Paste P4555

imagemagick DSA-3726

Authored by Dzahn on Dec 2 2016, 6:40 AM.
```
[neodymium:~/debdeploy] $ cat 2016-12-01-imagemagick.yaml
source: imagemagick
comment: DSA-3726-1 security update
update_type: tool
fixes:
  precise:
  jessie: 8:6.8.9.9-5+deb8u6+wmf1
  trusty:
---
[neodymium:~/debdeploy] $ sudo debdeploy -u 2016-12-01-imagemagick.yaml -s imagescaler-eqiad status-deploy
mw1296.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw1298.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw1293.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1
mw1295.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw1297.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw1294.eqiad.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
Deployment summary:
Number of hosts in this deployment run: 6
No packages were added
No packages were removed
Updated packages:
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 5 hosts
imagemagick-common: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 5 hosts
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 5 hosts
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 5 hosts
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 5 hosts
No restarts are needed
Error summary:
No errors found
---
[neodymium:~/debdeploy] $ sudo debdeploy -u 2016-12-01-imagemagick.yaml -s imagescaler-codfw status-deploy
mw2086.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2087.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2148.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2089.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2149.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2150.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2088.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
mw2151.codfw.wmnet:
Updated packages:
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1
Deployment summary:
Number of hosts in this deployment run: 8
No packages were added
No packages were removed
Updated packages:
imagemagick-6.q16: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 7 hosts
imagemagick-common: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 7 hosts
imagemagick-common: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
imagemagick: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 7 hosts
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 7 hosts
libmagickcore-6.q16-2: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u5+wmf1 -> 8:6.8.9.9-5+deb8u6+wmf1 on 7 hosts
libmagickwand-6.q16-2: 8:6.8.9.9-5+deb8u6 -> 8:6.8.9.9-5+deb8u6+wmf1 on 1 hosts
No restarts are needed
Error summary:
No errors found
---
[neodymium:~/debdeploy] $ sudo debdeploy -u 2016-12-01-imagemagick.yaml -s thumbor status-deploy
thumbor1002.eqiad.wmnet:
No change
thumbor1001.eqiad.wmnet:
No change
Deployment summary:
Number of hosts in this deployment run: 2
No packages were added
No packages were removed
No packages were updated
No restarts are needed
Error summary:
No errors found
--
imagemagick (8:6.8.9.9-5+deb8u6+wmf1) jessie-security; urgency=medium
* Fix convert -sharpen with CYMK images (Bug: T141739)
-- Daniel Zahn <dzahn@wikimedia.org> Thu, 1 Dec 2016 18:33:33 -0800
imagemagick (8:6.8.9.9-5+deb8u6) jessie-security; urgency=medium
* Fix CVE-2016-7799: global buffer overflow. (Closes: #840437).
* Fix CVE-2016-7906: use after free. (Closes: #840435).
* Fix a TIFF file buffer overflow. (Closes: #845195).
* Check return of fputc during TIFF file writing.
(Closes: #845196).
* Prevent buffer overflow by checking image extend
for TIFF (Closes: #845198).
* Avoid a out of bound read in VIFF file handler.
(Closes: #845212 and LP: #1545183).
* Avoid a DOS by not allowing too deep nested exception.
(Closes: #845213).
* Better check for buffer overflow in TIFF files
handling. (Closes: #845202).
* Fix CVE-2016-8677: memory allocate failure in AcquireQuantumPixels
(Closes: #845206).
* Prevent fault in MSL interpreter. (Closes: #845242).
* Prevent heap buffer overflow in heap-buffer-overflow in IsPixelGray
(Closes: #845242)
* Fix null pointer dereference in TIFF file handling.
(Closes: #845243).
* Added check for invalid number of frames in mat file
(Closes: #845244).
* Fix an out of bound read in mat file due to insuffisant allocation.
(Closes: #845246).
* Fix CVE-2016-8862: memory allocation failure in AcquireMagickMemory
(Closes: #845634).
--
root@carbon:~# reprepro ls imagemagick
imagemagick | 8:6.8.9.9-5+deb8u6+wmf1 | jessie-wikimedia | amd64, source
---
Format: 1.8
Date: Thu, 1 Dec 2016 18:33:33 -0800
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u6+wmf1
Distribution: jessie-wikimedia
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Daniel Zahn <dzahn@wikimedia.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-common - image manipulation programs -- infrastructure
imagemagick-dbg - debugging symbols for ImageMagick
imagemagick-doc - document files of ImageMagick
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - development files
libmagick++-dev - object-oriented C++ interface to ImageMagick
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-2-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-dev - low-level image manipulation library -- transition package
libmagickwand-6-headers - image manipulation library - headers files
libmagickwand-6.q16-2 - image manipulation library
libmagickwand-6.q16-dev - image manipulation library - development files
libmagickwand-dev - image manipulation library - transition for development files
perlmagick - Perl interface to ImageMagick -- transition package
Changes:
imagemagick (8:6.8.9.9-5+deb8u6+wmf1) jessie-security; urgency=medium
.
* Fix convert -sharpen with CYMK images (Bug: T141739)
Checksums-Sha1:
273388417e80f2e2753c09aa9b35496d89e9c866 3379 imagemagick_6.8.9.9-5+deb8u6+wmf1.dsc
```
https://www.debian.org/security/2016/dsa-3726