Bug 214511 - graphics/ImageMagick7: Update to 7.0.3-7 (security fixes)
Summary: graphics/ImageMagick7: Update to 7.0.3-7 (security fixes)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Mark Felder
URL: https://github.com/ImageMagick/ImageM...
Keywords: patch, security
Depends on: 214514
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-14 18:33 UTC by VK
Modified: 2016-12-05 00:02 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (kwm)
feld: merge-quarterly+


Attachments
Bump IM7 to latest (1009 bytes, patch)
2016-11-14 18:33 UTC, VK
no flags Details | Diff
Bump to latest, 7.0.3-7 (1.00 KB, patch)
2016-11-20 22:03 UTC, VK
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description VK 2016-11-14 18:33:11 UTC
Created attachment 177002 [details]
Bump IM7 to latest

Please bump ImageMagick7 to latest version, 7.0.3-6. There are some security fixes there as well (no assigned CVEs as of yet, afaik).

Summarized ChangeLog since 7.0.2-9:

  * Off by one memory allocation (reference
    https://github.com/ImageMagick/ImageMagick/issues/296).
  * The -extent option now matches the results of IMv6 (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
  * Prevent fault in MSL interpreter (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
  * Mask composite produces proper results for the convert utility (reference
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
  * Added layer RLE compression to the PSD encoder.
  * Fixed incorrect parsing with ordered dither. (reference
    https://github.com/ImageMagick/ImageMagick/issues/254)
  * Unit test pass again after small SUN image patch.
  * Fixed incorrect RLE decoding when reading a DCM image that contains
    multiple segments.
  * Fixed incorrect RLE decoding when reading an SGI image (reference 
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
  * Added layer RLE compression to the PSD encoder.
  * Added define 'psd:preserve-opacity-mask' to preserve the opacity mask
    in a PSD file.
  * Fixed issue where the display window was used instead of the data window
    when reading EXR files (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
  * Fixed reading DXT1 images with an alpha channel.
  * Fixed incorrect padding calculation in PSD encoder.
  * Added define 'psd:additional-info' to preserve the additional information
    in a PSD file.
  * Prevent buffer overflow in BMP & SGI coders (bug report from
    pwchen&rayzhong of tencent).
  * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and
    CALS coders (bug report from Donghai Zhu).
  * The -stream option now increments the pixel pointer properly (reference
    https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).

Note that vulnerability to CVE-2016-8866 (incomplete fix to CVE-2016-8862) still appears unfixed, but at least the bump covers many other fixes.

https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/

Request merge to Quarterly, all the changes are bug or security fixes.

Currently running Poudriere tests.
Comment 1 VK 2016-11-14 18:45:34 UTC
Poudriere build passed, ImageMagick7 and ImageMagick7-nox11, on 11.0, 10.3 and 9.3, amd64.
Comment 2 VK 2016-11-14 21:53:25 UTC
Please ignore "no assigned CVEs" remark, I've filed a VuXML PR for that.
Comment 3 VK 2016-11-20 22:03:38 UTC
Created attachment 177217 [details]
Bump to latest, 7.0.3-7

The upstream meanwhile released 7.0.3-7 with more security fixes. New patch attached.

* https://github.com/ImageMagick/ImageMagick/issues/298
  (CVE pending)

Build passed with Poudriere 11.0, amd64, both IM7 and IM7-nox11. Currently testing for 10.3 and 9.3.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-12-05 00:00:04 UTC
A commit references this bug:

Author: feld
Date: Sun Dec  4 23:59:11 UTC 2016
New revision: 427819
URL: https://svnweb.freebsd.org/changeset/ports/427819

Log:
  graphics/ImageMagick7: Update to 7.0.3-7

  Summarized ChangeLog since 7.0.2-9:

    * Off by one memory allocation (reference
      https://github.com/ImageMagick/ImageMagick/issues/296).
    * The -extent option now matches the results of IMv6 (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
    * Prevent fault in MSL interpreter (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
    * Mask composite produces proper results for the convert utility (reference
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
    * Added layer RLE compression to the PSD encoder.
    * Fixed incorrect parsing with ordered dither. (reference
      https://github.com/ImageMagick/ImageMagick/issues/254)
    * Unit test pass again after small SUN image patch.
    * Fixed incorrect RLE decoding when reading a DCM image that contains
      multiple segments.
    * Fixed incorrect RLE decoding when reading an SGI image (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
    * Added layer RLE compression to the PSD encoder.
    * Added define 'psd:preserve-opacity-mask' to preserve the opacity mask
      in a PSD file.
    * Fixed issue where the display window was used instead of the data window
      when reading EXR files (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
    * Fixed reading DXT1 images with an alpha channel.
    * Fixed incorrect padding calculation in PSD encoder.
    * Added define 'psd:additional-info' to preserve the additional information
      in a PSD file.
    * Prevent buffer overflow in BMP & SGI coders (bug report from
      pwchen&rayzhong of tencent).
    * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and
      CALS coders (bug report from Donghai Zhu).
    * The -stream option now increments the pixel pointer properly (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).

  PR:		214511
  MFH:		2016Q4

Changes:
  head/graphics/ImageMagick7/Makefile
  head/graphics/ImageMagick7/distinfo
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-12-05 00:02:08 UTC
A commit references this bug:

Author: feld
Date: Mon Dec  5 00:01:46 UTC 2016
New revision: 427820
URL: https://svnweb.freebsd.org/changeset/ports/427820

Log:
  MFH: r427819

  graphics/ImageMagick7: Update to 7.0.3-7

  Summarized ChangeLog since 7.0.2-9:

    * Off by one memory allocation (reference
      https://github.com/ImageMagick/ImageMagick/issues/296).
    * The -extent option now matches the results of IMv6 (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=30779).
    * Prevent fault in MSL interpreter (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797).
    * Mask composite produces proper results for the convert utility (reference
      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29675).
    * Added layer RLE compression to the PSD encoder.
    * Fixed incorrect parsing with ordered dither. (reference
      https://github.com/ImageMagick/ImageMagick/issues/254)
    * Unit test pass again after small SUN image patch.
    * Fixed incorrect RLE decoding when reading a DCM image that contains
      multiple segments.
    * Fixed incorrect RLE decoding when reading an SGI image (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30514)
    * Added layer RLE compression to the PSD encoder.
    * Added define 'psd:preserve-opacity-mask' to preserve the opacity mask
      in a PSD file.
    * Fixed issue where the display window was used instead of the data window
      when reading EXR files (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&p=137849).
    * Fixed reading DXT1 images with an alpha channel.
    * Fixed incorrect padding calculation in PSD encoder.
    * Added define 'psd:additional-info' to preserve the additional information
      in a PSD file.
    * Prevent buffer overflow in BMP & SGI coders (bug report from
      pwchen&rayzhong of tencent).
    * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF and
      CALS coders (bug report from Donghai Zhu).
    * The -stream option now increments the pixel pointer properly (reference
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30327).

  PR:		214511

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/graphics/ImageMagick7/Makefile
  branches/2016Q4/graphics/ImageMagick7/distinfo