv6 (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
  * Prevent fault in MSL interpreter (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
  * Mask composite produces proper results for the convert utility (reference http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
  * Added layer RLE compression to the PSD encoder.
  * Fixed incorrect parsing with ordered dither. (reference https://github.com/ImageMagick/ImageMagick/issues/254)
  * Unit test pass again after small SUN image patch.
  * Fixed incorrect RLE decoding when reading a DCM image that contains multiple segments.
  * Fixed incorrect RLE decoding when reading an SGI image (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
  * Added layer RLE compression to the PSD encoder.
  * Added define 'psd:preserve-opacity-mask' to preserve the opacity mask in a PSD file.
  * Fixed issue where the display window was used instead of the data window when reading EXR files (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
  * Fixed reading DXT1 images with an alpha channel.
  * Fixed incorrect padding calculation in PSD encoder.
  * Added define 'psd:additional-info' to preserve the additional information in a PSD file.
  * Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent).
  * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and CALS coders (bug report from Donghai Zhu).
  * The -stream option now increments the pixel pointer properly (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).
  PR: 214511
  Approved by: ports-secteam (with hat)
Changes:
  _U branches/2016Q4/
  branches/2016Q4/graphics/ImageMagick7/Makefile
  branches/2016Q4/graphics/ImageMagick7/distinfo