Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: imagemagick@packages.debian.org
Control: affects -1 + src:imagemagick

[ Reason ]
Imagemagick is affected in stable by a few security problems.

[ Impact ]
Security problems with some exploit (image) in the wild

[ Tests ]
Yes, testsuite is included in the package and autopkgtest

[ Risks ]
Code is complex, I prefer to not solve in a single step all the security bugs.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
+ * Fix CVE-2021-3574: memory leak was found in TIFF coder
+ * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+ * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+ some coders (Closes: #1013282)
+ * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+ * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+ * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+ * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+ * Fix CVE-2021-39212: Postscript files could be read and written
+ when specifically excluded by a module policy in policy.xml file.
+ (Closes: #996588)
+ * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+ (Closes: #1013282)
+ * Fix CVE-2022-28463: Buffer overflow in cin coder.
+ * Fix CVE-2022-32545: Value outside the range of unsigned char
+ (Closes: #1016442)
+ * Fix CVE-2022-32546: Value outside the range of representable
+ values of type 'unsigned long' at coders/pcl.c,
+ * Use Salsa CI

[ Other info ]
Security team is ok with this.

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog 2023-02-03 17:59:42.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog 2023-05-26 07:10:27.000000000 +0000
@@ -1,3 +1,27 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u2) bullseye-security; urgency=medium
+
+ * Fix CVE-2021-3574: memory leak was found in TIFF coder
+ * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+ * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+ some coders (Closes: #1013282)
+ * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+ * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+ * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+ * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+ * Fix CVE-2021-39212: Postscript files could be read and written
+ when specifically excluded by a module policy in policy.xml file.
+ (Closes: #996588)
+ * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+ (Closes: #1013282)
+ * Fix CVE-2022-28463: Buffer overflow in cin coder.
+ * Fix CVE-2022-32545: Value outside the range of unsigned char
+ (Closes: #1016442)
+ * Fix CVE-2022-32546: Value outside the range of representable
+ values of type 'unsigned long' at coders/pcl.c,
+ * Use Salsa CI
+
+ -- Bastien Roucariès <rouca@debian.org> Fri, 26 May 2023 07:10:27 +0000
+
imagemagick (8:6.9.11.60+dfsg-1.3+deb11u1) bullseye-security; urgency=medium
* Fix CVE-2022-44267 / CVE-2022-44268
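Review bot: the CVE-2022-32546 entry ends in a dangling comma ("at coders/pcl.c,"), which reads as if the rest of the sentence was lost; finish or trim it before upload. The CVE-2021-4219 entry carries no Closes: although its patch header cites a Debian bug, and "(Closes: #1013282)" appears twice in the same entry (under CVE-2021-20241 / CVE-2021-20243 and under CVE-2022-1114); listing it once is enough.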
diff -Nru imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh
--- imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh 2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Debug what repositories are available to begin with
+grep -r "^deb " /etc/apt/sources.*
+
+# Enable the same repositories that were available at build time in
+# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye
+. /etc/os-release
+cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+EOF
+
+apt-get update
+
+# Ref
+# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
+# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58
+# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85
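Review bot: with set -e active, the debug line grep -r "^deb " /etc/apt/sources.* aborts the whole script whenever grep matches nothing (exit status 1), for instance on an image that only ships deb822 .sources files; append || true to that line. The file is also added under debian/debian/, one directory deeper than the rest of the packaging, and nothing in the visible diff references it, so check that the path is intended.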
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,40 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Tue, 13 Apr 2021 21:41:34 -0400
+Subject: CVE-2021-3574: memory leak
+
+Memory leak due to crafted tiff file
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3540
+origin: https://github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792.patch
+---
+ coders/tiff.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index a3caa..8e89e 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1332,6 +1332,11 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ TIFFClose(tiff);
+ ThrowReaderException(CorruptImageError,"UnsupportedBitsPerPixel");
+ }
++ if (samples_per_pixel > MaxPixelChannels)
++ {
++ TIFFClose(tiff);
++ ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
++ }
+ if (sample_format == SAMPLEFORMAT_IEEEFP)
+ (void) SetImageProperty(image,"quantum:format","floating-point");
+ switch (photometric)
+@@ -1700,11 +1705,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ }
+ if (image->matte != MagickFalse)
+ (void) SetImageAlphaChannel(image,OpaqueAlphaChannel);
+- if (samples_per_pixel > MaxPixelChannels)
+- {
+- TIFFClose(tiff);
+- ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
+- }
+ method=ReadGenericMethod;
+ rows_per_strip=(uint32) image->rows;
+ if (TIFFGetField(tiff,TIFFTAG_ROWSPERSTRIP,&rows_per_strip) == 1)
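Review bot: the patch header does not say why moving the samples_per_pixel > MaxPixelChannels check from around line 1700 up to line 1332 of ReadTIFFImage() fixes a leak; the description is only "Memory leak due to crafted tiff file". Add a sentence naming what is allocated between the two positions and is not released on the old ThrowReaderException path, so that a later rebase does not move the check back.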
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 22 Dec 2021 16:00:28 -0500
+Subject: CVE-2021-4219: Dos
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4626
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023282
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c10351c16b8d2cabd11d2627a02de522570f6ceb.patch
+---
+ magick/draw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 75b3d..ba216 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5452,7 +5452,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ {
+ (void) CopyMagickString(clone_info->filename,primitive_info->text,
+ MagickPathExtent);
+- status&=SetImageInfo(clone_info,0,exception);
++ status&=SetImageInfo(clone_info,1,exception);
++ (void) CopyMagickString(clone_info->filename,primitive_info->text,
++ MagickPathExtent);
+ if (clone_info->size != (char *) NULL)
+ clone_info->size=DestroyString(clone_info->size);
+ if (clone_info->extract != (char *) NULL)
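Review bot: the bug-debian header points at bug=1023282, while the changelog and the other patches in this upload use 1013282; the two differ by one digit, so one of them is probably a typo and should be checked. In the hunk itself, the second CopyMagickString() after SetImageInfo(clone_info,1,exception) restores clone_info->filename with no comment explaining why; a one-line comment stating what SetImageInfo() does to the filename would help.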
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Date: Tue, 2 Feb 2021 16:10:05 +0800
+Subject: CVE-2021-20241:
+
+fix division by zero in WriteJP2Image() in coders/jp2.c
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745.patch
+---
+ coders/jp2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/jp2.c b/coders/jp2.c
+index 0354f..b5078 100644
+--- a/coders/jp2.c
++++ b/coders/jp2.c
+@@ -1064,8 +1064,8 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image)
+
+ scale=(double) (((size_t) 1UL << jp2_image->comps[i].prec)-1)/
+ QuantumRange;
+- q=jp2_image->comps[i].data+(y/jp2_image->comps[i].dy*
+- image->columns/jp2_image->comps[i].dx+x/jp2_image->comps[i].dx);
++ q=jp2_image->comps[i].data+(ssize_t) (y*PerceptibleReciprocal(jp2_image->comps[i].dy)*
++ image->columns*PerceptibleReciprocal(jp2_image->comps[i].dx)+x*PerceptibleReciprocal(jp2_image->comps[i].dx));
+ switch (i)
+ {
+ case 0:
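Review bot: the new offset in WriteJP2Image() is computed as one floating-point product and truncated once by the (ssize_t) cast, whereas the removed expression divided step by step (y/dy, then *columns, then /dx); if those operands are integers, the two forms yield different offsets for subsampled components (dx or dy greater than 1), so this needs a test with such an image. It also leaves a zero dx or dy to whatever PerceptibleReciprocal() returns, which is not shown here: if that is a large finite value, q ends up far outside comps[i].data. Rejecting a zero dx or dy explicitly before the loop would be clearer. The Subject line also ends in a bare colon.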
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,23 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 15:30:39 -0500
+Subject: CVE-2021-20243
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/3177
+origin: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745.patch
+---
+ magick/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/resize.c b/magick/resize.c
+index fe662..56e94 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -1611,7 +1611,7 @@ MagickExport MagickRealType GetResizeFilterWeight(
+ */
+ assert(resize_filter != (ResizeFilter *) NULL);
+ assert(resize_filter->signature == MagickCoreSignature);
+- x_blur=fabs((double) x)/resize_filter->blur; /* X offset with blur scaling */
++ x_blur=fabs((double) x)*PerceptibleReciprocal(resize_filter->blur); /* X offset with blur scaling */
+ if ((resize_filter->window_support < MagickEpsilon) ||
+ (resize_filter->window == Box))
+ scale=1.0; /* Point or Box Filter -- avoid division by zero */
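Review bot: the origin field names the same commit (53cb91b3e7bf95d0e372cbc745e0055ac6054745) that 0028-CVE-2021-20241.patch cites, although the two patches have different authors, dates and files (coders/jp2.c there, magick/resize.c here). One of the two references is probably wrong; point each patch at the upstream commit that actually contains its change. The changelog also describes this fix as a divide by zero "in some coders", but the hunk is in magick/resize.c.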
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,37 @@
+From: ruc_zhangxiaohui <553441439@qq.com>
+Date: Thu, 4 Feb 2021 04:19:08 +0800
+Subject: CVE-2021-20244: uses the PerceptibleReciprocal() to prevent the
+ divide-by-zero from occurring (#3194)
+
+A crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c8d674946a687f40a126166edf470733fc8ede02.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+Co-authored-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+(cherry picked from commit 329dd528ab79531d884c0ba131e97d43f872ab5d)
+
+This backports the fix for CVE-2021-20244 to IM6.
+---
+ magick/visual-effects.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/magick/visual-effects.c b/magick/visual-effects.c
+index 11dce..46f1d 100644
+--- a/magick/visual-effects.c
++++ b/magick/visual-effects.c
+@@ -1101,11 +1101,11 @@ MagickExport Image *ImplodeImage(const Image *image,const double amount,
+ */
+ factor=1.0;
+ if (distance > 0.0)
+- factor=pow(sin((double) (MagickPI*sqrt((double) distance)/
+- radius/2)),-amount);
++ factor=pow(sin((double) (MagickPI*sqrt((double) distance)*
++ PerceptibleReciprocal(radius)/2)),-amount);
+ status=InterpolateMagickPixelPacket(image,image_view,
+- UndefinedInterpolatePixel,(double) (factor*delta.x/scale.x+
+- center.x),(double) (factor*delta.y/scale.y+center.y),&pixel,
++ UndefinedInterpolatePixel,(double) (factor*delta.x*PerceptibleReciprocal(scale.x)+
++ center.x),(double) (factor*delta.y*PerceptibleReciprocal(scale.y)+center.y),&pixel,
+ exception);
+ if (status == MagickFalse)
+ break;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 16:04:25 -0500
+Subject: CVE-2021-20245 Division by zero in WriteAnimatedWEBPImage() in
+ coders/webp.c
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3176
+origin: https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ coders/webp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/webp.c b/coders/webp.c
+index 3c7d9..2bad2b 100644
+--- a/coders/webp.c
++++ b/coders/webp.c
+@@ -881,7 +881,8 @@ static MagickBooleanType WriteAnimatedWEBPImage(const ImageInfo *image_info,
+
+ WriteSingleWEBPImage(image_info, image, &picture, current, exception);
+
+- effective_delta = image->delay*1000/image->ticks_per_second;
++ effective_delta = image->delay*1000*PerceptibleReciprocal(
++ image->ticks_per_second);
+ if (effective_delta < 10)
+ effective_delta = 100; /* Consistent with gif2webp */
+ frame_timestamp+=effective_delta;
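Review bot: effective_delta in WriteAnimatedWEBPImage() is now the result of a floating-point multiplication, and the only sanity check that follows is the lower bound (effective_delta < 10). With ticks_per_second equal to 0 the value depends on what PerceptibleReciprocal() returns (not shown here); if that is a large number, it flows unchecked into frame_timestamp+=effective_delta. An explicit fallback for ticks_per_second == 0, or an upper clamp next to the existing lower one, would make the result well defined.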
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,28 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 15:50:29 -0500
+Subject: CVE-2021-20246: division by zero in MagickCore/resample.c
+
+bug:https://github.com/ImageMagick/ImageMagick/issues/3195
+origin: https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ magick/resample.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magick/resample.c b/magick/resample.c
+index 593af..d5c72 100644
+--- a/magick/resample.c
++++ b/magick/resample.c
+@@ -1212,10 +1212,10 @@ MagickExport void ScaleResampleFilter(ResampleFilter *resample_filter,
+ { double scale;
+ #if FILTER_LUT
+ /* scale so that F = WLUT_WIDTH; -- hardcoded */
+- scale = (double)WLUT_WIDTH/F;
++ scale=(double) WLUT_WIDTH*PerceptibleReciprocal(F);
+ #else
+ /* scale so that F = resample_filter->F (support^2) */
+- scale = resample_filter->F/F;
++ scale=resample_filter->F*PerceptibleReciprocal(F);
+ #endif
+ resample_filter->A = A*scale;
+ resample_filter->B = B*scale;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,24 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Feb 2021 19:34:36 -0500
+Subject: CVE-2021-20309: Division by zero in WaveImage()
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3296
+origin: https://github.com/ImageMagick/ImageMagick6/commit/f1e68d22d1b35459421710587a0dcbab6900b51f.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ magick/visual-effects.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/visual-effects.c b/magick/visual-effects.c
+index 46f1d..87fd0b 100644
+--- a/magick/visual-effects.c
++++ b/magick/visual-effects.c
+@@ -3328,7 +3328,7 @@ MagickExport Image *WaveImage(const Image *image,const double amplitude,
+ }
+ for (i=0; i < (ssize_t) wave_image->columns; i++)
+ sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)
+- ((2.0*MagickPI*i)/wave_length));
++ ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));
+ /*
+ Wave image.
+ */
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,68 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 10:57:09 +0200
+Subject: [partial] CVE-2021-39212: Fixed incorrect check when module is used
+ as the domain in policy.xml that would allow the use of a disabled module.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8cd2fcd33460826628a7590dc3ce74d7785e1598.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 10 +++++-----
+ magick/static.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index 9f160..1ea993 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1279,18 +1279,18 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+ module_info=(ModuleInfo *) GetModuleInfo(module,exception);
+ if (module_info != (ModuleInfo *) NULL)
+ return(MagickTrue);
++ (void) CopyMagickString(module_name,module,MaxTextExtent);
++ p=GetCoderInfo(module,exception);
++ if (p != (CoderInfo *) NULL)
++ (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+ rights=ReadPolicyRights;
+- if (IsRightsAuthorized(ModulePolicyDomain,rights,module) == MagickFalse)
++ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",module);
+ return(MagickFalse);
+ }
+- (void) CopyMagickString(module_name,module,MaxTextExtent);
+- p=GetCoderInfo(module,exception);
+- if (p != (CoderInfo *) NULL)
+- (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+ if (GetValueFromSplayTree(module_list,module_name) != (void *) NULL)
+ return(MagickTrue); /* module already opened, return */
+ /*
+diff --git a/magick/static.c b/magick/static.c
+index 8c68f..a2b11 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -395,17 +395,17 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+ */
+ assert(module != (const char *) NULL);
+ (void) CopyMagickString(module_name,module,MagickPathExtent);
++ p=GetCoderInfo(module,exception);
++ if (p != (CoderInfo *) NULL)
++ (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+ rights=ReadPolicyRights;
+- if (IsRightsAuthorized(ModulePolicyDomain,rights,module) == MagickFalse)
++ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",module);
+ return(MagickFalse);
+ }
+- p=GetCoderInfo(module,exception);
+- if (p != (CoderInfo *) NULL)
+- (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+ extent=sizeof(MagickModules)/sizeof(MagickModules[0]);
+ for (i=0; i < (ssize_t) extent; i++)
+ if (LocaleCompare(MagickModules[i].module,module_name) == 0)
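Review bot: in both OpenModule() and RegisterStaticModule() the policy check now uses module_name, but the NotAuthorized exception a few lines below still prints module. When the two differ, which is exactly the case this patch addresses, the message names the alias rather than the policy entry that matched; consider reporting module_name, or both. GetCoderInfo() is also now called before the authorization check, so a short comment saying that the lookup is needed to resolve the name would stop someone from moving it back.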
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,36 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 12:30:44 +0200
+Subject: [partial] CVE-2021-39212: Added missing policy checks in
+ RegisterStaticModules.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/69ea5587de17ef89476be47a3cb7f855c0355a74
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/static.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/magick/static.c b/magick/static.c
+index a2b11..3b036 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -398,7 +398,7 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+ p=GetCoderInfo(module,exception);
+ if (p != (CoderInfo *) NULL)
+ (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+- rights=ReadPolicyRights;
++ rights=AllPolicyRights;
+ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
+@@ -452,6 +452,9 @@ MagickExport void RegisterStaticModules(void)
+ {
+ if (MagickModules[i].registered == MagickFalse)
+ {
++ if (IsRightsAuthorized(ModulePolicyDomain,AllPolicyRights,
++ MagickModules[i].module) == MagickFalse)
++ continue;
+ (void) (MagickModules[i].register_module)();
+ MagickModules[i].registered=MagickTrue;
+ }
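Review bot: in RegisterStaticModules() a module denied by policy is skipped with a bare continue, with no exception or log event, unlike RegisterStaticModule(), which sets errno=EPERM and throws PolicyError. An administrator debugging policy.xml gets no trace of why a coder is missing; a log event at that point would help. The first hunk's switch to AllPolicyRights is replaced again in 0037, so the header should mention that this is an intermediate state.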
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,27 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 12:43:45 +0200
+Subject: [partial] CVE-2021-39212: Use AllPolicyRights instead.
+
+(cherry picked from commit b60e17133b982d28816386b83174c2bc06dd39bd)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b60e17133b982d28816386b83174c2bc06dd39bd
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index 1ea993..da267 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1283,7 +1283,7 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+ p=GetCoderInfo(module,exception);
+ if (p != (CoderInfo *) NULL)
+ (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+- rights=ReadPolicyRights;
++ rights=AllPolicyRights;
+ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
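Review bot: rights=AllPolicyRights set here in OpenModule() is overwritten by 0037, which changes the same line to ReadPolicyRights|WritePolicyRights. Carrying 0034 to 0037 as separate upstream commits is fine for traceability, but the header should say that this patch is not meant to be applied without 0037, since the [partial] tag alone does not tell which state is final.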
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,65 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 17:01:23 +0200
+Subject: CVE-2021-39212: Use the correct rights.
+
+(cherry picked from commit 428e68597fa904d0bdc133d878e12acd7dc60fa3)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/428e68597fa904d0bdc133d878e12acd7dc60fa3
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 2 +-
+ magick/static.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index da267..3d177 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1283,7 +1283,7 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+ p=GetCoderInfo(module,exception);
+ if (p != (CoderInfo *) NULL)
+ (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+- rights=AllPolicyRights;
++ rights=ReadPolicyRights|WritePolicyRights;
+ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
+diff --git a/magick/static.c b/magick/static.c
+index 3b036..1268d 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -398,7 +398,7 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+ p=GetCoderInfo(module,exception);
+ if (p != (CoderInfo *) NULL)
+ (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+- rights=AllPolicyRights;
++ rights=ReadPolicyRights|WritePolicyRights;
+ if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+ {
+ errno=EPERM;
+@@ -441,18 +441,22 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+ */
+ MagickExport void RegisterStaticModules(void)
+ {
++ PolicyRights
++ rights;
++
+ size_t
+ extent;
+
+ ssize_t
+ i;
+
++ rights=ReadPolicyRights|WritePolicyRights;
+ extent=sizeof(MagickModules)/sizeof(MagickModules[0]);
+ for (i=0; i < (ssize_t) extent; i++)
+ {
+ if (MagickModules[i].registered == MagickFalse)
+ {
+- if (IsRightsAuthorized(ModulePolicyDomain,AllPolicyRights,
++ if (IsRightsAuthorized(ModulePolicyDomain,rights,
+ MagickModules[i].module) == MagickFalse)
+ continue;
+ (void) (MagickModules[i].register_module)();
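Review bot: the mask ReadPolicyRights|WritePolicyRights is now spelled out in three places (OpenModule(), RegisterStaticModule(), RegisterStaticModules()), and the visible lines do not show whether IsRightsAuthorized() denies when any requested right is missing or only when all are. Since the changelog describes this CVE as Postscript being readable and writable despite a module policy, an autopkgtest that installs such a policy.xml entry and asserts that both reading and writing fail would guard the backport.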
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,38 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 15 Mar 2022 21:59:36 -0400
+Subject: Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4947
+bug-debian: https://bugs.debian.org/1013282
+origin: https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch
+---
+ coders/dcm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index d274ad..439aa 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3242,15 +3242,15 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ RelinquishMagickMemory(info_copy);
+ }
+
+- /*
+- If we're entering a sequence, push the current image parameters onto
+- the stack, so we can restore them at the end of the sequence.
+- */
+ if (strcmp(explicit_vr,"SQ") == 0)
+ {
+- DCMInfo *info_copy = (DCMInfo *) AcquireMagickMemory(sizeof(info));
+- memcpy(info_copy,&info,sizeof(info));
+- AppendValueToLinkedList(stack,info_copy);
++ /*
++ If we're entering a sequence, push the current image parameters
++ onto the stack, so we can restore them at the end of the sequence.
++ */
++ DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info));
++ (void) memcpy(clone_info,&info,sizeof(info));
++ AppendValueToLinkedList(stack,clone_info);
+ sequence_depth++;
+ }
+
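Review bot: the header does not explain how this fixes a use after free: the visible change in ReadDCMImage() is a comment move, a rename of info_copy to clone_info and a (void) cast on memcpy(), none of which alters when the copy is freed. Please add the reasoning to the patch description. Separately, the result of AcquireMagickMemory() is passed to memcpy() without a NULL check.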
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,25 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 26 Mar 2022 09:27:36 -0400
+Subject: CVE-2022-28463: buffer overflow in cin coder
+
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+bug: https://github.com/ImageMagick/ImageMagick/issues/4988
+origin: https://github.com/ImageMagick/ImageMagick6/commit/e6ea5876e0228165ee3abc6e959aa174cee06680.patch
+(cherry picked from commit e6ea5876e0228165ee3abc6e959aa174cee06680)
+---
+ coders/cin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/cin.c b/coders/cin.c
+index 2f814e..67c56 100644
+--- a/coders/cin.c
++++ b/coders/cin.c
+@@ -450,6 +450,8 @@ static Image *ReadCINImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->endian=(magick[0] == 0x80) && (magick[1] == 0x2a) &&
+ (magick[2] == 0x5f) && (magick[3] == 0xd7) ? MSBEndian : LSBEndian;
+ cin.file.image_offset=ReadBlobLong(image);
++ if (cin.file.image_offset < 712)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ offset+=4;
+ cin.file.generic_length=ReadBlobLong(image);
+ offset+=4;
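Review bot: the lower bound 712 on cin.file.image_offset in ReadCINImage() is a bare magic number; add a comment or a named constant saying what it represents (presumably the minimum header size) so the check can be audited against the format. Only the lower bound is validated here; if nothing later compares image_offset with the blob size, an upper bound belongs next to it.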
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,111 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 19 Mar 2022 07:01:57 -0400
+Subject: CVE-2022-32545: undefined behavior value outside char range
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/4963
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2091811
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa.patch
+
+(cherry picked from commit 450949ed017f009b399c937cf362f0058eacc5fa)
+---
+ coders/emf.c | 3 ++-
+ coders/psd.c | 5 +++--
+ magick/widget.c | 6 ++++++
+ wand/animate.c | 5 ++++-
+ wand/display.c | 5 ++++-
+ 5 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/coders/emf.c b/coders/emf.c
+index 6a9db..fd93c 100644
+--- a/coders/emf.c
++++ b/coders/emf.c
+@@ -411,7 +411,8 @@ static HENHMETAFILE ReadEnhMetaFile(const char *path,ssize_t *width,
+ }
+ ReadFile(hFile,pBits,dwSize,&dwSize,NULL);
+ CloseHandle(hFile);
+- if (((PAPMHEADER) pBits)->dwKey != 0x9ac6cdd7l)
++ if (((PAPMHEADER) pBits)->dwKey != 0x9ac6cdd7l ||
++ (((PAPMHEADER) pBits)->wInch == 0))
+ {
+ pBits=(BYTE *) DestroyString((char *) pBits);
+ return((HENHMETAFILE) NULL);
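Review bot: the new `wInch == 0` test reads a header field from pBits, but the context line `ReadFile(hFile,pBits,dwSize,&dwSize,NULL);` ignores the return value and never compares the byte count written back to dwSize against the size of the structure PAPMHEADER points to, so after a short or failed read both dwKey and wInch come from whatever the buffer held. Suggest checking the ReadFile result and the resulting dwSize before the cast. The subject line speaks of a char range while this hunk guards a zero field, which the patch description should mention.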
+diff --git a/coders/psd.c b/coders/psd.c
+index 3dc25..5c70c 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -1045,8 +1045,9 @@ static MagickBooleanType ReadPSDChannelPixels(Image *image,
+ number_bits=8;
+ for (bit=0; bit < number_bits; bit++)
+ {
+- SetPSDPixel(image,channels,type,packet_size,(((unsigned char) pixel)
+- & (0x01 << (7-bit))) != 0 ? 0 : QuantumRange,q++,indexes,x++);
++ SetPSDPixel(image,channels,type,packet_size,
++ (((unsigned char) ((ssize_t) pixel)) & (0x01 << (7-bit))) != 0 ? 0 :
++ QuantumRange,q++,indexes,x++);
+ }
+ if (x != (ssize_t) image->columns)
+ x--;
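Review bot: the intermediate `(ssize_t)` cast in `(unsigned char) ((ssize_t) pixel)` carries no comment, so it looks redundant and is likely to be dropped in a later cleanup. A one-line comment stating that the value is narrowed through a signed integer first to avoid an out-of-range conversion to unsigned char would help. If pixel can be a floating-point value (its declaration is not in this hunk), a value outside the range of ssize_t is still not covered, and clamping before the cast would close that.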
+diff --git a/magick/widget.c b/magick/widget.c
+index e93a3..605558 100644
+--- a/magick/widget.c
++++ b/magick/widget.c
+@@ -7858,6 +7858,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+ break;
+ }
+ state&=(~InactiveWidgetState);
++ if (selection_info.height == 0)
++ break;
+ id=(event.xbutton.y-top_offset)/(int) selection_info.height;
+ selection_info.id=id;
+ if ((id < 0) || (id >= (int) number_selections))
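Review bot: in the hunk at 7858 the `selection_info.height == 0` guard sits after `state&=(~InactiveWidgetState);`, so on a zero height the handler leaves the switch with state already changed and selection_info.id not updated. If that half-applied state is not intended, move the guard above the state update; the hunk at 7911 has the same ordering.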
+@@ -7911,6 +7913,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+ if (event.xcrossing.state == 0)
+ break;
+ state&=(~InactiveWidgetState);
++ if (selection_info.height == 0)
++ break;
+ id=((event.xcrossing.y-top_offset)/(int) selection_info.height);
+ if ((selection_info.id >= 0) &&
+ (selection_info.id < (int) number_selections))
+@@ -7997,6 +8001,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+ break;
+ if (state & InactiveWidgetState)
+ break;
++ if (selection_info.height == 0)
++ break;
+ id=(event.xmotion.y-top_offset)/(int) selection_info.height;
+ if ((selection_info.id >= 0) &&
+ (selection_info.id < (int) number_selections))
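Review bot: this is the third copy of the same `if (selection_info.height == 0) break;` guard, one before each division by selection_info.height. Three separate checks are easy to miss when a fourth division is added; validating the height once where selection_info is filled in, or wrapping the division in a small helper, would keep the invariant in one place. A comment on when the height can legitimately be zero would also help.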
+diff --git a/wand/animate.c b/wand/animate.c
+index 0f704..adc84 100644
+--- a/wand/animate.c
++++ b/wand/animate.c
+@@ -1143,7 +1143,10 @@ WandExport MagickBooleanType AnimateImageCommand(ImageInfo *image_info,
+ if (i == (ssize_t) argc)
+ ThrowAnimateException(OptionError,"MissingArgument",option);
+ if (XRemoteCommand(display,resource_info.window_id,argv[i]) != 0)
+- return(MagickFalse);
++ {
++ DestroyAnimate();
++ return(MagickFalse);
++ }
+ i--;
+ break;
+ }
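Review bot: the DestroyAnimate() call added on the XRemoteCommand failure path is a resource cleanup, which the patch subject ("undefined behavior value outside char range") and the DEP-3 header do not mention; the same applies to the DestroyDisplay() change in wand/display.c. For a stable update, please state in the patch description that this cherry-pick also carries these cleanups and the zero checks in emf.c and widget.c, so that the CVE mapping can be audited.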
+diff --git a/wand/display.c b/wand/display.c
+index b7b9e..27aba 100644
+--- a/wand/display.c
++++ b/wand/display.c
+@@ -1491,7 +1491,10 @@ WandExport MagickBooleanType DisplayImageCommand(ImageInfo *image_info,
+ if (i == (ssize_t) argc)
+ ThrowDisplayException(OptionError,"MissingArgument",option);
+ if (XRemoteCommand(display,resource_info.window_id,argv[i]) != 0)
+- return(MagickFalse);
++ {
++ DestroyDisplay();
++ return(MagickFalse);
++ }
+ i--;
+ break;
+ }
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,27 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 24 Mar 2022 11:38:59 -0400
+Subject: CVE-2022-32546 outside the range of representable values of type
+ 'unsigned long' at coders/pcl.c,
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/4986
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943.patch
+---
+ coders/pcl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/pcl.c b/coders/pcl.c
+index a6bd6..f1d9a 100644
+--- a/coders/pcl.c
++++ b/coders/pcl.c
+@@ -294,8 +294,8 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ /*
+ Set PCL render geometry.
+ */
+- width=(size_t) floor(bounds.x2-bounds.x1+0.5);
+- height=(size_t) floor(bounds.y2-bounds.y1+0.5);
++ width=(size_t) CastDoubleToLong(floor(bounds.x2-bounds.x1+0.5));
++ height=(size_t) CastDoubleToLong(floor(bounds.y2-bounds.y1+0.5));
+ if (width > page.width)
+ page.width=width;
+ if (height > page.height)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch 2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,33 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 9 Apr 2022 08:40:54 -0400
+Subject: Fix CVE-2022-32547: unaligned access in property
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/5034
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b.patch
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2091813
+---
+ magick/property.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/magick/property.c b/magick/property.c
+index 0381b..f83954 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -1513,12 +1513,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
+ }
+ case EXIF_FMT_SINGLE:
+ {
+- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
++ EXIFMultipleValues(4,"%.20g",(double)
++ ReadPropertySignedLong(endian,p1));
+ break;
+ }
+ case EXIF_FMT_DOUBLE:
+ {
+- EXIFMultipleValues(8,"%f",*(double *) p1);
++ EXIFMultipleValues(8,"%.20g",(double)
++ ReadPropertySignedLong(endian,p1));
+ break;
+ }
+ case EXIF_FMT_STRING:
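Review bot: in both cases the replacement changes what is read, not only how it is read. `(double) ReadPropertySignedLong(endian,p1)` converts an integer to double numerically, whereas the removed `*(float *) p1` and `*(double *) p1` interpreted the bytes as floating-point values, so EXIF_FMT_SINGLE and EXIF_FMT_DOUBLE properties will print different numbers; the DOUBLE case still declares an 8-byte component while calling a helper whose name indicates a long read. If the aim is only to avoid the unaligned dereference, copying the bytes into a local float or double with memcpy (with byte order handled) keeps the old output. Please confirm the behaviour change is intended for stable.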
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series 2023-02-03 17:59:07.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2023-05-25 21:50:29.000000000 +0000
@@ -23,3 +23,20 @@
0001-https-github.com-ImageMagick-ImageMagick6-issues-145.patch
0023-disable-ghostscript-formats.patch
move-profile-property-to-cli-option.patch
+0026-CVE-2021-3574-memory-leak.patch
+0027-CVE-2021-4219-Dos.patch
+0028-CVE-2021-20241.patch
+0029-CVE-2021-20243.patch
+0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch
+0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch
+0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch
+0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch
+0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch
+0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch
+0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch
+0037-CVE-2021-39212-Use-the-correct-rights.patch
+0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch
+0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch
+0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch
+0041-CVE-2022-32546-outside-the-range-of-representable-va.patch
+0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch
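Review bot: 0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch is added to the series, but the [ Changes ] summary in the request ends at CVE-2022-32546 and has no entry for CVE-2022-32547. Since the checklist states that all changes are documented in d/changelog, either add the entry or drop the patch from this upload.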
diff -Nru imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh
--- imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh 2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Debug what repositories are available to begin with
+grep -r "^deb " /etc/apt/sources.*
+
+# Enable the same repositories that were available at build time in
+# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye
+. /etc/os-release
+cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+EOF
+
+apt-get update
+
+# Ref
+# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
+# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58
+# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85
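Review bot: with `set -e` in effect, the debug line `grep -r "^deb " /etc/apt/sources.*` aborts the script whenever grep finds no match (exit status 1), for example when the image keeps its sources only in deb822 `.sources` files, and the repository list is then never written. Append `|| true` to that line. The here-document is unquoted, which is needed for $VERSION_CODENAME to expand, so a check that the variable is non-empty after sourcing /etc/os-release would avoid writing a broken list file.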
diff -Nru imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml
--- imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml 2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,8 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_PIUPARTS_PRE_INSTALL_SCRIPT: 'debian/salsa-ci-enable-sec-and-update-repos.sh'
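Review bot: both include URLs point at raw/master of the pipeline repository, so the CI definition for this stable branch changes whenever that branch does. That is acceptable if intended, but a comment saying so, or a pinned ref, would make pipeline behaviour reproducible. Also confirm that debian/salsa-ci-enable-sec-and-update-repos.sh is usable as the pre-install script as shipped, since the debdiff does not show its mode.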