graphicsmagick (1.4+really1.3.36+hg16481-2+deb11u1) bullseye-security; urgency=medium

  * CVE-2022-1270

 -- Moritz Muehlenhoff <jmm@debian.org>  Thu, 24 Nov 2022 21:50:54 +0100

graphicsmagick (1.4+really1.3.36+hg16481-2) unstable; urgency=medium

  * Backport fix for use appropriate memory deallocator for memory returned
    by StringToList() (closes: #991380).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 24 Jul 2021 11:42:42 +0200

graphicsmagick (1.4+really1.3.36+hg16481-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ProcessStyleClassDefs(): fix non-terminal loop caused by a
      self-referential list which results in huge memory usage,
    - MSLCDataBlock(): fix leak of value from xmlNewCDataBlock(),
    - ProcessStyleClassDefs(): fix memory leak upon malformed class name list,
    - ProcessStyleClassDefs(): fix non-terminal loop and huge memory
      allocation caused by self-referential list,
    - SVGReference(): fix memory leak when parser node is null,
    - MSLStartElement(): fix assertion in TranslateText() when there are no
      attributes available.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 28 Feb 2021 23:26:56 +0100

graphicsmagick (1.4+really1.3.36+hg16472-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadJP2Image(): validate that file header is a format we expect Jasper
      to decode,
    - MSLPushImage(): only clone attributes if not null,
    - SVGStartElement(): reject impossibly small bounds and view_box width
      or height.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 22 Feb 2021 06:54:42 +0100

graphicsmagick (1.4+really1.3.36+hg16469-1) unstable; urgency=medium

  * Mercurial snapshot:
    - MagickDoubleToLong(): Guard against LONG_MAX not directly representable
      as a double,
    - handle Ghostscript point versions added after 9.52 .
  * Make libgraphicsmagick1-dev depend on pkg-config (closes: #977699).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 21 Feb 2021 08:24:57 +0100

graphicsmagick (1.4+really1.3.36+hg16462-1) unstable; urgency=medium

  * Mercurial snapshot:
    - ExecuteModuleProcess(): add error reporting for the case that the
      expected symbol is not resolved,
    - AnalyzeImage(): add OpenMP speed-ups,
    - TranslateTextEx(): fabricate default resolution values if the actual
      resolution values are zero.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 07 Feb 2021 15:04:57 +0100

graphicsmagick (1.4+really1.3.36+hg16448-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - coders/tiff.c: remove unintended double-charging for memory resource,
    - magick/pixel_cache.c: use resource limited memory allocator,
    - InverseAffineMatrix(): avoid possible division by zero or absurdly
      extreme scaling.
  * Add upstream metadata.
  * Update watch file.
  * Update packaging bits.

  [ Helmut Grohne <helmut@subdivi.de> ]
  * Reduce Build-Depends (closes: #980721):
    + Drop unused libexif-dev.
    + Annotate sharutils with <!nocheck> as uudecode is conditionally used in
      d/rules.
    + Annotate gsfonts with <!nocheck> as it is only used in unit tests.
    + Drop unused transfig as d/rules passes --without-frozenpaths.
    + Drop unused libltdl-dev as d/rules passes --without-modules.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 23 Jan 2021 10:10:54 +0100

graphicsmagick (1.4+really1.3.36+hg16442-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - super_fgets_w() and super_fgets(): assure that returned pointer
      value is the same as reported via 'b',
    - ReadIdentityImage(): don't lose exception info if an image is not
      returned,
    - ReadMETAImage(): fix double-free if blob buffer was reallocated after
      being attached to blob,
    - ReadGIFImage(): fix memory leak of global_colormap if realloc of memory
      for comment fails.
  * Fix broken reading of planar RGB files.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 08 Jan 2021 18:02:36 +0100

graphicsmagick (1.4+really1.3.36-1) unstable; urgency=high

  * New upstream release, fixing the following security issues:
    - update almost all of the remaining coders to use the resource-limited
      memory allocator,
    - ReadMPCImage(): heap-buffer-overflow read,
    - EdgeImage(): fix null pointer dereference if edge image failed to be
      created,
    - CompareImageCommand() and CompositeImageCommand(): fix memory leaks when
      an input image failed to be read,
    - fix several null pointer dereference if an image failed to be created,
    - Classify(): remove variables from function global scope that don't need
      outer scope,
    - ReadMIFFImage() and ReadMPCImage(): arbitrarily limit the number of
      header keywords to avoid DOS attempts.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 27 Dec 2020 07:44:36 +0100

graphicsmagick (1.4+really1.3.35+hg16404-1) unstable; urgency=medium

  * Mercurial snapshot, fixing the following issue:
    - ImportRLEPixels(): Change from C assertion to exception report.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 18 Dec 2020 20:18:42 +0100

graphicsmagick (1.4+really1.3.35+hg16397-1) unstable; urgency=medium

  * Mercurial snapshot, fixing the following issue:
    - fix a regression with parsing MVG and SVG files which contain a "mask"
      statement.
  * Update debhelper level to 13 .
  * Update Standards-Version to 4.5.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 12 Dec 2020 20:44:16 +0100

graphicsmagick (1.4+really1.3.35+hg16394-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - DrawImage(): Verify that affine scaling factors are not zero - fixing
      divide-by-zero in InverseAffineMatrix() ,
    - DrawPolygonPrimitive(): Thread error status check was at wrong scope,
      resulting in code executing when it should have quit,
    - DrawImage(): Use unique image attribute space for MVG symbols - fixing
      stack-overflow in DrawImage() and integer-overflow in
      DrawPolygonPrimitive() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 06 Dec 2020 10:37:34 +0100

graphicsmagick (1.4+really1.3.35+hg16390-1) unstable; urgency=medium

  * Mercurial snapshot, fixing the following security issues:
    - DrawImage(): Reject pattern image with a dimension of zero,
    - add private interfaces for allocating memory while respecting resource
      limits and use them in MVG rendering and MIFF reader code,
    - WriteMIFFImage(): Update to use resource-limit respecting memory
      allocators,
    - adjust test suite memory limit to 128/256/512MB for Q8/Q16/Q32 builds,
    - ConvertPathToPolygon(): Fix memory leak upon memory reallocation
      failure,
    - ReadSVGImage(): Fix memory leak due to CDATA block, and some other
      possible small leaks,
    - WritePSImage(): Fix problem when writing PseudoClass mage with a
      colormap larger than two entries as bilevel,
    - DrawPolygonPrimitive(): Try to minimize the impact of too many threads
      due to replicated data,
    - ConvertPathToPolygon(): Make sure not to leak points from added Edge,
    - DrawDashPolygon(): Place an aribrary limit on stroke dash polygon unit
      maximum length,
    - ConvertPathToPolygon(): Attempt to fix leak of 'points' on memory
      allocation failure,
    - BMP: Use resource-limited memory allocator,
    - DIB: Use resource-limited memory allocator,
    - FITS: Use resource-limited memory allocator,
    - WriteJBIGImage(): Use resource-limited memory allocator,
    - WEBP: Use resource-limited memory allocator,
    - ReadGIFImage(): Use resource-limited memory allocator when reading the
      comment extension,
    - ReadOneJNGImage(): Fix issues related to invoking sub-decoders (which
      may lead to unexpected behavior),
    - MAT: Use resource-limited memory allocator.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 03 Dec 2020 21:22:54 +0100

graphicsmagick (1.4+really1.3.35+hg16348-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - DrawPrimitive(): destroy composite_image since it may be a list, fixing
      indirect memory leak in MagickMalloc() ,
    - DrawPrimitive(): missing DestroyImageList() request if multiple-frames
      were returned,
    - ConstituteImage(): set image depth appropriately based on StorageType
      and QuantumDepth.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 17 Oct 2020 07:49:58 +0200

graphicsmagick (1.4+really1.3.35+hg16344-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - integer overflow in DrawImage() ,
    - stack-overflow due to DrawImage() / DrawClipPath() recursion,
    - fix UBSAN integer overflow warning in MagickXVisualColormapSize() ,
    - ExtractTokensBetweenPushPop(): verify that the expected/required pop
      statement is indeed found,
    - DrawImage(): handle the case that ExtractTokensBetweenPushPop() can
      return NULL,
    - ReadTIFFImage(): apply the same resource limits to TIFF tile sizes as
      apply to the image itself,
    - GetImageBoundingBox(): MagickTrimImage() with extreme fuzz can produce
      image with negative width,
    - ReadTIFFImage(): ignore corrupt whitepoint and primary chromaticities
      tags,
    - ResizeImage(): if CloneImage() of resize_image to source_image fails
      then free source_image allocation before returning in order to prevent
      memory leak,
    - CloneImage(): free clone_image allocation if ImgExtra allocation fails
      in order to prevent memory leak.
  * Remove unsafe quotes from mailcap entries.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 11 Oct 2020 18:16:39 +0200

graphicsmagick (1.4+really1.3.35+hg16297-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - fix WPG heap-buffer-overflow in ImportGrayQuantumType(),
    - fix WPG heap-buffer-overflow in InsertRow(),
    - fix WPG thrown assertion due to a double-free of memory.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 07 Jun 2020 21:02:16 +0200

graphicsmagick (1.4+really1.3.35+hg16296-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadWPGImage(): Terminate reading when a pixel cache resource limit is
      hit rather than moving on to heap buffer overflow,
    - WriteTIFFImage(): WebP compression only supports a depth of 8; fixes
      use-of-uninitialized-value in GammaToLinear.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 03 Jun 2020 17:49:58 +0200

graphicsmagick (1.4+really1.3.35-2) unstable; urgency=high

  * Backport security fix for CVE-2020-12672, MNG: small heap overwrite or
    assertion if magnifying and image to be magnified has rows or columns == 1
    (closes: #960000).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 30 May 2020 17:41:09 +0200

graphicsmagick (1.4+really1.3.35-1) unstable; urgency=high

  * New upstream release, fixing the following security issues among others:
    - ReadSVGImage(): Fix dereference of NULL pointer when stopping image
      timer,
    - DrawImage(): Fix integer-overflow in DrawPolygonPrimitive() .
  * Update library symbols for this release.

  [ Nicolas Boulenguez <nicolas@debian.org> ]
  * mime: improve formatting.
  * mime: adjust priority for all images (closes: #951758).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 23 Feb 2020 20:42:10 +0000

graphicsmagick (1.4+really1.3.34+hg16230-1) unstable; urgency=medium

  * Mercurial snapshot, fixing the following security issues:
    - WritePICTImage(): Eliminating small buffer overrun when run-length
      encoding pixels,
    - WriteOneJNGImage(): Detect when JPEG encoder has failed, and throw
      exception,
    - DecodeImage(): Fix heap buffer over-reads,
    - DecodeImage(): Allocate extra scanline memory to allow small
      RLE overrun.
  * Update library symbols for this release.
  * Update Standards-Version to 4.5.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 07 Feb 2020 19:02:36 +0000

graphicsmagick (1.4+really1.3.34+hg16181-1) unstable; urgency=medium

  * Mercurial snapshot, fixing the following security issue:
    - WritePCXImage(): Fix heap overflow in PCX writer when bytes per line
      value overflows its 16-bit storage unit.
  * Fix definition of ResourceInfinity.

  [ Nicolas Boulenguez <nicolas@debian.org> ]
  * Lower MIME priority for PS/PDF (closes: #935099).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 28 Dec 2019 18:58:57 +0000

graphicsmagick (1.4+really1.3.34-2) unstable; urgency=medium

  * Still use glibc malloc allocator.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 25 Dec 2019 10:09:02 +0000

graphicsmagick (1.4+really1.3.34-1) unstable; urgency=high

  * New upstream release, fixing the following security issues among others:
    - PNMInteger(): Place a generous arbitrary limit on the amount of PNM
      comment text to avoid DoS opportunity,
    - MagickClearException(): Destroy any existing exception info before
      re-initializing the exception info or else there will be a memory leak,
    - HuffmanDecodeImage(): Fix signed overflow on range check which leads
      to heap overflow,
    - ReadMNGImage(): Only magnify the image if the requested magnification
      methods are supported,
    - GenerateEXIFAttribute(): Add validations to prevent heap buffer
      overflow,
    - DrawPatternPath(): Don't leak memory if fill_pattern or stroke_pattern
      of cloned draw_info are not null,
    - CVE-2019-19953: PICT: Throw a writer exception if the PICT width limit
      is exceeded (closes: #947311).
  * Build with Google Thread-Caching Malloc library.
  * Update Standards-Version to 4.4.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 24 Dec 2019 20:23:10 +0000

graphicsmagick (1.4+really1.3.33+hg16117-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issue:
    - CVE-2019-16709: ReadDPSImage(): Fix memory leak when OpenBlob()
      reports failure.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 10 Oct 2019 22:57:35 +0000

graphicsmagick (1.4+really1.3.33+hg16115-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadMNGImage(): skip coalescing layers if there is only one layer,
    - DrawStrokePolygon(): handle case where TraceStrokePolygon() returns
      NULL,
    - DrawDashPolygon(): handle case where DrawStrokePolygon() returns
      MagickFail,
    - TraceBezier(): detect arithmetic overflow and return errors via
      normal error path rather than exiting,
    - ExtractTokensBetweenPushPop(): fix non-terminal parsing loop,
    - GenerateEXIFAttribute(): check that we are not being directed to read
      an IFD that we are already parsing and quit in order to avoid a loop,
    - ReallocColormap(): avoid dereferencing a NULL pointer if
      image->colormap is NULL,
    - png_read_raw_profile(): fix validation of raw profile length,
    - TraceArcPath(): substitute a lineto command when tracing arc is
      impossible,
    - GenerateEXIFAttribute(): skip unsupported/invalid format 0.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 28 Sep 2019 10:57:12 +0000

graphicsmagick (1.4+really1.3.33-1) unstable; urgency=medium

  * New upstream release, including many security fixes.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 25 Jul 2019 16:43:39 +0000

graphicsmagick (1.4+really1.3.32-1) unstable; urgency=high

  * New upstream release, fixing the following security issues among others:
    - DrawImage(): Terminate drawing if DrawCompositeMask() reports failure,
    - DrawImage(): Detect an error in TracePath() and quit rather than
      forging on.
  * Backport security fixes:
    - ReadTIFFImage(): Fix typo in initialization of 'tile' pointer variable,
    - WriteDIBImage(): Detect arithmetic overflow of image_size,
    - WriteBMPImage(): Detect arithmetic overflow of image_size,
    - WriteBMPImage(): Assure that chromaticity uses double-precision for
      multiply before casting to unsigned integer.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 16 Jun 2019 18:10:05 +0000

graphicsmagick (1.4~hg16039-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ImportRLEPixels(): Fix heap overflow caused by a typo in the code. Also
      fix undefined behavior caused by large left shifts of an unsigned char,
    - ThrowException(), ThrowLoggedException(): Handle the case where some
      passed character strings refer to existing exception character strings,
    - PICT: Allocate output buffer used by ExpandBuffer() on DecodeImage()
      stack,
    - WritePDFImage(): Allocate working buffer on stack and pass as argument
      to EscapeParenthesis() to eliminate a thread safety problem,
    - TranslateTextEx(): Remove support for reading from a file using
      '@filename' syntax,
    - DrawImage(): Only support '@filename' syntax to read drawing primitive
      from a file if we are not already drawing.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 06 Jun 2019 21:11:11 +0000

graphicsmagick (1.4~hg15978-1) unstable; urgency=medium

  * Mercurial snapshot, fixing uninitialized integer value of log_configured.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 27 Apr 2019 07:06:40 +0000

graphicsmagick (1.4~hg15976-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadXWDImage(): Potential for heap overflow; Address header-directed
      arbitrary memory allocation,
    - ReadXWDImage(): Address segmentation violation and invalid memory
      reads with more validations,
    - Make built-in color tables fully const.
  * Break gnudatalanguage versions that doesn't initialize GraphicsMagick
    library (closes: #927688).
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 22 Apr 2019 14:41:32 +0000

graphicsmagick (1.4~hg15968-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues
    (closes: #927029):
    - ReadMATImage(): Report a corrupt image exception if reader encounters
      end of file while reading scanlines (use of uninitialized value in
      IsGrayImag() ),
    - ReadTOPOLImage(): Report a corrupt image if reader encounters end of
      file while reading header rows (use of uninitialized value in
      InsertRow() ),
    - OpenCache(): Use unsigned 64-bit value to store CacheInfo offset and
      length as well as for the total pixels calculation to prevent some more
      arithmetic overflows,
    - SetNexus(): Apply resource limits to pixel nexus allocations to prevent
      arithmetic and integer overflows,
    - SetNexus(): Report error for empty region rather than crashing due to
      divide by zero exception,
    - ReadTXTImage(): Don't start new line if x_max < x_min to avoid floating
      point exception in SetNexus(),
    - ReadMATImage(): Quit if image scanlines are not fully populated due to
      exception to prevent use of uninitialized value in
      InsertComplexFloatRow(),
    - ReadMATImage(): Fix memory leak on unexpected end of file,
    - Throwing an exception is now thread-safe,
    - Fx module error handling/reporting improvements,
    - Fix various uses of allocated memory without checking if memory
      allocation has failed,
    - CVE-2019-11010: ReadMPCImage(): Deal with a profile length of zero, or
      an irrationally large profile length to prevent memory leak,
    - CVE-2019-11007: ReadMNGImage(): Fix small buffer overflow (one
      PixelPacket) of image colormap,
    - CVE-2019-11009: ReadXWDImage(): Fix heap buffer overflow while reading
      DirectClass XWD file,
    - CVE-2019-11006: ReadMIFFImage(): Detect end of file while reading RLE
      packets to prevent heap buffer overflow,
    - CVE-2019-11005: SVGStartElement(): Fix stack buffer overflow while
      parsing quoted font family value,
    - CVE-2019-11008: XWD: Perform more header validations, a file size
      validation, and fix arithmetic overflows leading to heap overwrite,
    - ReadWMFImage(): Reject WMF files with an empty bounding box to prevent
      division by zero problems,
    - WritePDBImage(): Use correct bits/sample rather than image->depth to
      prevent potential buffer overflow,
    - WriteMATLABImage(): Add completely missing error handling to prevent
      heap buffer overflow,
    - SetNexus(): Fix arithmetic overflow while testing x/y offset limits,
    - DrawPrimitive(): Check primitive point x/y values for NaN to prevent
      integer overflow,
    - DrawImage(): Fix integer overflow while validating gradient dimensions,
    - WritePDBImage(): Assure that input scanline is cleared in order to
      cover up some decoder bug to prevent use of uninitialized value,
    - ReadXWDImage(): Add more validation logic to avoid crashes due to FPE
      and invalid reads.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 15 Apr 2019 17:40:12 +0000

graphicsmagick (1.4~hg15916-2) unstable; urgency=medium

  * Declare break on python{,3}-pgmagick versions compiled with GCC 7
    compiled versions of GraphicsMagick (closes: #915603, #915606).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 02 Apr 2019 18:49:40 +0000

graphicsmagick (1.4~hg15916-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadTIFFImage(): Only disassociate alpha channel for images where
      photometic is PHOTOMETRIC_RGB,
    - DrawDashPolygon(): Heap buffer overflow when parsing SVG images,
    - DrawPrimitive(): Add arithmetic overflow checks when converting
      computed coordinates from 'double' to 'long',
    - DrawImage(): Don't destroy draw_info in graphic_context when draw_info
      has not been allocated yet,
    - RenderFreetype(): Eliminate memory leak of GlyphInfo.image,
    - DrawDashPolygon(): Heap-buffer-overflow via read beyond end of dash
      pattern array,
    - ReadMIFFImage(): Tally directory length to avoid death by strlen(),
    - ReadMPCImage(): Tally directory length to avoid death by strlen(),
    - ReallocColormap(): Make sure that there is not a heap overwrite if the
      number of colors has been reduced.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 28 Feb 2019 17:50:19 +0000

graphicsmagick (1.4~hg15896-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - ReadMNGImage(): Quit processing and report error upon failure to insert
      MNG background layer preventing out of memory issues,
    - ReadMIFFImage(): Improve pixel buffer calculations to defend against
      overflow,
    - ReadTIFFImage(): Make sure that image is in DirectClass mode and ignore
      any claimed colormap when the image is read using various functions,
    - ReadWPGImage(): Assure that all colormap entries are initialized,
    - DecodeImage(): Avoid a one-byte over-read of pixels heap allocation,
    - ReadTIFFImage(): Assure that opacity channel is initialized in the
      RGBAStrippedMethod case,
    - ReadMNGImage(): Bound maximum loop iterations by subrange as a
      primitive means of limiting resource consumption preventing out of
      memory issues,
    - CVE-2019-7397: WritePDFImage(): Make sure to free 'xref' before
      returning preventing several memory leaks,
    - ReadTIFFImage(): For planar TIFF, make sure that pixels are initialized
      in case some planes are missing.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 16 Feb 2019 15:19:56 +0000

graphicsmagick (1.4~hg15880-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - SetNexus(): Merge IsNexusInCore() implementation code into SetNexus()
      and add check for if cache_info->pixels is null,
    - CVE-2018-20185: BMP and DIB: Improve buffer size calculations to guard
      against arithmetic overflow.
  * Update Standards-Version to 4.3.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 05 Feb 2019 20:44:14 +0000

graphicsmagick (1.4~hg15873-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - WriteImage(): Eliminate use of just-freed memory in clone_info->magick,
    - ReadMIFFImage(): Fix memory leak of profiles 'name' when claimed length
      is zero,
    - WriteXPMImage(): Assure that added colormap entry for transparent XPM
      is initialized,
    - ReadMNGImage(): Fix non-terminal MNG looping,
    - ReadMIFFImage(): Sanitize claimed profile size before allocating memory
      for it,
    - CVE-2018-20185: ReadBMPImage(): Fix heap overflow in 32-bit build due
      to arithmetic overflow (closes: #916719),
    - CVE-2018-20184: WriteTGAImage(): Image rows/columns must not be larger
      than 65535 (closes: #916721),
    - ReadTIFFImage(): More validations and stricter error reporting,
    - ReadMIFFImage(): Detect and reject zero-length deflate-encoded row in
      MIFF version 0,
    - CVE-2018-20189: ReadDIBImage(): DIB images claiming more than 8-bits
      per pixel are not colormapped (closes: #916752).
  * Add pkg-config to build dependency for FreeType 2.9.1+ detection.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 20 Dec 2018 19:04:33 +0000

graphicsmagick (1.3.31-1) unstable; urgency=high

  * New upstream release.
  * Fix CVE-2018-18544: memory leak of msl_image if OpenBlob() fails in
    ProcessMSLScript() .
  * Can detect FreeType via pkg-config (closes: #887720).
  * Enable Zstandard, the fast lossless compression algorithm support.
  * Update library symbols for this release.
  * Update Standards-Version to 4.2.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 20 Nov 2018 17:16:37 +0000

graphicsmagick (1.3.30+hg15796-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - WEBP: Fix compiler warnings regarding uninitialized structure members,
    - ReadJPEGImage(): Allow libjpeg to use 1/5th of the total memory limit,
    - ReadJPEGImage(): Make sure that JPEG pixels array is initialized in
      case libjpeg fails to completely initialize it,
    - WriteOnePNGImage(): Free png_pixels as soon as possible,
    - ReadMIFFImage(): Detect EOF when reading using ReadBlobZC() and avoid
      subsequent heap read overflow,
    - ReadMVGImage(): Don't assume that in-memory MVG blob is a
      null-terminated C string,
    - ReadMVGImage(): Don't allow MVG files to side-load a file as the
      drawing primitive using '@' syntax,
    - FileToBlob(): Use confirm access APIs to verify that read access is
      allowed, and verify that file is a regular file,
    - ExtractTokensBetweenPushPop() needs to always return a valid pointer
      into the primitive string,
    - DrawPolygonPrimitive(): Fix leak of polygon set when object is
      completely outside image,
    - SetNexus(): For requests one pixel tall, SetNexus() was wrongly using
      pixels in-core rather than using a staging area for the case where the
      nexus rows extend beyond the image raster boundary,
    - ReadCINEONImage(): Quit immediately on EOF and detect short files,
    - ReadMVGImage(): Fix memory leak,
    - Add mechanism to approve embedded subformats in WPG,
    - ReadXBMImage(): Add validations for row and column dimensions,
    - MAT InsertComplexFloatRow(): Avoid signed overflow,
    - InsertComplexFloatRow(): Try not to lose the previous intention while
      avoiding signed overflow,
    - XBMInteger(): Limit the number of hex digits parsed to avoid signed
      integer overflow,
    - MAT: More aggresive data corruption checking,
    - MAT: Correctly check GetBlobSize(image) even for zipstreams inside
      blob,
    - MAT: Explicitly reject non-seekable streams,
    - DrawImage(): Add missing error-reporting logic to return immediately
      upon memory reallocation failure. Apply memory resource limits to
      PrimitiveInfo array allocation,
    - MagickAtoFChk(): Add additional validation checks for floating point
      values. NAN and +/- INFINITY values also map to 0.0 ,
    - ReadMPCImage()/(ReadMIFFImage(): Insist that the format be identified
      prior to any comment, and that there is only one comment,
    - ConvertPrimitiveToPath(): Enlarge PathInfo array allocation to avoid
      possible heap write overflow,
    - WPG: Fix intentional 64 bit file offset overflow,
    - DrawImage(): Be more precise about error detection and reporting,
    - TranslateTextEx(): Fix off-by-one in loop bounds check which allowed a
      one-byte stack write overflow,
    - DrawImage(): Fix excessive memory consumption due to
      SetImageAttribute() appending values,
    - QuantumTransferMode(): CIE Log images with an alpha channel are not
      supported,
    - ConvertPrimitiveToPath(): Second attempt to prevent heap write
      overflow of PathInfo array,
    - ExtractTileJPG(): Enforce that JPEG tiles are read by the JPEG coder,
    - MIFF and MPC, need to avoid leaking value allocation (day-old bug),
    - ReadSFWImage(): Enforce that file is read using the JPEG reader,
    - FindEXIFAttribute()/GenerateEXIFAttribute(): Change size types from
      signed to unsigned and check for unsigned overflow,
    - GenerateEXIFAttribute(): Eliminate undefined shift,
    - TraceEllipse(): Detect arithmetic overflow when computing the number of
      points to allocate for an ellipse,
    - ReadMNGImage(): mng_LOOP chunk must be at least 5 bytes long,
    - ReadJPEGImage(): Apply a default limit of 100 progressive scans before
      the reader quits with an error.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Sep 2018 21:54:36 +0000

graphicsmagick (1.3.30-1) unstable; urgency=high

  * New upstream release, including many security fixes.
  * Build with all hardening enabled.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 24 Jun 2018 08:20:31 +0000

graphicsmagick (1.3.29+hg15665-1) unstable; urgency=high

  * Mercurial snapshot, fixing the following security issues:
    - use of uninitialized value in IsMonochromeImage() ,
    - divide by zero in GetPixelOpacity() ,
    - write beyond array bounds in TraceStrokePolygon() ,
    - use of uninitialized value in format8BIM() ,
    - assertion failure in WriteBlob() ,
    - out of bounds write in TraceEllipse() ,
    - memory leak and use of uninitialized memory when handling eXIf chunk
      in png_malloc() ,
    - floating point exception in WriteTIFFImage() ,
    - leak of Image when TIFFReadRGBAImage() reports failure,
    - potentional leak when compressed object is corrupted,
    - floating point exception in WriteTIFFImage() ,
    - heap double free in Magick::BlobRef::~BlobRef() ,
    - direct leak in TIFFClientOpen() ,
    - indirect leak in CloneImage() ,
    - direct leak in ReadOneJNGImage() ,
    - heap buffer overflow in put1bitbwtile() ,
    - use of uninitialized value in SyncImageCallBack() ,
    - validate tile memory requests for TIFFReadRGBATile() .
  * Remove profiles/sRGB Color Space Profile.ICM and
    jp2/data/colorprofiles/srgb.icm for being non-free.
  * Remove zlib/contrib/dotzlib/DotZLib.chm for no source available.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 25 May 2018 19:21:07 +0000

graphicsmagick (1.3.29-1) unstable; urgency=high

  * New upstream release, including many security fixes.
  * Remove previously backported security patches.
  * Update library symbols for this release.
  * Update debhelper level to 11 .
  * Update Standards-Version to 4.1.4 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 08 May 2018 20:33:46 +0000

graphicsmagick (1.3.28-2) unstable; urgency=high

  * Backport security fixes:
    - don't use rescale map if it was not allocated,
    - validate number of colormap bits to avoid undefined shift behavior,
    - defend against partial scanf() expression matching, resulting in benign
      use of uninitialized data,
    - don't use rescale map if it was not allocated,
    - fix tile index overflow,
    - reject XPM if it contains non-whitespace control characters,
    - fix forged amount of frames 6755,
    - validate header length and offset properties,
    - fixed memory leak when tile overflows,
    - fix forged amount of frames 7076,
    - check for forged image that overflows file size,
    - validate size request prior to allocation,
    - validate that file size is sufficient for claimed image properties,
    - fix signed integer overflow when computing pixels size,
    - include number of FITS scenes in file size validations,
    - allocate space for null termination and null terminate string,
    - validate that samples per pixel is in valid range,
    - check whether datablock is really read,
    - verify that sufficient backing data exists before allocating memory to
      read it,
    - duplicate image check for data with fixed geometry,
    - CVE-2018-9018: avoid divide-by-zero if delay or timeout properties
      changed while ticks_per_second is zero (closes: #894396),
    - add checks for EOF,
    - validate that PICT rectangles do not have zero dimensions,
    - check image pixel limits before allocating memory for tile.
  * Backport patch to redesign ReadBlobDwordLSB() to be more effective.
  * Backport patch to destroy tile_image in ThrowPICTReaderException() macro
    to simplify logic.
  * Backport patch to remove shadowed tile_image variable which defeats new
    ThrowPICTReaderException() implementation.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 31 Mar 2018 11:05:51 +0000

graphicsmagick (1.3.28-1) unstable; urgency=high

  * New upstream release, fixing the following security issues among others:
    - BMP: Fix non-terminal loop due to unexpected bit-field mask value
      (DOS opportunity),
    - PALM: Fix heap buffer underflow in builds with QuantumDepth=8,
    - SetNexus() Fix heap overwrite under certain conditions due to using a
      wrong destination buffer,
    - TIFF: Fix heap buffer read overflow in LocaleNCompare() when parsing
      NEWS profile.
  * Remove previously backported security patches.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 20 Jan 2018 20:19:29 +0000

graphicsmagick (1.3.27-4) unstable; urgency=high

  * Fix CVE-2018-5685: infinite loop in ReadBMPImage() (closes: #887158).
  * Fix memory leak of global colormap.
  * Fix memory leak of chunk and mng_info in error path.
  * Update Standards-Version to 4.1.3 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 15 Jan 2018 19:06:43 +0000

graphicsmagick (1.3.27-3) unstable; urgency=high

  * Fix heap-buffer-overflow on LocaleNCompare() .
  * Add some assertions to verify that the image pointer provided by libwebp
    is valid.
  * Fix NULL pointer dereference in ReadMNGImage() .
  * Fix CVE-2017-17913: stack-buffer-overflow in WriteWEBPImage() .
  * Fix CVE-2017-17915: heap-buffer-overflow in ReadMNGImage() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 27 Dec 2017 22:12:30 +0000

graphicsmagick (1.3.27-2) unstable; urgency=high

  * Fix CVE-2017-17782: heap-based buffer over-read in ReadOneJNGImage()
    (closes: #884905).
  * Fix CVE-2017-17783: buffer over-read in ReadPALMImage() (closes: #884904).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 25 Dec 2017 17:18:01 +0000

graphicsmagick (1.3.27-1) unstable; urgency=medium

  * New upstream release.
  * Remove previously backported security patches.
  * Update library symbols for this release.
  * Add libwebp-dev dependency to libgraphicsmagick1-dev (closes: #863564).
  * Update Standards-Version to 4.1.2 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 10 Dec 2017 17:12:28 +0000

graphicsmagick (1.3.26-19) unstable; urgency=high

  * Fix CVE-2017-16669: heap buffer overflow in AcquireCacheNexus()
    (closes: #881391).
  * Fix CVE-2017-13134: heap buffer overflow in SFWScan() (closes: #881524).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 11 Nov 2017 09:12:53 +0000

graphicsmagick (1.3.26-18) unstable; urgency=high

  * Fix CVE-2017-16547: remote denial of service (negative strncpy and
    application crash).
  * Fix CVE-2017-16545: NULL pointer dereference (write) with malformed WPG
    image.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 06 Nov 2017 17:02:07 +0000

graphicsmagick (1.3.26-17) unstable; urgency=high

  * Fix CVE-2017-16353: heap read overflow vulnerability in DescribeImage() .
  * Fix CVE-2017-16352: heap-based buffer overflow vulnerability in
    DescribeImage() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 02 Nov 2017 05:57:25 +0000

graphicsmagick (1.3.26-16) unstable; urgency=high

  * Fix CVE-2017-15930: NULL pointer dereference while transferring JPEG
    scanlines (closes: #879999).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 28 Oct 2017 17:54:09 +0000

graphicsmagick (1.3.26-15) unstable; urgency=high

  * Fix CVE-2017-13737: invalid free in MagickFree() (closes: #878511).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 15 Oct 2017 20:03:26 +0000

graphicsmagick (1.3.26-14) unstable; urgency=high

  * Fix CVE-2017-15277: assure that global colormap is fully initialized in
    ReadGIFImage() .
  * Fix memory leak in WriteGIFImage() .
  * Fix CVE-2017-15238: use after free in ReadJNGImage() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 12 Oct 2017 18:50:19 +0000

graphicsmagick (1.3.26-13) unstable; urgency=high

  * Fix CVE-2017-14733: heap out of bounds read in ReadRLEImage() .
  * Fix CVE-2017-14994: NULL pointer dereference in DICOM Decoder.
  * Fix CVE-2017-14997: memory allocation error due to malformed image file.
  * Update Standards-Version to 4.1.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 04 Oct 2017 20:42:21 +0000

graphicsmagick (1.3.26-12) unstable; urgency=high

  * Update upstream changelog for CVE-2017-14103 .
  * Fix CVE-2017-14649: denial of service due to assertion failure in
    AcquireImagePixels() (closes: #876460).
  * Update Standards-Version to 4.1.0:
    - change graphicsmagick-dbg priority to optional.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 24 Sep 2017 08:14:32 +0000

graphicsmagick (1.3.26-11) unstable; urgency=high

  * Fix CVE-2017-14504: NULL pointer dereference triggered by malformed file.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 21 Sep 2017 16:22:42 +0000

graphicsmagick (1.3.26-10) unstable; urgency=high

  * Fix CVE-2017-14314: heap-based buffer over-read in DrawDashPolygon() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 17 Sep 2017 20:17:54 +0000

graphicsmagick (1.3.26-9) unstable; urgency=high

  * Fix CVE-2017-14165: remote denial of service due to memory allocation
    failure in magickmalloc (closes: #874724).
  * Fix CVE-2017-14042: memory allocation failure in MagickRealloc()
    (closes: #873538).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 09 Sep 2017 12:45:00 +0000

graphicsmagick (1.3.26-8) unstable; urgency=high

  * Fix CVE-2017-13775: denial of service issue in ReadJNXImage() .
  * Fix CVE-2017-13776 and CVE-2017-13777: denial of service issue in
    ReadXBMImage() .
  * Fix memory leak vulnerability in ReadJNGImage() which allow attackers to
    cause a denial of service via a crafted file.
  * Fix double-free after reading a malformed JNG.
  * Fix CVE-2017-14103: the ReadJNGImage() and ReadOneJNGImage() functions do
    not properly manage image pointers after certain error conditions, which
    allows remote use-after-free attacks via a crafted file, related to a
    ReadMNGImage() out-of-order CloseBlob() call. This vulnerability exists
    because of an incomplete fix for CVE-2017-11403 .
  * Fix CVE-2017-8350: crash while reading a malformed JNG file.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 04 Sep 2017 18:50:34 +0000

graphicsmagick (1.3.26-7) unstable; urgency=high

  * Fix CVE-2017-13063: heap-based buffer overflow vulnerability in the
    GetStyleTokens() function (closes: #873130).
  * Fix CVE-2017-13064: another heap-based buffer overflow vulnerability in
    the GetStyleTokens() function (closes: #873129).
  * Fix CVE-2017-13065: NULL pointer dereference vulnerability in the
    SVGStartElement() function (closes: #873119).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 24 Aug 2017 19:53:07 +0000

graphicsmagick (1.3.26-6) unstable; urgency=high

  * Fix CVE-2017-12935: invalid memory read in the SetImageColorCallBack()
    with large MNG images (closes: #872576).
  * Fix CVE-2017-12936: use-after-free issue for data associated with
    exception reporting in the ReadWMFImage() function (closes: #872575).
  * Fix CVE-2017-12937: colormap heap-based buffer over-read in the
    ReadSUNImage() function (closes: #872574).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 20 Aug 2017 12:46:53 +0000

graphicsmagick (1.3.26-5) unstable; urgency=medium

  * Handle mangling change for conversion operators in GCC 7 (closes: #871306).

  [ John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> ]
  * Honor 'nocheck' in DEB_BUILD_OPTIONS (closes: #842787).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 07 Aug 2017 19:25:42 +0000

graphicsmagick (1.3.26-4) unstable; urgency=high

  * Fix CVE-2017-11643: heap overflow in the WriteCMYKImage() function
    (closes: #870157).
  * Fix CVE-2017-11636: heap overflow in the WriteRGBImage() function
    (closes: #870149).
  * Fix CVE-2017-11638 and CVE-2017-11642: null pointer dereference or SEGV if
    input is not colormapped (closes: #870154, #870156).
  * Fix CVE-2017-11641: memory leak while writing Magick Persistent Cache
    format (closes: #870155).
  * Fix CVE-2017-11637: NULL pointer dereference in the WritePCLImage()
    function (closes: #870153).
  * Fix CVE-2017-11722:  denial of service via a crafted file
    (closes: #870158).
  * Remove autotools-dev and dh-autoreconf build dependencies.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 30 Jul 2017 18:47:55 +0000

graphicsmagick (1.3.26-3) unstable; urgency=high

  * Fix CVE-2017-11140: denial of service (resource consumption) via crafted
    JPEG files.
  * Fix apparent off-by-one error in MNG FRAM change_clipping processing.
  * Fix out-of-order CloseBlob() and DestroyImageList() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 12 Jul 2017 16:27:23 +0000

graphicsmagick (1.3.26-2) unstable; urgency=high

  * Fix CVE-2017-11102: remote denial of service during JNG reading via a
    zero-length color_image data structrure in ReadOneJNGImage (png.c)
    (closes: #867746).
  * Add new DestroyJNGInfo@Base and remove DestroyJNG@Base obsolete symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 08 Jul 2017 07:33:10 +0000

graphicsmagick (1.3.26-1) unstable; urgency=high

  * New upstream release, fixing the following security issues among others:
    - META: Fix heap overflow while parsing 8BIM chunk (CVE-2016-7800).
    - WPG: Fix heap overflow (CVE-2016-7996). Fix assertion crash
      (CVE-2016-7997).
    - PNG: Enforce spec requirement that the dimensions of the JPEG embedded
      in a JDAT chunk must match the JHDR dimensions (CVE-2016-9830).
    - TIFF: Fix out of bounds read when reading CMYKA TIFF which claims to
      have only 2 samples per pixel (CVE-2017-6335).
    - JNG: Fix memory leak when reading invalid JNG image (CVE-2017-8350).
    - TIFF: Fix out of bounds read when reading RGB TIFF which claims to have
      only 1 sample per pixel (CVE-2017-10794) (closes: #867085).
    - DPX: Fix excessive use of memory (DOS issue) due to file header claiming
      large image dimensions but insufficient backing data. (CVE-2017-10799)
      (closes: #867077).
    - MAT: Fix excessive use of memory (DOS issue) due to continuing
      processing with insufficient data and claimed large image size. Verify
      each file extent to make sure that it is within range of file size.
      (CVE-2017-10800) (closes: #867060).
  * Remove previously backported security patches.
  * Self-tests build hack no longer needed.
  * Update library symbols for this release.
  * Update Standards-Version to 4.0.0 and debhelper level to 10 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 05 Jul 2017 16:14:40 +0000

graphicsmagick (1.3.25-8) unstable; urgency=high

  * Backport security fix for out of bounds access when reading CMYKA tiff.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 24 Feb 2017 19:17:41 +0000

graphicsmagick (1.3.25-7) unstable; urgency=medium

  * Add hack to build self-tests on mips* architectures.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 25 Dec 2016 14:42:18 +0000

graphicsmagick (1.3.25-6) unstable; urgency=high

  * Fix CVE-2016-9830: memory allocation failure in MagickRealloc
    (closes: #847072).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 06 Dec 2016 17:45:52 +0000

graphicsmagick (1.3.25-5) unstable; urgency=high

  * Fix CVE-2016-8682: stack-based buffer overflow in ReadSCTImage (sct.c).
  * Fix CVE-2016-8683: memory allocation failure in ReadPCXImage (pcx.c).
  * Fix CVE-2016-8684: memory allocation failure in MagickMalloc (memory.c).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 18 Oct 2016 18:52:13 +0000

graphicsmagick (1.3.25-4) unstable; urgency=high

  * Fix CVE-2016-7997: correctly flip image->blob and rotated_image->blob.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 08 Oct 2016 18:54:05 +0000

graphicsmagick (1.3.25-3) unstable; urgency=high

  * Fix CVE-2016-7800: unsigned underflow leading to heap overflow when
    parsing 8BIM chunk.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 02 Oct 2016 20:20:45 +0000

graphicsmagick (1.3.25-2) unstable; urgency=medium

  * Compile magick/semaphore.c without optimization on ppc64el to prevent
    Perl self-test segfaults (closes: #837719).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 16 Sep 2016 14:25:47 +0000

graphicsmagick (1.3.25-1) unstable; urgency=high

  * New upstream release, with the following security updates:
    - fix heap overflow in EscapeParenthesis() used in the text annotation
      code,
    - Utah RLE: Reject truncated/absurd files which caused huge memory
      allocations and/or consumed huge CPU,
    - SVG/MVG: Fix another case of CVE-2016-2317 (heap buffer overflow) in
      the MVG rendering code (also impacts SVG),
    - TIFF: Fix heap buffer read overflow while copying sized TIFF attributes.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 06 Sep 2016 17:38:39 +0000

graphicsmagick (1.3.24+hg20160808-1) unstable; urgency=low

  * New upstream, Mercurial snapshot release.
  * Fixes DrawPrimitive() issue (closes: #829063).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 14 Aug 2016 14:24:32 +0000

graphicsmagick (1.3.24-2) unstable; urgency=low

  * Backport upstream fix for DrawPrimitive() (closes: #829063).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 28 Jul 2016 16:28:45 +0000

graphicsmagick (1.3.24-1) unstable; urgency=high

  * New upstream release, focusing on security fixes for the following image
    formats:
    - DIB: fix out of bound reads and add more header validations,
    - JNG: file size limits are enforced,
    - MATLAB: fix DoS and hang on corrupt deflate stream,
    - META (Embedded Image Profiles): fix out of bounds reads and writes,
    - MIFF (Magick): fix thrown assertion,
    - CVE-2016-3716: Magick Scripting Language file processing is not done by
      default but need to be prefixed with 'msl:',
    - Magick Vector Graphics file processing is not done by default but need
      to be prefixed with 'mvg:' and prevent head overflow problems,
    - PCX: fix unreasonable memory allocation due to intentionally corrupt
      file,
    - PDB: fix heap buffer overflow and out of bounds read,
    - PICT: fix out of bounds write,
    - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
      for safer execution,
    - PSD: fix segmentation violations, heap buffer overflows and out of
      bound writes,
    - RLE: fix out of bounds reads and writes,
    - ReadImages(): fix possible infinite recursion due to a crafted input
      file,
    - RotateImage(): fix thrown assertion,
    - SGI: fix out of bounds writes,
    - SUN: fix out of bounds reads and writes,
    - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
      overflows, as well as segmentation violations (closes: #814732);
      also fix endless loop, unexpectedly large memory allocation, divide by
      zero and recursion issues,
    - TIFF: fix assertion while reading and fix benign heap overflow,
    - VIFF: fix excessive memory allocation with intentonally corrupted
      input file,
    - XCF: fix heap buffer overflow,
    - XPM: fix several heap buffer overflows and out of bound reads/writes;
      also fix a case of excessive memory allocation,
    - CVE-2016-5118: popen() shell vulnerability via filename that contains
      '|', remove pipe support entirely (closes: #825800);
      file names starting with a '|' character are no longer interpreted as
      shell commands to be executed as input or output,
    - default.mgk file has been pared down in order to reduce security
      exposure,
    - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
      files is removed since the format is inherently insecure,
    - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
      the file since this seems dangerous,
    - CVE-2016-3718: sanity check the image file path or URL before passing
      it to ReadImage(),
    - fix several Coverity issues like dereference after null check, multiple
      resource leaks and logically dead code.
  * Update library symbols for this release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 30 May 2016 20:02:31 +0000

graphicsmagick (1.3.23-3) unstable; urgency=low

  * Remove JasPer JPEG-2000 codec support build dependency and remove its
    symbols from the libgraphicsmagick-q16-3 library (closes: #818199).
  * Update Standards-Version to 3.9.8 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 24 May 2016 19:26:58 +0000

graphicsmagick (1.3.23-2) unstable; urgency=low

  * Add previously transient gsfonts build dependency (closes: #815736).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 24 Feb 2016 18:36:00 +0100

graphicsmagick (1.3.23-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 08 Nov 2015 07:35:33 +0100

graphicsmagick (1.3.22-2) unstable; urgency=low

  * Transition libgraphicsmagick++-q16-11 to libgraphicsmagick++-q16-12
    (closes: #803958).
  * Conflict and replace version 1.3.22-1 of libgraphicsmagick++-q16-11 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 03 Nov 2015 23:39:25 +0100

graphicsmagick (1.3.22-1) unstable; urgency=low

  * New upstream release.
  * Update libgraphicsmagick-q16-3 symbols file.
  * Update watch file.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 23 Oct 2015 21:01:39 +0200

graphicsmagick (1.3.21-4) unstable; urgency=low

  * Change C library name to ending with -q16 for QuantumDepth=16 ABI change
    and compile shared library to include the QuantumDepth value
    (closes: #796310).
  * Remove breaks on pdf2djvu.
  * Make rebuildable (closes: #796307).

  [ Jakub Wilk <jwilk@debian.org> ]
  * Remove obsolete conflicts/replaces on libgraphicsmagick.
  * Version conflicts/replaces on libgraphicsmagick3.
  * No longer need to pass -l and -L switches to dh_shlibdeps.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 21 Sep 2015 18:10:49 +0200

graphicsmagick (1.3.21-3) unstable; urgency=medium

  * libgraphicsmagick++3 and libgraphicsmagick++11 are co-installable
    (closes: #795099).
  * libgraphicsmagick1-dev needs recent libgraphicsmagick++1-dev
    (closes: #795102).
  * Fix images symlink for development packages (closes: #795172).
  * libgraphicsmagick3 breaks old versions of pdf2djvu .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 11 Aug 2015 18:40:11 +0200

graphicsmagick (1.3.21-2) unstable; urgency=medium

  * Upload to unstable for GCC 5 transition.
  * Enable WebP support (closes: #789745).
  * Make rebuildable.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 08 Aug 2015 13:10:35 +0000

graphicsmagick (1.3.21-1) experimental; urgency=high

  * New upstream release, including many security fixes.
  * Start transition from libgraphicsmagick++3 to libgraphicsmagick++11 .
  * Update libgraphicsmagick3 symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 07 Mar 2015 13:10:07 +0000

graphicsmagick (1.3.20-4) experimental; urgency=low

  * Test build with QuantumDepth 16 (closes: #557879).
  * Update Standards-Version to 3.9.6 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 28 Jan 2015 17:56:41 +0000

graphicsmagick (1.3.20-3) unstable; urgency=medium

  * Use upstream fix for AnnotateImage() return value (closes: #759956).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 27 Sep 2014 07:37:31 +0000

graphicsmagick (1.3.20-2) unstable; urgency=medium

  * Change binary libtiff4-dev dependency to libtiff-dev as well
    (closes: #759595).
  * Version perl build dependency to 5.20 or later.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 28 Aug 2014 21:22:22 +0000

graphicsmagick (1.3.20-1) unstable; urgency=medium

  * New upstream release (closes: #710716).
  * Use GraphicsMagick-1.3.20-CVE-2014-1947.patch from Fedora to fix
    CVE-2014-1947.
  * Add homepage field.
  * Disable update_freetype.h_location.patch , upstream solved freetype
    detection.
  * Sync with Ubuntu.

  [ Matthias Klose <doko@ubuntu.com> ]
  * Build-depend/depend on libtiff-dev rather than libtiff4-dev.
  * Build-depend/depend on lcms2.
  * Build using dh-autoreconf.
  * Fix link error building the demo and test files.

  [ Bart Martens <bartm@debian.org> ]
  * Add watch file.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 23 Aug 2014 19:12:09 +0000

graphicsmagick (1.3.18-1) unstable; urgency=high

  * New upstream release, fixing CVE-2013-4589 (closes: #729661).
  * New maintainer (closes: #731915).

  [ Cyril Brulebois <kibi@debian.org> ]
  * Fix FTBFS due to perl test failures (in t/ps/read.t) (closes: #732406).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 11 Dec 2013 13:09:16 +0000

graphicsmagick (1.3.16-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Fix libtool on Hurd. (Closes: #724821)

 -- Pino Toscano <pino@debian.org>  Sat, 28 Sep 2013 12:22:30 +0200

graphicsmagick (1.3.16-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * [SECURITY] Fix "CVE-2012-3438": apply patch from upstream repo:
    http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
    "coders/png.c: Some typecasts were inconsistent with libpng-1.4 and
    later."
    (Closes: #683284)

 -- gregor herrmann <gregoa@debian.org>  Sat, 18 Aug 2012 15:08:57 +0200

graphicsmagick (1.3.16-1) unstable; urgency=low

  * New upstream version 1.3.16.
    + Includes build fix for Perl 5.16.
  * debian/libgraphicsmagick3.symbols: Add symbol from new upstream
    release.

 -- Daniel Kobras <kobras@debian.org>  Mon, 25 Jun 2012 20:50:44 +0200

graphicsmagick (1.3.15-1) unstable; urgency=low

  * New upstream release 1.3.15. Closes: #672982
    + Fixes crash in psiconv. Closes: #611260
  * debian/control: Change (Build-)Depends from libpng12-dev to
    libpng-dev. Closes: #662359
  * debian/control: Add (Build-)Depends on libjbig-dev. Closes: #669947
  * debian/libgraphicsmagick3.symbols: Add symbols from new upstream
    release.
  * PerlMagick/MANIFEST, PerlMagick/typemap: Add build fix for Perl 5.16,
    cherry-picked from upstream VCS. Closes: #676265

 -- Daniel Kobras <kobras@debian.org>  Mon, 11 Jun 2012 20:49:01 +0200

graphicsmagick (1.3.12-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * {Build-,}Depend on libjpeg-dev, not libjpeg62-dev (closes: #629966,
    #633941)

 -- Julien Cristau <jcristau@debian.org>  Mon, 25 Jul 2011 19:56:29 +0200

graphicsmagick (1.3.12-1) unstable; urgency=low

  * New upstream version 1.3.12.
    + Fixes writing to standard output. Closes: #571719
  * magick/effect.c: Disable OpenMP threading on Sparc for MedianFilterImage()
    and ReduceNoiseImage() as it seems to cause eccessively long runtimes.
    Should prevent build failures due to the testsuite timing out on the
    Sparc buildds. Advice from upstream.

 -- Daniel Kobras <kobras@debian.org>  Mon, 08 Mar 2010 22:05:19 +0100

graphicsmagick (1.3.11-1) unstable; urgency=low

  * New upstream version 1.3.11.
    + Merges or supersedes most Debian-specific patches, apart from
      Hurd PATH_MAX fix, added DPS stubs, and tweaks to
      GraphicsMagick-config.
    + Fixes display option -update to work without -delay. Closes: #414779
    + Adjusts selection of output file when option -adjoin is given.
      Closes: #552998
    + No longer crashes when a convolution operation has failed.
      Closes: #539251
    + Fixes conversion of transparent images to XPM. Closes: #560232
  * debian/control: Package compiles with version 3.8.4 of Debian policy.
  * debian/control: Add debhelper substitution variable misc:Depends to
    all Depends lines to placate lintian.
  * debian/copyright: Resync with Copyright.txt and www/authors.rst from
    upstream distribution.
  * debian/libgraphicsmagick3.symbols: Add two new symbols in 1.3.11.
  * debian/rules: Add logfile output if testsuite has failed.

 -- Daniel Kobras <kobras@debian.org>  Mon, 22 Feb 2010 19:33:44 +0100

graphicsmagick (1.3.8-1) unstable; urgency=low

  * New upstream version 1.3.8.
  * magick/image.c, magick/studio.h: Revert an upstream change that defined
    four global string constants as macros, causing an involuntary ABI
    change.
  * magick/static.c: Add stub definitions for registration functions of
    DPS module to ensure a stable ABI.
  * magick/xwindow.c: Debian-specific patch for CVE-2009-1882 superseded
    with upstream change.
  * debian/control: Complies with version 3.8.3 of Debian policy.
  * debian/control: Build-depend on package hardening-includes.
  * debian/libgraphicsmagick3.symbols: Add 65 new symbols in 1.3.8.
  * debian/rules: Replace homebrew hardening flags with generic version
    imported from hardening-includes.
  * debian/rules: Perl binding is no longer built by default. Adjust make
    calls.

 -- Daniel Kobras <kobras@debian.org>  Fri, 29 Jan 2010 00:52:41 +0100

graphicsmagick (1.3.5-6) unstable; urgency=high

  * debian/control: Build-depend on libltdl-dev to link with system-wide
    library. Avoid security bug in included convenience copy. (CVE-2009-3736)
    Closes: #559811
  * debian/control: Include libltdl-dev as a dependency to
    libgraphicsmagick3-dev.
  * debian/libgraphicsmagick3.symbols: Remove ltdl symbols that now get
    pulled in via a library dependency. Closes: #533410

 -- Daniel Kobras <kobras@debian.org>  Thu, 10 Dec 2009 22:00:16 +0100

graphicsmagick (1.3.5-5.2) unstable; urgency=low

  * Non-maintainer upload.
  * Applied patch to fix FTBFS on hurd-i386, by Barry deFreese and Samuel
    Thibault. Closes: #533513.

 -- Michael Banck <mbanck@debian.org>  Mon, 28 Sep 2009 23:02:18 +0200

graphicsmagick (1.3.5-5.1) unstable; urgency=high

  * Non-maintainer upload.
  * Fixed integer overflow in XMakeImage function in xwindow.c
    (Closes: #530946) (CVE-2009-1882)

 -- Giuseppe Iuculano <giuseppe@iuculano.it>  Thu, 10 Sep 2009 19:08:13 +0200

graphicsmagick (1.3.5-5) unstable; urgency=high

  * debian/control: Update Conflicts/Replaces of -dev-compat package to
    follow libmagick-dev package split. Closes: #526482
  * magick/GraphicsMagick-config.{in,1}: Do not expose compiler options
    used to build the library itself via GraphicsMagick-config. Only
    provide options that are actually useful to depending applications.
    Adjust documentation accordingly. Closes: #523596

 -- Daniel Kobras <kobras@debian.org>  Thu, 07 May 2009 20:09:28 +0200

graphicsmagick (1.3.5-4) unstable; urgency=low

  * debian/libgraphicsmagick++3.symbols*: Maintaining symbols files
    for a C++ ABI does not appear to be a good idea at present as
    arch- and optimisation-dependent symbols from instantiated standard
    templates tend to slip in. Turn off generation of symbols files
    for the C++ bindings, but keep respective files with suffix
    ".disabled" for potential later re-use. As a side-effect, this
    change also fixes the build failures on i386 and armel.
    Closes: #522706
  * debian/control: graphicsmagick-dbg has been moved to section debug.
    Adapt control file accordingly.

 -- Daniel Kobras <kobras@debian.org>  Wed, 08 Apr 2009 19:37:57 +0200

graphicsmagick (1.3.5-3) unstable; urgency=low

  * debian/rules: On some archs, -z relro has to be passed explicitly
    as a linker option to gcc.
  * debian/libgraphicsmagick++3.symbols.*.in: Strip Debian revision
    that slipped into some symbol versions.

 -- Daniel Kobras <kobras@debian.org>  Thu, 02 Apr 2009 21:51:06 +0200

graphicsmagick (1.3.5-2) unstable; urgency=low

  * debian/changelog: Previous upload ended up in unstable by mistake.
    Correct distribution field in changelog entry accordingly.
  * debian/libgraphicsmagick++3.symbols*: Handle architecture-dependent
    differences in exported symbols of C++ bindings.
  * debian/rules: Restrict hardening options to OS/architecture combinations
    where they actually work.

 -- Daniel Kobras <kobras@debian.org>  Tue, 31 Mar 2009 18:00:49 +0200

graphicsmagick (1.3.5-1) unstable; urgency=low

  * New upstream version 1.3.5. Closes: #516909
    + SONAME versions of C and C++ shared libraries change from 2 to 3.
  * magick/command.c: Avoid double free() error when calling
    "gm import" with option "-frame". Closes: #506473
  * utilities/gm.1: Quote one more single tick in gm(1) man page. Thanks
    to Vincent Mauge.
  * debian/changelog: Add information about security problems fixed in
    1.2.4 upstream release to previous changelog entry.
  * debian/control: Adjust for SONAME changes.
  * debian/control: Remove obsolete alternative dependencies on x-dev and
    gs.
  * debian/copyright: Updated list of authors in line with
    www/authors.html
  * debian/graphicsmagick.docs: Most documentation has moved below www
    and doesn't have to be installed separately. Trim file list
    accordingly.
  * debian/graphicsmagick.install: images subdirectory has moved below
    www, so doesn't have to be installed separately.
  * debian/libgraphicsmagick{,++}2.install: Renamed to
    libgraphicsmagick{,++}3.install.
  * debian/libgraphicsmagick{,_++}3.symbols: Add list of current library
    symbols for C and C++ bindings.
  * debian/rules: Adjust for SONAME changes.
  * debian/rules: Make use of improved security features in gcc and ld,
    unless DEB_BUILD_OPTIONS contain the "noharden" keyword.
  * debian/rules: Packages comply with version 3.8.1 of Debian policy.

 -- Daniel Kobras <kobras@debian.org>  Sun, 29 Mar 2009 18:23:02 +0200

graphicsmagick (1.2.4-1) experimental; urgency=low

  * New upstream version 1.2.4.
    + Fixes DoS vulnerabilities in various coders (CVE-2008-3134).
      Closes: #491439
  * debian/control: Add build-time dependencies on libsm-dev, libice-dev,
    and libxext-dev as required by AC_PATH_XTRA autoconf macro. Also add
    the above as dependencies to libgraphicsmagick1-dev for consistency
    with output of (deprecated) script GraphicsMagick-config. Thanks to
    Simon McVittie for the initial fix. Closes: #486985

 -- Daniel Kobras <kobras@debian.org>  Sun, 06 Jul 2008 19:55:04 +0200

graphicsmagick (1.2.3-1) experimental; urgency=low

  * New upstream version 1.2.3.
    + Includes remaining fixes for all reported lower-impact
      denial-of-service problems in several coders. Closes: #414370
  * debian/rules: Disable workaround for arm stack overflow in drawtest as
    toolchains problems appear to be fixed.
  * debian/rules: Explicitly configure desired docdir.

 -- Daniel Kobras <kobras@debian.org>  Sun, 22 Jun 2008 15:06:52 +0200

graphicsmagick (1.2.1-1) experimental; urgency=low

  * New upstream version 1.2.1.
    + Binary interface is incompatible with 1.1.x releases, library
      SONAME has been changed accordingly.
    + Includes fix for missing cstring include in Geometry.cpp,
      Debian-specific patch dropped.
    + Implements different method to avoid failures of WMF testsuite due
      to rendering changes in libwmf, Debian-specific patch dropped.
  * debian/control, debian/rules: Bump SONAME version of library packages
    from 1 to 2. -dev package names remain unchanged.
  * debian/copyright: Update from upstream's Copyright.txt and AUTHORS.txt.
  * debian/graphicsmagick.docs: Update to current list of documentation
    provided in upstream release.

 -- Daniel Kobras <kobras@debian.org>  Fri, 09 May 2008 16:15:24 +0200

graphicsmagick (1.1.11-3) unstable; urgency=high

  * debian/control, debian/rules: Some of the PS-related testsuites still
    fail if gs is not present. Revert build-conflicts hack and temporarily
    ignore all testsuite failures on hppa and sparc, instead.

 -- Daniel Kobras <kobras@debian.org>  Sun, 27 Apr 2008 17:06:18 +0200

graphicsmagick (1.1.11-2) unstable; urgency=high

  * debian/control: ImageMagick's -dev packages have stopped providing
    virtual, unversioned aliases, recently. Add explicit Conflicts and
    Replaces on the versioned package names libmagick9-dev and
    libmagick++9-dev in the -compat-dev package. Closes: #476584
  * debian/control: Replace obsolete package name gs-gpl with its
    successor ghostscript.
  * debian/control: Build-conflict with ghostscript on hppa and sparc to
    work around a long-standing ghostscript bug that causes our build to
    fail. Postscript support is still present on all archs, but PS-specific
    tests are skipped at build time on hppa and sparc. Closes: #475685

 -- Daniel Kobras <kobras@debian.org>  Mon, 21 Apr 2008 21:38:33 +0200

graphicsmagick (1.1.11-1) unstable; urgency=medium

  * New upstream version, containing multiple security fixes. Closes: #444266
    + Fixes denial-of-service via malicious DCM and XCF files. (CVE-2007-4985)
    + Fixes integer overflows in multiple coders. (CVE-2007-4986)
    + Fixes sign extension error when reading DIB images. (CVE-2007-4988)
    + For reference, GraphicsMagick was not affected by an off-by-one error
      in ImageMagick's ReadBlobString() function. (CVE-2007-4987)
  * Magick++/lib/Geometry.cpp: Add missing cstring include to fix build with
    gcc 4.3. Closes: #462113
  * utilities/gm.1: Fix formatting errors in man page gm(1).
  * debian/control: Packages comply with version 3.7.3 of Debian policy.
  * debian/graphicsmagick.menu: Move section of gm utility from obsolete
    section 'Apps' to current 'Applications'.

 -- Daniel Kobras <kobras@debian.org>  Tue, 26 Feb 2008 21:33:02 +0100

graphicsmagick (1.1.10-1) unstable; urgency=low

  * New upstream version.

 -- Daniel Kobras <kobras@debian.org>  Thu, 20 Sep 2007 00:14:37 +0200

graphicsmagick (1.1.8-1) unstable; urgency=medium

  * New upstream version.
    Merges or supersedes all previously applied patches outside debian/,
    except for changes to ttf testsuite.
  * PerlMagick/t/{ttf,wmf}/read.t: Rendered quality changes depending on
    improvements in external libs in these testcases, so run them to
    gather information, but don't expect them to succeed. Closes: #434343
  * debian/control: Replace ${Source-Version} substitutions with new
    syntax ${binary:Version}.
  * debian/rules: Don't ignore any error from 'make distclean' to keep
    lintian happy.
  * debian/rules: Include generic code snippet to update binary reference
    images for testsuite. Clean up after build. Closes: #424370
  * debian/reference-new/PerlMagick/t/reference/*: Move updated WMF reference
    image to new location, and include updated TTF reference images due to
    changes in rendering with recent freetype.

 -- Daniel Kobras <kobras@debian.org>  Sun, 05 Aug 2007 13:17:58 +0200

graphicsmagick (1.1.7-15) unstable; urgency=high

  * coders/dcm.c: Fix integer overflow in DCM coder. (CVE-2007-1797)
  * coders/xwd.c: Fix integer overflows in XWD coder. (CVE-2007-1797)
  * debian/changelog: Document recently assigned CVE id for xwd overflow
    in previous entry to avoid confusion with the new fixes above.
  * debian/control: Remove dependencies on obsolete version of libjasper-dev.
    Closes: #422379
  * Magick++/lib/Image.cpp: Include missing header file to fix build
    failure with gcc 4.3. Patch thanks to Martin Michlmayr.
    Closes: #417218

 -- Daniel Kobras <kobras@debian.org>  Sun,  6 May 2007 11:39:10 +0200

graphicsmagick (1.1.7-14) unstable; urgency=high

  * magick/image.c: Fix heap overflow in GrayscalePseudoClassImage() on
    64bit architectures. (Turned up by Sami Liedes' segv2.viff test case.)
    Closes: #418052, #416096
  * magick/utility.h: Avoid double free() when calling MagickReallocMemory()
    with zero size argument. (Triggered by Sami Liedes' segv2.viff test case.)
    Closes: #418053
  * coders/tiff.c: Fix segfault with certain TIFF images on amd64 due to
    va_list reusal in bogus duplicate vsprintf() call. Thanks to Kurt
    Roeckx for the fix. Closes: #415467
  * coders/viff.c: Add sanity check to prevent heap overflow reading corrupt
    viff images. (Triggered by Sami Liedes' segv.viff test case.)
    Closes: #418054
  * coders/xwd.c: Fix integer overflow in XWD coders. (Triggered by Sami
    Liedes' broken.xwd test case.) Original patch thanks to Larry
    Doolittle. (CVE-2007-1667) Closes: #417862

 -- Daniel Kobras <kobras@debian.org>  Fri,  6 Apr 2007 17:50:35 +0200

graphicsmagick (1.1.7-13) unstable; urgency=high

  * The following problems were found thanks to numerous testcases provided
    by Sami Liedes:
    + coders/pcx.c: Fix heap overflow vulnerability of scanline array
      with user-supplied input. Closes: #413034
      Also adds error checks and caps maximum number of colours to prevent
      segfaults with further testcases. Closes: #414058
    + coders/pict.c: Fix integer overflow to prevent overflowing a
      heap buffer with user-supplied input. Closes: #413036
      Validate header information to prevent segfaults with further
      testcases. Closes: #414059
    + coders/xwd.c: Check image data more strictly before passing it on to
      XGetPixel() to circumvent buffer overflow in libX11. Closes: #413040
    + Fix various segfaults with corrupt image data due to insufficient
      validation of return values from SeekBlob(). None of these are
      currently known to allow code injection.
      - coders/bmp.c: Add error checks to SeekBlob() calls. Closes: #413031
      - coders/cineon.c: Likewise. Closes: #413038
      - coders/icon.c: Likewise. Closes: #413032
                       Extend validation checks to prevent segfaults with
                       further testcases. Closes: #414057
      - magick/blob.c: Increase robustness of function ReadBlobStream() to
        mitigate the impact of missing error checks on SeekBlob() calls.
    + coders/png.c: Fix NULL pointer dereference due to insufficient
      validation of image data. Closes: #413035
    + coders/pnm.c: Fix segfault on out-of-bounds read access due to
      insufficient validation of image data. Closes: #413037
    + coders/sun.c: Fix segfaults on out-of-bounds read access due to
      insufficient validation of image data. Closes: #413039
  * utilities/miff.4: Trim name section of man page, and move overlong
    line to description. Closes: #390501
  * debian/graphicsmagick.menu: Show logo on startup from menu, rather
    than quitting immediately. Thanks Justin B. Rye. Closes: #407464

 -- Daniel Kobras <kobras@debian.org>  Sat, 10 Mar 2007 23:52:50 +0100

graphicsmagick (1.1.7-12) unstable; urgency=high

  * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
    Avoid bogus second read in macro call. Patch thanks to Vladimir
    Nadvornik. (CVE-2007-0770)

 -- Daniel Kobras <kobras@debian.org>  Sat, 10 Feb 2007 15:50:53 +0100

graphicsmagick (1.1.7-11) unstable; urgency=medium

  * config/delegates.mgk.in: Lose obsolete option -2 when calling dcraw
    delegate. Fixes support for raw image data from digital cameras.
    Closes: #405960

 -- Daniel Kobras <kobras@debian.org>  Sun,  7 Jan 2007 17:59:16 +0100

graphicsmagick (1.1.7-10) unstable; urgency=high

  * coders/png.c: Fix syntax errors in asm controlling code of PNG
    coder.
  * debian/changelog: Add recently assigned CVE references to security
    fixes in previous changelog entry.
  * debian/control: Recommend package gsfonts that provides the fonts
    referenced in the default type map.
  * debian/control: Adjust (build-)dependencies as x-dev package was
    superseded by x11proto-core-dev. Closes: #397770
  * debian/Magick.pm: Fix typo in POD section.

 -- Daniel Kobras <kobras@debian.org>  Wed, 13 Dec 2006 19:38:31 +0100

graphicsmagick (1.1.7-9) unstable; urgency=high

  * coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
    (CVE-2006-5456)
  * coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas
    Pihlaja. (CVE-2006-5456)

 -- Daniel Kobras <kobras@debian.org>  Fri, 29 Sep 2006 15:52:41 +0200

graphicsmagick (1.1.7-8) unstable; urgency=high

  * coders/xcf.c: Fix buffer overflow in XCF coder (CVE-2006-3743).
  * It seems I've fixed the vulnerabilities described in CVE-2006-3744
    (coders/sgi.c) independently in the previous upload already while
    the original report had been embargoed.

 -- Daniel Kobras <kobras@debian.org>  Wed,  6 Sep 2006 18:24:36 +0200

graphicsmagick (1.1.7-7) unstable; urgency=high

  * coders/sgi.c: Fix multiple heap overflow vulnerabilities in SGI coder
    due to
    + missing boundary checks in SGIDecode();
    + missing validation of pixel depth field;
    + integer overflow via large columns and rows fields (CVE-2006-4144)
      Closes: #383333
    + missing validation of chunk size fields (variable 'runlength') in
      run-length encoded images.
  * coders/sgi.c: Check for bogus values of 'bytes_per_pixel' and 'depth'.
  * coders/sgi.c: Fix calculation of internal depth value.

 -- Daniel Kobras <kobras@debian.org>  Fri, 18 Aug 2006 11:50:42 +0200

graphicsmagick (1.1.7-6) unstable; urgency=low

  * debian/compat: Bump debhelper compatibility level to 5.
  * debian/control: Build-depend on debhelper version 5 and up.
  * debian/control: Remove redundant Build-Depends-Indep.
  * debian/control: Add new package graphicsmagick-dbg containing debugging
    symbols for all language bindings and the main executable.
  * debian/control: Suggest debugging package where appropriate.
  * debian/control: Build-depend on sharutils for uudecode.
  * debian/control: Version build-dependency on libwmf-dev. Earlier versions
    will fail the testsuite.
  * debian/libgraphicsmagick++1.install: There is no libGraphicsMagickWand++,
    so don't try to install it.
  * debian/libgraphicsmagick{,++}1-dev.install: Remove .la files as long as
    nobody's using them.
  * debian/rules: Give in and disable strict aliasing for the moment until
    we get fixes for all instances that currently break the rules.
  * debian/rules: Place all debugging symbols into graphicsmagick-dbg.
  * debian/rules: New libwmf yields better image quality than old reference
    image in regression test. We cannot patch the binary image directly in
    the Debian diff, so add uudecode magic to check and clean targets.
  * debian/ski.miff.uu: Updated version of reference image in WMF regression
    test. Uuencoded to fit into the Debian diff.
  * magick/cache.c: Include definition of HAVE_PREAD before checking its
    value. Now really pulls in proper declarations of pread() and pwrite().

 -- Daniel Kobras <kobras@debian.org>  Tue,  1 Aug 2006 14:00:30 +0200

graphicsmagick (1.1.7-5) unstable; urgency=low

  * coders/wpg.c: Fix segfault in WPG decoder. Closes: #366191
  * debian/control: Fix typo 'thumnails' in package description.
    Closes: #363623
  * debian/control: Prefer real package zlib1g-dev over virtual libz-dev
    in (build-)dependencies.
  * debian/control: Add (build-)dependency on libjasper-1.701-dev to
    support JPEG2000 images.
  * debian/rules: Change X11 directories from /usr/X11R6/{include,lib} to
    /usr/{include,lib}/X11.
  * debian/control: X11 change makes package comply with policy 3.7.2.
    Bump Standards-Version accordingly.

 -- Daniel Kobras <kobras@debian.org>  Sat,  6 May 2006 16:28:08 +0200

graphicsmagick (1.1.7-4) unstable; urgency=low

  * debian/rules: Lower optimisation level on magick/draw.c and
    wand/drawing_wand.c on arm to work around a compiler issue
    when calling variadic functions. Fixes crashes of the test suite
    on arm.

 -- Daniel Kobras <kobras@debian.org>  Tue, 28 Mar 2006 21:49:16 +0200

graphicsmagick (1.1.7-3) unstable; urgency=low

  * debian/control: Replace pre-etch versions of imagemagick to prevent
    file conflicts with miff.4 and quantize.5 man pages during partial
    upgrade. Closes: #351262
  * tests/drawtest.c: Make sure filename strings do not run out of bounds.
  * magick/cache.c: Define as _XOPEN_SOURCE to pull in declarations for
    Unix98 extensions pread() and pwrite().
  * magick/montage.c: Fix bogus modulation of brightness when creating
    shadows around tiles in montage. Instead, drop constant grey shadow
    like current ImageMagick.
  * PerlMagick/t/montage.t: Update reference signatures for montage test
    cases with shadow according to above change.

 -- Daniel Kobras <kobras@debian.org>  Sun,  5 Feb 2006 21:57:14 +0100

graphicsmagick (1.1.7-2) unstable; urgency=low

  * magick/tempfile.c: Canonify relative paths before referring to
    them in a symlink.
  * debian/control: Add transfig to build dependencies for xfig regression
    test.
  * debian/control: Recommend gs in libgraphicsmagick1 package as it's a
    commonly used delegate.

 -- Daniel Kobras <kobras@debian.org>  Thu, 12 Jan 2006 12:32:11 +0100

graphicsmagick (1.1.7-1) unstable; urgency=low

  * First upload to official Debian archives. Closes: #345017
  * New upstream version.
  * debian/*: Major overhaul to comply with packaging standards. Apart
    from the changelog, few lines have survived the clean-up. Still, we
    try to ensure smooth upgrade from the previous, unofficial packages.
    Most notable packaging changes:
    + Names of library packages are properly versioned.
    + Name of compatibility package expanded to -imagemagick-compat.
    + Removed compatibility shell script, and replaced with simple
      symlinks to gm. Extra functionality from wrapper was only required
      by old versions of typo3 according to previous maintainers.
    + New compatibility package -libmagick-dev-compat providing wrappers
      for package development.
    + Build separate packages for C++ library.
    + Drop separate -doc package.
    + More verbose package descriptions.
    + Run test suite at build time.
    + Disable support for obsolete libdps. Build-depend on ghostscript
      instead for ps/pdf regression tests.
    + New maintainer.
  * PerlMagick/t/ttf/read.t: Disabled ttf testcase that is known to fail
    because of problems with special characters.
  * magick/{blob.c,command.c,image.c,log.c,utility.c,utility.h}:
    FormatString() was called with unsanitized user input. Introduced
    new helper function FormatStringNumeric() to allow a single numeric
    format expansion. (This is a more complete fix for CAN-2005-0397
    reported against ImageMagick.)
  * magick/attribute.c: Apply missing piece of fix for heap overflow in
    EXIF parser from ImageMagick patch. (CAN-2004-0981)
  * configure.ac, configure: Fix typo that lead to an undefined delegate
    for HTML conversion.
  * magick/constitute.c: Apply upstream fix for potential NULL pointer
    dereference in ReadImage().
  * magick/{delegate.c,symbols.h,tempfile.h,tempfile.c}: When calling
    external delegates, check filename against whitelist of safe
    characters, and pass securely named symlink to delegate if check fails.
    (CVE-2005-4601)

 -- Daniel Kobras <kobras@debian.org>  Mon,  9 Jan 2006 22:19:07 +0100

graphicsmagick (1.1.6-3) unstable; urgency=low

  * Added colors.mgk to libgraphicsmagick

 -- Michael Stucki <michael@typo3.org>  Sun, 15 May 2005 22:15:02 +0200

graphicsmagick (1.1.6-2) unstable; urgency=low

  * changed value for MagickLibSubdir and MagickShareSubdir in configure.ac
  * changed value for includedir in Makefile.am in
    - magick/Makefile.am
    - Magick++/lib/Magick++/Makefile.am
    - Magick++/lib/Makefile.am
    - wand/Makefile.am

 -- Michael Stucki <michael@typo3.org>  Sun, 15 May 2005 15:00:48 +0200

graphicsmagick (1.1.6-1) unstable; urgency=low

  * New upstream release

 -- Michael Stucki <michael@typo3.org>  Sun, 15 May 2005 04:48:06 +0200

graphicsmagick (1.1.2-5) unstable; urgency=low

  * Backport on Debian Sarge
  * Fixed a bug in -im-compat
  * Renamed gm-wrapper to graphicsmagick_wrapper

 -- Michael Stucki <mundaun@gmx.ch>  Thu, 12 Aug 2004 00:55:27 +0200

graphicsmagick (1.1.2-4) unstable; urgency=low

  * Fixed package -im-compat, shell-script was not executable

 -- Sven Wilhelm <wilhelm@icecrash.com>  Fri,  6 Aug 2004 19:56:38 +0200

graphicsmagick (1.1.2-3) unstable; urgency=low

  * Added wrapper script for im compatibility
  * Fixed descriptions in control file
  * Changed to library libtiff4

 -- Sven Wilhelm <wilhelm@icecrash.com>  Fri,  6 Aug 2004 16:01:43 +0200

graphicsmagick (1.1.2-2) unstable; urgency=low

  * Fixed missing *.mgk files
  * -doc package now has its content

 -- Sven Wilhelm <wilhelm@icecrash.com>  Fri,  6 Aug 2004 14:34:33 +0200

graphicsmagick (1.1.2-1) unstable; urgency=low

  * Initial Release.
  * changed value for MagickLibSubdir in configure.ac
  * changed value for includedir in Makefile.am in
    - magick/Makefile.am
    - Magick++/lib/Magick++/Makefile.am
    - Magick++/lib/Makefile.am
    - wand/Makefile.am

 -- Sven Wilhelm <wilhelm@icecrash.com>  Mon,  7 Jun 2004 02:23:06 +0200