Package libImageMagick: Information
Binary package: libImageMagick
Version: 6.8.4.10-alt3.M70C.1
Architecture: i586
Build time: May 23, 2016, 01:51 PM in the task #164972
Source package: ImageMagick
Category: System/Libraries
Report package bugHome page: http://www.imagemagick.org/
License: OpenSource
Summary: ImageMagick shared libraries
Description:
ImageMagick is a powerful image display, conversion and manipulation libraries.
Maintainer: Anton Farygin
List of contributors:
Anton V. Boyarshinov
Andrey Cherepanov
George V. Kouryachy
Anton Farygin
Eugeny A. Rostovtsev
Vladimir Lettiev
Alexey Tourbin
Valery Inozemtsev
qa-robot
Dmitry V. Levin
Yuri N. Sedunov
Stanislav Ievlev
goldhead
Anton V. Boyarshinov
Andrey Cherepanov
George V. Kouryachy
Anton Farygin
Eugeny A. Rostovtsev
Vladimir Lettiev
Alexey Tourbin
Valery Inozemtsev
qa-robot
Dmitry V. Levin
Yuri N. Sedunov
Stanislav Ievlev
goldhead
Last changed
May 23, 2016 Anton V. Boyarshinov 6.8.4.10-alt3.M70C.1
- backport to 7
May 18, 2016 Andrey Cherepanov 6.8.4.10-alt3.M70P.1
- Apply security patches from Debian: ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT are disabled via policy.xml file, since they are vulnerable to code injection. This mitigates CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718. Since ImageMagick reverts to its internal SVG renderer (which uses MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg is included. Closes: 823542. In addition, some other actions were taken with respect to these vulnerabilities: - Drop the PLT/Gnuplot decoder, which was vulnerable to command injection. - Some sanitization for input filenames in http/https delegates is added. - Indirect filename are now authorized by policy. - Indirect reads with label:@ are prevented. - Less secure coders (such as MVG, TEXT, and MSL) require explicit reference in the filename (e.g. mvg:my-graph.mvg).
April 25, 2013 George V. Kouryachy 6.8.4.10-alt2.1
- Avoid ImageMagick pipe i/o bug