Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] X-Debbugs-Cc: [email protected] Control: affects -1 + src:imagemagick User: [email protected] Usertags: pu
[ Reason ] CVE-2025-62594 CVE-2025-65955 CVE-2025-66628 CVE-2025-68618 CVE-2025-68950 CVE-2025-69204 [ Impact ] low [ Tests ] debci, internal testsuite, debusine [ Risks ] low [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] [ Other info ] CVE-2025-62594 CVE-2025-65955 CVE-2025-66628 CVE-2025-68618 CVE-2025-68950 CVE-2025-69204
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-12-29 00:33:04.000000000 +0100
@@ -1,3 +1,41 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u4) trixie; urgency=high
+
+ * Fix CVE-2025-62594 (Closes: #1119296)
+ Imagemagick is vulnerable to denial-of-service due to unsigned integer
+ underflow and division-by-zero in the CLAHEImage function. When tile
+ width or height is zero, unsigned underflow occurs in pointer
+ arithmetic, leading to out-of-bounds memory access, and
+ division-by-zero causes immediate crashes.
+ * Fix CVE-2025-65955 (Closes: #1122827)
+ There is a vulnerability in ImageMagick’s Magick++ layer that
+ manifests when Options::fontFamily is invoked with an empty
+ string. Clearing a font family calls RelinquishMagickMemory on
+ _drawInfo->font, freeing the font string but leaving _drawInfo->font
+ pointing to freed memory while _drawInfo->family is set to that
+ (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
+ re-frees or dereferences dangling memory. DestroyDrawInfo and other
+ setters (Options::font, Image::font) assume _drawInfo->font remains
+ valid, so destruction or subsequent updates trigger crashes or heap
+ corruption.
+ * Fix CVE-2025-66628 (Closes: #1122584)
+ The TIM (PSX TIM) image parser contains a critical integer overflow
+ vulnerability in its ReadTIMImage function (coders/tim.c). The code
+ reads width and height (16-bit values) from the file header and
+ calculates image_size = 2 * width * height without checking for
+ overflow. On 32-bit systems (or where size_t is 32-bit), this
+ calculation can overflow if width and height are large (e.g., 65535),
+ wrapping around to a small value.
+ * Fix CVE-2025-68618:
+ Magick's failure to limit the depth of SVG file reads caused
+ a DoS attack.
+ * Do not allow vid for vector graphics
+ * Fix CVE-2025-68950:
+ Magick's failure to limit MVG mutual references forming a loop
+ * Fix CVE-2025-69204:
+ Converting a malicious MVG file to SVG caused an integer overflow.
+
+ -- Bastien Roucariès <[email protected]> Mon, 29 Dec 2025 00:33:04 +0100
+
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u3) trixie; urgency=high
 * Fix CVE-2025-62171 (Closes: #1118340)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,363 @@
+From: Cristy <[email protected]>
+Date: Sat, 18 Oct 2025 10:54:39 -0400
+Subject: CVE-2025-62594
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp
+origin: https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129
+
+[backport]
+In order to ease backport minimise difference of image-private.h and add compat wrapper
+
+(cherry picked from commit 7b47fe369eda90483402fcd3d78fa4167d3bb129)
+---
+ MagickCore/composite.c | 3 +-
+ MagickCore/enhance.c | 48 +++++++++--------
+ MagickCore/image-private.h | 131 ++++++++++++++++++++++++++++++++++++---------
+ 3 files changed, 134 insertions(+), 48 deletions(-)
+
+diff --git a/MagickCore/composite.c b/MagickCore/composite.c
+index a5dfedc..2244cd1 100644
+--- a/MagickCore/composite.c
++++ b/MagickCore/composite.c
+@@ -999,7 +999,8 @@ static MagickBooleanType CompositeOverImage(Image *image,
+ }
+ pixels=p;
+ if (x_offset < 0)
+- p-=(ptrdiff_t)CastDoubleToLong((double) x_offset*GetPixelChannels(source_image));
++ p-=(ptrdiff_t) CastDoubleToSsizeT((double) x_offset*
++ GetPixelChannels(source_image));
+ }
+ q=GetCacheViewAuthenticPixels(image_view,0,y,image->columns,1,exception);
+ if (q == (Quantum *) NULL)
+diff --git a/MagickCore/enhance.c b/MagickCore/enhance.c
+index ee9d304..ee39476 100644
+--- a/MagickCore/enhance.c
++++ b/MagickCore/enhance.c
+@@ -69,6 +69,7 @@
+ #include "MagickCore/option.h"
+ #include "MagickCore/pixel.h"
+ #include "MagickCore/pixel-accessor.h"
++#include "MagickCore/pixel-private.h"
+ #include "MagickCore/property.h"
+ #include "MagickCore/quantum.h"
+ #include "MagickCore/quantum-private.h"
+@@ -318,11 +319,8 @@ static void ClipCLAHEHistogram(const double clip_limit,const size_t number_bins,
+ return;
+ cumulative_excess=0;
+ for (i=0; i < (ssize_t) number_bins; i++)
+- {
+- excess=(ssize_t) histogram[i]-(ssize_t) clip_limit;
+- if (excess > 0)
+- cumulative_excess+=excess;
+- }
++ if (histogram[i] > clip_limit)
++ cumulative_excess+=(ssize_t) (histogram[i]-clip_limit);
+ /*
+ Clip histogram and redistribute excess pixels across all bins.
+ */
+@@ -481,9 +479,6 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ MemoryInfo
+ *tile_cache;
+
+- unsigned short
+- *p;
+-
+ size_t
+ limit,
+ *tiles;
+@@ -492,15 +487,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ y;
+
+ unsigned short
+- *lut;
++ *lut,
++ *p;
+
+ /*
+ Contrast limited adapted histogram equalization.
+ */
+ if (clip_limit == 1.0)
+ return(MagickTrue);
+- tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,
+- (size_t) clahe_info->y*sizeof(*tiles));
++ tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,(size_t)
++ clahe_info->y*sizeof(*tiles));
+ if (tile_cache == (MemoryInfo *) NULL)
+ return(MagickFalse);
+ lut=(unsigned short *) AcquireQuantumMemory(NumberCLAHEGrays,sizeof(*lut));
+@@ -510,7 +506,8 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ return(MagickFalse);
+ }
+ tiles=(size_t *) GetVirtualMemoryBlob(tile_cache);
+- limit=(size_t) (clip_limit*(tile_info->width*tile_info->height)/number_bins);
++ limit=(size_t) (clip_limit*((double) tile_info->width*tile_info->height)/
++ number_bins);
+ if (limit < 1UL)
+ limit=1UL;
+ /*
+@@ -535,7 +532,7 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ tile_info->height,histogram);
+ p+=(ptrdiff_t) tile_info->width;
+ }
+- p+=(ptrdiff_t) clahe_info->width*(tile_info->height-1);
++ p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile_info->height-1));
+ }
+ /*
+ Interpolate greylevel mappings to get CLAHE image.
+@@ -576,6 +573,12 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ }
+ for (x=0; x <= (ssize_t) clahe_info->x; x++)
+ {
++ double
++ Q11,
++ Q12,
++ Q21,
++ Q22;
++
+ tile.width=tile_info->width;
+ tile.x=x-1;
+ offset.x=tile.x+1;
+@@ -598,15 +601,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ tile.x=clahe_info->x-1;
+ offset.x=tile.x;
+ }
+- InterpolateCLAHE(clahe_info,
+- tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+tile.x)), /* Q12 */
+- tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+offset.x)), /* Q22 */
+- tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+tile.x)), /* Q11 */
+- tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+offset.x)), /* Q21 */
+- &tile,lut,p);
++ Q12=(double) number_bins*(tile.y*clahe_info->x+tile.x);
++ Q22=(double) number_bins*(tile.y*clahe_info->x+offset.x);
++ Q11=(double) number_bins*(offset.y*clahe_info->x+tile.x);
++ Q21=(double) number_bins*(offset.y*clahe_info->x+offset.x);
++ InterpolateCLAHE(clahe_info,tiles+CastDoubleToPtrdiffT(Q12),
++ tiles+CastDoubleToPtrdiffT(Q22),tiles+CastDoubleToPtrdiffT(Q11),
++ tiles+CastDoubleToPtrdiffT(Q21),&tile,lut,p);
+ p+=(ptrdiff_t) tile.width;
+ }
+- p+=(ptrdiff_t) clahe_info->width*(tile.height-1);
++ p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile.height-1));
+ }
+ lut=(unsigned short *) RelinquishMagickMemory(lut);
+ tile_cache=RelinquishVirtualMemory(tile_cache);
+@@ -659,10 +663,10 @@ MagickExport MagickBooleanType CLAHEImage(Image *image,const size_t width,
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+ range_info.min=0;
+ range_info.max=NumberCLAHEGrays-1;
+- tile_info.width=width;
++ tile_info.width=MagickMax(width,2);
+ if (tile_info.width == 0)
+ tile_info.width=image->columns >> 3;
+- tile_info.height=height;
++ tile_info.height=MagickMax(height,2);
+ if (tile_info.height == 0)
+ tile_info.height=image->rows >> 3;
+ tile_info.x=0;
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index a7cd99c..f33e1aa 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -46,13 +46,17 @@ extern "C" {
+ #define MagickPHI 1.61803398874989484820458683436563811772030917980576
+ #define MagickPI2 1.57079632679489661923132169163975144209858469968755
+ #define MagickPI 3.1415926535897932384626433832795028841971693993751058209749445923078164062
++#define MAGICK_PTRDIFF_MAX (PTRDIFF_MAX)
++#define MAGICK_PTRDIFF_MIN (-PTRDIFF_MAX-1)
+ #define MagickSQ1_2 0.70710678118654752440084436210484903928483593768847
+ #define MagickSQ2 1.41421356237309504880168872420969807856967187537695
+ #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
+ #define MAGICK_SIZE_MAX (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN (-SSIZE_MAX-1)
++#define MAGICK_UINT_MAX (UINT_MAX)
+ #define MAGICK_ULONG_MAX (ULONG_MAX)
++#define MAGICK_USHORT_MAX (USHRT_MAX)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\
+ ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+@@ -65,7 +69,7 @@ extern "C" {
+ #define UndefinedCompressionQuality 0UL
+ #define UndefinedTicksPerSecond 100L
+
+-static inline ssize_t CastDoubleToLong(const double x)
++static inline ptrdiff_t CastDoubleToPtrdiffT(const double x)
+ {
+ double
+ value;
+@@ -75,48 +79,70 @@ static inline ssize_t CastDoubleToLong(const double x)
+ errno=ERANGE;
+ return(0);
+ }
+- if (x < 0.0)
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < ((double) MAGICK_PTRDIFF_MIN))
+ {
+- value=ceil(x);
+- if (value < ((double) MAGICK_SSIZE_MIN))
+- {
+- errno=ERANGE;
+- return((ssize_t) MAGICK_SSIZE_MIN);
+- }
++ errno=ERANGE;
++ return(MAGICK_PTRDIFF_MIN);
+ }
+- else
++ if (value > ((double) MAGICK_PTRDIFF_MAX))
+ {
+- value=floor(x);
+- if (value > ((double) MAGICK_SSIZE_MAX))
+- {
+- errno=ERANGE;
+- return((ssize_t) MAGICK_SSIZE_MAX);
+- }
++ errno=ERANGE;
++ return(MAGICK_PTRDIFF_MAX);
+ }
+- return((ssize_t) value);
++ return((ptrdiff_t) value);
+ }
+
+ static inline QuantumAny CastDoubleToQuantumAny(const double x)
+ {
++ double
++ value;
++
+ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+- if (x > ((double) ((QuantumAny) ~0)))
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ if (value > ((double) ((QuantumAny) ~0)))
+ {
+ errno=ERANGE;
+ return((QuantumAny) ~0);
+ }
+- if (x < 0.0)
++ return((QuantumAny) value);
++}
++
++static inline size_t CastDoubleToSizeT(const double x)
++{
++ double
++ value;
++
++ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+- return((QuantumAny) 0);
++ return(0);
+ }
+- return((QuantumAny) (x+0.5));
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ if (value > ((double) MAGICK_SIZE_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_SIZE_MAX);
++ }
++ return((size_t) value);
+ }
+
+-static inline size_t CastDoubleToUnsigned(const double x)
++
++static inline ssize_t CastDoubleToSsizeT(const double x)
+ {
+ double
+ value;
+@@ -126,18 +152,65 @@ static inline size_t CastDoubleToUnsigned(const double x)
+ errno=ERANGE;
+ return(0);
+ }
+- value=floor(x);
+- if (value >= ((double) MAGICK_SIZE_MAX))
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < ((double) MAGICK_SSIZE_MIN))
++ {
++ errno=ERANGE;
++ return(MAGICK_SSIZE_MIN);
++ }
++ if (value > ((double) MAGICK_SSIZE_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_SSIZE_MAX);
++ }
++ return((ssize_t) value);
++}
++
++static inline unsigned int CastDoubleToUInt(const double x)
++{
++ double
++ value;
++ if (IsNaN(x) != 0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
+ {
+ errno=ERANGE;
+- return((size_t) MAGICK_SIZE_MAX);
++ return((QuantumAny) 0);
+ }
++ if (value > ((double) MAGICK_UINT_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_UINT_MAX);
++ }
++ return((unsigned int) value);
++}
++
++static inline unsigned short CastDoubleToUShort(const double x)
++{
++ double
++ value;
++
++ if (IsNaN(x) != 0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ value=(x < 0.0) ? ceil(x) : floor(x);
+ if (value < 0.0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+- return((size_t) value);
++ if (value > ((double) MAGICK_USHORT_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_USHORT_MAX);
++ }
++ return((unsigned short) value);
+ }
+
+ static inline double DegreesToRadians(const double degrees)
+@@ -189,6 +262,14 @@ static inline unsigned int ScaleColor8to6(const unsigned char color)
+ return((unsigned int) (((color) & ~0x03) >> 2));
+ }
+
++/* compat inline wrapper for backport ease */
++static inline ssize_t CastDoubleToLong(const double x) {
++ return CastDoubleToSsizeT(x);
++}
++
++static inline size_t CastDoubleToUnsigned(const double x) {
++ return CastDoubleToSizeT(x);
++}
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
+ #endif
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch 2025-12-29 00:33:04.000000000 +0100
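Review bot: In the CLAHEImage hunk of CVE-2025-62594.patch, `tile_info.width=MagickMax(width,2);` runs before `if (tile_info.width == 0)`, so that test and the matching one for height can no longer be true, and a caller passing 0 gets a tile size of 2 instead of the `image->columns >> 3` / `image->rows >> 3` default. If zero is still meant to select the default, apply it first and clamp afterwards: `tile_info.width=width;`, `if (tile_info.width == 0) tile_info.width=image->columns >> 3;`, `if (tile_info.width < 2) tile_info.width=2;`, and the same for height. Separately, in the image-private.h hunks the new CastDoubleToSizeT tests `value > ((double) MAGICK_SIZE_MAX)` where the removed CastDoubleToUnsigned used `>=`; where that double rounds up past what size_t can hold (likely on 64-bit), a value equal to it reaches the `(size_t) value` cast, so `>=` looks like the safer bound. CLAHEImage's body continues outside the hunk.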
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <[email protected]>
+Date: Sun, 23 Nov 2025 09:17:29 +0100
+Subject: Correct incorrect free (GHSA-q3hc-j9x5-mp9m)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8
+bug-debian: https://bugs.debian.org/1122827
+---
+ Magick++/lib/Options.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
+index 9a2c3fb..2212c9e 100644
+--- a/Magick++/lib/Options.cpp
++++ b/Magick++/lib/Options.cpp
+@@ -310,7 +310,7 @@ void Magick::Options::fontFamily(const std::string &family_)
+ {
+ if (family_.length() == 0)
+ {
+- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
++ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
+ DestroyString(RemoveImageOption(imageInfo(),"family"));
+ }
+ else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <[email protected]>
+Date: Tue, 2 Dec 2025 22:49:12 +0100
+Subject: Added extra check to avoid an overflow on 32-bit machines
+ (GHSA-6hjr-v6g4-3fm8)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bdae0681ad1e572defe62df85834218f01e6d670
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122584
+---
+ coders/tim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tim.c b/coders/tim.c
+index 4c094ac..fcfd926 100644
+--- a/coders/tim.c
++++ b/coders/tim.c
+@@ -231,7 +231,8 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) ReadBlobLSBShort(image);
+ width=ReadBlobLSBShort(image);
+ height=ReadBlobLSBShort(image);
+- image_size=2*width*height;
++ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (image_size > GetBlobSize(image))
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ bytes_per_line=width*2;
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,106 @@
+From: Cristy <[email protected]>
+Date: Sun, 21 Dec 2025 12:43:08 -0500
+Subject: CVE-2025-68618
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
+---
+ coders/msl.c | 24 ++++++++++++++++--------
+ coders/svg.c | 8 +++++++-
+ 2 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index dc7a8bf..80468b1 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -120,6 +120,7 @@ typedef struct _MSLInfo
+ *exception;
+
+ ssize_t
++ depth,
+ n,
+ number_groups;
+
+@@ -328,6 +329,10 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ RectangleInfo
+ geometry;
+
++ size_t
++ height,
++ width;
++
+ ssize_t
+ i,
+ j,
+@@ -336,11 +341,6 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ x,
+ y;
+
+-
+- size_t
+- height,
+- width;
+-
+ xmlParserCtxtPtr
+ parser;
+
+@@ -352,6 +352,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ exception=AcquireExceptionInfo();
+ parser=(xmlParserCtxtPtr) context;
+ msl_info=(MSLInfo *) parser->_private;
++ if (msl_info->depth++ >= MagickMaxRecursionDepth)
++ {
++ (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag);
++ xmlStopParser((xmlParserCtxtPtr) context);
++ return;
++ }
+ n=msl_info->n;
+ keyword=(const char *) NULL;
+ value=(char *) NULL;
+@@ -7057,15 +7064,15 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+
+ static void MSLEndElement(void *context,const xmlChar *tag)
+ {
+- ssize_t
+- n;
+-
+ MSLInfo
+ *msl_info;
+
+ xmlParserCtxtPtr
+ parser;
+
++ ssize_t
++ n;
++
+ /*
+ Called when the end of an element has been detected.
+ */
+@@ -7158,6 +7165,7 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+ }
+ if (msl_info->content != (char *) NULL)
+ msl_info->content=DestroyString(msl_info->content);
++ msl_info->depth--;
+ }
+
+ static void MSLCharacters(void *context,const xmlChar *c,int length)
+diff --git a/coders/svg.c b/coders/svg.c
+index b1ac078..6a06974 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,7 +1249,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ name);
+ parser=(xmlParserCtxtPtr) context;
+ svg_info=(SVGInfo *) parser->_private;
+- svg_info->n++;
++ if (svg_info->n++ > MagickMaxRecursionDepth)
++ {
++ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
++ xmlStopParser((xmlParserCtxtPtr) context);
++ return;
++ }
+ svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+ svg_info->n+1,sizeof(*svg_info->scale));
+ if (svg_info->scale == (double *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch 2025-12-29 00:33:04.000000000 +0100
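Review bot: In the MSLStartElement hunk of CVE-2025-68618.patch, the new early `return;` sits after the context line `exception=AcquireExceptionInfo();`, so the local ExceptionInfo allocated there is not released on the depth-limit path unless code outside the hunk does it. Adding `exception=DestroyExceptionInfo(exception);` just before that `return;` would close the leak. The guard also relies on the new `depth` member of MSLInfo starting at zero; where the struct is initialised is not visible here, so that is worth confirming. MSLStartElement's body continues well beyond the hunk.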
@@ -0,0 +1,23 @@
+From: Cristy <[email protected]>
+Date: Fri, 26 Dec 2025 11:22:12 -0500
+Subject: CVE-2025-68950
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
+origin: https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec
+(cherry picked from commit 204718c2211903949dcfc0df8e65ed066b008dec)
+---
+ MagickCore/draw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6f1770f..5f0ff88 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5688,6 +5688,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+ (LocaleCompare(clone_info->magick,"http") != 0) &&
+ (LocaleCompare(clone_info->magick,"https") != 0) &&
++ (LocaleCompare(clone_info->magick,"mvg") != 0) &&
+ (LocaleCompare(clone_info->magick,"vid") != 0))
+ composite_images=ReadImage(clone_info,exception);
+ else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch 2025-12-29 00:33:04.000000000 +0100
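Review bot: The DrawPrimitive condition in CVE-2025-68950.patch is now a five-entry list of refused coder names with nothing in the code saying why each one is rejected; a short comment above it would keep a later backport from dropping an entry, e.g. `/* Refuse remote (ftp/http/https), nested MVG (mvg) and unsupported (vid) coders for image primitives. */`. The same applies to the `"vid"` line introduced by CVE-2025-68950_pre1.patch. The test matches only on `clone_info->magick`, so whether any other coder can lead back into MVG rendering cannot be judged from this hunk and is worth checking against the advisory. The enclosing function starts and ends outside the hunk.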
@@ -0,0 +1,27 @@
+From: Cristy <[email protected]>
+Date: Sun, 9 Feb 2025 10:30:42 -0500
+Subject: vid: format not supported in vector graphics
+
+[backport]
+- strictly not needed but a good idea to remove unsupported vector graphics format
+- hardening from a security point of view
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/678372c9b4c6bad5bbcf998d5eca506103f587eb
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6657675..6f1770f 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5687,7 +5687,8 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ else
+ if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+ (LocaleCompare(clone_info->magick,"http") != 0) &&
+- (LocaleCompare(clone_info->magick,"https") != 0))
++ (LocaleCompare(clone_info->magick,"https") != 0) &&
++ (LocaleCompare(clone_info->magick,"vid") != 0))
+ composite_images=ReadImage(clone_info,exception);
+ else
+ (void) ThrowMagickException(exception,GetMagickModule(),
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,69 @@
+From: Cristy <[email protected]>
+Date: Sat, 27 Dec 2025 14:37:23 -0500
+Subject: CVE-2025-69204
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw
+(cherry picked from commit 2c08c2311693759153c9aa99a6b2dcb5f985681e)
+---
+ coders/svg.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/coders/svg.c b/coders/svg.c
+index 6a06974..09705fc 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,13 +1249,14 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ name);
+ parser=(xmlParserCtxtPtr) context;
+ svg_info=(SVGInfo *) parser->_private;
+- if (svg_info->n++ > MagickMaxRecursionDepth)
++ if (svg_info->n >= MagickMaxRecursionDepth)
+ {
+ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
+ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
+ xmlStopParser((xmlParserCtxtPtr) context);
+ return;
+ }
++ svg_info->n++;
+ svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+ svg_info->n+1,sizeof(*svg_info->scale));
+ if (svg_info->scale == (double *) NULL)
+@@ -4721,17 +4722,33 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image,
+ }
+ case PathPrimitive:
+ {
+- int
+- number_attributes;
++ size_t
++ number_attributes,
++ quantum;
+
+ (void) GetNextToken(q,&q,extent,token);
+ number_attributes=1;
+ for (p=token; *p != '\0'; p++)
+ if (isalpha((int) ((unsigned char) *p)) != 0)
+ number_attributes++;
+- if (i > ((ssize_t) number_points-6*BezierQuantum*number_attributes-1))
++ if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes))
+ {
+- number_points+=(size_t) (6*BezierQuantum*number_attributes);
++ (void) ThrowMagickException(exception,GetMagickModule(),
++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
++ image->filename);
++ break;
++ }
++ quantum=(size_t) 6*BezierQuantum*number_attributes;
++ if (number_points >= (MAGICK_SSIZE_MAX-quantum))
++ {
++ (void) ThrowMagickException(exception,GetMagickModule(),
++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
++ image->filename);
++ break;
++ }
++ if (i > (ssize_t) (number_points-quantum-1))
++ {
++ number_points+=(size_t) quantum;
+ primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
+ number_points,sizeof(*primitive_info));
+ if (primitive_info == (PrimitiveInfo *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-12-29 00:33:04.000000000 +0100
@@ -53,3 +53,10 @@
 CVE-2025-57803.patch
 CVE-2025-57807.patch
 CVE-2025-62171.patch
+CVE-2025-62594.patch
+CVE-2025-65955.patch
+CVE-2025-66628.patch
+CVE-2025-68618.patch
+CVE-2025-68950_pre1.patch
+CVE-2025-68950.patch
+CVE-2025-69204.patch
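Review bot: In the WriteSVGImage hunk of CVE-2025-69204.patch, `if (i > (ssize_t) (number_points-quantum-1))` now subtracts in size_t before the cast, so whenever `number_points` is smaller than `quantum+1` the result depends on unsigned wrap-around followed by an out-of-range conversion to ssize_t. The two guards above bound both operands, so this probably still behaves like the removed signed expression on the usual platforms, but it is easier to audit written as `if (i > ((ssize_t) number_points-(ssize_t) quantum-1))`. The declaration of `number_points` is outside the hunk; its unsigned type is inferred from the `(ssize_t) number_points` cast on the removed line.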

