Package: release.debian.org
Severity: normal
X-Debbugs-Cc: imagemagick@packages.debian.org, carnil@debian.org, security@debian.org
Control: affects -1 + src:imagemagick
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

[ Reason ]
CVE fix asked for by carnil (security team), here in copy.
Note it is a proposed-testing-update because sid has some regression.

[ Impact ]
CVEs are open

[ Tests ]
Autopkgtest + internal testsuite

[ Risks ]
Low, changes are self-contained

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Asked by security team to go before release

unblock imagemagick/8:7.1.1.43+dfsg1-1+deb13u1
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2024-12-29 12:21:15.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-07-15 22:29:23.000000000 +0200 @@ -1,3 +1,35 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium + + * Fix CVE-2025-53014: + A heap buffer overflow was found in the `InterpretImageFilename` + function. The issue stems from an off-by-one error that + causes out-of-bounds memory access when processing format + strings containing consecutive percent signs (`%%`). + (Closes: #1109339) + * Fix CVE-2025-53015: + Infinite loop occur when writing during a specific XMP + file conversion command + (Closes: #1109339) + * Fix CVE-2025-53019: + `magick stream` command, specifying + multiple consecutive `%d` format specifiers in a + filename template causes a memory leak + (Closes: #1109339) + * Fix CVE-2025-53101: + `magick mogrify` command, specifying multiple consecutive + `%d` format specifiers in a filename template causes + internal pointer arithmetic to generate an address + below the beginning of the stack buffer, resulting + in a stack overflow through `vsnprintf()` + (Closes: #1109339) + * Fix CVE-2025-43965: + In MIFF image processing, image depth is mishandled + after SetQuantumFormat is used. + * Fix CVE-2025-46393: + In multispectral MIFF image processing, packet_size is mishandled. + + -- Bastien Roucariès <rouca@debian.org> Tue, 15 Jul 2025 22:29:23 +0200 + imagemagick (8:7.1.1.43+dfsg1-1) unstable; urgency=medium * New upstream version diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch 2025-07-15 22:29:23.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Dirk Lemstra <dirk@lemstra.org> +Date: Sat, 8 Feb 2025 23:31:39 +0100 +Subject: Update the image depth after this has been changed by + SetQuantumFormat. + +origin: https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-43965 +--- + coders/miff.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/miff.c b/coders/miff.c +index 355455b..887659e 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + if (quantum_format != UndefinedQuantumFormat) + { + status=SetQuantumFormat(image,quantum_info,quantum_format); ++ image->depth=quantum_info->depth; + if (status == MagickFalse) + ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed"); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch 2025-07-15 22:29:23.000000000 +0200 
@@ -0,0 +1,36 @@ +From: Cristy <urban-warrior@imagemagick.org> +Date: Fri, 7 Feb 2025 20:57:15 -0500 +Subject: multispectral MIFF images renders all channels in arbitrary order + +origin: https://github.com/ImageMagick/ImageMagick/commit/81ac8a0d2eb21739842ed18c48c7646b7eef65b8 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-46393 +--- + coders/miff.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 887659e..47fa753 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1348,10 +1348,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + packet_size+=image->depth/8; + if (image->colorspace == CMYKColorspace) + packet_size+=image->depth/8; ++ if (image->number_meta_channels != 0) ++ packet_size=GetImageChannels(image)*image->depth/8; + if (image->compression == RLECompression) + packet_size++; +- if (image->number_meta_channels != 0) +- packet_size+=image->number_meta_channels*image->depth/8; + compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size* + image->columns),LZMAMaxExtent(packet_size*image->columns)), + ZipMaxExtent(packet_size*image->columns)); +@@ -2172,7 +2172,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, + if (compression == RLECompression) + packet_size++; + if (image->number_meta_channels != 0) +- packet_size+=image->number_meta_channels*image->depth/8; ++ packet_size=GetImageChannels(image)*image->depth/8; + length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent( + packet_size*image->columns)); + if ((compression == BZipCompression) || (compression == ZipCompression)) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch 2025-07-15 22:29:23.000000000 
+0200 @@ -0,0 +1,25 @@ +From: Dirk Lemstra <dirk@lemstra.org> +Date: Thu, 26 Jun 2025 23:01:07 +0200 +Subject: Correct out of bounds read of a single byte. + +origin: https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53014 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339 +--- + MagickCore/image.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 261d750..1b242f8 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + q=(char *) p+1; + if (*q == '%') + { +- p=q+1; ++ p++; + continue; + } + field_width=0; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch 2025-07-15 22:29:23.000000000 +0200 
@@ -0,0 +1,48 @@ +From: Dirk Lemstra <dirk@lemstra.org> +Date: Fri, 2 May 2025 18:33:17 +0200 +Subject: [PATCH] Added extra checks to make sure we don't get stuck in the + while loop. + +origin: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339 +--- + MagickCore/image-private.h | 1 + + MagickCore/profile.c | 11 +++++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h +index 4ce71c3..11dca10 100644 +--- a/MagickCore/image-private.h ++++ b/MagickCore/image-private.h +@@ -52,6 +52,7 @@ extern "C" { + #define MAGICK_SIZE_MAX (SIZE_MAX) + #define MAGICK_SSIZE_MAX (SSIZE_MAX) + #define MAGICK_SSIZE_MIN (-SSIZE_MAX-1) ++#define MAGICK_ULONG_MAX (ULONG_MAX) + #define MatteColor "#bdbdbd" /* gray */ + #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\ + ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha +diff --git a/MagickCore/profile.c b/MagickCore/profile.c +index 7eea1d3..85c1801 100644 +--- a/MagickCore/profile.c ++++ b/MagickCore/profile.c +@@ -2571,6 +2571,17 @@ static void GetXmpNumeratorAndDenominator(double value, + *denominator=1; + if (value <= MagickEpsilon) + return; ++ if (value > (double) MAGICK_ULONG_MAX) ++ { ++ *numerator = MAGICK_ULONG_MAX; ++ *denominator = 1; ++ return; ++ } ++ if (floor(value) == value) ++ { ++ *numerator = (unsigned long) value; ++ *denominator = 1; ++ } + *numerator=1; + df=1.0; + while(fabs(df - value) > MagickEpsilon) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch 1970-01-01 01:00:00.000000000 +0100 +++ 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch 2025-07-15 22:29:23.000000000 +0200 @@ -0,0 +1,24 @@ +From: Dirk Lemstra <dirk@lemstra.org> +Date: Mon, 12 May 2025 22:23:48 +0200 +Subject: Added missing return. + +origin: https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339 +--- + MagickCore/profile.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/MagickCore/profile.c b/MagickCore/profile.c +index 85c1801..a68e54f 100644 +--- a/MagickCore/profile.c ++++ b/MagickCore/profile.c +@@ -2581,6 +2581,7 @@ static void GetXmpNumeratorAndDenominator(double value, + { + *numerator = (unsigned long) value; + *denominator = 1; ++ return; + } + *numerator=1; + df=1.0; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch 2025-07-15 22:29:23.000000000 +0200 
@@ -0,0 +1,24 @@ +From: Dirk Lemstra <dirk@lemstra.org> +Date: Fri, 27 Jun 2025 14:51:57 +0200 +Subject: Fixed memory leak when entering StreamImage multiple times. + +origin: https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc +--- + MagickCore/stream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/MagickCore/stream.c b/MagickCore/stream.c +index 786dabb..22a0c9e 100644 +--- a/MagickCore/stream.c ++++ b/MagickCore/stream.c +@@ -1321,7 +1321,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info, + image_info->filename); + read_info=CloneImageInfo(image_info); + stream_info->image_info=image_info; +- stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); ++ if (stream_info->quantum_info == (QuantumInfo *) NULL) ++ stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); + if (stream_info->quantum_info == (QuantumInfo *) NULL) + { + read_info=DestroyImageInfo(read_info); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch 1970-01-01 01:00:00.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch 2025-07-15 22:29:23.000000000 +0200 
@@ -0,0 +1,54 @@ +From: Cristy <urban-warrior@imagemagick.org> +Date: Fri, 27 Jun 2025 20:02:12 -0400 +Subject: [PATCH] + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9 + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9 +--- + MagickCore/image.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 1b242f8..63d6ef0 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + canonical; + + ssize_t +- field_width, + offset; + + canonical=MagickFalse; +@@ -1681,22 +1680,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + p++; + continue; + } +- field_width=0; +- if (*q == '0') +- field_width=(ssize_t) strtol(q,&q,10); + switch (*q) + { + case 'd': + case 'o': + case 'x': + { ++ ssize_t ++ count; ++ + q++; + c=(*q); + *q='\0'; +- (void) FormatLocaleString(filename+(p-format-offset),(size_t) ++ count=FormatLocaleString(filename+(p-format-offset),(size_t) + (MagickPathExtent-(p-format-offset)),p,value); +- offset+=(4-field_width); +- *q=c; ++ if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ return(0); ++ offset+=(ssize_t) ((q-p)-count); ++ *q=(char) c; + (void) ConcatenateMagickString(filename,q,MagickPathExtent); + canonical=MagickTrue; + if (*(q-1) != '%') diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2024-12-29 12:21:15.000000000 +0100 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-07-15 22:29:23.000000000 +0200 
@@ -32,3 +32,10 @@ 0032-Remove-cse-script.patch 0033-Fix-remaining-html-error.patch 0034-Fix-html-error-1034333.patch +CVE-2025-43965.patch +CVE-2025-46393.patch +CVE-2025-53014.patch +CVE-2025-53015_1.patch +CVE-2025-53015_2.patch +CVE-2025-53101.patch +CVE-2025-53019.patch
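Review bot: in the CVE-2025-43965.patch hunk for ReadMIFFImage, `image->depth=quantum_info->depth;` runs before `status` is tested, so the depth is also overwritten when SetQuantumFormat has failed. The exception is thrown on the next lines, so this is likely harmless, but placing the assignment after the `status == MagickFalse` check would make the intended ordering explicit.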
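Review bot: in the CVE-2025-46393.patch hunk for WriteMIFFImage, `packet_size=GetImageChannels(image)*image->depth/8;` still sits after `if (compression == RLECompression) packet_size++;`, so with meta channels present the RLE increment is discarded by the assignment. The ReadMIFFImage hunk in the same patch moves the assignment above the RLE increment precisely so the extra byte is kept; the write path should be reordered the same way, or the asymmetry confirmed with upstream, because `length` is derived from `packet_size*image->columns` immediately afterwards.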
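Review bot: in the CVE-2025-53015_1.patch hunk for GetXmpNumeratorAndDenominator, the `if (floor(value) == value)` branch sets `*numerator` and `*denominator` but has no `return`, so it falls through to `*numerator=1;` and the `while` loop the patch is meant to avoid; the fix is only effective together with CVE-2025-53015_2.patch, and the two must stay adjacent in d/patches/series (or be squashed). Separately, `value > (double) MAGICK_ULONG_MAX` should be `>=`: where unsigned long is 64 bits, the cast rounds ULONG_MAX up to 2^64, so a value of exactly 2^64 passes the test and reaches `(unsigned long) value`, which is out of range for the conversion.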
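Review bot: the header of CVE-2025-53019.patch carries only `origin` and `bug`, and CVE-2025-53101.patch likewise, while the CVE-2025-53014 and CVE-2025-53015 patches also carry `bug-debian-security` and `bug-debian`. Since d/changelog closes #1109339 for both CVE-2025-53019 and CVE-2025-53101, adding the two fields to these patch headers would keep the patch metadata consistent with the changelog and with the other patches in the series.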
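Review bot: in the second CVE-2025-53101.patch hunk for InterpretImageFilename, the new `return(0);` is taken after `*q='\0';` but before `*q=(char) c;`, so on the error path the byte saved in `c` is never restored and the string `q` points into is left truncated; restore `*q` before returning. Also worth checking is the bound itself: if FormatLocaleString returns the vsnprintf-style would-be length, truncation is signalled by `count >= size`, so `count > (MagickPathExtent-(p-format-offset))` lets the exactly-full case through and `offset+=(ssize_t) ((q-p)-count);` is then computed from a count one larger than what was written.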