Bug#1104243: marked as done (bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u3)

To: jmw@debian.org
Subject: Bug#1104243: marked as done (bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 17 May 2025 09:39:25 +0000
Message-id: <[🔎] handler.1104243.D1104243.17474746811605542.ackdone@bugs.debian.org>
Reply-to: 1104243@bugs.debian.org
References: <E1uGDzR-005KH8-Lt@coccia.debian.org> <174577087998.1148916.13392294067344279372.reportbug@localhost>

Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KH8-Lt@coccia.debian.org>
and subject line Close 1104243
has caused the Debian Bug report #1104243,
regarding bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1104243: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104243
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u3
From: Adrian Bunk <bunk@debian.org>
Date: Sun, 27 Apr 2025 19:21:19 +0300
Message-id: <174577087998.1148916.13392294067344279372.reportbug@localhost>

Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>

  * CVE-2025-43965: MIFF image depth mishandled after SetQuantumFormat

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.

diffstat for imagemagick-6.9.11.60+dfsg imagemagick-6.9.11.60+dfsg

 changelog                                                               |    7 ++
 patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch |   25 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 33 insertions(+)

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 13:48:47.000000000 +0300
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2025-04-26 20:26:11.000000000 +0300
@@ -1,3 +1,10 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u3) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-43965: MIFF image depth mishandled after SetQuantumFormat
+
+ -- Adrian Bunk <bunk@debian.org>  Sat, 26 Apr 2025 20:26:11 +0300
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) bookworm; urgency=medium
 
   * CVE-2023-34151 fix was incomplete (Closes: #1070340)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch	1970-01-01 02:00:00.000000000 +0200
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch	2025-04-26 20:26:11.000000000 +0300
@@ -0,0 +1,25 @@
+From 64789006934b2974390aa060354ad318c34e0f6a Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Tue, 11 Feb 2025 22:34:41 +0100
+Subject: Update the image depth after this has been changed by
+ SetQuantumFormat.
+
+---
+ coders/miff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 888be96a5..0703d4822 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1310,6 +1310,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+     if (quantum_format != UndefinedQuantumFormat)
+       {
+         status=SetQuantumFormat(image,quantum_info,quantum_format);
++        image->depth=GetImageQuantumDepth(image,MagickFalse);
+         if (status == MagickFalse)
+           ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
+       }
+-- 
+2.30.2
+
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series	2024-07-11 13:48:47.000000000 +0300
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series	2025-04-26 20:26:11.000000000 +0300
@@ -78,3 +78,4 @@
 0078-do-not-composite-SVG-to-avoid-possible-recursion.patch
 0079-recursion-detection-framework.patch
 0080-Fixed-memory-leak.patch
+0001-Update-the-image-depth-after-this-has-been-changed-b.patch

--- End Message ---

--- Begin Message ---

To: 1104243-done@bugs.debian.org

Subject: Close 1104243

From: jmw@debian.org

Date: Sat, 17 May 2025 09:37:57 +0000

Message-id: <E1uGDzR-005KH8-Lt@coccia.debian.org>
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---

Reply to:

Prev by Date: Bug#1104052: marked as done (bookworm-pu: package initramfs-tools/0.142+deb12u2)
Next by Date: Bug#1104287: marked as done (bookworm-pu: package poppler/22.12.0-2+deb12u1)
Previous by thread: Bug#1104052: marked as done (bookworm-pu: package initramfs-tools/0.142+deb12u2)
Next by thread: Bug#1104287: marked as done (bookworm-pu: package poppler/22.12.0-2+deb12u1)
Index(es):
- Date
- Thread