Updated GraphicsMagick to 1.3.24.

1.3.24 (May 30, 2016)
==========================

.. _`GCC bug 53967` : http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53967

Special Issues:

* A shell exploit (CVE-2016-5118) was discovered associated with a
  filename syntax where file names starting with '|' are intepreted as
  shell commands executed via popen().  Insufficient sanitization in
  the SVG and MVG renderers allows such filenames to be passed through
  from potentially untrusted files.  There might be other ways for
  untrusted inputs to produce such filenames.  Due to this issue,
  support for the feature is removed entirely.

* A shell exploit was discovered associated with the gnuplot delegate
  and which is triggered by the 'gplt' entry in delegates.mgk.  A
  remote exploit is possible if the attacker can cause a provided SVG
  or MVG file to be rendered (or the user opens a provided file).  The
  gnuplot program must be installed in order for the exploit to be
  successful.  It is strongly recommended to remove this entry in all
  delegates.mgk files.

* Due to `GCC bug 53967`_, several key agorithms (e.g. convolution)
  may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is
  enabled for floating point math (`-mfpmath=sse`) if the GCC option
  `-frename-registers` is used. Default 32-bit builds do not
  experience the problem since they use '387 math.  It is not clear in
  what version of GCC this problem started but it was not noticed by
  the developers until the GCC 4.6 timeframe.  Other compilers do not
  suffer from this bug.  Please lobby the GCC project to fix this
  embarrassing performance bug.

Security Fixes:

* BLOB: Remove support for reading input from a shell command, or
  writing output to a shell command, by prefixing the specified
  filename (containing the command) with a '|'.  This feature provided
  a remote shell execution opportunity.

* DIB: Fixed out of bounds reads.  Added more header validations.

* JNG: File size limits are enforced.

* MAT: Fixed denial of service opportunity.  Fix hang on corrupt deflate stream.

* META: Fixed out of bounds reads and writes.

* MIFF: Fixed thrown assertion.

* MSL: Ignore the file extension on MSL files.  It is necessary to add
  a "msl:" prefix to MSL files to read the as an image.

* MVG: No longer assume that files ending with extension ".mvg" are
  MVG files.  MVG parsing does more validity checking on its input.
  Assure that enough PrimitiveInfo structures are allocated in advance
  to support a given vector path (heap overflow problem).

* PCX: Fixed unreasonable memory allocation due to intentionally
  corrupt file.

* PDB: Fixed a heap buffer overflow and out of bounds read.

* PICT: Fixed an out of bounds write.

* PS: Ghostscript is now always run with -dSAFER for safer execution.

* PSD: Fixed segmentation violations, heap buffer overflows, and out
  of bounds writes.

* RLE: Fixed out of bounds reads and writes.

* ReadImages(): Fixed a possible infinite recursion due to a crafted input file.

* RotateImage(): Fixed thrown assertion.

* SGI: Fixed out of bounds writes.

* SUN: Fixed out of bounds reads and writes.

* SVG: Fixed heap and stack buffer overflows, as well as segmentation
  violations (CVE-2016-2317 and CVE-2016-2318).  Also fixed endless
  loop, unexpectedly large memory allocation, divide by zero, and
  recursion issues.

* TIFF: Fixed an assertion while reading.  Fixed benign heap overflow.

* TMP: Adding a "tmp:" prefix to a filename no longer removes the file
  since this seems dangerous.

* VIFF: Fix excessive memory allocation with intentionally corrupted input file.

* XCF: Fixed a heap buffer overflow.

* XPM: Fixed several heap buffer overflows, and out of bound
  reads/writes.  Also fixed a case of excessive memory allocation.

* delegate.mgk: The default delegate.mgk file has been pared down in
  order to reduce security exposure.

* gnuplot ('gplt' delegate in delegates.mgk): Support for rendering
  gnuplot files is removed since the format is inherently insecure.

* File names: File names starting with a '|' character are no longer
  interpreted as shell commands to be executed as input or output.

Bug fixes:

* BMP: Fix reading 24-bit Microsoft BMP which claims to have a
  colormap.

* FILE: `file://` URLs are properly supported now (they never worked
  before).

* JP2: It is now possible to write lossless JPEG 2000 "JP2" format.

* SVG: Support font-size "medium".

New Features:

* Blob I/O C APIs: Added signed versions of short and long Read/Write
  functions.

* FILE: `file://` URLs are properly supported now (they never worked
  before).

* MAT: Matlab V4 is now partially supported.

* Magick++: Added double-precision xResolution() and yResolution()
  methods to support setting the horizontal and vertical resolution
  with double floating point precision.

* Mogrify now supports a -preserve-timestamp option to preserve file
  access and modification timestamps.

Feature improvements:

Windows Delegate Updates/Additions:

* Updated bundled libpng to release 1.6.19.

* Updated bundled libwebp to release 0.4.4.

* Update bundled libxml2 to release 2.9.3.

* Update bundled freetype to release 2.6.2.

Build Changes:

* Added ``--enable-broken-coders`` configure option to enable file
  format support which may be broken or cause security issues.  The
  PSD format is now classified as "broken" (until it is fixed).

Behavior Changes:

* PSD format is not included in the build by default.

* Files ending with ".mvg" and ".msl" are not assumed to be image
  files by default.

* File names starting with '|' are no longer treated as shell
  commands.

* Gnuplot and POV delegate support is removed from the default
  delegate.mgk file.


(wiz)