Package: release.debian.org
Severity: normal
X-Debbugs-Cc: imagemagick@packages.debian.org, carnil@debian.org, security@debian.org
Control: affects -1 + src:imagemagick
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

[ Reason ]
CVE fix asked by carnil (security team), here in copy.
Note it is a proposed-testing-update because sid has some regression

[ Impact ]
CVEs are open

[ Tests ]
Autopkgtest + internal testsuite

[ Risks ]
Low, changes are self-contained

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Asked by security team to go before release

unblock imagemagick/8:7.1.1.43+dfsg1-1+deb13u1
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog 2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-07-15 22:29:23.000000000 +0200
@@ -1,3 +1,35 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium
+
+ * Fix CVE-2025-53014:
+ A heap buffer overflow was found in the `InterpretImageFilename`
+ function. The issue stems from an off-by-one error that
+ causes out-of-bounds memory access when processing format
+ strings containing consecutive percent signs (`%%`).
+ (Closes: #1109339)
+ * Fix CVE-2025-53015:
+ Infinite loop occur when writing during a specific XMP
+ file conversion command
+ (Closes: #1109339)
+ * Fix CVE-2025-53019:
+ `magick stream` command, specifying
+ multiple consecutive `%d` format specifiers in a
+ filename template causes a memory leak
+ (Closes: #1109339)
+ * Fix CVE-2025-53101:
+ `magick mogrify` command, specifying multiple consecutive
+ `%d` format specifiers in a filename template causes
+ internal pointer arithmetic to generate an address
+ below the beginning of the stack buffer, resulting
+ in a stack overflow through `vsnprintf()`
+ (Closes: #1109339)
+ * Fix CVE-2025-43965:
+ In MIFF image processing, image depth is mishandled
+ after SetQuantumFormat is used.
+ * Fix CVE-2025-46393:
+ In multispectral MIFF image processing, packet_size is mishandled.
+
+ -- Bastien Roucariès <rouca@debian.org> Tue, 15 Jul 2025 22:29:23 +0200
+
imagemagick (8:7.1.1.43+dfsg1-1) unstable; urgency=medium
* New upstream version
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 8 Feb 2025 23:31:39 +0100
+Subject: Update the image depth after this has been changed by
+ SetQuantumFormat.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-43965
+---
+ coders/miff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 355455b..887659e 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ if (quantum_format != UndefinedQuantumFormat)
+ {
+ status=SetQuantumFormat(image,quantum_info,quantum_format);
++ image->depth=quantum_info->depth;
+ if (status == MagickFalse)
+ ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
+ }
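Review bot: `image->depth=quantum_info->depth;` sits between the `SetQuantumFormat` call and the `status == MagickFalse` check, so the depth is copied even when the call has failed. The throw that follows makes this harmless in practice, but moving the assignment below the status check would keep the read of `quantum_info->depth` on the success path only and make the intent clearer.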
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,36 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 7 Feb 2025 20:57:15 -0500
+Subject: multispectral MIFF images renders all channels in arbitrary order
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/81ac8a0d2eb21739842ed18c48c7646b7eef65b8
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-46393
+---
+ coders/miff.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 887659e..47fa753 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1348,10 +1348,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ packet_size+=image->depth/8;
+ if (image->colorspace == CMYKColorspace)
+ packet_size+=image->depth/8;
++ if (image->number_meta_channels != 0)
++ packet_size=GetImageChannels(image)*image->depth/8;
+ if (image->compression == RLECompression)
+ packet_size++;
+- if (image->number_meta_channels != 0)
+- packet_size+=image->number_meta_channels*image->depth/8;
+ compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size*
+ image->columns),LZMAMaxExtent(packet_size*image->columns)),
+ ZipMaxExtent(packet_size*image->columns));
+@@ -2172,7 +2172,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
+ if (compression == RLECompression)
+ packet_size++;
+ if (image->number_meta_channels != 0)
+- packet_size+=image->number_meta_channels*image->depth/8;
++ packet_size=GetImageChannels(image)*image->depth/8;
+ length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent(
+ packet_size*image->columns));
+ if ((compression == BZipCompression) || (compression == ZipCompression))
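Review bot: the reader and the writer now order the meta-channel assignment differently relative to the RLE adjustment. In `ReadMIFFImage` the new `packet_size=GetImageChannels(image)*image->depth/8;` runs before `packet_size++` for `RLECompression`, so the extra byte is kept; in `WriteMIFFImage` the same assignment still comes after `if (compression == RLECompression) packet_size++;` and overwrites it. For an RLE image with meta channels the writer therefore computes a packet size one byte smaller than the reader does. Suggest moving the writer's assignment above the RLE check to match the reader, or stating in the patch header why the asymmetry is intended.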
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Thu, 26 Jun 2025 23:01:07 +0200
+Subject: Correct out of bounds read of a single byte.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53014
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 261d750..1b242f8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ q=(char *) p+1;
+ if (*q == '%')
+ {
+- p=q+1;
++ p++;
+ continue;
+ }
+ field_width=0;
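Review bot: the one-character change in the `*q == '%'` branch carries no comment, and the loop's own advance step is outside the context shown, so a reader cannot tell from the hunk why `p++` is sufficient. Since `q` is `p+1`, the old `p=q+1` left `p` two bytes past the first `%`, which for a template ending in `%%` is already the terminator before the loop advances again. A short comment to that effect, plus a test with a filename template that ends in `%%`, would keep this from regressing.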
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,48 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 2 May 2025 18:33:17 +0200
+Subject: [PATCH] Added extra checks to make sure we don't get stuck in the
+ while loop.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image-private.h | 1 +
+ MagickCore/profile.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index 4ce71c3..11dca10 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -52,6 +52,7 @@ extern "C" {
+ #define MAGICK_SIZE_MAX (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN (-SSIZE_MAX-1)
++#define MAGICK_ULONG_MAX (ULONG_MAX)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\
+ ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 7eea1d3..85c1801 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2571,6 +2571,17 @@ static void GetXmpNumeratorAndDenominator(double value,
+ *denominator=1;
+ if (value <= MagickEpsilon)
+ return;
++ if (value > (double) MAGICK_ULONG_MAX)
++ {
++ *numerator = MAGICK_ULONG_MAX;
++ *denominator = 1;
++ return;
++ }
++ if (floor(value) == value)
++ {
++ *numerator = (unsigned long) value;
++ *denominator = 1;
++ }
+ *numerator=1;
+ df=1.0;
+ while(fabs(df - value) > MagickEpsilon)
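Review bot: the `floor(value) == value` block sets `*numerator` and `*denominator` but does not return, so execution falls through to `*numerator=1;` and the `while` loop, discarding the values just stored. CVE-2025-53015_2.patch adds the missing `return;`, so the two patches only work as a pair; say so in this patch header or fold them into one file. The added lines also use `*numerator = ...` spacing where the surrounding code writes `*numerator=1;`.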
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Mon, 12 May 2025 22:23:48 +0200
+Subject: Added missing return.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/profile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 85c1801..a68e54f 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2581,6 +2581,7 @@ static void GetXmpNumeratorAndDenominator(double value,
+ {
+ *numerator = (unsigned long) value;
+ *denominator = 1;
++ return;
+ }
+ *numerator=1;
+ df=1.0;
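Review bot: the cast `(unsigned long) value` in the branch that now returns is not fully covered by the range guard `value > (double) MAGICK_ULONG_MAX` added in CVE-2025-53015_1.patch. Where `unsigned long` is 64 bits, `(double) ULONG_MAX` rounds up to 2^64, so a value of exactly 2^64 passes that guard, satisfies `floor(value) == value`, and reaches the cast out of range. Comparing with `>=` in the earlier guard would close the gap.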
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 27 Jun 2025 14:51:57 +0200
+Subject: Fixed memory leak when entering StreamImage multiple times.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
+---
+ MagickCore/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/stream.c b/MagickCore/stream.c
+index 786dabb..22a0c9e 100644
+--- a/MagickCore/stream.c
++++ b/MagickCore/stream.c
+@@ -1321,7 +1321,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info,
+ image_info->filename);
+ read_info=CloneImageInfo(image_info);
+ stream_info->image_info=image_info;
+- stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
++ if (stream_info->quantum_info == (QuantumInfo *) NULL)
++ stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
+ if (stream_info->quantum_info == (QuantumInfo *) NULL)
+ {
+ read_info=DestroyImageInfo(read_info);
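Review bot: the new `== (QuantumInfo *) NULL` guard reuses whatever `quantum_info` an earlier `StreamImage` call acquired, while `stream_info->image_info=image_info;` on the line above is refreshed on every call. If a later call passes a different `image_info`, the retained quantum info was built from the old one; please confirm that is acceptable, or destroy and re-acquire it instead. Separately, this patch header has no `bug-debian-security` or `bug-debian` field, although the changelog entry for CVE-2025-53019 closes #1109339.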
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch 2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,54 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 27 Jun 2025 20:02:12 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+
+origin: backport, https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+---
+ MagickCore/image.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1b242f8..63d6ef0 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ canonical;
+
+ ssize_t
+- field_width,
+ offset;
+
+ canonical=MagickFalse;
+@@ -1681,22 +1680,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ p++;
+ continue;
+ }
+- field_width=0;
+- if (*q == '0')
+- field_width=(ssize_t) strtol(q,&q,10);
+ switch (*q)
+ {
+ case 'd':
+ case 'o':
+ case 'x':
+ {
++ ssize_t
++ count;
++
+ q++;
+ c=(*q);
+ *q='\0';
+- (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++ count=FormatLocaleString(filename+(p-format-offset),(size_t)
+ (MagickPathExtent-(p-format-offset)),p,value);
+- offset+=(4-field_width);
+- *q=c;
++ if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++ return(0);
++ offset+=(ssize_t) ((q-p)-count);
++ *q=(char) c;
+ (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+ canonical=MagickTrue;
+ if (*(q-1) != '%')
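Review bot: dropping the `if (*q == '0') field_width=(ssize_t) strtol(q,&q,10);` step in the second `image.c` hunk means `q` is no longer advanced past a zero-padded width, so for a template such as `%03d` the `switch (*q)` sees `0` and none of the `d`, `o`, `x` cases shown can match. If zero-padded frame numbers are still meant to work, keep the digit skip and let the new `offset+=(ssize_t) ((q-p)-count);` account for the width. Also worth checking: if `FormatLocaleString` reports the untruncated length the way `vsnprintf()` does, a `count` equal to the remaining size already means truncation, so the test should be `>=` rather than `>`. Finally, the Subject line is a bare advisory URL and `origin: backport` does not say what was adapted from the upstream commit.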
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-07-15 22:29:23.000000000 +0200
@@ -32,3 +32,10 @@
0032-Remove-cse-script.patch
0033-Fix-remaining-html-error.patch
0034-Fix-html-error-1034333.patch
+CVE-2025-43965.patch
+CVE-2025-46393.patch
+CVE-2025-53014.patch
+CVE-2025-53015_1.patch
+CVE-2025-53015_2.patch
+CVE-2025-53101.patch
+CVE-2025-53019.patch