graphicsmagick 1.3.24-1 source package in Ubuntu

Changelog

graphicsmagick (1.3.24-1) unstable; urgency=high

  * New upstream release, focusing on security fixes for the following image
    formats:
    - DIB: fix out of bound reads and add more header validations,
    - JNG: file size limits are enforced,
    - MATLAB: fix DoS and hang on corrupt deflate stream,
    - META (Embedded Image Profiles): fix out of bounds reads and writes,
    - MIFF (Magick): fix thrown assertion,
    - CVE-2016-3716: Magick Scripting Language file processing is not done by
      default but need to be prefixed with 'msl:',
    - Magick Vector Graphics file processing is not done by default but need
      to be prefixed with 'mvg:' and prevent head overflow problems,
    - PCX: fix unreasonable memory allocation due to intentionally corrupt
      file,
    - PDB: fix heap buffer overflow and out of bounds read,
    - PICT: fix out of bounds write,
    - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
      for safer execution,
    - PSD: fix segmentation violations, heap buffer overflows and out of
      bound writes,
    - RLE: fix out of bounds reads and writes,
    - ReadImages(): fix possible infinite recursion due to a crafted input
      file,
    - RotateImage(): fix thrown assertion,
    - SGI: fix out of bounds writes,
    - SUN: fix out of bounds reads and writes,
    - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
      overflows, as well as segmentation violations (closes: #814732);
      also fix endless loop, unexpectedly large memory allocation, divide by
      zero and recursion issues,
    - TIFF: fix assertion while reading and fix benign heap overflow,
    - VIFF: fix excessive memory allocation with intentonally corrupted
      input file,
    - XCF: fix heap buffer overflow,
    - XPM: fix several heap buffer overflows and out of bound reads/writes;
      also fix a case of excessive memory allocation,
    - CVE-2016-5118: popen() shell vulnerability via filename that contains
      '|', remove pipe support entirely (closes: #825800);
      file names starting with a '|' character are no longer interpreted as
      shell commands to be executed as input or output,
    - default.mgk file has been pared down in order to reduce security
      exposure,
    - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
      files is removed since the format is inherently insecure,
    - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
      the file since this seems dangerous,
    - CVE-2016-3718: sanity check the image file path or URL before passing
      it to ReadImage(),
    - fix several Coverity issues like dereference after null check, multiple
      resource leaks and logically dead code.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <email address hidden>  Mon, 30 May 2016 20:02:31 +0000