
Bug#1109572: marked as done (trixie-pu: package imagemagick/8:7.1.1.43+dfsg1-1+deb13u1)



Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1109572,
regarding trixie-pu: package imagemagick/8:7.1.1.43+dfsg1-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109572
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: imagemagick@packages.debian.org, carnil@debian.org, security@debian.org
Control: affects -1 + src:imagemagick
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

[ Reason ]
CVE fix asked by carnil (security team), here in copy.
Note it is a proposed-testing-update because sid has
some regression.

[ Impact ]
CVEs are open

[ Tests ]
Autopkgtest + internal testsuite

[ Risks ]
Low, changes are self-contained

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Asked by security team to go before release

unblock imagemagick/8:7.1.1.43+dfsg1-1+deb13u1
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog	2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog	2025-07-15 22:29:23.000000000 +0200
@@ -1,3 +1,35 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-53014:
+    A heap buffer overflow was found in the `InterpretImageFilename`
+    function. The issue stems from an off-by-one error that
+    causes out-of-bounds memory access when processing format
+    strings containing consecutive percent signs (`%%`).
+    (Closes: #1109339)
+  * Fix CVE-2025-53015:
+    Infinite loop occur when writing during a specific XMP
+    file conversion command
+    (Closes: #1109339)
+  * Fix CVE-2025-53019:
+    `magick stream` command, specifying
+    multiple consecutive `%d` format specifiers in a
+    filename template causes a memory leak
+    (Closes: #1109339)
+  * Fix CVE-2025-53101:
+    `magick mogrify` command, specifying multiple consecutive
+    `%d` format specifiers in a filename template causes
+    internal pointer arithmetic to generate an address
+    below the beginning of the stack buffer, resulting
+    in a stack overflow through `vsnprintf()`
+    (Closes: #1109339)
+  * Fix CVE-2025-43965:
+    In MIFF image processing, image depth is mishandled
+    after SetQuantumFormat is used.
+  * Fix CVE-2025-46393:
+    In multispectral MIFF image processing, packet_size is mishandled.
+
+ -- Bastien Roucariès <rouca@debian.org>  Tue, 15 Jul 2025 22:29:23 +0200
+
 imagemagick (8:7.1.1.43+dfsg1-1) unstable; urgency=medium
 
   * New upstream version
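Review bot: the CVE-2025-43965 and CVE-2025-46393 entries carry no bug reference, while the four entries above them all end with (Closes: #1109339); add a reference or state that no Debian bug exists for them. The CVE-2025-53015 entry could also say that the fix is split across CVE-2025-53015_1.patch and CVE-2025-53015_2.patch, and "Infinite loop occur" should read "Infinite loop occurs".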
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-43965.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 8 Feb 2025 23:31:39 +0100
+Subject: Update the image depth after this has been changed by
+ SetQuantumFormat.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-43965
+---
+ coders/miff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 355455b..887659e 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+     if (quantum_format != UndefinedQuantumFormat)
+       {
+         status=SetQuantumFormat(image,quantum_info,quantum_format);
++        image->depth=quantum_info->depth;
+         if (status == MagickFalse)
+           ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
+       }
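Review bot: in ReadMIFFImage the new `image->depth=quantum_info->depth;` runs before `status` is tested, so the depth is copied even when SetQuantumFormat has failed. The exception is thrown on the next line, so this is harmless here, but placing the assignment after the `status == MagickFalse` check would make the intent clearer.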
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-46393.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,36 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 7 Feb 2025 20:57:15 -0500
+Subject: multispectral MIFF images renders all channels in arbitrary order
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/81ac8a0d2eb21739842ed18c48c7646b7eef65b8
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-46393
+---
+ coders/miff.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 887659e..47fa753 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1348,10 +1348,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+       packet_size+=image->depth/8;
+     if (image->colorspace == CMYKColorspace)
+       packet_size+=image->depth/8;
++    if (image->number_meta_channels != 0)
++      packet_size=GetImageChannels(image)*image->depth/8;
+     if (image->compression == RLECompression)
+       packet_size++;
+-    if (image->number_meta_channels != 0)
+-      packet_size+=image->number_meta_channels*image->depth/8;
+     compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size*
+       image->columns),LZMAMaxExtent(packet_size*image->columns)),
+       ZipMaxExtent(packet_size*image->columns));
+@@ -2172,7 +2172,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
+     if (compression == RLECompression)
+       packet_size++;
+     if (image->number_meta_channels != 0)
+-      packet_size+=image->number_meta_channels*image->depth/8;
++      packet_size=GetImageChannels(image)*image->depth/8;
+     length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent(
+       packet_size*image->columns));
+     if ((compression == BZipCompression) || (compression == ZipCompression))
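Review bot: the two functions end up computing packet_size differently for RLE images with meta channels. In ReadMIFFImage the `number_meta_channels != 0` assignment is moved ahead of the RLE check, so `packet_size++` is applied on top of it; in WriteMIFFImage the assignment `packet_size=GetImageChannels(image)*image->depth/8;` still follows `if (compression == RLECompression) packet_size++;` and overwrites that increment. Move the writer's meta-channel block above the RLE check as well, or explain why the writer does not need the extra byte. The Subject line also describes a rendering change rather than the packet_size problem named in d/changelog.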
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53014.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Thu, 26 Jun 2025 23:01:07 +0200
+Subject: Correct out of bounds read of a single byte.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53014
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 261d750..1b242f8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     q=(char *) p+1;
+     if (*q == '%')
+       {
+-        p=q+1;
++        p++;
+         continue;
+       }
+     field_width=0;
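Review bot: after `p++` in the `*q == '%'` branch, p points at the second percent sign, so skipping it now depends on how the enclosing loop advances p, which is outside the context shown. A one-line comment saying so, and why `p=q+1` stepped one byte too far, would keep this from being changed back later. The Subject describes a single-byte out-of-bounds read while d/changelog calls it a heap buffer overflow; align the wording.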
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_1.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,48 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 2 May 2025 18:33:17 +0200
+Subject: [PATCH] Added extra checks to make sure we don't get stuck in the
+  while loop.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image-private.h |  1 +
+ MagickCore/profile.c       | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index 4ce71c3..11dca10 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -52,6 +52,7 @@ extern "C" {
+ #define MAGICK_SIZE_MAX  (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX  (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN  (-SSIZE_MAX-1)
++#define MAGICK_ULONG_MAX  (ULONG_MAX)
+ #define MatteColor  "#bdbdbd"  /* gray */
+ #define MatteColorRGBA  ScaleShortToQuantum(0xbdbd),\
+   ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 7eea1d3..85c1801 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2571,6 +2571,17 @@ static void GetXmpNumeratorAndDenominator(double value,
+   *denominator=1;
+   if (value <= MagickEpsilon)
+     return;
++  if (value > (double) MAGICK_ULONG_MAX)
++    {
++      *numerator = MAGICK_ULONG_MAX;
++      *denominator = 1;
++      return;
++    }
++  if (floor(value) == value)
++    {
++      *numerator = (unsigned long) value;
++      *denominator = 1;
++    }
+   *numerator=1;
+   df=1.0;
+   while(fabs(df - value) > MagickEpsilon)
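Review bot: the `floor(value) == value` branch in GetXmpNumeratorAndDenominator sets both outputs but has no `return;`, so execution falls through to `*numerator=1;` and the `while` loop and the branch has no effect; the return should be added in this patch rather than in a follow-up. Separately, where unsigned long is 64 bits wide, `(double) MAGICK_ULONG_MAX` rounds up to 2^64, so a value of exactly 2^64 passes the `value > (double) MAGICK_ULONG_MAX` test and reaches `(unsigned long) value`; `>=` would close that case.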
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53015_2.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Mon, 12 May 2025 22:23:48 +0200
+Subject: Added missing return.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/profile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 85c1801..a68e54f 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2581,6 +2581,7 @@ static void GetXmpNumeratorAndDenominator(double value,
+     {
+       *numerator = (unsigned long) value;
+       *denominator = 1;
++      return;
+     }
+   *numerator=1;
+   df=1.0;
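Review bot: this one-line `return;` only makes sense on top of CVE-2025-53015_1.patch (its index line starts from 85c1801, the result of that patch), but the header does not say so; note the dependency in the description or fold the change into _1. The two assignments in this branch also put spaces around `=` where the surrounding code writes `*numerator=1;`.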
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53019.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,24 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Fri, 27 Jun 2025 14:51:57 +0200
+Subject: Fixed memory leak when entering StreamImage multiple times.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
+---
+ MagickCore/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/stream.c b/MagickCore/stream.c
+index 786dabb..22a0c9e 100644
+--- a/MagickCore/stream.c
++++ b/MagickCore/stream.c
+@@ -1321,7 +1321,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info,
+       image_info->filename);
+   read_info=CloneImageInfo(image_info);
+   stream_info->image_info=image_info;
+-  stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
++  if (stream_info->quantum_info == (QuantumInfo *) NULL)
++    stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
+   if (stream_info->quantum_info == (QuantumInfo *) NULL)
+     {
+       read_info=DestroyImageInfo(read_info);
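Review bot: the new guard in StreamImage keeps a `stream_info->quantum_info` left over from an earlier call, which was acquired with that call's image_info, while `stream_info->image_info` is replaced on the line above. Confirm that reusing it is valid when the settings differ between calls, or destroy and re-acquire it instead. The header also lacks the bug-debian-security and bug-debian fields the other patches carry, although d/changelog closes #1109339 for this CVE.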
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch	1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-53101.patch	2025-07-15 22:29:23.000000000 +0200
@@ -0,0 +1,54 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 27 Jun 2025 20:02:12 -0400
+Subject: [PATCH]
+  https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+
+origin: backport, https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+---
+ MagickCore/image.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1b242f8..63d6ef0 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     canonical;
+ 
+   ssize_t
+-    field_width,
+     offset;
+ 
+   canonical=MagickFalse;
+@@ -1681,22 +1680,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         p++;
+         continue;
+       }
+-    field_width=0;
+-    if (*q == '0')
+-      field_width=(ssize_t) strtol(q,&q,10);
+     switch (*q)
+     {
+       case 'd':
+       case 'o':
+       case 'x':
+       {
++        ssize_t
++          count;
++
+         q++;
+         c=(*q);
+         *q='\0';
+-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+           (MagickPathExtent-(p-format-offset)),p,value);
+-        offset+=(4-field_width);
+-        *q=c;
++        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++          return(0);
++        offset+=(ssize_t) ((q-p)-count);
++        *q=(char) c;
+         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+         canonical=MagickTrue;
+         if (*(q-1) != '%')
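Review bot: removing `field_width=(ssize_t) strtol(q,&q,10);` means q is no longer advanced past a leading-zero width, so for a template such as `%03d` the `switch (*q)` now sees '0' rather than 'd'. Confirm that zero-padded specifiers are still handled by a case outside the context shown, or add a test for them. On the new bound, if FormatLocaleString follows the vsnprintf return convention, a count equal to the remaining size already means truncation, so `>=` would be the conservative comparison in `count > (MagickPathExtent-(p-format-offset))`. The Subject line is only an advisory URL; a one-line description of the change would help.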
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series	2024-12-29 12:21:15.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series	2025-07-15 22:29:23.000000000 +0200
@@ -32,3 +32,10 @@
 0032-Remove-cse-script.patch
 0033-Fix-remaining-html-error.patch
 0034-Fix-html-error-1034333.patch
+CVE-2025-43965.patch
+CVE-2025-46393.patch
+CVE-2025-53014.patch
+CVE-2025-53015_1.patch
+CVE-2025-53015_2.patch
+CVE-2025-53101.patch
+CVE-2025-53019.patch
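Review bot: CVE-2025-53101.patch is listed before CVE-2025-53019.patch, which breaks the numeric order used for the other entries and the order in d/changelog. The two touch different files (MagickCore/image.c and MagickCore/stream.c), so the series applies either way, but swapping the last two lines would match the changelog. CVE-2025-53101.patch must stay after CVE-2025-53014.patch, since its index line starts from 1b242f8.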



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.1

Hi,

Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.

Regards,

Adam

--- End Message ---
