From: Simon McVittie <smcv@debian.org>
Date: Wed, 4 May 2016 07:52:40 +0000 (+0100)
Subject: Update img plugin to version 3.20160506
X-Git-Tag: debian/3.20120629.2+deb7u2~46
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/b84854289f508404f15612328b89ad0627569f49?hp=b84854289f508404f15612328b89ad0627569f49

Update img plugin to version 3.20160506

* Update img plugin to version 3.20160506 to mitigate ImageMagick
  vulnerabilities, including remote code execution (CVE-2016-3714):
  - Never convert SVG images to PNG; simply pass them through to the
    browser. This prevents exploitation of any ImageMagick SVG coder
    vulnerabilities. (joeyh)
  - Do not resize image formats other than JPEG, PNG, GIF unless
    specifically configured to do so. This prevents exploitation
    of any vulnerabilities in less common coders, such as MVG. (smcv)
  - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
    not match their "magic numbers", because wiki admins might try to
    restrict attachments by extension, but ImageMagick can base its
    choice of coder on the magic number. Explicitly force the
    obvious ImageMagick coder to be used. (smcv)
* Minor non-security changes resulting from that update, since
  reverting them seems higher-risk than keeping them:
  - Add PDF support, disabled by the above changes unless specifically
    configured (chrysn)
  - Only render one frame or page from animated GIF or multi-page PDF
    (chrysn)
  - Do not distort aspect ratio when resizing small images (chrysn)
  - Use data: URLs to embed images in page previews (chrysn)
  - Raise an error if the image's size cannot be determined (chrysn)
  - Handle filenames containing a colon correctly (smcv)
---