-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Feb 2024 15:31:24 +0000
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.3+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1013282 1036999
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium
 .
   * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
   * Fix an heap buffer overflow in TIFF coder
   * Fix uninitialised value passing in TIFFGetField
   * Fix stack overflow in TIFF coder
   * Early exit in case of malformed TIFF file
   * Fix buffer overrun in TIFF coder
   * Fix unitialised value in TIFF coder
   * Fix CVE-2022-1115: Heap based overflow in
     TIFF coder (Closes: #1013282)
   * Fix uninitialised value in TIFF coders
   * Use salsa-ci
   * Fix CVE-2023-1289: A specially created SVG file loaded itself and
     causes a segmentation fault. This flaw allows a remote attacker
     to pass a specially crafted SVG file that leads to a segmentation
     fault, generating many trash files in "/tmp," resulting in
     a denial of service. When ImageMagick crashes,
     it generates a lot of trash files. These trash files
     can be large if the SVG file contains many render actions.
     In a denial of service attack, if a remote attacker uploads an SVG file
     of size t, ImageMagick generates files of size 103*t.
     If an attacker uploads a 100M SVG, the server will generate about 10G.
   * Fix CVE-2023-1906: A heap-based buffer overflow issue was
     discovered in ImageMagick's ImportMultiSpectralQuantum() function
     in MagickCore/quantum-import.c. An attacker could pass specially
     crafted file to convert, triggering an out-of-bounds read error,
     allowing an application to crash, resulting in a denial of service.
   * Fix CVE-2023-34151: Imagemagick was vulnerable due to
     an undefined behaviors of casting double to size_t in svg, mvg
     and other coders. (Closes: #1036999)
   * Fix CVE-2023-3428: A heap-based buffer overflow vulnerability
     was found in coders/tiff.c in ImageMagick. This issue
     may allow a local attacker to trick the user into opening
     a specially crafted file, resulting in an application crash
     and denial of service.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
     coders/bmp.c
Checksums-Sha1:
 be11a2c206a17c86362b39985ab168010e4af271 5131 imagemagick_6.9.11.60+dfsg-1.3+deb11u3.dsc
 ef515de6277141ee73ec6de5730ed23d71a266d9 263996 imagemagick_6.9.11.60+dfsg-1.3+deb11u3.debian.tar.xz
 cc9a5e3894f2b99a719f175514e39e64393b202c 30930 imagemagick_6.9.11.60+dfsg-1.3+deb11u3_amd64.buildinfo
Checksums-Sha256:
 c5c87b8bde9f0737ba3751d8dde5b7dede10019038690b03b11e331568cfa02e 5131 imagemagick_6.9.11.60+dfsg-1.3+deb11u3.dsc
 cb1f7ee1bd082f28b36b4db6a9eb9e5e04d92a5514e0aac14727f2378eb9a2ae 263996 imagemagick_6.9.11.60+dfsg-1.3+deb11u3.debian.tar.xz
 630ae106eedb7718cb6faeec92763811296912eaa4b6d16c9470c5a025dc413c 30930 imagemagick_6.9.11.60+dfsg-1.3+deb11u3_amd64.buildinfo
Files:
 4bd2d05d79f290d0dd0b6f2bc9e3d336 5131 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u3.dsc
 c39087eecf2c3e1fa259f9d200e6eb65 263996 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u3.debian.tar.xz
 3adf9c61d5a8f1a031b2b4628fd2f2ce 30930 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmXSPVMRHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF8OXw/9H390//Zc2A1LR9XQS3gBIOJYTTx96upi
8tcwRUjH2M5gERkY/f24bfNnvOskVmZGWfkx9qdQPLvZBtoWalUcGzIzBBIRcqQo
ZaFTsOX0V3tYd8rE5I+lD6a2aN6h26uMIvNul11rnXIfDn6tXOUX9QqipbnC885U
DmcsV5OpY2waeOBxMQmQHAVXcAvVz8Ed+/PF4QzCetWUV/5koKzZQh76y1wQDxoL
cgCpu+omDSMIwD15zIJQF4j7Bg1JqgS2yaSr63ekr6ubnI3GBY/VcyVl8+01HacS
cj0XoNsmEwMDXy07Xbg0F6/PQnueYwzuIxQqXIH3P0arWR5WnrFFTiBBvtyqh37r
zG6K6AEaSxiQcPB4SgNvqrPMxr8yMjGOZnbsK64pkgRxTkZ+C1svQDbDJgE552bX
C1It8JI6aPRRk5g5QCRkqeNBv4Pt8IPRhfjB1Saw+NcacSgD5hjjIwP+L7aMCHOn
YUWSPJVH6MoYy9z3/FdkUVdpVSoDJUrw0P71nA4petT5UK3lRkTNoFZUEmwpWdjP
E1JjILzqCPAgheyKJTeIxsmovcEBaKDz4X2X10QVg1VtKCA+SYODE2rX1cDd+CWy
Q156t3xIO10tQ2HTzbL8+WfqYiPzGL7HcQI7il+wuhZwcj3x7WbC3+D4wC4zxC3Z
CcdGIX1hf1E=
=KILb
-----END PGP SIGNATURE-----