
Bug#1109572: unblock: imagemagick/8:7.1.1.43+dfsg1-1+deb13u1



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: imagemagick@packages.debian.org, carnil@debian.org, security@debian.org
Control: affects -1 + src:imagemagick
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

[ Reason ]
CVE fixes asked for by carnil (security team), here in copy.
Note it is a proposed-testing-update because sid has
some regression

[ Impact ]
CVEs are open

[ Tests ]
Autopkgtest + internal testsuite

[ Risks ]
Low, changes are self-contained

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Asked by the security team to go in before release

unblock imagemagick/8:7.1.1.43+dfsg1-1+deb13u1
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog	2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog	2025-07-15 22:29:23.000000000 +0200
@@ -1,3 +1,35 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-53014:
+    A heap buffer overflow was found in the `InterpretImageFilename`
+    function. The issue stems from an off-by-one error that
+    causes out-of-bounds memory access when processing format
+    strings containing consecutive percent signs (`%%`).
+    (Closes: #1109339)
+  * Fix CVE-2025-53015:
+    Infinite loop occur when writing during a specific XMP
+    file conversion command
+    (Closes: #1109339)
+  * Fix CVE-2025-53019:
+    `magick stream` command, specifying
+    multiple consecutive `%d` format specifiers in a
+    filename template causes a memory leak
+    (Closes: #1109339)
+  * Fix CVE-2025-53101:
+    `magick mogrify` command, specifying multiple consecutive
+    `%d` format specifiers in a filename template causes
+    internal pointer arithmetic to generate an address
+    below the beginning of the stack buffer, resulting
+    in a stack overflow through `vsnprintf()`
+    (Closes: #1109339)
+  * Fix CVE-2025-43965:
+    In MIFF image processing, image depth is mishandled
+    after SetQuantumFormat is used.
+  * Fix CVE-2025-46393:
+    In multispectral MIFF image processing, packet_size is mishandled.
+
+ -- Bastien Roucariès <rouca@debian.org>  Tue, 15 Jul 2025 22:29:23 +0200
+
 imagemagick (8:7.1.1.43+dfsg1-1) unstable; urgency=medium
 
   * New upstream version
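Review bot: the CVE-2025-43965 and CVE-2025-46393 entries carry no `(Closes: #...)` while the other four close #1109339, and the CVE-2025-53019 and CVE-2025-53101 entries say they close #1109339 although those two patch headers (unlike the other four) have no `bug-debian:` line. Add the Debian bug reference to those two patch headers, and if the two MIFF CVEs are tracked in a separate bug, reference it here so the tracker can cross-check the upload; otherwise the `bug-debian-security:` links in the patch headers are the only cross-reference for them.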
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 8 Feb 2025 23:31:39 +0100
+Subject: Update the image depth after this has been changed by
+ SetQuantumFormat.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-43965
+---
+ coders/miff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 355455b..887659e 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+     if (quantum_format != UndefinedQuantumFormat)
+       {
+         status=SetQuantumFormat(image,quantum_info,quantum_format);
++        image->depth=quantum_info->depth;
+         if (status == MagickFalse)
+           ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
+       }
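Review bot: the new `image->depth=quantum_info->depth;` runs before the `status == MagickFalse` check, so the image depth is overwritten even when SetQuantumFormat fails; placing it after the ThrowMIFFException branch keeps depth untouched on the error path and reads more clearly. A one-line comment would help too: this depth feeds the `packet_size+=image->depth/8` sums a few lines further down, which is why a stale depth under-sizes the packet buffers the reader allocates.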
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,36 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 7 Feb 2025 20:57:15 -0500
+Subject: multispectral MIFF images renders all channels in arbitrary order
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/81ac8a0d2eb21739842ed18c48c7646b7eef65b8
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-46393
+---
+ coders/miff.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 887659e..47fa753 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1348,10 +1348,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+       packet_size+=image->depth/8;
+     if (image->colorspace == CMYKColorspace)
+       packet_size+=image->depth/8;
++    if (image->number_meta_channels != 0)
++      packet_size=GetImageChannels(image)*image->depth/8;
+     if (image->compression == RLECompression)
+       packet_size++;
+-    if (image->number_meta_channels != 0)
+-      packet_size+=image->number_meta_channels*image->depth/8;
+     compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size*
+       image->columns),LZMAMaxExtent(packet_size*image->columns)),
+       ZipMaxExtent(packet_size*image->columns));
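Review bot: when meta channels are present, `packet_size=GetImageChannels(image)*image->depth/8;` discards the alpha and CMYK contributions accumulated just above, so correctness now rests on GetImageChannels() counting every stored channel (colour, alpha, CMYK black and meta); a short comment saying so would save the next reader a trip to its definition. The assignment is correctly placed ahead of the RLE `packet_size++` so the run-length byte is still counted and `compress_extent` is sized from the full per-pixel packet; keep it there.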
+@@ -2172,7 +2172,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
+     if (compression == RLECompression)
+       packet_size++;
+     if (image->number_meta_channels != 0)
+-      packet_size+=image->number_meta_channels*image->depth/8;
++      packet_size=GetImageChannels(image)*image->depth/8;
+     length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent(
+       packet_size*image->columns));
+     if ((compression == BZipCompression) || (compression == ZipCompression))
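Review bot: in WriteMIFFImage the meta-channel assignment stays below `if (compression == RLECompression) packet_size++;`, so for an RLE-compressed image with meta channels the run-length count byte added there is overwritten by `packet_size=GetImageChannels(image)*image->depth/8;`, and `length` for the compressed buffer is undersized by one byte per pixel. The ReadMIFFImage hunk above moved the same assignment ahead of the RLE increment; the writer should match it (move the `number_meta_channels` block above the RLE check), or the two sides of the format disagree on the packet layout.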
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Thu, 26 Jun 2025 23:01:07 +0200
+Subject: Correct out of bounds read of a single byte.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53014
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 261d750..1b242f8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     q=(char *) p+1;
+     if (*q == '%')
+       {
+-        p=q+1;
++        p++;
+         continue;
+       }
+     field_width=0;
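Review bot: `p++` instead of `p=q+1` leaves p on the second `%` and relies on the enclosing loop's own increment to step past it; the old form stepped past the second `%` here and then once more in the loop, which is the one-byte over-read past the terminating NUL for a template ending in `%%`. The loop header is outside the context shown, so confirm in the applied source that the loop increments p on `continue` (a `for` with `p++` does; a `while` with a manual increment at the end of the body would not, and would then spin on the same `%%`). CVE-2025-53101.patch's context already expects this `p++`, so the series must keep 53014 ahead of it.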
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,48 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 2 May 2025 18:33:17 +0200
+Subject: [PATCH] Added extra checks to make sure we don't get stuck in the
+  while loop.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image-private.h |  1 +
+ MagickCore/profile.c       | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index 4ce71c3..11dca10 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -52,6 +52,7 @@ extern "C" {
+ #define MAGICK_SIZE_MAX  (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX  (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN  (-SSIZE_MAX-1)
++#define MAGICK_ULONG_MAX  (ULONG_MAX)
+ #define MatteColor  "#bdbdbd"  /* gray */
+ #define MatteColorRGBA  ScaleShortToQuantum(0xbdbd),\
+   ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 7eea1d3..85c1801 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2571,6 +2571,17 @@ static void GetXmpNumeratorAndDenominator(double value,
+   *denominator=1;
+   if (value <= MagickEpsilon)
+     return;
++  if (value > (double) MAGICK_ULONG_MAX)
++    {
++      *numerator = MAGICK_ULONG_MAX;
++      *denominator = 1;
++      return;
++    }
++  if (floor(value) == value)
++    {
++      *numerator = (unsigned long) value;
++      *denominator = 1;
++    }
+   *numerator=1;
+   df=1.0;
+   while(fabs(df - value) > MagickEpsilon)
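Review bot: the `floor(value) == value` branch has no `return`, so after setting `*numerator`/`*denominator` it falls through to `*numerator=1;` and the `while(fabs(df - value) > MagickEpsilon)` loop, and the integral fast path never takes effect; only the `value > (double) MAGICK_ULONG_MAX` clamp above it actually short-circuits. CVE-2025-53015_2.patch supplies the missing return. One more edge on the clamp: on targets where `unsigned long` is 64-bit, `(double) MAGICK_ULONG_MAX` rounds up to 2^64, so a value of exactly 2^64 is not clamped (`>` is false), passes `floor(value) == value`, and reaches `(unsigned long) value`, an out-of-range conversion that is undefined in C; `value >= (double) MAGICK_ULONG_MAX` closes that gap.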
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Mon, 12 May 2025 22:23:48 +0200
+Subject: Added missing return.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/profile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 85c1801..a68e54f 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2581,6 +2581,7 @@ static void GetXmpNumeratorAndDenominator(double value,
+     {
+       *numerator = (unsigned long) value;
+       *denominator = 1;
++      return;
+     }
+   *numerator=1;
+   df=1.0;
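Review bot: this one-line return completes the integral fast path from CVE-2025-53015_1.patch; since both land in the same upload, fold it into the first patch so no point in the series carries the fall-through version of the branch (an intermediate state that still enters the loop for integral values is only confusing to bisect later).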
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 27 Jun 2025 14:51:57 +0200
+Subject: Fixed memory leak when entering StreamImage multiple times.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
+---
+ MagickCore/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/stream.c b/MagickCore/stream.c
+index 786dabb..22a0c9e 100644
+--- a/MagickCore/stream.c
++++ b/MagickCore/stream.c
+@@ -1321,7 +1321,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info,
+       image_info->filename);
+   read_info=CloneImageInfo(image_info);
+   stream_info->image_info=image_info;
+-  stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
++  if (stream_info->quantum_info == (QuantumInfo *) NULL)
++    stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
+   if (stream_info->quantum_info == (QuantumInfo *) NULL)
+     {
+       read_info=DestroyImageInfo(read_info);
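Review bot: the guard stops the re-acquisition, but it also means a StreamImage() call on a stream_info that already holds a QuantumInfo reuses the one built from the earlier image_info rather than the current one; if quantum depth or format can differ between calls that share a StreamInfo, the existing object should be reset (or destroyed and re-acquired) rather than kept. Confirm in the applied source that DestroyStreamInfo() (outside this hunk) releases quantum_info, otherwise the first acquisition still leaks. Unlike the other patches in this upload, the header has no `bug-debian:` line although the changelog closes #1109339 for this CVE.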
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,54 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 27 Jun 2025 20:02:12 -0400
+Subject: [PATCH]
+  https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+
+origin: backport, https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+---
+ MagickCore/image.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1b242f8..63d6ef0 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     canonical;
+ 
+   ssize_t
+-    field_width,
+     offset;
+ 
+   canonical=MagickFalse;
+@@ -1681,22 +1680,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         p++;
+         continue;
+       }
+-    field_width=0;
+-    if (*q == '0')
+-      field_width=(ssize_t) strtol(q,&q,10);
+     switch (*q)
+     {
+       case 'd':
+       case 'o':
+       case 'x':
+       {
++        ssize_t
++          count;
++
+         q++;
+         c=(*q);
+         *q='\0';
+-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+           (MagickPathExtent-(p-format-offset)),p,value);
+-        offset+=(4-field_width);
+-        *q=c;
++        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++          return(0);
++        offset+=(ssize_t) ((q-p)-count);
++        *q=(char) c;
+         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+         canonical=MagickTrue;
+         if (*(q-1) != '%')
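Review bot: dropping `field_width` and the `if (*q == '0') field_width=(ssize_t) strtol(q,&q,10);` parsing changes behaviour as well as fixing the offset: a template such as `%03d` now has `*q == '0'` at the `switch`, so it no longer reaches the d/o/x case and is not expanded. Since the header marks this as a backport of 66dc8f51, confirm the upstream commit drops width parsing too rather than this being a backport artefact. The new `offset+=(ssize_t) ((q-p)-count);` computed from the actual FormatLocaleString() count is the real fix for the hard-coded `(4-field_width)` that drove the pointer below the buffer, and `count > (MagickPathExtent-(p-format-offset))` catches vsnprintf-style truncation (a return value larger than the space offered). The function now returns 0 on that path, so callers of InterpretImageFilename(), which are outside this hunk, must treat 0 as failure; worth a check before upload.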
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series	2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series	2025-07-15 22:29:23.000000000 +0200
@@ -32,3 +32,10 @@
 0032-Remove-cse-script.patch
 0033-Fix-remaining-html-error.patch
 0034-Fix-html-error-1034333.patch
+CVE-2025-43965.patch
+CVE-2025-46393.patch
+CVE-2025-53014.patch
+CVE-2025-53015_1.patch
+CVE-2025-53015_2.patch
+CVE-2025-53101.patch
+CVE-2025-53019.patch
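Review bot: the order matters here and is consistent: CVE-2025-46393.patch expects the miff.c blob produced by CVE-2025-43965.patch (`index 887659e` on both sides), CVE-2025-53015_2.patch expects profile.c after _1 (`85c1801`), and CVE-2025-53101.patch expects image.c after CVE-2025-53014.patch (`1b242f8`, and its context includes the `p++` that patch introduces). CVE-2025-53019.patch touches stream.c only, so listing it after 53101 is harmless, but sorting it into numeric order would match the rest of the list.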
