ALP-pool/GraphicsMagick
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0128d5cece
GraphicsMagick/GraphicsMagick.changes

1661 lines
77 KiB
Plaintext
Raw Blame History

-------------------------------------------------------------------
Thu Oct 26 09:38:20 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Have libGraphicsMagick3-config require ghostscript-fonts-std
(boo#1216604).
-------------------------------------------------------------------
Mon Oct 2 06:55:47 UTC 2023 - pgajdos@suse.com
- version update to 1.3.42
Bug fixes:
* TIFF: Default the alpha channel to type EXTRASAMPLE_UNASSALPHA(2).
* BMP: Many fixes for reading esoteric BMP sub-formats.
* TranslateTextEx(): Revert change so now a NULL pointer is returned
when given an empty string. Some algorithms (e.g. montage) were
depending on this!.
* PAM: Fix reading comments.
* PNG: Added Add missing module aliases "PNG00", "PNG48", "PNG64", so
it is again possible to request these subformats directly.
* TIFF: For common formats with the required number of channels, but
one is an 'unspecified' channel, promote unspecified alpha to
unassociated alpha so that the alpha channel is not ignored.
* "Magick" command line emulation: Eliminate duplicate utility name
output in error messages
New Features:
* BMP: Added the ability to read and write BMP using JPEG compression.
Use '-define bmp:allow-jpeg' to allow use of JPEG compression.
* BMP: Added support for BI_ALPHABITFIELDS compression
* BMP: Added support for reading BMP with PNG compression.
- modified patches
% GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
- strlcpy-wrong-sizing.patch (upstreamed)
-------------------------------------------------------------------
Fri Sep 1 13:19:26 UTC 2023 - pgajdos@suse.com
- revert to 1.3.40 [bsc#1214831]
https://sourceforge.net/p/graphicsmagick/news/2023/08/because-1341-is-discarded-i-has-been-published-2-builds-for-win32-architecture/
- modified patches
% GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
- GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch (not needed)
- GraphicsMagick-name-key-return-input-file-base-name.patch (not needed)
-------------------------------------------------------------------
Mon Aug 28 12:41:40 UTC 2023 - pgajdos@suse.com
- fix regression in 1.3.41
https://sourceforge.net/p/graphicsmagick/bugs/722/
- added patches
fix 17179:91afa18a6161
+ GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch
fix 17180:bb42cd90ce6f
+ GraphicsMagick-name-key-return-input-file-base-name.patch
-------------------------------------------------------------------
Thu Aug 24 11:54:37 UTC 2023 - pgajdos@suse.com
- version update to 1.3.41
Bug fixes:
* Blob: Immediately reject attempts to write blobs to formats which
can not support blobs.
* TranslateTextEx(): An empty string argument should return an empty
string rather than a NULL string.
* SetImageAttribute(): Fix bounds issue when concatenating string.
* JPEG: Do not set image resolution if the values provided are outside
of the valid range.
* Fixes for NaN when reading formats based on floating point.
* HEIF: Fix reading images with rotation/transformation.
* BMP: Do not decode primaries or gamma unless colorspace is
LCS_CALIBRATED_RGB. Add/correct bmp_info.size "biSize" logic which
decides if header chunks are present (or invalid).
* MNG: Fixes for resizing using X_method 5.
* GM command (convert, montage, mogrify): Many command-line parser
fixes/checks for invalid command line syntax which causes unexpected
behavior, or core dumps.
* TopoL: Given that a writer is now provided, issues found in the
reader (and writer) due to continual fuzz-testing have been fixed,
as encountered.
* GetImageClippingPathAttribute(): Check for and use clipping path
name (ID=2999) to get the real attribute name.
* ReadIPTCProfile(): Fix malformed IPTC data parsing.
New Features:
* TopoL: Now provides a writer.
* WPG: Now provides a writer.
* gm batch: Implement simple Test Anything Protocol (TAP) test
counting and "ok N"/"not ok N" messaging.
* TIFF: Support '-define tiff:photometric=minisblack' and '-define
tiff:photometric=miniswhite' to be able to adjust the sense used
when writing bilevel TIFF images.
* TIFF: Require that TIFFTAG_EXTRASAMPLES be used appropriately to
indicate the intention of extra channels.
* utilities/tests/gen-tiff-images/genimages: Script for writing (and
then reading) thousands (5568 permutations) of TIFF format variants.
* EXIF and PNG: Retrieve image orientation from EXIF (if present) and
store in image.
* HEIF: Retrieve image orientation from EXIF and store in image.
Behavior Changes:
* The ability to extend existing image attribute text by calling
SetImageAttribute() multiple times with the same key is now
deprecated, and will soon be removed. In the mean time, the
annoying message "SetImageAttribute: Extending attribute value text
is deprecated!" is printed to the standard error output to help
expose code which is using this feature.
- modified patches
% GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
- strlcpy-wrong-sizing.patch (upstreamed)
-------------------------------------------------------------------
Tue Aug 8 08:23:35 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add strlcpy-wrong-sizing.patch: fix incorrect usages of
strlcpy and strlcat detected by glibc 2.38's fortify
-------------------------------------------------------------------
Thu Mar 2 13:45:30 UTC 2023 - pgajdos@suse.com
- clean up old conditionals
-------------------------------------------------------------------
Tue Feb 7 12:36:21 UTC 2023 - pgajdos@suse.com
- version update to 1.3.40
* GetMagickGeometry(): Fix a scaling issue where dimensions could be
scaled down to zero.
* PCD: Handle writing image with a dimension of 1.
* PNG: When writing, use lower-case raw profile identifiers (e.g. 'Raw
profile type xmp') because exiftool expects that.
* SUN: The sense of monochrome images was inverted. Fix scanline size
calculation.
* WPG: Fix 20-year old bug in WPG header reading.
New Features:
* JXL: Decode and log extra channel information. This information is
not yet used.
* PCX and DCX: Support writing uncompressed format (use -compress none
for no compression).
* Added IM1, IM8, and IM24 magick aliases for the Sun Raster format
since those are the historically correct extensions.
API Updates:
* AppendImageToList() now updates the image list pointer to be the
image which was just added. Use GetFirstImageInList() when the
pointer to the first image in the list is needed.
-------------------------------------------------------------------
Sun Jan 8 11:25:06 UTC 2023 - munix9@googlemail.com
- version update to 1.3.39
Special Issues:
* GraphicsMagick really does need some additional productive
volunteers. For several years now, the burden has entirely been on
me (Bob Friesenhahn). I have been sheparding the project for 20
years already (and contributed to ImageMagick and GraphicsMagick
combined for 26 years already). It is not reasonable to expect
someone with a full time job (and expecting to retire in a few
years) to do all of the work.
Security Fixes:
* GraphicsMagick is participating in Google's oss-fuzz project since
February 4 2018 due to the contributions and assistance of Alex
Gaynor and Paul Kehrer. The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. Please consult the
GraphicsMagick ChangeLog file, Mercurial repository commit log, and
the oss-fuzz issues list for details.
Security Fixes:
* oss-fuzz: Several security fixes originating from oss-fuzz testing.
* ALL: Replace strcpy() with strlcpy(), replace strcat() with
strlcat(), replace sprintf() with snprintf(). Prefer using bounded
string functions. This change is made for the purpose of increasing
safety than to address any existing demonstrated concern.
Bug fixes:
* Coverity: Several fixes for issues found by Coverity to reduce the
number of reported issues back down to zero.
* Clang Analyzer 12: Fix most discovered issues.
* PNG: Fix possible use of uninitialized 'ping_num_trans' value in
ReadOnePNGImage().
* MinGW: Eliminate overwrite of existing _MSC_VER value in MinGW compile.
* MNG: Fix heap-use-after-free in CloseBlob.
* MNG: Fix indirect leak in MagickMallocCleared().
* PS: Assure that 'bounds' structure is initialized.
* EPT: Assure that 'bounds' structure is initialized.
* HEIF: If heif_image_handle_get_metadata_size() returns 0, then
carrying on with reading image data.
* configure.ac: Fix Bashism in maintainer-mode check.
* TGA: Remove a defective validation of comment length, which blocked
reading some sample TGA files from the "Encyclopedia Of Graphics
File Formats" book. Monochromatic bilevel TGA can now be read and
written. TGA "Footers" are now read and used when logging as well
as converted to Image attributes.
* WebP: Add configure.ac updates to check for libsharpyuv so that
builds with the development version work again.
* Visual Studio Build (VisualMagick): Fix project file generation.
Improve portability of code for configure.exe.
* Fixed mixed encoding (non-UTF-8) errors in text and source files.
* DrawPrimitive(): Fix composition using "0,0" for image size. This
became broken in GraphicsMagick 1.3.36.
* Blob API: Fixed SEEK_END validation. SEEK_END was not used before,
but now it is.
New Features:
* AVIF: Support reading AVIF via libheif if it supports decoding AVIF
(still no writer support).
* LOG: Added function IsEventLogged() to report if a particular event
will be logged. Us this as much as possible throughout the software
to replace use of IsEventLogging(). This avoids a possible
performance hit if any logging is enabled at all and logging
statements are executed which are filtered and produce no output.
* FITS: Support storing multiple scenes in one file (non-standard
extension).
* JPEG: Optionally enable arithmetic coder in JPG images using
'-define jpeg:arithmetic-coding=true'.
* JPEG: Add support for reading deep gray images.
* HEIF: Support reading ICC color profiles.
* Produce ASCII armored ".asc" format GPG signature files.
* Support reading directly from .bz2, .gz, .svgz, and .Z files
(without creating a temporary file), if possible.
API Updates:
* Magick++: Provide a version of Image::colorMapSize() which is a
'const' method. Continue to provide the non-const version in order
to avoid an ABI change. The compiler should choose the appropriate
version.
Feature improvements:
* HTML documentation generation based on Docutils is significantly
updated and improved.
* PerlMagick: Added more sample input files and changed many reader
tests to use hash signature rather than comparison to reduce the
distribution size.
* Blob: The ReadBlobString() function has been re-written to perform
better when reading from files.
* JXL: The JXL coder is updated to compile with what will likely
become JXL 0.8.0. Support for 16-bit 'short' samples, 16-bit
'float' samples, and 32-bit float samples added. Support for
reading and writing ICC, EXIF, and XMP profiles added.
* MIME: GM "magick" to MIME mappings have been added for apng, avif,
bmp, ico, and webp (regardless of if they are supported).
* XPM: The XPM reader performance is dramatically improved and is
observed to be 32x faster when reading a medium-sized XPM file
(e.g. the GraphicsMagick logo).
* XPM: Support reading "deep" images with more pallete entries than
the maximum colormap size.
Windows Delegate Updates/Additions:
* Update bundled libjasper to version 1.900.26. Please note that 4.0.0
is the latest version at this time and fixes a great many security
and stability issues which are present in 1.900.26.
* Update bundled libjpeg to version 9e.
* Update bundled libtiff to version 4.5.0.
Build Changes:
* MSVC: Added porting function to emulate C'99 snprintf for MSVC older
than 2015.
* MSVC: Successfully compiles using Visual Studio 2008 and 2019.
Compiles successfully using Visual Studio 2022 if optimization is
disabled (otherwise there is an internal compiler error in effect.c).
- Enable JPEG-XL on Tumbleweed.
-------------------------------------------------------------------
Tue Apr 12 07:50:49 UTC 2022 - pgajdos@suse.com
- version update to 1.3.38
Special Issues:
* The FTP site ftp.graphicsmagick.org is now shut down due to a lack
of bandwith, extremely abusive users (including from Google and
customers of Amazon Web Services), and a lack of support from the
user community. Another factor is that FTP support has been removed
from popular web browsers. This is very unfortunate since the site
served multiple usages, including providing a lot of historical data
(e.g. related to PNG) which may not be available elsewhere.
* GraphicsMagick really does need some additional productive
volunteers. For several years now, the burden has entirely been on
me (Bob Friesenhahn). I have been sheparding the project for 20
years already (and contributed to ImageMagick and GraphicsMagick
combined for 26 years already). It is not reasonable to expect
someone with a full time job (and expecting to retire in a few
years) to do all of the work.
Security Fixes:
* GraphicsMagick is participating in Google's oss-fuzz project due to
the contributions and assistance of Alex Gaynor. Since February 4
2018, ??? issues have been opened by oss-fuzz and ?? issues remain
open. The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. Please consult the
GraphicsMagick ChangeLog file, Mercurial repository commit log, and
the oss-fuzz issues list for details.
Bug fixes:
* Documentation: Generator scripts in 'doc' directory now produce
similar results using GNU sed and Solaris/Illumos sed and don't
produce warnings.
* JNG: Fixes to error handling to avoid temporary file leaks and
avoiding returning a broken image.
* JPEG: Always store embedded profiles in image, even if in 'ping'
mode.
* MAT: Change from using 'int' for sizes/offsets to using 'size_t' and
check all related calculations for overload.
* MIFF: Fix heap buffer overflow which may be provoked in builds with
BZLIB support.
* MogrifyImage() and Magick::Image::trim(): Trim requires
NorthWestGravity.
* PICT: Fixed a heap overflow.
* PerlMagick: Fix issue that image fill attribute had its opacity
reset to transparent so it could not be usefully set at image scope.
* Test Suite: Fixed portability issue related to 'sed' which broke
utilities/tests/convert.tap test script.
* WPG: Fix incorrect TrX and TrY elements in CTM.
New Features:
* Added support for a 'Read' resource limit (e.g. '-limit read 5mb').
This allows the user to specify a hard limit for how much data may
be read from a file, read from a pipe, or decompressed from a file
(e.g gzip or bzip2) before a hard error is reported. This resource
limit is a useful alternative to completely disabling support for
compressed files using the --disable-compressed-files option and it
provides more protections as well.
* Added support for reading HEIF/HEIC format.
* Added support for reading and writing JPEG XL format.
* Support for JasPer 3.0.0 is completed. Upgrading to JasPer 3.0.0 is
strongly recommended due to its many security fixes and integration
with GraphicsMagick's resource-limited memory allocator.
* PNG: Support the define png:chunk-malloc-max=limit in order to allow
reading PNG files which report "chunk data is too large" or to
reduce the default limit.
* compare: Added support for the '-compress' option.
* compare: Added support for the '-auto-orient' option. This tries to
assure that the two images are right-side up before comparing.
API Updates:
* Magick++: Support the new 'ReadResource' enumeration.
Feature improvements:
* JPEG: Implement more efficient way to append JPEG profile chunks.
* Resource Limited Memory: The resource limited memory allocator now
maintains useful statistics such as a tally of the total number of
octets moved by realloc.
Windows Delegate Updates/Additions:
* None
Build Changes:
* In maintainer mode, the configure script searches for a GnuPG 'gpg'
program to use for signing snapshot releases and uses this to
support PGP-signed development snapshots.
Behavior Changes:
* None
* fixes CVE-2022-1270 [bsc#1198351]
- modified patches
% GraphicsMagick-disable-insecure-coders.patch (refreshed)
-------------------------------------------------------------------
Mon Dec 13 10:51:02 UTC 2021 - pgajdos@suse.com
- version update to 1.3.37
* bug fix release, see NEWS.txt
- modified patches
% GraphicsMagick-disable-insecure-coders.patch (refreshed)
- added sources
+ GraphicsMagick-1.3.37.tar.xz.sig
-------------------------------------------------------------------
Mon Dec 28 14:27:07 UTC 2020 - pgajdos@suse.com
- version update to 1.3.36
Security Fixes:
* fix issues found by oss-fuzz project
* WPG: Fixes for heap buffer overflow.
Bug fixes:
* ConstituteImage(): Set image depth appropriately based on the
storage size specified by StorageType and QuantumDepth.
* GetImageBoundingBox(): Fix problem that MagickTrimImage with extreme
fuzz values could produce an image with negative width.
* ImageToFile(): Improve error handling to avoid possible deferred
deletion of temporary files, causing unexpected excessive use of
temporary file space.
* JNG: Add validations for alpha compression method values and use
this information to enforce decoding using the appropriate
sub-format (rather than auto-detecting the format). Also, address
memory leaks which may occur if the sub-decoder does something other
than was expected.
* MagickCondSignal(): Improvements to conditional signal handler
registration (which avoids over-riding signal handlers previously
registered by an API user).
* ModifyCache(): Fix memory leak.
* ReadCacheIndexes(): Don't blunder into accessing a null pointer if
the using code has ignored a previous error report bubled-up from
SetNexus().
* MNG: When doing image scaling and the image width or height is 1
then always use simple pixel replication as per the MNG
specification.
* MVG: Fixes to 'push clip-path foo' and 'pop clip-path foo' parsing
to eliminate a class of malign behavior.
* MVG: Place an aribrary limit on stroke dash polygon unit maximum
length in order to avoid possibly rendering "forever".
* PCL: No longer attempt to handle reading HP PCL format via the
external 'hp2xx' program since it seems worthless for that task.
* PS: Fix corrupt image when writing PseudoClass image with a colormap
larger than two entries as bilevel.
* SVG: Memory leak fixes.
* SVG reader: Now support 'ping' support so the identify command works
as expected.
* TIFF: WEBP compression only supports a depth of 8 so force that
value.
* Wand MagickSetSamplingFactors(): Correct formatting of sampling
factors string.
New Features:
* Logging is now fully programmable.
* DPX format: Support dpx:swap-samples-read define which behaves
similar to dpx:swap-samples, but is only applied when reading, as
well as dpx:swap-samples-write, which is only applied when
writing. This provides for use when there is both reading and
writing in the same operation (otherwise the final result was no
effect!).
API Updates:
* magick/api.h: Add "magick/enum_strings.h" to API headers.
* New log settings accessor C functions: SetLogDefaultFileName(),
SetLogDefaultFormat(), SetLogDefaultOutputType(),
SetLogDefaultLogMethod(), SetLogDefaultLimit(),
SetLogDefaultGenerations(), SetLogDefaultEventType(). These
functions allow a program to set the same parameters which may be
set by loading a "log.mgk" function. If a default logging callback
was provided via SetLogDefaultLogMethod() such that MethodOutput is
used, then the search for a "log.mgk" is avoided entirely.
* New log settings accessor C++ functions: SetLogDefaultFileName(),
SetLogDefaultFormat(), SetLogDefaultOutputType(),
SetLogDefaultLogMethod(), SetLogDefaultLimit(),
SetLogDefaultGenerations(), SetLogDefaultEventType(). These C++
functions just pass through to the equivalent C functions and
provide the same benefits.
* A simple resource-limit respecting memory allocator has been
developed for internal use wherever arbitrarily-large amounts of
memory might be requested. This will gradually be added wherever it
appears to be needed. The memory resource limits are at the overall
process level. The MVG/SVG rendering code is updated to use this
new allocator. Almost all of the coders (image format
readers/writers) have now been updated to use this new allocator.
This means that '-limit memory 300MB' would be more complete and
meaningful now. Temporary allocations by the image processing
algorithms (other than for the images themselves) are still not
accounted for in the resource limiting.
* MVG Renderer / DrawImage(): Use resource-limit respecting memory
allocators for remaining large memory allocations.
* PNG writer: Don't skip optional Exif identifier code if it isn't present.
* DPX reader/writer: decode/encode of 10-bit packed DPX is now twice
as fast due to code simplification.
* TIFF reader: Apply the same resource limits to TIFF tile sizes as
apply to the image itself.
- deleted patches
- GraphicsMagick-CVE-2020-12672.patch (upstreamed)
-------------------------------------------------------------------
Tue Aug 25 09:00:35 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
-------------------------------------------------------------------
Tue Jun 2 12:57:34 UTC 2020 - pgajdos@suse.com
- security update
- added patches
fix CVE-2020-12672 [bsc#1171271], heap-based buffer overflow in ReadMNGImage in coders/png.c.
+ GraphicsMagick-CVE-2020-12672.patch
-------------------------------------------------------------------
Wed Mar 25 08:17:55 UTC 2020 - pgajdos@suse.com
- version update to 1.3.35
Special Issues:
* It has been discovered that the 'ICU' library (a perhaps 30MB C++
library) which is now often a libxml2 dependendency causes huge
process initialization overhead. This is noticed as unexpected
slowness when GraphicsMagick utilities are used to process small to
medium sized files. The time to initialize the 'ICU' library is
often longer than the time that GraphicsMagick would otherwise
require to read the input file, process the image, and write the
output file. If the 'ICU' dependency can not be avoided, then make
sure to use the modules build so there is only impact for file
formats which require libxml2. Please lobby the 'ICU' library
developers to change their implementation to avoid long start-up
times due to merely linking with the library.
Security Fixes:
* GraphicsMagick is now participating in Google's oss-fuzz project due
to the contributions and assistance of Alex Gaynor. Since February 4
2018, 398 issues have been opened by oss-fuzz (some of which were
benign build issues) and 11 issues remain open.
The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. There are too many
fixes to list here. Please consult the GraphicsMagick ChangeLog
file, Mercurial repository commit log, and the oss-fuzz issues list
for details.
Bug fixes:
* Fix broken definition of ResourceInfinity which resulted in that
GetMagickResource() would return -1 rather than the maximum range
value for the return type as documented. (problem added by the
1.3.32 release).
* ModifyCache(): Re-open the pixel cache if the cache rows/columns do
not match the owning image rows/columns.
* Fix DisplayImages() return status. The return status was inverted.
* HISTOGRAM: Histogram once again includes the histogram as a text
comment. This became broken by previous security fixes.
* PICT: Fixed heap buffer overuns reported multiple sources.
* JNG: Detect when JPEG encoder has failed and throw an exception.
* MVG/DrawImage(): Performs even more parsing validations.
* Clang static analyzer fixes: A great many fixes were made based on
problem reports by the Clang static analyzer.
* Visual Studio static analyzer fixes: A great many fixes were made
based on problem reports by the Visual Studio 2019 static analyzer.
Many of these may improve the robustness of 64-bit code.
New Features:
* GRADIENT/GradientImage(): Improved accuracy of gradient levels as
well as dramaticaly improving performance. Output PseudoClass
images if we can. Add support for using the image 'gravity'
attribute as well as the "gradient:direction" definition to produce
gradient vector directions corresponding to SouthGravity (the
previously-existing default), NorthGravity, WestGravity,
EastGravity, NorthWestGravity, NorthEastGravity, SouthWestGravity,
and SouthEastGravity.
API Updates:
* InitializeMagickEx(): New function which may be used in place of
InitializeMagick() to initialize GraphicsMagick. This
initialization function returns an error status value, may update a
passed ExceptionInfo structure with error information, and provides
an options parameter which supports simple bit-flags to tailor
initialization. The signal handler registrations are skipped if the
MAGICK_OPT_NO_SIGNAL_HANDER flag is set in the options.
Feature improvements:
* Replace use of non-reentrant legacy POSIX functions with reentrant
equivalents.
* Timing of image reads should now be very accurate. The timer was
sometimes not stopped as soon as it should be.
* PICT: The PICT reader is working pretty good now. It handles all
the PICT image files I have available to me.
Behavior Changes:
* POSIX Signals: Use the normal termination signal handler for SIGXCPU
and SIGXFSZ so that ulimit or setrlimit(2) may be used to apply CPU
(RLIMIT_CPU) and output file size (RLIMIT_FSIZE) limits with the
normal cleanup, and without dumping core. Note that any output files
currently being written may be truncated and files being written by
external programs (e.g. Ghostscript) might be left behind unless
they are to a temporary file assigned by GraphicsMagick.
* Some private string and integer constants were removed from the
apparent library ABI. Some private functions were marked static and
removed from the apparent library ABI. This is mentioned because
someone is sure to notice and be concerned about it.
* The remaining private content in installed header files was moved
into -private.h header files which are not installed. This should
not be cause for concern but is mentiond because someone is sure to
notice and be concerned about it.
-------------------------------------------------------------------
Mon Jan 6 22:29:55 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
- Remove xorg-x11-fonts runtime Requires, gm display no longer
fails when it is missing (see boo#619103).
- Cleanup, replace $RPM_OPT_FLAGS with %optflags
-------------------------------------------------------------------
Sat Jan 4 16:04:54 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Revert the change to relinquish resources used by OpenMP on all
devices. There are concerns upstream that this might break
applications that use OpenMP too and suddenly find their threads
closed (remove GraphicsMagick-wait-for-threads-close.patch)
-------------------------------------------------------------------
Thu Jan 2 20:18:49 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
- Due to a broken check, it wasn't noticed the typemap file is
already provided in the source archive (removed typemap)
-------------------------------------------------------------------
Sun Dec 29 14:32:23 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
- Relinquish resources used by OpenMP on all devices (GCC >= 9)
+ GraphicsMagick-wait-for-threads-close.patch
- Set configure options to what is actually build
-------------------------------------------------------------------
Fri Dec 27 17:03:02 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
- version update to 1.3.34
* DPS: Eliminate a memory leak.
* Debug Trace: Only output text to terminate an XML format log file
if XML format is active.
* EXIF Parser: Detect non-terminal parsing and report an error.
* EXIF Parser: Eliminate heap buffer overflows.
* HuffmanDecodeImage(): Fix heap overflow in 32-bit applications.
* MAT: Implement subimage/subrange support.
* MVG: Address non-terminal loops, excessive run-time, thrown
assertions, divide-by-zero, heap overflow, and memory leaks.
* OpenModule(): Now properly case-insensitive, as it used to be.
* PCX: Verify that pixel region is not negative. Assure that opacity
channel is initialized to opaqueOpacity. Update DirectClass
representation while PseudoClass representation is updated.
Improve read performance with uncompressed PCX.
* PICT: Fix heap overflow in PICT writer.
* PNG: Fix validation of raw profile length.
* PNG: Skip coalescing layers if there is only one layer.
* PNM: Fix denial of service opportunity by limiting the length of
PNM comment text.
* WPG: Avoid Avoid dereferencing a null pointer.
* WPG: Implement subimage/subrange support.
* WPG: Improve performance when reading an embedded image.
* Wand library: In MagickClearException(), destroy any existing
exception info before re-initializing the exception info or else
there will be a memory leak.
* XPM: Rquire that image properties appear in the first 512 bytes
of the XPM file header.
* Compliles clean using GCC 9.
* Python scripts related to the build (enabled by --enable-maintainer-mode)
are now compatible with Python 3.
* Now supports using Google gperftools tcmalloc library for the memory
allocator. This improves performance for certain repetitive work-loads
and heavily-threaded algorithms.
* Configure now reports the status of zstd (FaceBook Zstandard)
compression in its configuration summary.
* TclMagick: Address many issues mentioned by SourceForge issue #420
"TclMagick issues and patch".
* PNG: Post-processing to convert the image type in the PNG reader based
on a specified magick prefix string is now disabled. This can (and
should) be done after the image has been returned.
* Trace Logging: The compiled-in logging default is always to stderr,
which may be over-ridden using log.mgk as soon as it is loaded.
-------------------------------------------------------------------
Tue Oct 8 15:00:02 UTC 2019 - pgajdos@suse.com
- version update to 1.3.33
* It has been discovered that the 'ICU' library (a perhaps 30MB C++
library) which is now often a libxml2 dependendency causes huge
process initialization overhead. This is noticed as unexpected
slowness when GraphicsMagick utilities are used to process small to
medium sized files. The time to initialize is often longer than the
time to read the input file, process the image, and write the output
file. If the 'ICU' dependency can not be avoided, then make sure to
use the modules build. Please lobby the 'ICU' library developers to
change their implementation to avoid long start-up times due to
merely linking with the library.
* GraphicsMagick is now participating in Google's oss-fuzz project due
to the contributions and assistance of Alex Gaynor. Since February 4
2018, 353 issues have been opened by oss-fuzz and 338 of those
issues have been resolved. The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. There are too many
fixes to list here. Please consult the GraphicsMagick ChangeLog
file, Mercurial repository commit log, and the oss-fuzz issues list
for details.
* Documentation has been added regarding security hazards due to
commands which support a '@filename' syntax.
* MontageImages(): Fix wrong length argument to strlcat() when
building montage directory, which could allow heap overwrite.
* PNG: Pass correct size value to strlcat() in module registration
code. This bug is noticed to cause problems for Apple's OS X and
Linux Alpine with musl libc. This fixes a regression introduced by
the 1.3.32 release.
* Re-implement command-line utility `'@'` file inclusion support for
`-comment`, `-draw`, `-format`, and `-label` which was removed for
the 1.3.32 release. The new implementation is isolated to
command-line utility implementation code rather than being deeply
embedded in the library and exposed in other usage contexts. This
fixes a regression introduced by the 1.3.32 release.
* CAPTION: The The CAPTION reader did not appear to work at all any
more. Now it works again, but still not very well.
* MagickXDisplayImage(): Fix heap overwrite of windows->image.name and
windows->image.icon_name buffers. This bug has surely existed since
early GraphicsMagick releases.
* MagickXAnimateImages(): Fix memory leak of scene_info.pixels.
* AcquireTemporaryFileDescriptor(): Fix compilation under Cygwin. This
fixes a regression introduced by the 1.3.32 release.
* PNG: Fix saving to palette when mage has an alpha channel but no
color is marked as transparent.
* Compilation warnings in the Visual Studio WIN64 build due to the
'long' type being only 32-bits have been addressed.
-------------------------------------------------------------------
Wed Aug 21 12:58:44 UTC 2019 - pgajdos@suse.com
- drop JPEG2000 support [bsc#1144240]
-------------------------------------------------------------------
Mon Jul 15 21:35:15 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
- Cleanup BuildRequires:
* Remove ghostscript-library (support removed upstream)
* Use ghostscript-mini (sufficient for path and feature detection)
instead of full ghostscript (implicitly added by ghostscript-library)
* Remove ghostscript-fonts-other (unused).
-------------------------------------------------------------------
Tue Jun 18 08:36:44 UTC 2019 - pgajdos@suse.com
- version update to 1.3.32
New Features:
* Added support for writing the Braille image format (by Samuel
Thibault).
* WebP writer: Support WebP 'use_sharp_yuv' option ("if needed, use
sharp (and slow) RGB->YUV conversion") via `-define
webp:use-sharp-yuv=true`.
* The version command output now reports the OpenMP specification
number rather than just the integer version identifier.
API Updates:
* ReallocateImageColormap() added to re-allocate an existing colormap.
* Some improperly-exposed globals are now static as they should have
been.
* The 'benchmark' command now shows 6 digits (microseconds) of elapsed
time indication.
* The 'time' command now shows 6 digits (microseconds) of elapsed time
indication.
* The logging facility now shows 6 digits (microseconds) of time
resolulution
* Dcraw: When QuantumDepth is greater than 8, pass -6 option to dcraw
so that it returns a 16-bit/sample image.
* Dcraw: If Dcraw supports TIFF format, then request TIFF format in
order to be able to acquire more metatdata.
* Scale algorithm: Eliminate artifacts when scaling an image with
semi-transparent pixels.
* Library metrics: The number of shared library relocations and the
amount of initialized data has been signficantly reduced by
following recommendations from Ulrich Drepper's document `How To
Write Shared Libraries <https://akkadia.org/drepper/dsohowto.pdf>`_.
(Security) Bug Fixes:
* see NEWS.txt
* fixes [bsc#1138425]
-------------------------------------------------------------------
Wed Dec 19 15:37:55 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- asan_build: build ASAN included
- debug_build: build more suitable for debugging
-------------------------------------------------------------------
Wed Dec 19 10:08:13 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
- update to 1.3.31:
Special Issues:
* Firmware and operating system updates to address the Spectre
vulnerability (and possibly to some extent the Meltdown
vulnerability) have substantially penalized GraphicsMagick's OpenMP
performance. Performance is reduced even with GCC 7 and 8's
improved optimizers. There does not appear to be anything we can do
about this.
Security Fixes:
* GraphicsMagick is now participating in Google's oss-fuzz project due
to the contributions and assistance of Alex Gaynor.
Bug fixes:
* See above note about oss-fuzz fixes.
* CINEON: Fix unexpected hang on a crafted Cineon image. SourceForge
issue 571.
* Drawing recursion is limited to 100 and may be tuned via the
MAX_DRAWIMAGE_RECURSION pre-processor definition.
* Fix reading MIFF files using legacy keyword 'color-profile' for ICC
color profile as was used by ImageMagick 4.2.9.
* Fix reading/writing files when 'magick' is specified in lower case.
This bug was a regression in 1.3.30.
New Features:
* TIFF: Support Zstd compression in TIFF. This requires libtiff
4.0.10 or later.
* TIFF: Support WebP compression in TIFF. This requires libtiff
4.0.10 or later.
API Updates:
* MagickMonitor() is marked as deprecated.
- see NEWS.txt for more details
-------------------------------------------------------------------
Wed Aug 22 12:50:39 UTC 2018 - pgajdos@suse.com
- disable PS, PS2, PS3 and PDF coders by default, remove gs calls
from delegates.mgk [bsc#1105592]
+ GraphicsMagick-disable-insecure-coders.patch
-------------------------------------------------------------------
Fri Aug 3 12:32:58 UTC 2018 - idonmez@suse.com
- update to 1.3.30:
* Security Fixes:
. GraphicsMagick is now participating in Google's oss-fuzz project due
to the contributions and assistance of Alex Gaynor. Since February 4
2018, 238 issues have been opened by oss-fuzz and 230 of those
issues have been resolved. The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. There are too many
fixes to list here. Please consult the GraphicsMagick ChangeLog
file, Mercurial repository commit log, and the oss-fuzz issues list
for details.
. SVG/Rendering: Fix heap write overflow of PrimitiveInfo and
PointInfo arrays. This is another manefestation of CVE-2016-2317,
which should finally be fixed correctly due to active
detection/correction of pending overflow rather than using
estimation.
* Bug fixes:
. Many oss-fuzz fixes are bug fixes.
. Drawing/Rendering: Many more fixes by Gregory J Wolfe (see the ChangeLog).
. MIFF: Detect end of file while reading image directory.
. SVG: Many more fixes by Gregory J Wolfe (see the ChangeLog).
. The AlphaCompositePixel macro was producing wrong results when the
output alpha value was not 100% opaque. This is a regression
introduced in 1.3.29.
. TILE: Fix problem with tiling JPEG images because the size request
used by the TILE algorithm was also causing re-scaling in the JPEG
reader. The problem is solved by stripping the size request before
reading the image.
* API Updates:
. The size of PrimitiveInfo (believed to be an internal/private
structure but in a header which is installed, has been increased to
store a 'flags' argument. This is intended to be an internal
interface but but may be detected as an ABI change.
* Behavior Changes:
. JPEG: The JPEG reader now allows 3 warnings of any particular type
before giving up on reading and throwing an exception. This choice
was made after observing files which produce hundreds of warnings
and consume massive amounts of memory before reading the image data
has even started. It is currently unknown how many files which were
previously accepted will be rejected by default. The number of
allowed warnings may be adjusted using '-define
jpeg:max-warnings=<value>'. The default limit will be adjusted
based on reported user experiences and may be adjusted prior to
compilation via the MaxWarningCount definition in coders/jpeg.c.
-------------------------------------------------------------------
Wed May 23 08:34:17 UTC 2018 - pgajdos@suse.com
- update to 1.3.29:
* Security Fixes:
. GraphicsMagick is now participating in Google's oss-fuzz project
. JNG: Require that the embedded JPEG image have the same dimensions
as the JNG image as provided by JHDR. Avoids a heap write overflow.
. MNG: Arbitrarily limit the number of loops which may be requested by
the MNG LOOP chunk to 512 loops, and provide the '-define
mng:maximum-loops=value' option in case the user wants to change the
limit. This fixes a denial of service caused by large LOOP
specifications.
* Bug fixes:
. DICOM: Pre/post rescale functions are temporarily disabled (until
the implementation is fixed).
. JPEG: Fix regression in last release in which reading some JPEG
files produces the error "Improper call to JPEG library in state
201".
. ICON: Some DIB-based Windows ICON files were reported as corrupt to
an unexpectedly missing opacity mask image.
. In-memory Blob I/O: Don't implicitly increase the allocation size
due to seek offsets.
. MNG: Detect and handle failure to allocate global PLTE. Fix divide
by zero.
. DrawGetStrokeDashArray(): Check for failure to allocate memory.
. BlobToImage(): Now produces useful exception reports to cover the
cases where 'magick' was not set and the file format could not be
deduced from its header.
* API Updates:
. Wand API: Added MagickIsPaletteImage(), MagickIsOpaqueImage(),
MagickIsMonochromeImage(), MagickIsGrayImage(), MagickHasColormap()
based on contributions by Troy Patteson.
. New structure ImageExtra added and Image 'clip_mask' member is
replaced by 'extra' which points to private ImageExtra allocation.
The ImageGetClipMask() function now provides access to the clip mask
image.
. New structure DrawInfoExtra and DrawInfo 'clip_path' is replaced by
'extra' which points to private DrawInfoExtra allocation. The
DrawInfoGetClipPath() function now provides access to the clip path.
. New core library functions: GetImageCompositeMask(),
CompositeMaskImage(), CompositePathImage(), SetImageCompositeMask(),
ImageGetClipMask(), ImageGetCompositeMask(), DrawInfoGetClipPath(),
DrawInfoGetCompositePath()
. Deprecated core library functions: RegisterStaticModules(),
UnregisterStaticModules().
* Feature improvements:
. Static modules (in static library or shared library without
dynamically loadable modules) are now lazy-loaded using the same
external interface as the lazy-loader for dynamic modules. This
results in more similarity between the builds and reduces the fixed
initialization overhead by only initializing the modules which are
used.
. SVG: The quality of SVG support has been significantly improved due
to the efforts of Greg Wolfe.
. FreeType/TTF rendering: Rendering fixes for opacity.
-------------------------------------------------------------------
Tue Feb 20 18:23:41 UTC 2018 - crrodriguez@opensuse.org
- Add explicit buildrequires on: pkgconfig(libwebpmux),
pkgconfig(libpng), pkgconfig(x11), pkgconfig(xext),
pkgconfig(zlib), libjpeg-devel. all
of them direct build dependencies but not included in
the spec file
-------------------------------------------------------------------
Wed Jan 24 10:30:22 UTC 2018 - pgajdos@suse.com
- update to 1.3.28:
* Security Fixes:
BMP: Fix non-terminal loop due to unexpected bit-field mask
value (DOS opportunity).
PALM: Fix heap buffer underflow in builds with QuantumDepth=8.
SetNexus() Fix heap overwrite under certain conditions due to
using a wrong destination buffer. This issue impacts all
1.3.X releases.
TIFF: Fix heap buffer read overflow in LocaleNCompare() when
parsing NEWS profile.
* Bug fixes:
DescribeImage(): Eliminate possible use of null pointer.
GIF: Fix memory leak of global colormap in error path.
GZ: Writing to gzip files with the extension ".gz" was
not working with Zlib 1.2.8.
JNG: Fix buffer read overflow (a tiny fixed overflow of just
one byte).
JPEG: Promoting certain libjpeg warnings to errors caused
much more problems than expected. The promotion of
warnings to errors is removed. Claimed pixel dimensions
are validated by file size before allocating memory for
the pixels.
IntegralRotateImage(): Assure that reported error in rotate by
270 case does immediately terminate processing.
MNG: Fix possible null pointer reference related to DEFI chunk
parsing. Fix minor heap read overflow (constrained to just
one byte) due to an ordering issue in a limit check. Fix
memory leaks in error path.
WebP: Fix stack buffer overflow in WriteWEBPImage() which
occurs with libwebp 0.5.0 or newer due to a structure type
change in the structure passed to the progress monitor
callback.
WPG: Memory leaks fixed.
* API Updates:
InterpolateViewColor(): This function now returns MagickPassFail
(an unsigned int) rather than void so that errors can be
efficiently reported.
The magick/pixel_cache.h header is updated to add deprecation
attributes such that code using GetPixels(), GetIndexes(),
and GetOnePixel() will produce deprecation warnings for
compilers which support them. These functions will not be
removed in the 1.3.X release series and when they are
removed, pre-processor macros will be added so a replacement
function is used instead. There is a long-term objective to
eliminate functionally-redundant pixel cache functions to
only the ones with the best properties since this reduces
maintenance and may reduce the depth of the call stack
(improving performance).
* removed unneded GraphicsMagick-release-date-missing-quote.patch
-------------------------------------------------------------------
Wed Jan 10 11:42:53 UTC 2018 - pgajdos@suse.com
- update to 1.3.27:
* New Features:
. PNG: Implemented eXIf chunk support.
. WEBP: Add support for EXIF and ICC metadata provided that at
least libwebp 0.5.0 is used.
. Magick++ Image autoOrient(): New Image method to auto-orient an
image so it looks right-side up by default.
* Behavior Changes:
. PALM: PALM writer is disabled.
. ThrowLoggedException(): Capture the first exception
at ErrorException level or greater, or only capture exception
if it is more severe than an already reported exception.
. DestroyJNG(): This internal function is now declared static
and is removed from shared library or DLL namespace.
* lot of security and other bug fixes, see
https://sourceforge.net/projects/graphicsmagick/files/graphicsmagick/1.3.27/
- added GraphicsMagick-release-date-missing-quote.patch
-------------------------------------------------------------------
Tue Sep 19 13:21:49 UTC 2017 - pgajdos@suse.com
- builds for sle11
-------------------------------------------------------------------
Mon Sep 11 09:57:00 UTC 2017 - pgajdos@suse.com
- fix perl bindings
+ GraphicsMagick-perl-linkage.patch from fedora
- turn on perl test suite
-------------------------------------------------------------------
Mon Jul 24 20:52:03 UTC 2017 - jengelh@inai.de
- Trim descriptions. Redo summaries and RPM groups.
-------------------------------------------------------------------
Fri Jul 21 08:47:35 UTC 2017 - tchvatal@suse.com
- Drop patches not meintioned in the changelog ever:
* GraphicsMagick-debian-fixed.patch
* GraphicsMagick-include.patch
* GraphicsMagick-perl-link.patch
* The package builds just fine without them and there is no
refference explaining it
- Convert the deps to pkgconfig variants where possible.
-------------------------------------------------------------------
Fri Jul 21 08:29:03 UTC 2017 - tchvatal@suse.com
- Version update to 1.3.26:
* DPX: Fix excessive use of memory (DOS issue) due to file header
claiming large image dimensions but insufficient backing
data. (CVE-2017-10799 bsc#1047054).
* JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350).
* MAT: Fix excessive use of memory (DOS issue) due to continuing
processing with insufficient data and claimed large image
size. Verify each file extent to make sure that it is within range
of file size. (CVE-2017-10800 bsc#1047044).
* META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800).
* PCX: Fix denial of service issue.
* RLE: Fix abnomally slow operation (denial of service issue) with
intentionally corrupt colormapped file.
* PICT: Fix possible buffer overflow vulnerability given suitably
truncated input file.
* PNG: Enforce spec requirement that the dimensions of the JPEG
embedded in a JDAT chunk must match the JHDR dimensions
(CVE-2016-9830).
* PNG: Avoid NULL dereference when MAGN chunk processing fails.
* SCT: Fix stack-buffer read overflow (underflow?) while reading SCT
header.
* SGI: Fix denial of service issues. Delay large memory allocations
until file header has fully passed sanity checks.
* TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to
have only 2 samples per pixel (CVE-2017-6335 bsc#1027255).
* TIFF: Fix out of bounds read when reading RGB TIFF which claims to
have only 1 sample per pixel (CVE-2017-10794).
* WPG: Fix heap overflow (CVE-2016-7996). Fix assertion crash
(CVE-2016-7997).
* DifferenceImage(): Fix Fix all-black difference image if an input
file is colormapped.
* EXIF orientation was not being properly detected for some files.
* -frame: The `import` command -frame handling was improperly
implemented and was using already freed data.
* GIF: Fixes for "Excessive LZW string data" problem.
* Magick++: Bug fixes to PathSmoothCurvetoRel::operator() and
PathSmoothCurvetoRel::operator().
* PAM: Support writing GRAYSCALE PAM format.
* PNG: Fix memory leaks.
* SVG: Fixed a memory leak. Fixed a possible null pointer dereference.
* TclMagick: Problem that TkMagick could not resolve functions from
TclMagick under Linux is fixed.
* TclMagick: Fix parser validatation in magickCmd() to avoid crash
given a syntax error.
* TIFF: Fix for reading old JPEG files (avoids "Improper call to JPEG
library in state 0. (LibJpeg).").
* TXT: Fixed memory leak.
* XCF: Error checking is improved.
* EXIF rotation: Support is added such that the EXIF orientation tag
is updated when the image is rotated.
* MAT: Now support reading multiple images from Matlab V4 format.
* Magick++: Orientation method now updates orientation in EXIF
profile, if it exists.
* Magick++: Added Image attribute method which accepts a 'char *'
argument, and will remove the attribute if the value argument is
NULL.
* -orient: The -orient command line option now also updates the
orientation in the EXIF profile, if it exists.
* PGX: Support PGX JPEG 2000 format for reading and writing (within
the bounds of what JasPer supports).
* Wand API: Added MagickAutoOrientImage(),
MagickGetImageOrientation(), MagickSetImageOrientation(),
MagickRemoveImageOption(), and MagickClearException().
- Drop merged patch GraphicsMagick-CVE-2017-8350.patch
-------------------------------------------------------------------
Mon Jun 26 06:49:55 UTC 2017 - pgajdos@suse.com
- complementary fix for CVE-2017-8350 [bsc#1036985 c13-c21]
* GraphicsMagick-CVE-2017-8350.patch
-------------------------------------------------------------------
Mon Sep 26 09:01:33 UTC 2016 - pgajdos@suse.com
- update to 1.3.25:
* EscapeParenthesis(): I was notified by Gustavo Grieco of a heap
overflow in EscapeParenthesis() used in the text annotation code.
While not being able to reproduce the issue, the implementation of
this function is completely redone.
* Utah RLE: Reject truncated/absurd files which caused huge memory
allocations and/or consumed huge CPU. Problem was reported by
Agostino Sarubbo based on testing with AFL.
* SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in
the MVG rendering code (also impacts SVG).
* TIFF: Fix heap buffer read overflow while copying sized TIFF
attributes. Problem was reported by Agostino Sarubbo based on
testing with AFL.
-------------------------------------------------------------------
Thu Jun 23 11:54:26 UTC 2016 - meissner@suse.com
- Build "gm" as position independend executable (PIE).
-------------------------------------------------------------------
Mon Jun 6 09:22:05 UTC 2016 - pgajdos@suse.com
- updated to 1.3.24:
* many security related changes (incl. CVE-2016-5118), see
ChangeLog
- removed patches:
* GraphicsMagick-CVE-2016-5118.patch
* GraphicsMagick-upstream-delegates-safer.patch
* GraphicsMagick-upstream-disable-mvg-ext.patch
* GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
* GraphicsMagick-upstream-image-sanity-check.patch
-------------------------------------------------------------------
Mon May 30 14:19:50 UTC 2016 - pgajdos@suse.com
- security update:
* CVE-2016-5118 [bsc#982178]
+ GraphicsMagick-CVE-2016-5118.patch
-------------------------------------------------------------------
Mon May 9 12:35:32 UTC 2016 - sflees@suse.de
- Multiple security issues in GraphicsMagick/ImageMagick [boo#978061]
(CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3717)
* GraphicsMagick-upstream-delegates-safer.patch
* GraphicsMagick-upstream-disable-mvg-ext.patch
* GraphicsMagick-upstream-disable-tmp-magick-prefix.patch
* GraphicsMagick-upstream-image-sanity-check.patch
-------------------------------------------------------------------
Sun Nov 8 12:53:03 UTC 2015 - dmitry_r@opensuse.org
- Update to version 1.3.23
* See included NEWS.txt for details
-------------------------------------------------------------------
Mon Oct 5 20:09:55 UTC 2015 - dmitry_r@opensuse.org
- Update to version 1.3.22
* See included NEWS.txt for details
-------------------------------------------------------------------
Sat Mar 21 11:41:22 UTC 2015 - dmitry_r@opensuse.org
- Update to version 1.3.21
* See included NEWS.txt for details
-------------------------------------------------------------------
Wed Sep 17 06:18:26 UTC 2014 - dmitry_r@opensuse.org
- Move library configuration files to separated package
-------------------------------------------------------------------
Tue Sep 16 07:24:18 UTC 2014 - dmitry_r@opensuse.org
- Fix devel package dependencies
-------------------------------------------------------------------
Sat Sep 13 07:21:37 UTC 2014 - dmitry_r@opensuse.org
- Update to version 1.3.20
* See included NEWS.txt for details
- Enable quantum depth in shared library names
- Enable bzip2, jbig, webp support
- Use LCMSv2
-------------------------------------------------------------------
Tue Feb 25 08:43:01 UTC 2014 - dmitry_r@opensuse.org
- Fix quantum depth in package description
-------------------------------------------------------------------
Thu Jan 2 09:43:18 UTC 2014 - pgajdos@suse.com
- updated to 1.3.19:
* EPT: Fix crash observed when Ghostscript fails to produce useful
output. This was particularly noticeable when Ghostscript was not
installed. This crash could be used to cause denial of service.
* PNG: With libpng 1.6.X, avoid a crash while copying a PNG with a
"known incorrect ICC profile". This crash could be used to cause
denial of service.
* etc. see NEWS.txt
-------------------------------------------------------------------
Mon Jul 15 13:32:17 UTC 2013 - pgajdos@suse.com
- set quantum depth to 16 [bnc#828380]
-------------------------------------------------------------------
Tue Mar 12 07:06:04 UTC 2013 - pgajdos@suse.com
- updated to 1.3.18:
* Due to `GCC bug 53967`_, several key agorithms (e.g. convolution)
may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is
enabled for floating point math (`-mfpmath=sse`) if the GCC option
`-frename-registers` is used. Default 32-bit builds do not
experience the problem since they use '387 math. It is not clear
in what version of GCC this problem started but it was not noticed
by the developers until the GCC 4.6 timeframe. Other compilers do
not suffer from this bug.
* Fixed bug with format substitutions if input string ends with a
single '%'.
* BMP: Fixed an old bug with decoding chromaticity primaries.
* PNG: Fixed reading of interlaced images. Fix reading of sub-8-bit
palette and grayscale images. Some PNG sub-formats were written
incorrectly. Fix crash in PNG8 writer if image colors happened to
be non-zero but image was not actually colormapped.
* PNG: Configure script now also searches for libpng versions 16 and
17.
* TIFF: Fix a crash which was noticed when writing RGBA separated
(planar) format.
* `--enable-symbol-prefix` was not prefixing all of the C
symbols. Some core C library functions were not prefixed. This
option applies to the Wand library API as well now.
* C API: When input is from a user-provided file descriptor, the
file position is restored after reading the file header bytes.
Previously the file position was rewound to the beginning of the
file. This allows reading embedded image data from the current
offset in a file, and allows continuing to use the stream after
GraphicsMagick has returned the image.
* C API: It is now possible to invoke CloseBlob() multiple times.
* etc. see NEWS.txt
-------------------------------------------------------------------
Mon Oct 15 07:13:56 UTC 2012 - pgajdos@suse.com
- updated to 1.3.17:
* PNG: Fix for CVE-2012-3438. The Magick_png_malloc function in
coders/png.c in GraphicsMagick 6.7.8-6 does not use the proper
variable type for the allocation size, which might allow remote
attackers to cause a denial of service (crash) via a crafted PNG
file that triggers incorrect memory allocation.
* PNG: Reading sub-8-bit palette images is fixed (images looked
stretched).
* SVG: Fixed bug which allowed MVG and SVG files with long vector
paths to crash the software.
* SVG: Ignore XML headers rather than rendering them as text.
* MVG/SVG/WMF/-draw: It is now possible to draw a plain ','
character.
* etc., see NEWS.txt
-------------------------------------------------------------------
Tue Jul 31 09:01:37 UTC 2012 - pgajdos@suse.com
- fixed PerlMagick/Makefile.PL.in [bnc#771540]
-------------------------------------------------------------------
Mon Jun 25 08:29:04 UTC 2012 - pgajdos@suse.com
- updated to 1.3.16:
Security Fixes:
* Don't translate 'comment' and 'label' attributes if the request is
made while a file is being read. Only translate such attributes
if they come from the command line or API user.
Bug fixes:
* SWT: SWT reader suffered from a number of implementation errors
which caused it not to work any more. Works again.
* XBM: Fix memory leak observed when reading file in 'ping' mode.
* Support -trim on images which use a consistent (single color)
transparent background. In this case, trim is done based on
opacity rather than foreground color.
* Include <sys/types.h> in order to assure that 'size_t' and
'ssize_t' are declared. This is necessary since
MagickExtentImage() uses these types as part of its definition.
* +repage was not working because parser was insisting that it
should include an argument.
(i.e. multiplying rather than dividing).
* PerlMagick: Fix compilation with Perl 5.16.
* PingBlob(): PingBlob was not working for all cases. Is now based
on BlobToImage() for assured reliability.
Feature improvements:
* MAT: Animated movies inside 4D matrices are loaded now.
* PDF: File base name is used as the document title.
* PNG: Fix issues observed specifically with libpng 1.5.10.
Performance Improvements:
* Pixel iterators should be more efficient now if the image uses a
file-backed cache.
* Motion blur algorithm does scale well as cores are added so
include OpenMP support for it by default.
-------------------------------------------------------------------
Mon Jun 4 08:50:13 UTC 2012 - pgajdos@suse.com
- added PerlMagick/typemap to build module with perl 5.16; to be
removed for 1.4.0
-------------------------------------------------------------------
Wed May 2 08:59:10 UTC 2012 - pgajdos@suse.com
- updated to 1.3.15:
Bug fixes:
* PNG - fixed problem with bit depth when the encoder decides to
write RGBA instead of indexed PNG.
* Fixed some temporary file leaks which were caused by the temporary
file name being automatically extended to include a scene number,
and therefore fail to be deleted.
New Features:
* Added '+noise random' and '-operator noise-random' to 'convert'
and 'mogrify'. This modulates the existing image data with
uniformely random noise.
* Added -strip option in composite, convert, mogrify, and montage to
remove all profiles and text attributes from the image.
* Added -repage option to composite, convert, mogrify, and montage
subcommands to reset or adjust the current image page offsets
based on a provided geometry specification.
* New C function StripImage() to remove all profiles and text
attributes from the image.
* New C function ResetImagePage() to adjust the current image page
canvas and position based on a relative page specification.
* C functions GenerateDifferentialNoise(), AddNoiseImageChannel(),
QuantumOperatorRegionImage(), AddNoiseImage() updated to support
RandomNoise enumeration.
* New C++ Image method strip(), and unary function stripImage() to
remove all profiles and text attributes from the image.
* XCF format now respects image subimage and subrange members so
that returned image layers may be selected.
* The INFO coder (e.g. output file "info:-") now respects the
-format option so that its output may be adjusted identically to
how -format works for 'identify'.
* TclMagick now supports Random noise.
Feature improvements:
* C function ThumbnailImage() now allows the user to override the
filter used, but still defaults to using the box filter.
Behavior Changes:
* No longer add a printf-style scene formatting specification to
filenames which do not have one and no longer automatically
operate in 'adjoin' mode in such cases. If multiple numbered
files are intended to be output, then add +adjoin to the command
line and use an output filename specification similar to
"image-%d.jpg". Output files are now completely specified and
predictable but this may break some existing usages which
anticipate the automatic file numbering.
-------------------------------------------------------------------
Mon Feb 27 08:05:20 UTC 2012 - pgajdos@suse.com
- updated to 1.3.14:
Bug fixes:
* TGA format: Assume that 32-bit TGA files have an alpha channel,
even if they are not marked as such.
* XCF format: Fix reading XCF which is comprised of different sized
layers.
* JPEG & CineonLog: Convert RGB-compatible colorspaces
(e.g. CineonLog) to RGB by default since that was the case prior
to release 1.3.13.
* RAW formats: Small memory leak in dcraw module was fixed.
* Resize: ResizeImage() was ignoring its resize filter argument and
was using the filter setting from the Image structure instead.
* The mirror virtual pixel method was broken.
New Features:
* Open64 Compiler Suite: Version 5.0 is fully supported.
* Wand API: Added MagickExtentImage().
* MEF RAW: Mamiya Photo RAW "MEF" format is now supported.
Feature improvements:
* DPX format: Original file endianness is preserved by default.
Performance Improvements:
* Despeckle algorithm (-despeckle) is many times faster.
Behavior Changes:
* DPX format: Original file endianness is preserved by default.
-------------------------------------------------------------------
Tue Dec 27 09:30:07 UTC 2011 - pgajdos@suse.com
- updated to 1.3.13:
* In I/O blob, don't rewind already open file handle passed to
OpenBlob() since we don't know the intended state of this file
handle, and because it prevents appending to an existing file.
* In AppendImageProfile(), don't leak profile buffer while appending
a chunk to an existing profile.
* Fix deadlock in ClonePixelCache() which was caused by using the
same semaphore pointer in the source and destination images.
* etc. see NEWS.txt
- disabled perl.patch
-------------------------------------------------------------------
Mon Apr 11 11:26:09 CEST 2011 - pgajdos@suse.cz
- removed dependency of devel packages on the main package
[bnc#685755]
-------------------------------------------------------------------
Wed Dec 22 10:11:32 UTC 2010 - neptunia@mail.ru
- restoring *-config scripts as in upstream version: their removal
breaks older software
-------------------------------------------------------------------
Tue Dec 14 16:53:58 UTC 2010 - cristian.rodriguez@opensuse.org
- package no longer requires -fno-strict-aliasins
- fix -devel package dependencies
- run make check
- exclude *-config scripts, whatever uses them _must_ use pkgconfig
to avoid the mess this scripts create.
-------------------------------------------------------------------
Mon Jul 12 13:50:07 CEST 2010 - pgajdos@suse.cz
- added xorg-x11-fonts as runtime dependency [bnc#619103]
-------------------------------------------------------------------
Tue Mar 9 08:59:09 CET 2010 - pgajdos@suse.cz
- updated to version 1.3.12:
* Filter mode (write to stdout) was completely broken.
* Should now compile with libpng 1.4.
* DCX output format is only written on request. Previously the PCX
coder would automatically switch to DCX format if multiple frames
would be written.
-------------------------------------------------------------------
Tue Feb 23 09:44:42 CET 2010 - pgajdos@suse.cz
- updated to version 1.3.11:
* Fixed array underflow on systems using signed char
which could result in a program crash due to extended
characters in filenames or in certain file formats.
* Fixed array underflow on systems using signed char
which could result in a program crash due to extended
characters in filenames or in certain file formats.
* Added a -thumbnail command to 'convert' and 'mogrify'.
This is a faster way to scale down the image when
speed is a primary concern.
* Added a -extent command to 'convert' and 'mogrify'
which composites the image on top of a backing
canvas image of solid color.
* Added support for -compose to the 'convert' and
'mogrify', which were documented to support it
(but did not).
* Requests for 'Over' and 'Atop' composition are
converted to a request for the (faster) 'Copy'
composition when both images are opaque.
-------------------------------------------------------------------
Mon Feb 15 11:05:19 CET 2010 - pgajdos@suse.cz
- updated to version 1.3.10:
* +adjoin was not working correctly for the case when only one image
frame is present. With +adjoin and writing one frame to
"foo%d.jpg" it was outputting "foo%d.jpg" rather than "foo0.jpg".
* When drawing paths, memory allocation for the points was much
larger than it needed to be (patch by Vladimir Lukianov).
* To reiterate the change which first appeared in 1.3.9, there is no
longer an implicit +adjoin if the output file name happens to
contain a %d sequence, or there are multiple frames and the output
file format only supports storing one frame. Specify +adjoin if
scene number substition is desired in the output file names.
-------------------------------------------------------------------
Mon Feb 8 10:22:54 CET 2010 - pgajdos@suse.cz
- updated to version 1.3.9:
* There is no longer an implicit 'adjoin' if an output filename
contains an apparent scene specification (e.g. foo%02d.tiff) and
multiple files are not needed to save the image.. It is necessary
to use +adjoin. For example ``gm convert foo.pdf +adjoin
%02d.tiff``.
* For formats which support multiple frames, output with +adjoing to
filenames containing a scene specification (e.g. foo%02d.tiff) was
resulting in wrong output file names.
* -flatten now applies the image background color under the first
image in the list if it is not already opaque.
* Fix "double free" error when using gm import -frame.
* XPM does not support RGBA color syntax, so return RGB instead.
* The display '-update' option was only working in conjunction with
the '-delay' option with a delay setting of 2 or greater.
* -convolve was crashing rather than reporting an error.
* Fixed crash if the number of OpenMP threads was reduced from the
original value via '-limit threads' or omp_set_num_threads().
* -blur was not blurring the opacity channel for solid-color images.
* Several deleted global string constants are restored with
deprecated status in order to assure that symbols are not removed
from the ABI.
-------------------------------------------------------------------
Mon Jan 25 10:16:57 CET 2010 - pgajdos@suse.cz
- updated to version 1.3.8:
Security Fixes:
* Fix for CVE-2009-1882 "Integer overflow in the XMakeImage
function".
* Fix lockup due to hanging in loop while parsing malformed
sub-image specification (SourceForge issue 2886560).
* Libltdl: Updated libtool to 2.2.6b in order to fix security issue.
Resolves CVE-2009-3736 as it pertains to GraphicsMagick.
Bug fixes:
* -convolve, -recolor: Validate that user-provided matrix is square
when parsing -convolve and -recolor commands in order to avoid a
core dump.
* CALS: Reading images taller than the image width resulted in a
failure.
* ConstituteImage(), DispatchImage(): 'A' and 'T' should indicate
transparency and 'O' should indicate opacity. Behavior was
inconsistent. In some cases 'O' meant transparency while in other
cases it meant opacity. Also, in a few cases, matte was not
getting enabled in the image as it should.
* DCRAW: Module name was not registered so modules based builds were
not supporting formats provided via 'dcraw'.
* GetOptimalKernelWidth1D(), GetOptimalKernelWidth2D(): In the Q32
build, convolution kernel size was estimated incorrectly for large
sigmas on 32-bit systems due to arithmetic overflow. This could
cause wrong results for -convolve, -blur, -sharpen, and other
algorithms which use these functions.
etc., see NEWS.txt
-------------------------------------------------------------------
Mon Nov 23 17:05:42 CET 2009 - pgajdos@suse.cz
- updated to version 1.3.7 (see ChangeLog)
-------------------------------------------------------------------
Tue Nov 3 19:09:19 UTC 2009 - coolo@novell.com
- updated patches to apply with fuzz=0
-------------------------------------------------------------------
Tue Aug 4 18:38:37 CEST 2009 - pgajdos@suse.cz
- updated to 1.2.7:
- Bug fixes:
* VID: Eliminate memory leak.
* montage: Eliminate use of freed memory.
* delegates.mgk: Fix hang when co-process is invoked.
* identify: Return comment text of any size.
* ConvolveImage: Correctly log the convolution kernel used.
- Feature improvements:
* Convert: Re-implement -write so that it works in a useful fashion.
- Performance improvments:
* TIFF: Ping mode ('identify') is now really fast.
-------------------------------------------------------------------
Wed Oct 15 11:35:47 CEST 2008 - nadvornik@suse.cz
- renamed libGraphicsMagick1 -> libGraphicsMagick2
-------------------------------------------------------------------
Fri Sep 12 15:05:31 CEST 2008 - nadvornik@suse.cz
- updated to 1.2.5
* many fixes and improvements
* see NEWS.txt for details
- renamed libGraphicsMagickWand0 -> libGraphicsMagickWand1
- renamed libGraphicsMagick++1 -> libGraphicsMagick++2
-------------------------------------------------------------------
Fri May 23 15:51:33 CEST 2008 - nadvornik@suse.cz
- fixed CVE-2008-1097 PCX buffer overflow [bnc#391366]
- fixed CVE-2008-1096 XCF Buffer overflow [bnc#391364]
-------------------------------------------------------------------
Tue Mar 11 17:02:23 CET 2008 - nadvornik@suse.cz
- updated to 1.1.11:
* security fixes merged upstream
* BMP, DIB: Support large files
* TIFF: Endian option (-endian) now controls TIFF byte endian
order rather than bit fill order
-------------------------------------------------------------------
Tue Oct 23 17:13:42 CEST 2007 - nadvornik@suse.cz
- updated to 1.1.10:
Bugs Fixed:
o Image rotate by -90/270 degrees was producing wrong output.
o In mogrify command, don't remove file name based on random junk in
memory.
o Fixed memory leak when reading MPC files.
o Fixed crash when writing MIFF format and depth is not expected 8/16/32/.
o In mogrify command, don't leak memory in the case where the image
file contains multiple frames.
o Fixed crash in PNG and JPEG coders when the image to be written is
part of an image list.
o PNG reader errors are now properly reported to the user.
o TIFF output can now be written to a pipe or other non-seekable
destination.
o Support writing PDF with CCITT compression.
Feature Improvements:
o Added a new 'benchmark' command which can be used to perform
benchmarking on any other command.
o Image rotate in clockwise (90 degrees) or counter-clockwise (270
degrees) direction is now 2-9X faster than before.
o The -version option now includes a list of supported features.
- fixed interger overflows: CVE-2007-4985, CVE-2007-4986,
CVE-2007-4988 [#327021]
- fixed to build with GCC 4.3
-------------------------------------------------------------------
Mon Aug 6 16:53:26 CEST 2007 - nadvornik@suse.cz
- updated to 1.1.8:
* security fixes merged upstream
* a lot of other bugfixes
-------------------------------------------------------------------
Wed Jul 25 13:41:10 CEST 2007 - nadvornik@suse.cz
- adjusted to Shared Library Policy:
* new subpackages libGraphicsMagick1, libGraphicsMagickWand0
* GraphicsMagick-c++ -> libGraphicsMagick++1
* GraphicsMagick-c++-devel -> libGraphicsMagick++-devel
- fixed to build
-------------------------------------------------------------------
Thu Apr 19 14:15:49 CEST 2007 - nadvornik@suse.cz
- fixed various crashes on malformed input, including
CVE-2007-1797 and CVE-2007-1667 [#258253]
- adjusted BuildRequires for libjasper-devel
-------------------------------------------------------------------
Tue Feb 27 22:49:43 CET 2007 - dmueller@suse.de
- reduce buildrequires
-------------------------------------------------------------------
Thu Feb 22 17:32:48 CET 2007 - nadvornik@suse.cz
- fixed patch for palm codec CVE-2006-5456 [#215685]
- fixed palm patch for palm codec [#215685]
- fixed PerlMagic module library dependencies [#243002]
- fixed broken code that caused compiler warnings [#243012]
-------------------------------------------------------------------
Thu Nov 16 18:35:03 CET 2006 - dmueller@suse.de
- fix c++-devel package requires
-------------------------------------------------------------------
Mon Oct 30 16:27:15 CET 2006 - nadvornik@suse.cz
- applied debian patch for CVE-2006-5456, CVE-2006-3743,
CVE-2006-3744, CAN-2005-0397, CVE-2005-4601
-------------------------------------------------------------------
Thu Sep 21 18:47:45 CEST 2006 - nadvornik@suse.cz
- minor adjustments in spec file
-------------------------------------------------------------------
Thu Sep 14 18:20:05 CEST 2006 - lmichnovic@suse.cz
- initial version 1.1.7
Reference in New Issue View Git Blame Copy Permalink