Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: imagemagick@packages.debian.org X-Debbugs-Cc: security@debian.org Control: affects -1 + src:imagemagick User: release.debian.org@packages.debian.org Usertags: pu [ Reason ] CVE-2025-62594 CVE-2025-65955 CVE-2025-66628 CVE-2025-68618 CVE-2025-68950 CVE-2025-69204 [ Impact ] low [ Tests ] debci, internal testsuite, debusine [ Risks ] low [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] [ Other info ] CVE-2025-62594 CVE-2025-65955 CVE-2025-66628 CVE-2025-68618 CVE-2025-68950 CVE-2025-69204
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-12-29 00:33:04.000000000 +0100
@@ -1,3 +1,41 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u4) trixie; urgency=high
+
+ * Fix CVE-2025-62594 (Closes: #1119296)
+ Imagemagick is vulnerable to denial-of-service due to unsigned integer
+ underflow and division-by-zero in the CLAHEImage function. When tile
+ width or height is zero, unsigned underflow occurs in pointer
+ arithmetic, leading to out-of-bounds memory access, and
+ division-by-zero causes immediate crashes.
+ * Fix CVE-2025-65955 (Closes: #1122827)
+ There is a vulnerability in ImageMagick’s Magick++ layer that
+ manifests when Options::fontFamily is invoked with an empty
+ string. Clearing a font family calls RelinquishMagickMemory on
+ _drawInfo->font, freeing the font string but leaving _drawInfo->font
+ pointing to freed memory while _drawInfo->family is set to that
+ (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
+ re-frees or dereferences dangling memory. DestroyDrawInfo and other
+ setters (Options::font, Image::font) assume _drawInfo->font remains
+ valid, so destruction or subsequent updates trigger crashes or heap
+ corruption.
+ * Fix CVE-2025-66628 (Closes: #1122584)
+ The TIM (PSX TIM) image parser contains a critical integer overflow
+ vulnerability in its ReadTIMImage function (coders/tim.c). The code
+ reads width and height (16-bit values) from the file header and
+ calculates image_size = 2 * width * height without checking for
+ overflow. On 32-bit systems (or where size_t is 32-bit), this
+ calculation can overflow if width and height are large (e.g., 65535),
+ wrapping around to a small value.
+ * Fix CVE-2025-68618:
+ Magick's failure to limit the depth of SVG file reads caused
+ a DoS attack.
+ * Do not allow vid for vector graphics
+ * Fix CVE-2025-68950:
+ Magick's failure to limit MVG mutual references forming a loop
+ * Fix CVE-2025-69204:
+ Converting a malicious MVG file to SVG caused an integer overflow.
+
+ -- Bastien Roucariès <rouca@debian.org> Mon, 29 Dec 2025 00:33:04 +0100
+
imagemagick (8:7.1.1.43+dfsg1-1+deb13u3) trixie; urgency=high
* Fix CVE-2025-62171 (Closes: #1118340)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-62594.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,363 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 18 Oct 2025 10:54:39 -0400
+Subject: CVE-2025-62594
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp
+origin: https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129
+
+[backport]
+In order to ease backport minimise difference of image-private.h and add compat wrapper
+
+(cherry picked from commit 7b47fe369eda90483402fcd3d78fa4167d3bb129)
+---
+ MagickCore/composite.c | 3 +-
+ MagickCore/enhance.c | 48 +++++++++--------
+ MagickCore/image-private.h | 131 ++++++++++++++++++++++++++++++++++++---------
+ 3 files changed, 134 insertions(+), 48 deletions(-)
+
+diff --git a/MagickCore/composite.c b/MagickCore/composite.c
+index a5dfedc..2244cd1 100644
+--- a/MagickCore/composite.c
++++ b/MagickCore/composite.c
+@@ -999,7 +999,8 @@ static MagickBooleanType CompositeOverImage(Image *image,
+ }
+ pixels=p;
+ if (x_offset < 0)
+- p-=(ptrdiff_t)CastDoubleToLong((double) x_offset*GetPixelChannels(source_image));
++ p-=(ptrdiff_t) CastDoubleToSsizeT((double) x_offset*
++ GetPixelChannels(source_image));
+ }
+ q=GetCacheViewAuthenticPixels(image_view,0,y,image->columns,1,exception);
+ if (q == (Quantum *) NULL)
+diff --git a/MagickCore/enhance.c b/MagickCore/enhance.c
+index ee9d304..ee39476 100644
+--- a/MagickCore/enhance.c
++++ b/MagickCore/enhance.c
+@@ -69,6 +69,7 @@
+ #include "MagickCore/option.h"
+ #include "MagickCore/pixel.h"
+ #include "MagickCore/pixel-accessor.h"
++#include "MagickCore/pixel-private.h"
+ #include "MagickCore/property.h"
+ #include "MagickCore/quantum.h"
+ #include "MagickCore/quantum-private.h"
+@@ -318,11 +319,8 @@ static void ClipCLAHEHistogram(const double clip_limit,const size_t number_bins,
+ return;
+ cumulative_excess=0;
+ for (i=0; i < (ssize_t) number_bins; i++)
+- {
+- excess=(ssize_t) histogram[i]-(ssize_t) clip_limit;
+- if (excess > 0)
+- cumulative_excess+=excess;
+- }
++ if (histogram[i] > clip_limit)
++ cumulative_excess+=(ssize_t) (histogram[i]-clip_limit);
+ /*
+ Clip histogram and redistribute excess pixels across all bins.
+ */
+@@ -481,9 +479,6 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ MemoryInfo
+ *tile_cache;
+
+- unsigned short
+- *p;
+-
+ size_t
+ limit,
+ *tiles;
+@@ -492,15 +487,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ y;
+
+ unsigned short
+- *lut;
++ *lut,
++ *p;
+
+ /*
+ Contrast limited adapted histogram equalization.
+ */
+ if (clip_limit == 1.0)
+ return(MagickTrue);
+- tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,
+- (size_t) clahe_info->y*sizeof(*tiles));
++ tile_cache=AcquireVirtualMemory((size_t) clahe_info->x*number_bins,(size_t)
++ clahe_info->y*sizeof(*tiles));
+ if (tile_cache == (MemoryInfo *) NULL)
+ return(MagickFalse);
+ lut=(unsigned short *) AcquireQuantumMemory(NumberCLAHEGrays,sizeof(*lut));
+@@ -510,7 +506,8 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ return(MagickFalse);
+ }
+ tiles=(size_t *) GetVirtualMemoryBlob(tile_cache);
+- limit=(size_t) (clip_limit*(tile_info->width*tile_info->height)/number_bins);
++ limit=(size_t) (clip_limit*((double) tile_info->width*tile_info->height)/
++ number_bins);
+ if (limit < 1UL)
+ limit=1UL;
+ /*
+@@ -535,7 +532,7 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ tile_info->height,histogram);
+ p+=(ptrdiff_t) tile_info->width;
+ }
+- p+=(ptrdiff_t) clahe_info->width*(tile_info->height-1);
++ p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile_info->height-1));
+ }
+ /*
+ Interpolate greylevel mappings to get CLAHE image.
+@@ -576,6 +573,12 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ }
+ for (x=0; x <= (ssize_t) clahe_info->x; x++)
+ {
++ double
++ Q11,
++ Q12,
++ Q21,
++ Q22;
++
+ tile.width=tile_info->width;
+ tile.x=x-1;
+ offset.x=tile.x+1;
+@@ -598,15 +601,16 @@ static MagickBooleanType CLAHE(const RectangleInfo *clahe_info,
+ tile.x=clahe_info->x-1;
+ offset.x=tile.x;
+ }
+- InterpolateCLAHE(clahe_info,
+- tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+tile.x)), /* Q12 */
+- tiles+((ssize_t) number_bins*(tile.y*clahe_info->x+offset.x)), /* Q22 */
+- tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+tile.x)), /* Q11 */
+- tiles+((ssize_t) number_bins*(offset.y*clahe_info->x+offset.x)), /* Q21 */
+- &tile,lut,p);
++ Q12=(double) number_bins*(tile.y*clahe_info->x+tile.x);
++ Q22=(double) number_bins*(tile.y*clahe_info->x+offset.x);
++ Q11=(double) number_bins*(offset.y*clahe_info->x+tile.x);
++ Q21=(double) number_bins*(offset.y*clahe_info->x+offset.x);
++ InterpolateCLAHE(clahe_info,tiles+CastDoubleToPtrdiffT(Q12),
++ tiles+CastDoubleToPtrdiffT(Q22),tiles+CastDoubleToPtrdiffT(Q11),
++ tiles+CastDoubleToPtrdiffT(Q21),&tile,lut,p);
+ p+=(ptrdiff_t) tile.width;
+ }
+- p+=(ptrdiff_t) clahe_info->width*(tile.height-1);
++ p+=CastDoubleToPtrdiffT((double) clahe_info->width*(tile.height-1));
+ }
+ lut=(unsigned short *) RelinquishMagickMemory(lut);
+ tile_cache=RelinquishVirtualMemory(tile_cache);
+@@ -659,10 +663,10 @@ MagickExport MagickBooleanType CLAHEImage(Image *image,const size_t width,
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+ range_info.min=0;
+ range_info.max=NumberCLAHEGrays-1;
+- tile_info.width=width;
++ tile_info.width=MagickMax(width,2);
+ if (tile_info.width == 0)
+ tile_info.width=image->columns >> 3;
+- tile_info.height=height;
++ tile_info.height=MagickMax(height,2);
+ if (tile_info.height == 0)
+ tile_info.height=image->rows >> 3;
+ tile_info.x=0;
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index a7cd99c..f33e1aa 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -46,13 +46,17 @@ extern "C" {
+ #define MagickPHI 1.61803398874989484820458683436563811772030917980576
+ #define MagickPI2 1.57079632679489661923132169163975144209858469968755
+ #define MagickPI 3.1415926535897932384626433832795028841971693993751058209749445923078164062
++#define MAGICK_PTRDIFF_MAX (PTRDIFF_MAX)
++#define MAGICK_PTRDIFF_MIN (-PTRDIFF_MAX-1)
+ #define MagickSQ1_2 0.70710678118654752440084436210484903928483593768847
+ #define MagickSQ2 1.41421356237309504880168872420969807856967187537695
+ #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
+ #define MAGICK_SIZE_MAX (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN (-SSIZE_MAX-1)
++#define MAGICK_UINT_MAX (UINT_MAX)
+ #define MAGICK_ULONG_MAX (ULONG_MAX)
++#define MAGICK_USHORT_MAX (USHRT_MAX)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\
+ ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+@@ -65,7 +69,7 @@ extern "C" {
+ #define UndefinedCompressionQuality 0UL
+ #define UndefinedTicksPerSecond 100L
+
+-static inline ssize_t CastDoubleToLong(const double x)
++static inline ptrdiff_t CastDoubleToPtrdiffT(const double x)
+ {
+ double
+ value;
+@@ -75,48 +79,70 @@ static inline ssize_t CastDoubleToLong(const double x)
+ errno=ERANGE;
+ return(0);
+ }
+- if (x < 0.0)
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < ((double) MAGICK_PTRDIFF_MIN))
+ {
+- value=ceil(x);
+- if (value < ((double) MAGICK_SSIZE_MIN))
+- {
+- errno=ERANGE;
+- return((ssize_t) MAGICK_SSIZE_MIN);
+- }
++ errno=ERANGE;
++ return(MAGICK_PTRDIFF_MIN);
+ }
+- else
++ if (value > ((double) MAGICK_PTRDIFF_MAX))
+ {
+- value=floor(x);
+- if (value > ((double) MAGICK_SSIZE_MAX))
+- {
+- errno=ERANGE;
+- return((ssize_t) MAGICK_SSIZE_MAX);
+- }
++ errno=ERANGE;
++ return(MAGICK_PTRDIFF_MAX);
+ }
+- return((ssize_t) value);
++ return((ptrdiff_t) value);
+ }
+
+ static inline QuantumAny CastDoubleToQuantumAny(const double x)
+ {
++ double
++ value;
++
+ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+- if (x > ((double) ((QuantumAny) ~0)))
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ if (value > ((double) ((QuantumAny) ~0)))
+ {
+ errno=ERANGE;
+ return((QuantumAny) ~0);
+ }
+- if (x < 0.0)
++ return((QuantumAny) value);
++}
++
++static inline size_t CastDoubleToSizeT(const double x)
++{
++ double
++ value;
++
++ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+- return((QuantumAny) 0);
++ return(0);
+ }
+- return((QuantumAny) (x+0.5));
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ if (value > ((double) MAGICK_SIZE_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_SIZE_MAX);
++ }
++ return((size_t) value);
+ }
+
+-static inline size_t CastDoubleToUnsigned(const double x)
++
++static inline ssize_t CastDoubleToSsizeT(const double x)
+ {
+ double
+ value;
+@@ -126,18 +152,65 @@ static inline size_t CastDoubleToUnsigned(const double x)
+ errno=ERANGE;
+ return(0);
+ }
+- value=floor(x);
+- if (value >= ((double) MAGICK_SIZE_MAX))
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < ((double) MAGICK_SSIZE_MIN))
++ {
++ errno=ERANGE;
++ return(MAGICK_SSIZE_MIN);
++ }
++ if (value > ((double) MAGICK_SSIZE_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_SSIZE_MAX);
++ }
++ return((ssize_t) value);
++}
++
++static inline unsigned int CastDoubleToUInt(const double x)
++{
++ double
++ value;
++ if (IsNaN(x) != 0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ value=(x < 0.0) ? ceil(x) : floor(x);
++ if (value < 0.0)
+ {
+ errno=ERANGE;
+- return((size_t) MAGICK_SIZE_MAX);
++ return((QuantumAny) 0);
+ }
++ if (value > ((double) MAGICK_UINT_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_UINT_MAX);
++ }
++ return((unsigned int) value);
++}
++
++static inline unsigned short CastDoubleToUShort(const double x)
++{
++ double
++ value;
++
++ if (IsNaN(x) != 0)
++ {
++ errno=ERANGE;
++ return(0);
++ }
++ value=(x < 0.0) ? ceil(x) : floor(x);
+ if (value < 0.0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+- return((size_t) value);
++ if (value > ((double) MAGICK_USHORT_MAX))
++ {
++ errno=ERANGE;
++ return(MAGICK_USHORT_MAX);
++ }
++ return((unsigned short) value);
+ }
+
+ static inline double DegreesToRadians(const double degrees)
+@@ -189,6 +262,14 @@ static inline unsigned int ScaleColor8to6(const unsigned char color)
+ return((unsigned int) (((color) & ~0x03) >> 2));
+ }
+
++/* compat inline wrapper for backport ease */
++static inline ssize_t CastDoubleToLong(const double x) {
++ return CastDoubleToSsizeT(x);
++}
++
++static inline size_t CastDoubleToUnsigned(const double x) {
++ return CastDoubleToSizeT(x);
++}
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
+ #endif
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-65955.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,23 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sun, 23 Nov 2025 09:17:29 +0100
+Subject: Correct incorrect free (GHSA-q3hc-j9x5-mp9m)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8
+bug-debian: https://bugs.debian.org/1122827
+---
+ Magick++/lib/Options.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
+index 9a2c3fb..2212c9e 100644
+--- a/Magick++/lib/Options.cpp
++++ b/Magick++/lib/Options.cpp
+@@ -310,7 +310,7 @@ void Magick::Options::fontFamily(const std::string &family_)
+ {
+ if (family_.length() == 0)
+ {
+- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
++ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
+ DestroyString(RemoveImageOption(imageInfo(),"family"));
+ }
+ else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-66628.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,25 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Tue, 2 Dec 2025 22:49:12 +0100
+Subject: Added extra check to avoid an overflow on 32-bit machines
+ (GHSA-6hjr-v6g4-3fm8)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/bdae0681ad1e572defe62df85834218f01e6d670
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122584
+---
+ coders/tim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tim.c b/coders/tim.c
+index 4c094ac..fcfd926 100644
+--- a/coders/tim.c
++++ b/coders/tim.c
+@@ -231,7 +231,8 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) ReadBlobLSBShort(image);
+ width=ReadBlobLSBShort(image);
+ height=ReadBlobLSBShort(image);
+- image_size=2*width*height;
++ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (image_size > GetBlobSize(image))
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ bytes_per_line=width*2;
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68618.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,106 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 21 Dec 2025 12:43:08 -0500
+Subject: CVE-2025-68618
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
+origin: https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
+---
+ coders/msl.c | 24 ++++++++++++++++--------
+ coders/svg.c | 8 +++++++-
+ 2 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index dc7a8bf..80468b1 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -120,6 +120,7 @@ typedef struct _MSLInfo
+ *exception;
+
+ ssize_t
++ depth,
+ n,
+ number_groups;
+
+@@ -328,6 +329,10 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ RectangleInfo
+ geometry;
+
++ size_t
++ height,
++ width;
++
+ ssize_t
+ i,
+ j,
+@@ -336,11 +341,6 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ x,
+ y;
+
+-
+- size_t
+- height,
+- width;
+-
+ xmlParserCtxtPtr
+ parser;
+
+@@ -352,6 +352,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ exception=AcquireExceptionInfo();
+ parser=(xmlParserCtxtPtr) context;
+ msl_info=(MSLInfo *) parser->_private;
++ if (msl_info->depth++ >= MagickMaxRecursionDepth)
++ {
++ (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag);
++ xmlStopParser((xmlParserCtxtPtr) context);
++ return;
++ }
+ n=msl_info->n;
+ keyword=(const char *) NULL;
+ value=(char *) NULL;
+@@ -7057,15 +7064,15 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+
+ static void MSLEndElement(void *context,const xmlChar *tag)
+ {
+- ssize_t
+- n;
+-
+ MSLInfo
+ *msl_info;
+
+ xmlParserCtxtPtr
+ parser;
+
++ ssize_t
++ n;
++
+ /*
+ Called when the end of an element has been detected.
+ */
+@@ -7158,6 +7165,7 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+ }
+ if (msl_info->content != (char *) NULL)
+ msl_info->content=DestroyString(msl_info->content);
++ msl_info->depth--;
+ }
+
+ static void MSLCharacters(void *context,const xmlChar *c,int length)
+diff --git a/coders/svg.c b/coders/svg.c
+index b1ac078..6a06974 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,7 +1249,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ name);
+ parser=(xmlParserCtxtPtr) context;
+ svg_info=(SVGInfo *) parser->_private;
+- svg_info->n++;
++ if (svg_info->n++ > MagickMaxRecursionDepth)
++ {
++ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
++ xmlStopParser((xmlParserCtxtPtr) context);
++ return;
++ }
+ svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+ svg_info->n+1,sizeof(*svg_info->scale));
+ if (svg_info->scale == (double *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,23 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 26 Dec 2025 11:22:12 -0500
+Subject: CVE-2025-68950
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
+origin: https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec
+(cherry picked from commit 204718c2211903949dcfc0df8e65ed066b008dec)
+---
+ MagickCore/draw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6f1770f..5f0ff88 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5688,6 +5688,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+ (LocaleCompare(clone_info->magick,"http") != 0) &&
+ (LocaleCompare(clone_info->magick,"https") != 0) &&
++ (LocaleCompare(clone_info->magick,"mvg") != 0) &&
+ (LocaleCompare(clone_info->magick,"vid") != 0))
+ composite_images=ReadImage(clone_info,exception);
+ else
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-68950_pre1.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,27 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 9 Feb 2025 10:30:42 -0500
+Subject: vid: format not supported in vector graphics
+
+[backport]
+- strictly not needed but a good idea to remove unsupported vector graphics format
+- hardening from a security point of view
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/678372c9b4c6bad5bbcf998d5eca506103f587eb
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index 6657675..6f1770f 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5687,7 +5687,8 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ else
+ if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+ (LocaleCompare(clone_info->magick,"http") != 0) &&
+- (LocaleCompare(clone_info->magick,"https") != 0))
++ (LocaleCompare(clone_info->magick,"https") != 0) &&
++ (LocaleCompare(clone_info->magick,"vid") != 0))
+ composite_images=ReadImage(clone_info,exception);
+ else
+ (void) ThrowMagickException(exception,GetMagickModule(),
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2025-69204.patch 2025-12-29 00:33:04.000000000 +0100
@@ -0,0 +1,69 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 27 Dec 2025 14:37:23 -0500
+Subject: CVE-2025-69204
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw
+(cherry picked from commit 2c08c2311693759153c9aa99a6b2dcb5f985681e)
+---
+ coders/svg.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/coders/svg.c b/coders/svg.c
+index 6a06974..09705fc 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -1249,13 +1249,14 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ name);
+ parser=(xmlParserCtxtPtr) context;
+ svg_info=(SVGInfo *) parser->_private;
+- if (svg_info->n++ > MagickMaxRecursionDepth)
++ if (svg_info->n >= MagickMaxRecursionDepth)
+ {
+ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
+ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
+ xmlStopParser((xmlParserCtxtPtr) context);
+ return;
+ }
++ svg_info->n++;
+ svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
+ svg_info->n+1,sizeof(*svg_info->scale));
+ if (svg_info->scale == (double *) NULL)
+@@ -4721,17 +4722,33 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image,
+ }
+ case PathPrimitive:
+ {
+- int
+- number_attributes;
++ size_t
++ number_attributes,
++ quantum;
+
+ (void) GetNextToken(q,&q,extent,token);
+ number_attributes=1;
+ for (p=token; *p != '\0'; p++)
+ if (isalpha((int) ((unsigned char) *p)) != 0)
+ number_attributes++;
+- if (i > ((ssize_t) number_points-6*BezierQuantum*number_attributes-1))
++ if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes))
+ {
+- number_points+=(size_t) (6*BezierQuantum*number_attributes);
++ (void) ThrowMagickException(exception,GetMagickModule(),
++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
++ image->filename);
++ break;
++ }
++ quantum=(size_t) 6*BezierQuantum*number_attributes;
++ if (number_points >= (MAGICK_SSIZE_MAX-quantum))
++ {
++ (void) ThrowMagickException(exception,GetMagickModule(),
++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
++ image->filename);
++ break;
++ }
++ if (i > (ssize_t) (number_points-quantum-1))
++ {
++ number_points+=(size_t) quantum;
+ primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
+ number_points,sizeof(*primitive_info));
+ if (primitive_info == (PrimitiveInfo *) NULL)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-10-19 10:37:32.000000000 +0200
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-12-29 00:33:04.000000000 +0100
@@ -53,3 +53,10 @@
CVE-2025-57803.patch
CVE-2025-57807.patch
CVE-2025-62171.patch
+CVE-2025-62594.patch
+CVE-2025-65955.patch
+CVE-2025-66628.patch
+CVE-2025-68618.patch
+CVE-2025-68950_pre1.patch
+CVE-2025-68950.patch
+CVE-2025-69204.patch
Attachment:
signature.asc
Description: This is a digitally signed message part.