Control: tags -1 - confirmed

Hi Bastien,
On Wed, Dec 31, 2025 at 11:29:31AM +0100, Bastien Roucaries wrote: > control: tags -1 - confirmed > > Hi, > > Following new CVEs before uploading I propose a new PU > > > debdiff could be found here (note that diff is against stable not bookworm > security) > https://debusine.debian.net/debian/developers/artifact/2954578/raw/debdiff.txt > > Againt bookworm-security attached > > debusine build: > https://debusine.debian.net/debian/developers/work-request/302156/ > > rouca > > > diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog > imagemagick-6.9.11.60+dfsg/debian/changelog > --- imagemagick-6.9.11.60+dfsg/debian/changelog 2025-09-07 > 23:54:25.000000000 +0200 > +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2025-12-30 > 17:36:07.000000000 +0100 
> @@ -1,3 +1,45 @@ > +imagemagick (8:6.9.11.60+dfsg-1.6+deb12u5) bookworm; urgency=medium > + > + * Fix CVE-2025-62171 (Closes: #1118340) > + Integer Overflow in BMP Decoder (ReadBMP): > + CVE-2025-57803 claims to be patched, but the fix is incomplete > + and ineffective. > + . > + The patch added BMPOverflowCheck() but placed it > + after the overflow occurs, making it useless. > + A malicious 58-byte BMP file can trigger AddressSanitizer > + crashes and DoS. > + * Fix CVE-2025-65955 (Closes: #1122827) > + A vulnerability was found in ImageMagick’s Magick++ layer that > + manifests when Options::fontFamily is invoked with an empty > + string. Clearing a font family calls RelinquishMagickMemory on > + _drawInfo->font, freeing the font string but leaving _drawInfo->font > + pointing to freed memory while _drawInfo->family is set to that > + (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font > + re-frees or dereferences dangling memory. DestroyDrawInfo and other > + setters (Options::font, Image::font) assume _drawInfo->font remains > + valid, so destruction or subsequent updates trigger crashes or heap > + corruption > + * Fix CVE-2025-66628 (Closes: #1122584) > + The TIM (PSX TIM) image parser contains a critical integer overflow > + vulnerability in its ReadTIMImage function (coders/tim.c). The code > + reads width and height (16-bit values) from the file header and > + calculates image_size = 2 * width * height without checking for > + overflow. On 32-bit systems (or where size_t is 32-bit), this > + calculation can overflow if width and height are large (e.g., 65535), > + wrapping around to a small value > + * Fix CVE-2025-68469 > + ImageMagick crashes when processing a crafted TIFF file. > + * Fix CVE-2025-68618: > + Magick's failure to limit the depth of SVG file reads caused > + a DoS attack. 
> + * Fix CVE-2025-68950: > + Magick's failure to limit MVG mutual references forming a loop > + * Fix CVE-2025-69204: > + Converting a malicious MVG file to SVG caused an integer overflow. > + > + -- Bastien Roucariès <[email protected]> Tue, 30 Dec 2025 17:36:07 +0100 > + > imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4) bookworm-security; urgency=medium > > * Fix CVE-2025-53014: > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,27 @@ > +From: Dirk Lemstra <[email protected]> > +Date: Sun, 12 Oct 2025 20:39:55 +0200 > +Subject: Added extra check to resolve issue on 32-bit systems > + > (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm) > + > +(cherry picked from commit 456771fae8baa9558a1421ec8d522e6937d9b2d7) > + > +origin: > https://github.com/ImageMagick/ImageMagick6/commit/456771fae8baa9558a1421ec8d522e6937d9b2d7 > +bug: > https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm > +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118340 > +--- > + coders/bmp.c | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/coders/bmp.c b/coders/bmp.c > +index c6ec39e..d509bd6 100644 > +--- a/coders/bmp.c > ++++ b/coders/bmp.c > +@@ -982,6 +982,8 @@ static Image *ReadBMPImage(const ImageInfo > *image_info,ExceptionInfo *exception) > + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); > + if (bmp_info.compression == BI_RLE4) > + bmp_info.bits_per_pixel<<=1; > ++ if (BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) != > MagickFalse) > ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); > + extent=image->columns*bmp_info.bits_per_pixel; > + bytes_per_line=4*((extent+31)/32); > + if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,25 @@ > +From: Dirk Lemstra <[email protected]> > +Date: Sun, 23 Nov 2025 09:17:43 +0100 > +Subject: Correct incorrect free (GHSA-q3hc-j9x5-mp9m) > + > +origin: > https://github.com/ImageMagick/ImageMagick6/commit/7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8 > +debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122827 > + > +(cherry picked from commit 7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8) > +--- > + Magick++/lib/Options.cpp | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp > +index 3d943e4..15f818d 100644 > +--- a/Magick++/lib/Options.cpp > ++++ b/Magick++/lib/Options.cpp > +@@ -312,7 +312,7 @@ void Magick::Options::fontFamily(const std::string > &family_) > + { > + if (family_.length() == 0) > + { > +- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font); > ++ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family); > + DestroyString(RemoveImageOption(imageInfo(),"family")); > + } > + else > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,28 @@ > +From: Dirk Lemstra <[email protected]> > +Date: Tue, 2 Dec 2025 22:49:19 +0100 > +Subject: Added extra check to avoid an overflow on 32-bit machines > + (GHSA-6hjr-v6g4-3fm8) > + > +origin: > https://github.com/ImageMagick/ImageMagick6/commit/7779f1ff772dfabe545c67fb2f3bfa8f7a845a2d > +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122584 > +(cherry picked from commit 7779f1ff772dfabe545c67fb2f3bfa8f7a845a2d) > +--- > + coders/tim.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/coders/tim.c b/coders/tim.c > +index b2fd86c..8c792c6 100644 > +--- a/coders/tim.c > ++++ b/coders/tim.c > +@@ -234,7 +234,10 @@ static Image *ReadTIMImage(const ImageInfo > *image_info,ExceptionInfo *exception) > + (void) ReadBlobLSBShort(image); > + width=ReadBlobLSBShort(image); > + height=ReadBlobLSBShort(image); > +- image_size=2*width*height; > ++ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != > MagickFalse) > ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); > ++ if (image_size > GetBlobSize(image)) > ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); > + bytes_per_line=width*2; > + width=(width*16)/bits_per_pixel; > + image->columns=width; > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,64 @@ > +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <[email protected]> > +Date: Tue, 30 Dec 2025 17:31:06 +0100 > +Subject: CVE-2025-68469 > + > +While Processing a crafted TIFF file, imagemagick crashes. > + > +Note that this patch fix also CVE-2023-3428 that is a variation of > CVE-2025-68469 > + > +origin: > https://github.com/ImageMagick/ImageMagick/issues/8508#issuecomment-3699838767 > +bug: https://github.com/advisories/GHSA-fff3-4rp7-px97 > +bug-github-issue: https://github.com/ImageMagick/ImageMagick/issues/8508 > +--- > + coders/tiff.c | 24 +++++++++++++++--------- > + 1 file changed, 15 insertions(+), 9 deletions(-) > + > +diff --git a/coders/tiff.c b/coders/tiff.c > +index 12bea21..0f615ad 100644 > +--- a/coders/tiff.c > ++++ b/coders/tiff.c > +@@ -1953,7 +1953,14 @@ static Image *ReadTIFFImage(const ImageInfo > *image_info, > + *p; > + > + size_t > +- extent; > ++ extent, > ++ length; > ++ > ++ ssize_t > ++ stride; > ++ > ++ tmsize_t > ++ tile_size; > + > + uint32 > + columns, > +@@ -1971,13 +1978,12 @@ static Image *ReadTIFFImage(const ImageInfo > *image_info, > + number_pixels=(MagickSizeType) columns*rows; > + if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != > MagickFalse) > + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); > +- > extent=4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff), > +- TIFFTileSize(tiff)); > +-#if defined(TIFF_VERSION_BIG) > +- extent+=image->columns*sizeof(uint64); > +-#else > +- extent+=image->columns*sizeof(uint32); > +-#endif > ++ > ++ tile_size=TIFFTileSize(tiff); > ++ stride=(ssize_t) TIFFTileRowSize(tiff); > ++ length=GetQuantumExtent(image,quantum_info,quantum_type); > ++ extent=(size_t) MagickMax((size_t) tile_size,rows* > ++ MagickMax((size_t) stride,length)); > + tile_pixels=(unsigned char *) AcquireQuantumMemory(extent, > + sizeof(*tile_pixels)); > + if (tile_pixels == (unsigned char *) NULL) > +@@ -2036,7 +2042,7 @@ static Image *ReadTIFFImage(const ImageInfo > 
*image_info, > + break; > + (void) ImportQuantumPixels(image,(CacheView *) NULL, > + quantum_info,quantum_type,p,exception); > +- p+=TIFFTileRowSize(tiff); > ++ p+=stride; > + if (SyncAuthenticPixels(image,exception) == MagickFalse) > + break; > + } > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,120 @@ > +From: Cristy <[email protected]> > +Date: Sun, 21 Dec 2025 12:43:25 -0500 > +Subject: CVE-2025-68618 > + > +bug: > https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637 > +origin: backport, > https://github.com/ImageMagick/ImageMagick6/commit/693c8497290ea0c7cac75d3068ea4fa70d7d507e > + > +[backport] > +- drop unrelated policy patch > + > +(cherry picked from commit 693c8497290ea0c7cac75d3068ea4fa70d7d507e) > +--- > + coders/msl.c | 27 +++++++++++++++++---------- > + coders/svg.c | 13 ++++++++++--- > + 2 files changed, 27 insertions(+), 13 deletions(-) > + > +diff --git a/coders/msl.c b/coders/msl.c > +index 39c14da..7560c23 100644 > +--- a/coders/msl.c > ++++ b/coders/msl.c > +@@ -125,6 +125,7 @@ typedef struct _MSLInfo > + *exception; > + > + ssize_t > ++ depth, > + n, > + number_groups; > + > +@@ -642,26 +643,24 @@ static void MSLStartElement(void *context,const > xmlChar *tag, > + int > + flags; > + > +- ssize_t > +- option, > +- j, > +- n, > +- x, > +- y; > +- > + MSLInfo > + *msl_info; > + > + RectangleInfo > + geometry; > + > +- ssize_t > +- i; > +- > + size_t > + height, > + width; > + > ++ ssize_t > ++ option, > ++ i, > ++ j, > ++ n, > ++ x, > ++ y; > ++ > + /* > + Called when an opening tag has been processed. 
> + */ > +@@ -669,6 +668,13 @@ static void MSLStartElement(void *context,const xmlChar > *tag, > + " SAX.startElement(%s",tag); > + exception=AcquireExceptionInfo(); > + msl_info=(MSLInfo *) context; > ++ if (msl_info->depth++ > MagickMaxRecursionDepth) > ++ { > ++ (void) ThrowMagickException(msl_info->exception,GetMagickModule(), > ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag); > ++ xmlStopParser((xmlParserCtxtPtr) context); > ++ return; > ++ } > + n=msl_info->n; > + keyword=(const char *) NULL; > + value=(char *) NULL; > +@@ -7466,6 +7472,7 @@ static void MSLEndElement(void *context,const xmlChar > *tag) > + } > + if (msl_info->content != (char *) NULL) > + msl_info->content=DestroyString(msl_info->content); > ++ msl_info->depth--; > + } > + > + static void MSLCharacters(void *context,const xmlChar *c,int length) > +diff --git a/coders/svg.c b/coders/svg.c > +index 912c714f..1b3a7e1 100644 > +--- a/coders/svg.c > ++++ b/coders/svg.c > +@@ -1252,13 +1252,13 @@ static void SVGStartElement(void *context,const > xmlChar *name, > + *p, > + *value; > + > ++ size_t > ++ number_tokens; > ++ > + ssize_t > + i, > + j; > + > +- size_t > +- number_tokens; > +- > + SVGInfo > + *svg_info; > + > +@@ -1268,6 +1268,13 @@ static void SVGStartElement(void *context,const > xmlChar *name, > + (void) LogMagickEvent(CoderEvent,GetMagickModule()," > SAX.startElement(%s", > + name); > + svg_info=(SVGInfo *) context; > ++ if (svg_info->n >= MagickMaxRecursionDepth) > ++ { > ++ (void) ThrowMagickException(svg_info->exception,GetMagickModule(), > ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name); > ++ xmlStopParser((xmlParserCtxtPtr) context); > ++ return; > ++ } > + svg_info->n++; > + svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale, > + svg_info->n+1UL,sizeof(*svg_info->scale)); > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch > --- 
imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch > 2025-12-30 17:36:07.000000000 +0100 > @@ -0,0 +1,22 @@ > +From: Cristy <[email protected]> > +Date: Fri, 26 Dec 2025 11:20:57 -0500 > +Subject: CVE-2025-68950 > + > +bug: > https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j > +origin: > https://github.com/ImageMagick/ImageMagick6/commit/5655e26ee9032a208ad9add1fde2877205d5e540 > +--- > + magick/draw.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/magick/draw.c b/magick/draw.c > +index 91c4954..950ed8a 100644 > +--- a/magick/draw.c > ++++ b/magick/draw.c > +@@ -5505,6 +5505,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image > *image, > + if ((LocaleCompare(clone_info->magick,"ftp") != 0) && > + (LocaleCompare(clone_info->magick,"http") != 0) && > + (LocaleCompare(clone_info->magick,"https") != 0) && > ++ (LocaleCompare(clone_info->magick,"mvg") != 0) && > + (LocaleCompare(clone_info->magick,"vid") != 0)) > + composite_images=ReadImage(clone_info,exception); > + else > diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch > imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch > --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch > 2025-12-30 17:36:07.000000000 +0100 
> @@ -0,0 +1,54 @@ > +From: Cristy <[email protected]> > +Date: Sat, 27 Dec 2025 14:37:26 -0500 > +Subject: CVE-2025-69204 > + > +bug: > https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw > +origin: > https://github.com/ImageMagick/ImageMagick6/commit/c46bc2a29d0712499173c6ffda1d38d7dc8861f5 > + > +(cherry picked from commit c46bc2a29d0712499173c6ffda1d38d7dc8861f5) > +--- > + coders/svg.c | 24 ++++++++++++++++++++---- > + 1 file changed, 20 insertions(+), 4 deletions(-) > + > +diff --git a/coders/svg.c b/coders/svg.c > +index 1b3a7e1..93438bb 100644 > +--- a/coders/svg.c > ++++ b/coders/svg.c > +@@ -5158,17 +5158,33 @@ static MagickBooleanType WriteSVGImage(const > ImageInfo *image_info,Image *image) > + } > + case PathPrimitive: > + { > +- int > +- number_attributes; > ++ size_t > ++ number_attributes, > ++ quantum; > + > + (void) GetNextToken(q,&q,extent,token); > + number_attributes=1; > + for (p=token; *p != '\0'; p++) > + if (isalpha((int) *p)) > + number_attributes++; > +- if (i > (ssize_t) > (number_points-6*BezierQuantum*number_attributes-1)) > ++ if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes)) > + { > +- number_points+=6*BezierQuantum*number_attributes; > ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), > ++ ResourceLimitError,"MemoryAllocationFailed","`%s'", > ++ image->filename); > ++ break; > ++ } > ++ quantum=(size_t) 6*BezierQuantum*number_attributes; > ++ if (number_points >= (MAGICK_SSIZE_MAX-quantum)) > ++ { > ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), > ++ ResourceLimitError,"MemoryAllocationFailed","`%s'", > ++ image->filename); > ++ break; > ++ } > ++ if (i > (ssize_t) (number_points-quantum-1)) > ++ { > ++ number_points+=quantum; > + primitive_info=(PrimitiveInfo *) > ResizeQuantumMemory(primitive_info, > + number_points,sizeof(*primitive_info)); > + if (primitive_info == (PrimitiveInfo *) NULL) > diff -Nru 
imagemagick-6.9.11.60+dfsg/debian/patches/series > imagemagick-6.9.11.60+dfsg/debian/patches/series > --- imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-09-07 > 23:53:01.000000000 +0200 > +++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-12-30 > 17:36:07.000000000 +0100 > @@ -95,3 +95,10 @@ > CVE-2025-57803-pre1.patch > CVE-2025-57803.patch > CVE-2025-57807.patch > +CVE-2025-62171.patch > +CVE-2025-65955.patch > +CVE-2025-66628.patch > +CVE-2025-68469.patch > +CVE-2025-68618.patch > +CVE-2025-68950.patch > +CVE-2025-69204.patch Including the bugreport for the bookworm-pu update. Regards, Salvatore
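Review bot: in the debian/changelog hunk (@@ -1,3 +1,45 @@) the CVE-2025-68950 entry is a sentence fragment ("Magick's failure to limit MVG mutual references forming a loop") with no stated consequence, the CVE-2025-65955 entry ends without a full stop after "heap corruption", and "CVE-2025-57803 claims to be patched" would read better as "the earlier fix for CVE-2025-57803 was incomplete". Separately, the header of CVE-2025-68469.patch says it also fixes CVE-2023-3428, which this changelog never mentions; recording it in the entry lets the security tracker pick it up from the upload.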
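Review bot: in the coders/bmp.c hunk (@@ -982,6 +982,8 @@) the new BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) only guards the product on the next line; the `extent+31` addition in `bytes_per_line=4*((extent+31)/32);` stays unchecked, so if BMPOverflowCheck merely rejects products that wrap, an extent within 31 of SIZE_MAX can still wrap that addition on a 32-bit build and give a tiny bytes_per_line. Worth confirming which bound BMPOverflowCheck enforces (its body is not in the diff) or comparing extent against a hard limit before the addition. Placing the check after the BI_RLE4 `bits_per_pixel<<=1` doubling is right, since that doubled value is what gets multiplied.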
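Review bot: the header of CVE-2025-65955.patch uses `debian-bug:` while CVE-2025-62171.patch and CVE-2025-66628.patch use `bug-debian:`; settle on one spelling so anyone grepping the patch headers finds all of them. The one-line change in the Magick++/lib/Options.cpp hunk is the correct minimal fix: freeing `_drawInfo->family` instead of `_drawInfo->font` and storing the NULL return leaves `_drawInfo->font` valid for DestroyDrawInfo and the other setters the changelog names.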
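Review bot: in the coders/tim.c hunk (@@ -234,7 +234,10 @@) the added `if (image_size > GetBlobSize(image))` is a behavioural change beyond the overflow fix and should be tried against non-seekable input (a TIM read from a pipe or stdin), where the blob size may not equal the file length; if it reports 0 there, valid images would now fail with InsufficientImageDataInFile. The HeapOverflowSanityCheckGetSize(2*width,height,&image_size) call itself is sound because width comes from ReadBlobLSBShort and fits in 16 bits, but the declared types of width and height are not visible in this hunk, so a one-line comment saying why `2*width` cannot overflow would help the next reader.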
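Review bot: the `origin:` of CVE-2025-68469.patch is a GitHub issue comment rather than an upstream commit, so unlike the other patches in this series it is not a cherry-pick of anything that has landed in ImageMagick6; say so in the header (the CVE-2025-68618 patch uses a [backport] note for its status) and plan to reconcile it once an upstream commit exists. In the declarations hunk (@@ -1953,7 +1953,14 @@), `tile_size` is `tmsize_t` and `stride` is `ssize_t`, both signed, and both are later cast to `size_t`; if TIFFTileSize or TIFFTileRowSize signal an error by returning 0, a zero check before the cast is safer than relying on the allocation further down to fail.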
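Review bot: in the coders/tiff.c extent hunk (@@ -1971,13 +1978,12 @@) the new `rows*MagickMax((size_t) stride,length)` multiplication is unchecked; the HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) just above only validates rows against a one-byte element, so on a 32-bit build a large rows times a large stride can wrap before AcquireQuantumMemory(extent,sizeof(*tile_pixels)) runs, which is the class of bug this patch is meant to close. Suggest HeapOverflowSanityCheckGetSize(rows,MagickMax((size_t) stride,length),&extent), as CVE-2025-66628.patch does in tim.c, and then taking the max with tile_size. Dropping the old 4*(samples_per_pixel+1) factor and the per-column sizeof(uint64)/sizeof(uint32) padding also shrinks the buffer considerably; since `length=GetQuantumExtent(image,quantum_info,quantum_type)` is now what covers ImportQuantumPixels, a sentence in the patch header explaining that would stop a reader from assuming the smaller extent is a regression.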
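Review bot: `depth` is a new MSLInfo field (coders/msl.c hunk @@ -125,6 +125,7 @@), and the code that allocates and initialises MSLInfo is not in this diff; confirm it is zeroed (memset or an explicit `msl_info.depth=0`) before parsing starts, otherwise the MagickMaxRecursionDepth comparison in MSLStartElement begins from an indeterminate value.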
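Review bot: the coders/msl.c hunk at @@ -642,26 +643,24 @@ only reorders local declarations (moving the `ssize_t` block below `size_t`) and changes no behaviour; for a bookworm backport it would be cleaner to drop it, as was done for the unrelated policy patch noted under [backport], so the debdiff shows only the security-relevant lines. The same applies to the `size_t number_tokens` / `ssize_t i, j` swap in the coders/svg.c hunk at @@ -1252,13 +1252,13 @@.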
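Review bot: in the MSLStartElement hunk (@@ -669,6 +668,13 @@) `msl_info->depth++ > MagickMaxRecursionDepth` increments before bailing out while MSLEndElement decrements unconditionally; that stays balanced only because xmlStopParser prevents further callbacks, which deserves a comment. The svg.c check in the same patch (@@ -1268,6 +1268,13 @@) instead tests `svg_info->n >= MagickMaxRecursionDepth` before incrementing, so the two coders stop one level apart; harmless, but using the same comparison in both avoids the question later.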
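Review bot: the magick/draw.c hunk (@@ -5505,6 +5505,7 @@) extends a deny-list (ftp/http/https/vid) with "mvg" to break the mutual-reference loop the changelog describes, and the condition only inspects clone_info->magick; confirm that at this point the field reflects the format detected from the referenced file's content and not just an explicit `mvg:` prefix, otherwise the new entry would not cover every way the loop can be entered. A short comment above the condition naming the CVE would also help, since the list now mixes network-fetch restrictions with a recursion guard.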
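Review bot: in the WriteSVGImage hunk (@@ -5158,17 +5158,33 @@) each `break` after ThrowMagickException(...,"MemoryAllocationFailed",...) leaves only the `switch`, not the surrounding primitive loop, so confirm the loop checks `image->exception.severity` (or clears a status flag) before continuing; otherwise the writer carries on with an unchanged number_points after reporting the error. The two hand-written bounds tests (`(6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes)` and `number_points >= (MAGICK_SSIZE_MAX-quantum)`) duplicate what HeapOverflowSanityCheckGetSize provides and which CVE-2025-66628.patch already uses in this series. Note too that `if (i > (ssize_t) (number_points-quantum-1))` still relies on the subtraction underflowing to a negative ssize_t when number_points is smaller than quantum+1, as the old int arithmetic did; a comment there would save the next reader from re-deriving it.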

