@cf-buildpacks-eng cf-buildpacks-eng released this Jul 24, 2017 · 120 commits to master since this release

Assets 3

Notably, this release addresses:

USN-3363-1 Ubuntu Security Notice USN-3363-1:

  • CVE-2017-10928: In ImageMagick 7.0.6-0, a heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c.
  • CVE-2017-11141: The ReadMATImage function in coders\mat.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted MAT file, related to incorrect ordering of a SetImageExtent call.
  • CVE-2017-11170: The ReadTGAImage function in coders\tga.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via invalid colors data in the header of a TGA or VST file.
  • CVE-2017-11188: The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a large loop vulnerability that can cause CPU exhaustion via a crafted DPX file, related to lack of an EOF check.
  • CVE-2017-11352: In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9144.
  • CVE-2017-11360: The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a large loop vulnerability via a crafted rle file that triggers a huge number_pixels value.
  • CVE-2017-11447: The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick before 7.0.6-1 has memory leaks, causing denial of service.
  • CVE-2017-11448: The ReadJPEGImage function in coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file.
  • CVE-2017-11449: coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin.
  • CVE-2017-11450: coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via JPEG data that is too short.
  • CVE-2017-11478: The ReadOneDJVUImage function in coders/djvu.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed DJVU image.
  • CVE-2017-9261: In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9262: In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9405: In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9407: In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9409: In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.
  • CVE-2017-9439: In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.
  • CVE-2017-9440: In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.
  • CVE-2017-9501: In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.
-ii  imagemagick                8:6.7.7.10-6ubuntu3.7   amd64 image manipulation programs
-ii  imagemagick-common         8:6.7.7.10-6ubuntu3.7   all   image manipulation programs -- infrastructure
+ii  imagemagick                8:6.7.7.10-6ubuntu3.8   amd64 image manipulation programs
+ii  imagemagick-common         8:6.7.7.10-6ubuntu3.8   all   image manipulation programs -- infrastructure
-ii  libdrm-intel1:amd64        2.4.67-1ubuntu0.14.04.1 amd64 Userspace interface to intel-specific kernel DRM services -- runtime
-ii  libdrm-nouveau2:amd64      2.4.67-1ubuntu0.14.04.1 amd64 Userspace interface to nouveau-specific kernel DRM services -- runtime
-ii  libdrm-radeon1:amd64       2.4.67-1ubuntu0.14.04.1 amd64 Userspace interface to radeon-specific kernel DRM services -- runtime
-ii  libdrm2:amd64              2.4.67-1ubuntu0.14.04.1 amd64 Userspace interface to kernel DRM services -- runtime
+ii  libdrm-intel1:amd64        2.4.67-1ubuntu0.14.04.2 amd64 Userspace interface to intel-specific kernel DRM services -- runtime
+ii  libdrm-nouveau2:amd64      2.4.67-1ubuntu0.14.04.2 amd64 Userspace interface to nouveau-specific kernel DRM services -- runtime
+ii  libdrm-radeon1:amd64       2.4.67-1ubuntu0.14.04.2 amd64 Userspace interface to radeon-specific kernel DRM services -- runtime
+ii  libdrm2:amd64              2.4.67-1ubuntu0.14.04.2 amd64 Userspace interface to kernel DRM services -- runtime
-ii  libmagickcore-dev          8:6.7.7.10-6ubuntu3.7   amd64 low-level image manipulation library - development files
-ii  libmagickcore5:amd64       8:6.7.7.10-6ubuntu3.7   amd64 low-level image manipulation library
-ii  libmagickcore5-extra:amd64 8:6.7.7.10-6ubuntu3.7   amd64 low-level image manipulation library - extra codecs
-ii  libmagickwand-dev          8:6.7.7.10-6ubuntu3.7   amd64 image manipulation library - development files
-ii  libmagickwand5:amd64       8:6.7.7.10-6ubuntu3.7   amd64 image manipulation library
+ii  libmagickcore-dev          8:6.7.7.10-6ubuntu3.8   amd64 low-level image manipulation library - development files
+ii  libmagickcore5:amd64       8:6.7.7.10-6ubuntu3.8   amd64 low-level image manipulation library
+ii  libmagickcore5-extra:amd64 8:6.7.7.10-6ubuntu3.8   amd64 low-level image manipulation library - extra codecs
+ii  libmagickwand-dev          8:6.7.7.10-6ubuntu3.8   amd64 image manipulation library - development files
+ii  libmagickwand5:amd64       8:6.7.7.10-6ubuntu3.8   amd64 image manipulation library
-ii  xtrans-dev                 1.3.5-1~ubuntu14.04.1   all   X transport library (development files)
+ii  xtrans-dev                 1.3.5-1~ubuntu14.04.2   all   X transport library (development files)