Bug#1118414: Updated PU for imagemagick
Control: tags -1 - confirmed
Hi Bastien,
On Wed, Dec 31, 2025 at 11:29:31AM +0100, Bastien Roucaries wrote:
> control: tags -1 - confirmed
>
> Hi,
>
> Following new CVEs, before uploading I propose a new PU
>
>
> debdiff can be found here (note that diff is against stable not bookworm security)
> https://debusine.debian.net/debian/developers/artifact/2954578/raw/debdiff.txt
>
> Against bookworm-security attached
>
> debusine build:
> https://debusine.debian.net/debian/developers/work-request/302156/
>
> rouca
>
>
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
> --- imagemagick-6.9.11.60+dfsg/debian/changelog 2025-09-07 23:54:25.000000000 +0200
> +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2025-12-30 17:36:07.000000000 +0100
> @@ -1,3 +1,45 @@
> +imagemagick (8:6.9.11.60+dfsg-1.6+deb12u5) bookworm; urgency=medium
> +
> + * Fix CVE-2025-62171 (Closes: #1118340)
> + Integer Overflow in BMP Decoder (ReadBMP):
> + CVE-2025-57803 claims to be patched, but the fix is incomplete
> + and ineffective.
> + .
> + The patch added BMPOverflowCheck() but placed it
> + after the overflow occurs, making it useless.
> + A malicious 58-byte BMP file can trigger AddressSanitizer
> + crashes and DoS.
> + * Fix CVE-2025-65955 (Closes: #1122827)
> + A vulnerability was found in ImageMagick’s Magick++ layer that
> + manifests when Options::fontFamily is invoked with an empty
> + string. Clearing a font family calls RelinquishMagickMemory on
> + _drawInfo->font, freeing the font string but leaving _drawInfo->font
> + pointing to freed memory while _drawInfo->family is set to that
> + (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
> + re-frees or dereferences dangling memory. DestroyDrawInfo and other
> + setters (Options::font, Image::font) assume _drawInfo->font remains
> + valid, so destruction or subsequent updates trigger crashes or heap
> + corruption
> + * Fix CVE-2025-66628 (Closes: #1122584)
> + The TIM (PSX TIM) image parser contains a critical integer overflow
> + vulnerability in its ReadTIMImage function (coders/tim.c). The code
> + reads width and height (16-bit values) from the file header and
> + calculates image_size = 2 * width * height without checking for
> + overflow. On 32-bit systems (or where size_t is 32-bit), this
> + calculation can overflow if width and height are large (e.g., 65535),
> + wrapping around to a small value
> + * Fix CVE-2025-68469
> + ImageMagick crashes when processing a crafted TIFF file.
> + * Fix CVE-2025-68618:
> + Magick's failure to limit the depth of SVG file reads caused
> + a DoS attack.
> + * Fix CVE-2025-68950:
> + Magick's failure to limit MVG mutual references forming a loop
> + * Fix CVE-2025-69204:
> + Converting a malicious MVG file to SVG caused an integer overflow.
> +
> + -- Bastien Roucariès <rouca@debian.org> Tue, 30 Dec 2025 17:36:07 +0100
> +
> imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4) bookworm-security; urgency=medium
>
> * Fix CVE-2025-53014:
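Review bot: the CVE-2025-65955 entry misdescribes the bug: `RelinquishMagickMemory()` returns NULL, so in the buggy line `_drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);` it is `family` that becomes NULL while `font` is the field left dangling; the entry says `family` is set to the invalid pointer. The CVE-2025-68950 entry is a sentence fragment ("failure to limit MVG mutual references forming a loop") with no stated effect; finish it. The CVE-2025-68469 patch header notes that it also fixes CVE-2023-3428, which should be listed in the changelog so the security tracker picks it up.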
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-62171.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,27 @@
> +From: Dirk Lemstra <dirk@lemstra.org>
> +Date: Sun, 12 Oct 2025 20:39:55 +0200
> +Subject: Added extra check to resolve issue on 32-bit systems
> + (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm)
> +
> +(cherry picked from commit 456771fae8baa9558a1421ec8d522e6937d9b2d7)
> +
> +origin: https://github.com/ImageMagick/ImageMagick6/commit/456771fae8baa9558a1421ec8d522e6937d9b2d7
> +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
> +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118340
> +---
> + coders/bmp.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/coders/bmp.c b/coders/bmp.c
> +index c6ec39e..d509bd6 100644
> +--- a/coders/bmp.c
> ++++ b/coders/bmp.c
> +@@ -982,6 +982,8 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
> + ThrowReaderException(CorruptImageError,"ImproperImageHeader");
> + if (bmp_info.compression == BI_RLE4)
> + bmp_info.bits_per_pixel<<=1;
> ++ if (BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) != MagickFalse)
> ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
> + extent=image->columns*bmp_info.bits_per_pixel;
> + bytes_per_line=4*((extent+31)/32);
> + if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
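Review bot: the new check is placed before `extent=image->columns*bmp_info.bits_per_pixel`, which is exactly the ordering flaw the changelog describes for the incomplete CVE-2025-57803 fix, and it comes after the `BI_RLE4` doubling so the doubled `bits_per_pixel` is what gets checked. It relies on `BMPOverflowCheck()`, which this diff does not define; it is introduced by `CVE-2025-57803.patch` earlier in `series`, so that ordering must be kept. The `ResourceLimitError`/`MemoryAllocationFailed` pairing matches the existing `BMPOverflowCheck(bytes_per_line,image->rows)` check below, although `CorruptImageError`/`ImproperImageHeader` would describe the actual cause (a header whose geometry cannot be represented) better.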
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-65955.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,25 @@
> +From: Dirk Lemstra <dirk@lemstra.org>
> +Date: Sun, 23 Nov 2025 09:17:43 +0100
> +Subject: Correct incorrect free (GHSA-q3hc-j9x5-mp9m)
> +
> +origin: https://github.com/ImageMagick/ImageMagick6/commit/7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8
> +debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122827
> +
> +(cherry picked from commit 7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8)
> +---
> + Magick++/lib/Options.cpp | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
> +index 3d943e4..15f818d 100644
> +--- a/Magick++/lib/Options.cpp
> ++++ b/Magick++/lib/Options.cpp
> +@@ -312,7 +312,7 @@ void Magick::Options::fontFamily(const std::string &family_)
> + {
> + if (family_.length() == 0)
> + {
> +- _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
> ++ _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);
> + DestroyString(RemoveImageOption(imageInfo(),"family"));
> + }
> + else
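Review bot: the one-token fix is consistent with the advisory: the empty-family path now frees `_drawInfo->family` and assigns the NULL return of `RelinquishMagickMemory()` back to the same field, so `_drawInfo->font` is no longer freed behind the back of `DestroyDrawInfo` and the other setters. Worth confirming that the `else` branch below (not in the hunk) replaces `_drawInfo->family` with a fresh copy rather than aliasing `font`, since the same double-free pattern would otherwise survive via that path.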
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-66628.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,28 @@
> +From: Dirk Lemstra <dirk@lemstra.org>
> +Date: Tue, 2 Dec 2025 22:49:19 +0100
> +Subject: Added extra check to avoid an overflow on 32-bit machines
> + (GHSA-6hjr-v6g4-3fm8)
> +
> +origin: https://github.com/ImageMagick/ImageMagick6/commit/7779f1ff772dfabe545c67fb2f3bfa8f7a845a2d
> +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122584
> +(cherry picked from commit 7779f1ff772dfabe545c67fb2f3bfa8f7a845a2d)
> +---
> + coders/tim.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/coders/tim.c b/coders/tim.c
> +index b2fd86c..8c792c6 100644
> +--- a/coders/tim.c
> ++++ b/coders/tim.c
> +@@ -234,7 +234,10 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception)
> + (void) ReadBlobLSBShort(image);
> + width=ReadBlobLSBShort(image);
> + height=ReadBlobLSBShort(image);
> +- image_size=2*width*height;
> ++ if (HeapOverflowSanityCheckGetSize(2*width,height,&image_size) != MagickFalse)
> ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
> ++ if (image_size > GetBlobSize(image))
> ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
> + bytes_per_line=width*2;
> + width=(width*16)/bits_per_pixel;
> + image->columns=width;
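Review bot: the new `image_size > GetBlobSize(image)` check is a behaviour change beyond the overflow fix and needs a test with non-seekable input; `GetBlobSize()` can report 0 for a blob whose length is unknown (a pipe or stream), which would reject every TIM image read that way with `InsufficientImageDataInFile`. Upstream uses the same pattern elsewhere, so it is probably acceptable, but it should be exercised before the PU goes out. The overflow check itself is correct: `width` and `height` come from `ReadBlobLSBShort`, so `2*width` cannot overflow and `HeapOverflowSanityCheckGetSize(2*width,height,&image_size)` covers the `2*width*height` product that wrapped on 32-bit.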
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68469.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,64 @@
> +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
> +Date: Tue, 30 Dec 2025 17:31:06 +0100
> +Subject: CVE-2025-68469
> +
> +While Processing a crafted TIFF file, imagemagick crashes.
> +
> +Note that this patch fix also CVE-2023-3428 that is a variation of CVE-2025-68469
> +
> +origin: https://github.com/ImageMagick/ImageMagick/issues/8508#issuecomment-3699838767
> +bug: https://github.com/advisories/GHSA-fff3-4rp7-px97
> +bug-github-issue: https://github.com/ImageMagick/ImageMagick/issues/8508
> +---
> + coders/tiff.c | 24 +++++++++++++++---------
> + 1 file changed, 15 insertions(+), 9 deletions(-)
> +
> +diff --git a/coders/tiff.c b/coders/tiff.c
> +index 12bea21..0f615ad 100644
> +--- a/coders/tiff.c
> ++++ b/coders/tiff.c
> +@@ -1953,7 +1953,14 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
> + *p;
> +
> + size_t
> +- extent;
> ++ extent,
> ++ length;
> ++
> ++ ssize_t
> ++ stride;
> ++
> ++ tmsize_t
> ++ tile_size;
> +
> + uint32
> + columns,
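Review bot: `stride` is declared `ssize_t` while `tile_size` keeps libtiff's `tmsize_t`, although both receive `tmsize_t` results (`TIFFTileRowSize`, `TIFFTileSize`); declare both as `tmsize_t` and convert once, after checking they are positive, to avoid the mixed casts in the next hunk. Also, the patch header cites an issue comment rather than an upstream commit as `origin`; once the equivalent change lands in ImageMagick6, record the commit hash so the backport can be tracked against upstream.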
> +@@ -1971,13 +1978,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
> + number_pixels=(MagickSizeType) columns*rows;
> + if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
> + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
> +- extent=4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff),
> +- TIFFTileSize(tiff));
> +-#if defined(TIFF_VERSION_BIG)
> +- extent+=image->columns*sizeof(uint64);
> +-#else
> +- extent+=image->columns*sizeof(uint32);
> +-#endif
> ++
> ++ tile_size=TIFFTileSize(tiff);
> ++ stride=(ssize_t) TIFFTileRowSize(tiff);
> ++ length=GetQuantumExtent(image,quantum_info,quantum_type);
> ++ extent=(size_t) MagickMax((size_t) tile_size,rows*
> ++ MagickMax((size_t) stride,length));
> + tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
> + sizeof(*tile_pixels));
> + if (tile_pixels == (unsigned char *) NULL)
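Review bot: `rows*MagickMax((size_t) stride,length)` is not overflow-checked; the `HeapOverflowSanityCheck(rows,sizeof(*tile_pixels))` just above only proves `rows*1` fits, so on 32-bit a large `rows` with a wide tile row can wrap `extent` to a small value and reintroduce the undersized `tile_pixels` this patch is meant to fix. Add `HeapOverflowSanityCheck(rows,MagickMax((size_t) stride,length))` before computing `extent`. Also guard the libtiff results: `TIFFTileSize()`/`TIFFTileRowSize()` return 0 on error, and a zero or negative `stride` feeds `p+=stride` in the read loop; throw `CorruptImageError` if `tile_size <= 0 || stride <= 0`. The sizing itself is sound: the loop reads `length` bytes at `p` and advances by `stride` per row, so `(rows-1)*stride+length <= rows*max(stride,length)`, and the tile read needs `tile_size`.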
> +@@ -2036,7 +2042,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
> + break;
> + (void) ImportQuantumPixels(image,(CacheView *) NULL,
> + quantum_info,quantum_type,p,exception);
> +- p+=TIFFTileRowSize(tiff);
> ++ p+=stride;
> + if (SyncAuthenticPixels(image,exception) == MagickFalse)
> + break;
> + }
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68618.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,120 @@
> +From: Cristy <urban-warrior@imagemagick.org>
> +Date: Sun, 21 Dec 2025 12:43:25 -0500
> +Subject: CVE-2025-68618
> +
> +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
> +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/693c8497290ea0c7cac75d3068ea4fa70d7d507e
> +
> +[backport]
> +- drop unrelated policy patch
> +
> +(cherry picked from commit 693c8497290ea0c7cac75d3068ea4fa70d7d507e)
> +---
> + coders/msl.c | 27 +++++++++++++++++----------
> + coders/svg.c | 13 ++++++++++---
> + 2 files changed, 27 insertions(+), 13 deletions(-)
> +
> +diff --git a/coders/msl.c b/coders/msl.c
> +index 39c14da..7560c23 100644
> +--- a/coders/msl.c
> ++++ b/coders/msl.c
> +@@ -125,6 +125,7 @@ typedef struct _MSLInfo
> + *exception;
> +
> + ssize_t
> ++ depth,
> + n,
> + number_groups;
> +
> +@@ -642,26 +643,24 @@ static void MSLStartElement(void *context,const xmlChar *tag,
> + int
> + flags;
> +
> +- ssize_t
> +- option,
> +- j,
> +- n,
> +- x,
> +- y;
> +-
> + MSLInfo
> + *msl_info;
> +
> + RectangleInfo
> + geometry;
> +
> +- ssize_t
> +- i;
> +-
> + size_t
> + height,
> + width;
> +
> ++ ssize_t
> ++ option,
> ++ i,
> ++ j,
> ++ n,
> ++ x,
> ++ y;
> ++
> + /*
> + Called when an opening tag has been processed.
> + */
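Review bot: this hunk only reorders the `ssize_t` declarations (merging `i` into the block and moving it after `size_t`) with no functional effect; for a stable-update backport, dropping this cosmetic churn keeps the debdiff to the security fix and eases later rebases. If it is kept, list it under `[backport]` in the header so the next person does not hunt for a semantic change.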
> +@@ -669,6 +668,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
> + " SAX.startElement(%s",tag);
> + exception=AcquireExceptionInfo();
> + msl_info=(MSLInfo *) context;
> ++ if (msl_info->depth++ > MagickMaxRecursionDepth)
> ++ {
> ++ (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
> ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag);
> ++ xmlStopParser((xmlParserCtxtPtr) context);
> ++ return;
> ++ }
> + n=msl_info->n;
> + keyword=(const char *) NULL;
> + value=(char *) NULL;
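Review bot: the early `return` after `xmlStopParser()` leaks `exception`, which `AcquireExceptionInfo()` allocated two lines above the new check; either move the depth check (and the `msl_info=` assignment it needs) above `exception=AcquireExceptionInfo();` or call `exception=DestroyExceptionInfo(exception);` before returning. Also, because of the post-increment, `depth` is bumped even for the rejected element, and the matching decrement in `MSLEndElement` only runs if libxml still delivers the end-element callback after `xmlStopParser`; harmless since parsing stops, but `++depth >= MagickMaxRecursionDepth` would mirror the svg.c check and keep the two coders consistent.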
> +@@ -7466,6 +7472,7 @@ static void MSLEndElement(void *context,const xmlChar *tag)
> + }
> + if (msl_info->content != (char *) NULL)
> + msl_info->content=DestroyString(msl_info->content);
> ++ msl_info->depth--;
> + }
> +
> + static void MSLCharacters(void *context,const xmlChar *c,int length)
> +diff --git a/coders/svg.c b/coders/svg.c
> +index 912c714f..1b3a7e1 100644
> +--- a/coders/svg.c
> ++++ b/coders/svg.c
> +@@ -1252,13 +1252,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
> + *p,
> + *value;
> +
> ++ size_t
> ++ number_tokens;
> ++
> + ssize_t
> + i,
> + j;
> +
> +- size_t
> +- number_tokens;
> +-
> + SVGInfo
> + *svg_info;
> +
> +@@ -1268,6 +1268,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
> + (void) LogMagickEvent(CoderEvent,GetMagickModule()," SAX.startElement(%s",
> + name);
> + svg_info=(SVGInfo *) context;
> ++ if (svg_info->n >= MagickMaxRecursionDepth)
> ++ {
> ++ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
> ++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
> ++ xmlStopParser((xmlParserCtxtPtr) context);
> ++ return;
> ++ }
> + svg_info->n++;
> + svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,
> + svg_info->n+1UL,sizeof(*svg_info->scale));
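Review bot: the limit here is `n >= MagickMaxRecursionDepth` tested before `n++`, whereas msl.c uses `depth++ > MagickMaxRecursionDepth`, so the two coders stop at nesting depths that differ by two; pick one form for both. Unlike msl.c, nothing is acquired between function entry and this check, so the early return is clean. `SVGEndElement` is not in the diff; confirm it decrements `n` only for elements that passed this check, otherwise the count drifts after a rejected element (harmless once the parser is stopped, but worth knowing).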
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-68950.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,22 @@
> +From: Cristy <urban-warrior@imagemagick.org>
> +Date: Fri, 26 Dec 2025 11:20:57 -0500
> +Subject: CVE-2025-68950
> +
> +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
> +origin: https://github.com/ImageMagick/ImageMagick6/commit/5655e26ee9032a208ad9add1fde2877205d5e540
> +---
> + magick/draw.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/magick/draw.c b/magick/draw.c
> +index 91c4954..950ed8a 100644
> +--- a/magick/draw.c
> ++++ b/magick/draw.c
> +@@ -5505,6 +5505,7 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
> + if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
> + (LocaleCompare(clone_info->magick,"http") != 0) &&
> + (LocaleCompare(clone_info->magick,"https") != 0) &&
> ++ (LocaleCompare(clone_info->magick,"mvg") != 0) &&
> + (LocaleCompare(clone_info->magick,"vid") != 0))
> + composite_images=ReadImage(clone_info,exception);
> + else
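Review bot: adding `mvg` to the deny list stops an `image` primitive inside an MVG from reading another MVG, which breaks the mutual-reference loop, but it also refuses legitimate nested MVG composites; that behaviour change belongs in the changelog entry, which is currently a fragment. The comparison is on `clone_info->magick`, the already-resolved coder name, and `LocaleCompare` is case-insensitive, so `MVG:` prefixes and `.mvg` extensions are caught alike.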
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch
> --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch 1970-01-01 01:00:00.000000000 +0100
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-69204.patch 2025-12-30 17:36:07.000000000 +0100
> @@ -0,0 +1,54 @@
> +From: Cristy <urban-warrior@imagemagick.org>
> +Date: Sat, 27 Dec 2025 14:37:26 -0500
> +Subject: CVE-2025-69204
> +
> +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw
> +origin: https://github.com/ImageMagick/ImageMagick6/commit/c46bc2a29d0712499173c6ffda1d38d7dc8861f5
> +
> +(cherry picked from commit c46bc2a29d0712499173c6ffda1d38d7dc8861f5)
> +---
> + coders/svg.c | 24 ++++++++++++++++++++----
> + 1 file changed, 20 insertions(+), 4 deletions(-)
> +
> +diff --git a/coders/svg.c b/coders/svg.c
> +index 1b3a7e1..93438bb 100644
> +--- a/coders/svg.c
> ++++ b/coders/svg.c
> +@@ -5158,17 +5158,33 @@ static MagickBooleanType WriteSVGImage(const ImageInfo *image_info,Image *image)
> + }
> + case PathPrimitive:
> + {
> +- int
> +- number_attributes;
> ++ size_t
> ++ number_attributes,
> ++ quantum;
> +
> + (void) GetNextToken(q,&q,extent,token);
> + number_attributes=1;
> + for (p=token; *p != '\0'; p++)
> + if (isalpha((int) *p))
> + number_attributes++;
> +- if (i > (ssize_t) (number_points-6*BezierQuantum*number_attributes-1))
> ++ if ((6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes))
> + {
> +- number_points+=6*BezierQuantum*number_attributes;
> ++ (void) ThrowMagickException(&image->exception,GetMagickModule(),
> ++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
> ++ image->filename);
> ++ break;
> ++ }
> ++ quantum=(size_t) 6*BezierQuantum*number_attributes;
> ++ if (number_points >= (MAGICK_SSIZE_MAX-quantum))
> ++ {
> ++ (void) ThrowMagickException(&image->exception,GetMagickModule(),
> ++ ResourceLimitError,"MemoryAllocationFailed","`%s'",
> ++ image->filename);
> ++ break;
> ++ }
> ++ if (i > (ssize_t) (number_points-quantum-1))
> ++ {
> ++ number_points+=quantum;
> + primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
> + number_points,sizeof(*primitive_info));
> + if (primitive_info == (PrimitiveInfo *) NULL)
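Review bot: after either new `ThrowMagickException`, `break` leaves only the `switch` on the primitive type, not the surrounding loop over primitives, so the writer keeps iterating with `primitive_info` unresized; unless the loop checks `image->exception.severity` or a status flag after the switch (not visible here), set a failure status or jump out so the truncated path is not emitted. The two range checks are otherwise sound: `(6*BezierQuantum) >= (MAGICK_SSIZE_MAX/number_attributes)` rejects a `quantum` that would overflow (`number_attributes` is at least 1, so no division by zero), and the second guards `number_points+quantum`. With `number_attributes` now `size_t`, `number_points-quantum-1` wraps when `number_points < quantum+1`, but the `(ssize_t)` cast turns that into a negative value and the buffer still grows, which is the same behaviour as the old `int` arithmetic. Confirm `MAGICK_SSIZE_MAX` is defined in this 6.9.11.60 tree.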
> diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
> --- imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-09-07 23:53:01.000000000 +0200
> +++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-12-30 17:36:07.000000000 +0100
> @@ -95,3 +95,10 @@
> CVE-2025-57803-pre1.patch
> CVE-2025-57803.patch
> CVE-2025-57807.patch
> +CVE-2025-62171.patch
> +CVE-2025-65955.patch
> +CVE-2025-66628.patch
> +CVE-2025-68469.patch
> +CVE-2025-68618.patch
> +CVE-2025-68950.patch
> +CVE-2025-69204.patch
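Review bot: the order of the new entries is load-bearing: `CVE-2025-69204.patch` is cut against the svg.c that `CVE-2025-68618.patch` produces (its `index 1b3a7e1..93438bb` line starts from the `912c714f..1b3a7e1` output of the earlier patch), so 68618 must stay before 69204. Likewise `CVE-2025-62171.patch` must follow `CVE-2025-57803.patch`, which defines the `BMPOverflowCheck()` it calls.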
Including the bug report for the bookworm-pu update.
Regards,
Salvatore