Package libImageMagick-devel: Information
Binary package: libImageMagick-devel
Version: 6.8.4.10-alt3.M70P.2
Architecture: i586
Build time: Jun 6, 2016, 02:46 PM in the task #165565
Source package: ImageMagick
Copied in the task: #165606
Category: Development/C
Home page: http://www.imagemagick.org/
License: OpenSource
Summary: Header files for ImageMagick app development
Description:
If you want to create applications that will use ImageMagick code or APIs, you'll need to install these packages as well as ImageMagick. These additional packages aren't necessary if you simply want to use ImageMagick, however.
Maintainer: Anton Farygin
List of contributors:
Andrey Cherepanov
George V. Kouryachy
Anton Farygin
Eugeny A. Rostovtsev
Vladimir Lettiev
Alexey Tourbin
Valery Inozemtsev
qa-robot
Dmitry V. Levin
Yuri N. Sedunov
Stanislav Ievlev
goldhead
Last changed
June 6, 2016 Andrey Cherepanov 6.8.4.10-alt3.M70P.2
- Apply security patch from Debian: Disable support for reading input from a shell command, or writing output to a shell command. This was done by the pipe (|) prefix. It was possible to perform a command injection as described by CVE-2016-5118 since it uses popen.
May 18, 2016 Andrey Cherepanov 6.8.4.10-alt3.M70P.1
- Apply security patches from Debian: ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT are disabled via policy.xml file, since they are vulnerable to code injection. This mitigates CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718. Since ImageMagick reverts to its internal SVG renderer (which uses MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg is included. Closes: 823542. In addition, some other actions were taken with respect to these vulnerabilities:
  - Drop the PLT/Gnuplot decoder, which was vulnerable to command injection.
  - Some sanitization for input filenames in http/https delegates is added.
  - Indirect filenames are now authorized by policy.
  - Indirect reads with label:@ are prevented.
  - Less secure coders (such as MVG, TEXT, and MSL) require explicit reference in the filename (e.g. mvg:my-graph.mvg).
April 25, 2013 George V. Kouryachy 6.8.4.10-alt2.1
- Avoid ImageMagick pipe i/o bug