688176 – media-gfx/graphicsmagick-1.3.32 is out, fixing 52 oss-fuzz issues

Bug 688176 - media-gfx/graphicsmagick-1.3.32 is out, fixing 52 oss-fuzz issues

Summary: media-gfx/graphicsmagick-1.3.32 is out, fixing 52 oss-fuzz issues

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Linux bug wranglers

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-06-16 18:32 UTC by Attila Tóth
Modified:	2019-06-16 22:53 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Attila Tóth 2019-06-16 18:32:18 UTC

Subject: GraphicsMagick 1.3.32 security fixes, plus one of special mention

GraphicsMagick 1.3.32 is now released, fixing another 52 additional 
issues detected by oss-fuzz.

Of special mention is a bug reported to us by "Battle Furry" via our 
security mail alias.  This bug (was considered to be a "feature") 
allows including file text as rendered text on a graphic image, or as 
text hidden in metadata, by using a file refered to with '@...ename' 
syntax where text to be rendered normally appears.  This issue was 
inherited from ImageMagick 5.5.2 and it even appears in ImageMagick 
4.2.9.

Comment 1 Attila Tóth 2019-06-16 18:33:50 UTC

Renaming ebuild to -1.3.32 works. However I would also remove --without-gslib, since it complains there's no such option.

Comment 2 Tim Harder gentoo-dev

2019-06-16 21:26:09 UTC

Sync your tree, it was added yesterday.

Comment 3 Attila Tóth 2019-06-16 22:53:22 UTC

(In reply to Tim Harder from comment #2)
> Sync your tree, it was added yesterday.

Sorry, I was checking the package database online and it seems to fall behind. Haven't checked the git tree...