Version in base suite: 6.9.11.60+dfsg-1.6+deb12u5 Version in overlay suite: 6.9.11.60+dfsg-1.6+deb12u8 Base version: imagemagick_6.9.11.60+dfsg-1.6+deb12u8 Target version: imagemagick_6.9.11.60+dfsg-1.6+deb12u9 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u9.dsc changelog | 36 ++++++++++ patches/CVE-2026-25971.patch | 85 ++++++++++++++++++++++++ patches/CVE-2026-33899_1.patch | 30 ++++++++ patches/CVE-2026-33899_2.patch | 37 ++++++++++ patches/CVE-2026-33900.patch | 28 ++++++++ patches/CVE-2026-33901.patch | 40 +++++++++++ patches/CVE-2026-33905_1.patch | 140 +++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-33905_2.patch | 34 +++++++++ patches/CVE-2026-33908.patch | 106 +++++++++++++++++++++++++++++++ patches/CVE-2026-34238.patch | 31 +++++++++ patches/CVE-2026-40310.patch | 47 +++++++++++++ patches/CVE-2026-40311.patch | 77 ++++++++++++++++++++++ patches/series | 11 +++ 13 files changed, 702 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnhag9i30/imagemagick_6.9.11.60+dfsg-1.6+deb12u8.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnhag9i30/imagemagick_6.9.11.60+dfsg-1.6+deb12u9.dsc: no acceptable signature found diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog --- imagemagick-6.9.11.60+dfsg/debian/changelog 2026-04-12 19:57:53.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2026-04-25 14:03:16.000000000 +0000 
@@ -1,3 +1,39 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u9) bookworm-security; urgency=medium
+
+ * Fix CVE-2026-25971:
+ Magick fails to check for circular references between two MSLs,
+ leading to a stack overflow.
+ * Fix CVE-2026-33899:
+ When `Magick` parses an XML file it is possible that a single
+ zero byte is written out of the bounds.
+ * Fix CVE-2026-33900:
+ The viff encoder contains an integer truncation/wraparound
+ issue on 32-bit builds that could trigger an out of bounds
+ heap write, potentially causing a crash.
+ * Fix CVE-2026-33901:
+ A heap buffer overflow occurs in the MVG decoder that could
+ result in an out of bounds write when processing a crafted image
+ * Fix CVE-2026-33905
+ The -sample operation has an out of bounds read when an
+ specific offset is set through the `sample:offset` define that could
+ lead to an out of bounds read.
+ * Fix CVE-2026-33908:
+ When Magick processes an XML file with deeply nested structures,
+ it will exhaust the stack memory, resulting in a Denial of Service
+ (DoS) attack.
+ * Fix CVE-2026-34238:
+ An integer overflow in the despeckle operation causes a heap
+ buffer overflow on 32-bit builds that will result in an out
+ of bounds write.
+ * Fix CVE-2026-40310:
+ A heap out-of-bounds write in the JP2 encoder with when a user specifies
+ an invalid sampling index.
+ * Fix CVE-2026-40311 (Closes: #1134627):
+ A heap use-after-free vulnerability that can cause a crash when
+ reading and printing values from an invalid XMP profile.
+
+ -- Bastien Roucariès Sat, 25 Apr 2026 16:03:16 +0200
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u8) bookworm-security; urgency=high
 * Fix a regression for CVE-2026-25796
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25971.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25971.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25971.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-25971.patch 2026-04-25 14:03:16.000000000 +0000
@@ -0,0 +1,85 @@
+From: Cristy
+Date: Sat, 31 Jan 2026 12:52:44 -0500
+Subject: utilize a global Splay tree to guard against recursion
+
+(cherry picked from commit 9795300c611926fc895dd4e02a34ce185d8ed651)
+
+[backport]
+svg and msl coder were update from 6.9.13-41 so SVG and MSL coder are not affected. Only remaining part is draw.c
+
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/9795300c611926fc895dd4e02a34ce185d8ed651
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc
+---
+ magick/draw.c | 46 ++++++++--------------------------------------
+ 1 file changed, 8 insertions(+), 38 deletions(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 642c9d4..84bf5aa 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5471,57 +5471,27 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+ else
+ if (*primitive_info->text != '\0')
+ {
+- const MagickInfo
+- *magick_info;
+-
+- MagickStatusType
+- path_status;
+-
+- struct stat
+- attributes;
+-
+ /*
+ Read composite image.
+ */
+ (void) CopyMagickString(clone_info->filename,primitive_info->text,
+ MagickPathExtent);
+ (void) SetImageInfo(clone_info,1,exception);
+- magick_info=GetMagickInfo(clone_info->magick,exception);
+- if ((magick_info != (const MagickInfo*) NULL) &&
+- (LocaleCompare(magick_info->module,"SVG") == 0))
+- {
+- (void) ThrowMagickException(exception,GetMagickModule(),
+- CorruptImageError,"ImageTypeNotSupported","`%s'",
+- clone_info->filename);
+- clone_info=DestroyImageInfo(clone_info);
+- break;
+- }
+ (void) CopyMagickString(clone_info->filename,primitive_info->text,
+ MagickPathExtent);
+ if (clone_info->size != (char *) NULL)
+ clone_info->size=DestroyString(clone_info->size);
+ if (clone_info->extract != (char *) NULL)
+ clone_info->extract=DestroyString(clone_info->extract);
+- path_status=GetPathAttributes(clone_info->filename,&attributes);
+- if (path_status != MagickFalse)
+- {
+- if (S_ISCHR(attributes.st_mode) == 0)
+- composite_images=ReadImage(clone_info,exception);
+- else
+- (void) ThrowMagickException(exception,GetMagickModule(),
+- FileOpenError,"UnableToOpenFile","`%s'",
+- clone_info->filename);
+- }
++ if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
++ (LocaleCompare(clone_info->magick,"http") != 0) &&
++ (LocaleCompare(clone_info->magick,"https") != 0) &&
++ (LocaleCompare(clone_info->magick,"mvg") != 0) &&
++ (LocaleCompare(clone_info->magick,"vid") != 0))
++ composite_images=ReadImage(clone_info,exception);
+ else
+- if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
+- (LocaleCompare(clone_info->magick,"http") != 0) &&
+- (LocaleCompare(clone_info->magick,"https") != 0) &&
+- (LocaleCompare(clone_info->magick,"mvg") != 0) &&
+- (LocaleCompare(clone_info->magick,"vid") != 0))
+- composite_images=ReadImage(clone_info,exception);
+- else
+- (void) ThrowMagickException(exception,GetMagickModule(),
+- FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename);
++ (void) ThrowMagickException(exception,GetMagickModule(),
++ FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename);
+ }
+ clone_info=DestroyImageInfo(clone_info);
+ if (composite_images == (Image *) NULL)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_1.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_1.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_1.patch 2026-04-25 14:03:16.000000000 +0000
@@ -0,0 +1,30 @@
+From: Cristy
+Date: Tue, 24 Mar 2026 11:34:27 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2
+
+when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
+
+(cherry picked from commit d398a4b5290a9729e2e5bf36b4d2b2fb71c9d8bb)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/d398a4b5290a9729e2e5bf36b4d2b2fb71c9d8bb
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2
+---
+ magick/xml-tree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magick/xml-tree.c b/magick/xml-tree.c
+index ddf594c..fbe756b 100644
+--- a/magick/xml-tree.c
++++ b/magick/xml-tree.c
+@@ -2003,8 +2003,8 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception)
+ "ParseError","UTF16 to UTF8 failed");
+ return((XMLTreeInfo *) NULL);
+ }
+- terminal=utf8[length-1];
+- utf8[length-1]='\0';
++ terminal=utf8[MagickMax(length-1,0)];
++ utf8[MagickMax(length-1,0)]='\0';
+ p=utf8;
+ while ((*p != '\0') && (*p != '<'))
+ p++;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_2.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33899_2.patch 2026-04-25 14:03:16.000000000 +0000
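Review bot: In CVE-2026-25971.patch, the `magick/draw.c` hunk drops the `S_ISCHR(attributes.st_mode)` test together with the SVG rejection, so the composite path in `DrawPrimitive` now reaches `ReadImage()` guarded only by the five-name denylist on `clone_info->magick`. The patch header justifies removing the SVG branch by the already-updated SVG and MSL coders, but gives no reason for removing the character-device check, and nothing visible here replaces it. Either keep that check around the `ReadImage()` call or add a line to the `[backport]` paragraph naming what now rejects device paths. `DrawPrimitive` starts and ends outside the hunk, so the recursion guard the subject refers to cannot be confirmed from these lines.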
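Review bot: In CVE-2026-33899_1.patch, `utf8[MagickMax(length-1,0)]` in `NewXMLTree` only clamps if `length` is a signed type; its declaration is outside the hunk, and if it is `size_t` then `length-1` wraps for an empty buffer before the comparison is made. CVE-2026-33899_2.patch replaces both lines with an explicit `if (length == 0)` return, so the series is correct only with both patches applied. A sentence in this patch's header saying it is superseded by `_2`, or folding the two into one patch, would stop anyone cherry-picking `_1` alone.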
@@ -0,0 +1,37 @@
+From: Cristy
+Date: Thu, 26 Mar 2026 19:12:28 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2
+
+when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds
+
+(cherry picked from commit 149326dd993e8833e42e35d21bacaa0c98e11c34)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/149326dd993e8833e42e35d21bacaa0c98e11c34
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2
+---
+ magick/xml-tree.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/magick/xml-tree.c b/magick/xml-tree.c
+index fbe756b..8c6b2d4 100644
+--- a/magick/xml-tree.c
++++ b/magick/xml-tree.c
+@@ -2003,8 +2003,15 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception)
+ "ParseError","UTF16 to UTF8 failed");
+ return((XMLTreeInfo *) NULL);
+ }
+- terminal=utf8[MagickMax(length-1,0)];
+- utf8[MagickMax(length-1,0)]='\0';
++ if (length == 0)
++ {
++ utf8=DestroyString(utf8);
++ (void) ThrowMagickException(exception,GetMagickModule(),OptionWarning,
++ "ParseError","root tag missing");
++ return((XMLTreeInfo *) NULL);
++ }
++ terminal=utf8[length-1];
++ utf8[length-1]='\0';
+ p=utf8;
+ while ((*p != '\0') && (*p != '<'))
+ p++;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33900.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33900.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33900.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33900.patch 2026-04-25 14:03:16.000000000 +0000
@@ -0,0 +1,28 @@
+From: Dirk Lemstra
+Date: Mon, 20 Apr 2026 17:37:31 +0200
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9
+
+the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash.
+
+(cherry picked from commit b6c01a5a23f1e350ebe2db78c7cc326db2e320c9)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b6c01a5a23f1e350ebe2db78c7cc326db2e320c9
+---
+ coders/viff.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/viff.c b/coders/viff.c
+index 49e52ba..37399ab 100644
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -1113,6 +1113,8 @@ static MagickBooleanType WriteVIFFImage(const ImageInfo *image_info,
+ /*
+ Convert MIFF to VIFF raster pixels.
+ */
++ if (packets != (MagickSizeType) ((size_t) packets))
++ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ pixel_info=AcquireVirtualMemory((size_t) packets,sizeof(*pixels));
+ if (pixel_info == (MemoryInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33901.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33901.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33901.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33901.patch 2026-04-25 14:03:16.000000000 +0000
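Review bot: In CVE-2026-33900.patch, the new truncation guard in `WriteVIFFImage` (`if (packets != (MagickSizeType) ((size_t) packets))`) carries no comment and raises the same `MemoryAllocationFailed` message as the real allocation failure two lines below it, so the two cases cannot be told apart in logs. I would add `/* packets must survive the cast to size_t (32-bit builds) */` above the test. The function body and the computation of `packets` lie outside the hunk, so whether that value can itself wrap before this check is not visible here.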
@@ -0,0 +1,40 @@
+From: Cristy
+Date: Tue, 24 Mar 2026 08:18:41 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww
+
+A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image
+
+(cherry picked from commit 53db9565c648e71733a5c2cc2a4e8e8a4347d9cd)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/53db9565c648e71733a5c2cc2a4e8e8a4347d9cd
+---
+ magick/draw.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 84bf5aa..e190d9b 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -3378,7 +3378,9 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ continue;
+ break;
+ }
+- if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p))
++ if ((q == (char *) NULL) || (*q == '\0') ||
++ (p == (char *) NULL) || ((q-4) < p) ||
++ ((q-p+4+1) > MagickPathExtent))
+ {
+ status=MagickFalse;
+ break;
+@@ -3488,7 +3490,8 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ continue;
+ break;
+ }
+- if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p))
++ if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p) ||
++ ((q-p+4+1) > MagickPathExtent))
+ {
+ status=MagickFalse;
+ break;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_1.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_1.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_1.patch 2026-04-25 14:03:16.000000000 +0000
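Review bot: In CVE-2026-33901.patch, the two guards in `RenderMVGContent` are no longer symmetric: the hunk at 3378 adds `(*q == '\0')` as well as the length bound, while the hunk at 3488 adds only `((q-p+4+1) > MagickPathExtent)`. If the second scan loop can also stop on the terminator it needs the same test, i.e. its first line becomes `if ((q == (char *) NULL) || (*q == '\0') || (p == (char *) NULL) || ((q-4) < p) ||`; if the difference is intended, a comment should say why. Both hunks compare against `MagickPathExtent` although the destination buffer of the copy that follows is outside the hunk, so that its size matches this constant is assumed rather than shown.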
@@ -0,0 +1,140 @@
+From: Cristy
+Date: Tue, 24 Mar 2026 11:27:54 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv
+
+the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read
+
+(cherry picked from commit 140fc7b01fa7d870b3bc8453fb7adccfb7c1e202)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv
+origin: https://github.com/ImageMagick/ImageMagick6/commit/140fc7b01fa7d870b3bc8453fb7adccfb7c1e202
+---
+ magick/resize.c | 69 ++++++++++++++++++++++++---------------------------------
+ 1 file changed, 29 insertions(+), 40 deletions(-)
+
+diff --git a/magick/resize.c b/magick/resize.c
+index c2c0d59..ffe558a 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -3073,16 +3073,12 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ MagickOffsetType
+ progress;
+
+- ssize_t
+- x;
++ PointInfo
++ sample_offset;
+
+ ssize_t
+- *x_offset,
+ y;
+
+- PointInfo
+- sample_offset;
+-
+ /*
+ Initialize sampled image attributes.
+ */
+@@ -3123,19 +3119,6 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ sample_offset.y=geometry_info.sigma/100.0-MagickEpsilon;
+ }
+ }
+- /*
+- Allocate scan line buffer and column offset buffers.
+- */
+- x_offset=(ssize_t *) AcquireQuantumMemory((size_t) sample_image->columns,
+- sizeof(*x_offset));
+- if (x_offset == (ssize_t *) NULL)
+- {
+- sample_image=DestroyImage(sample_image);
+- ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
+- }
+- for (x=0; x < (ssize_t) sample_image->columns; x++)
+- x_offset[x]=(ssize_t) ((((double) x+sample_offset.x)*image->columns)/
+- sample_image->columns);
+ /*
+ Sample each row.
+ */
+@@ -3149,12 +3132,6 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ #endif
+ for (y=0; y < (ssize_t) sample_image->rows; y++)
+ {
+- const IndexPacket
+- *magick_restrict indexes;
+-
+- const PixelPacket
+- *magick_restrict p;
+-
+ IndexPacket
+ *magick_restrict sample_indexes;
+
+@@ -3164,33 +3141,46 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ ssize_t
+ x;
+
+- ssize_t
+- y_offset;
+-
+ if (status == MagickFalse)
+ continue;
+- y_offset=(ssize_t) ((((double) y+sample_offset.y)*image->rows)/
+- sample_image->rows);
+- p=GetCacheViewVirtualPixels(image_view,0,y_offset,image->columns,1,
+- exception);
+ q=QueueCacheViewAuthenticPixels(sample_view,0,y,sample_image->columns,1,
+ exception);
+- if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
++ if (q == (PixelPacket *) NULL)
+ {
+ status=MagickFalse;
+ continue;
+ }
+- indexes=GetCacheViewAuthenticIndexQueue(image_view);
+ sample_indexes=GetCacheViewAuthenticIndexQueue(sample_view);
+ /*
+ Sample each column.
+ */
+ for (x=0; x < (ssize_t) sample_image->columns; x++)
+- *q++=p[x_offset[x]];
+- if ((image->storage_class == PseudoClass) ||
+- (image->colorspace == CMYKColorspace))
+- for (x=0; x < (ssize_t) sample_image->columns; x++)
+- SetPixelIndex(sample_indexes+x,GetPixelIndex(indexes+x_offset[x]));
++ {
++ const IndexPacket
++ *magick_restrict indexes;
++
++ const PixelPacket
++ *magick_restrict p;
++
++ ssize_t
++ x_offset,
++ y_offset;
++
++ x_offset=(ssize_t) ((((double) x+sample_offset.x)*image->columns)/
++ sample_image->columns);
++ y_offset=(ssize_t) ((((double) y+sample_offset.y)*image->rows)/
++ sample_image->rows);
++ p=GetCacheViewVirtualPixels(image_view,x_offset,y_offset,1,1,
++ exception);
++ if (p == (const PixelPacket *) NULL)
++ {
++ status=MagickFalse;
++ continue;
++ }
++ *q++=(*p);
++ indexes=GetCacheViewAuthenticIndexQueue(image_view);
++ SetPixelIndex(sample_indexes+x,GetPixelIndex(indexes));
++ }
+ if (SyncCacheViewAuthenticPixels(sample_view,exception) == MagickFalse)
+ status=MagickFalse;
+ if (image->progress_monitor != (MagickProgressMonitor) NULL)
+@@ -3209,7 +3199,6 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ }
+ image_view=DestroyCacheView(image_view);
+ sample_view=DestroyCacheView(sample_view);
+- x_offset=(ssize_t *) RelinquishMagickMemory(x_offset);
+ sample_image->type=image->type;
+ if (status == MagickFalse)
+ sample_image=DestroyImage(sample_image);
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_2.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33905_2.patch 2026-04-25 14:03:16.000000000 +0000
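Review bot: In CVE-2026-33905_1.patch, inside the new per-column loop of `SampleImage`, a failed `GetCacheViewVirtualPixels()` sets `status=MagickFalse` and then executes `continue`, which now targets the inner `x` loop instead of the row loop. The remaining columns of that row are still fetched and written one slot early because `q` was not advanced, and `SyncCacheViewAuthenticPixels()` still runs, all for an image that the visible tail of the function destroys anyway; `break;` looks like what was meant. `y_offset` is also recomputed for every column although it depends only on `y`. The unconditional `GetCacheViewAuthenticIndexQueue(image_view)` / `SetPixelIndex` pair at the end of the loop is corrected by CVE-2026-33905_2.patch, so this patch should not be applied without it.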
@@ -0,0 +1,34 @@
+From: Dirk Lemstra
+Date: Fri, 27 Mar 2026 10:33:49 +0100
+Subject: Restored check that was removed by accident in the
+ GHSA-pcvx-ph33-r5vv patch.
+
+the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read.
+
+(cherry picked from commit 8d73954bf7e13a352e71a32cf7d18905577f17e8)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8d73954bf7e13a352e71a32cf7d18905577f17e8
+---
+ magick/resize.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/magick/resize.c b/magick/resize.c
+index ffe558a..bbb2243 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -3178,8 +3178,12 @@ MagickExport Image *SampleImage(const Image *image,const size_t columns,
+ continue;
+ }
+ *q++=(*p);
+- indexes=GetCacheViewAuthenticIndexQueue(image_view);
+- SetPixelIndex(sample_indexes+x,GetPixelIndex(indexes));
++ if ((image->storage_class == PseudoClass) ||
++ (image->colorspace == CMYKColorspace))
++ {
++ indexes=GetCacheViewVirtualIndexQueue(image_view);
++ SetPixelIndex(sample_indexes+x,GetPixelIndex(indexes));
++ }
+ }
+ if (SyncCacheViewAuthenticPixels(sample_view,exception) == MagickFalse)
+ status=MagickFalse;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33908.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33908.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33908.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-33908.patch 2026-04-25 14:03:16.000000000 +0000
@@ -0,0 +1,106 @@
+From: Cristy
+Date: Tue, 24 Mar 2026 11:18:09 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x
+
+When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x
+origin: https://github.com/ImageMagick/ImageMagick6/commit/4a8819a0e1c2768d592cb6e8584cadecf9cf536e
+---
+ magick/xml-tree.c | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/magick/xml-tree.c b/magick/xml-tree.c
+index 8c6b2d4..1280a4b 100644
+--- a/magick/xml-tree.c
++++ b/magick/xml-tree.c
+@@ -434,6 +434,9 @@ MagickExport char *CanonicalXMLContent(const char *content,
+ %
+ */
+
++static XMLTreeInfo
++ *DestroyXMLTree_(XMLTreeInfo *,const size_t);
++
+ static char **DestroyXMLTreeAttributes(char **attributes)
+ {
+ ssize_t
+@@ -458,35 +461,37 @@ static char **DestroyXMLTreeAttributes(char **attributes)
+ return((char **) NULL);
+ }
+
+-static void DestroyXMLTreeChild(XMLTreeInfo *xml_info)
++static void DestroyXMLTreeChild(XMLTreeInfo *xml_info,
++ const size_t depth)
+ {
+ XMLTreeInfo
+ *child,
+ *node;
+
+ child=xml_info->child;
+- while(child != (XMLTreeInfo *) NULL)
++ while (child != (XMLTreeInfo *) NULL)
+ {
+ node=child;
+ child=node->child;
+ node->child=(XMLTreeInfo *) NULL;
+- (void) DestroyXMLTree(node);
++ (void) DestroyXMLTree_(node,depth+1);
+ }
+ }
+
+-static void DestroyXMLTreeOrdered(XMLTreeInfo *xml_info)
++static void DestroyXMLTreeOrdered(XMLTreeInfo *xml_info,
++ const size_t depth)
+ {
+ XMLTreeInfo
+ *node,
+ *ordered;
+
+ ordered=xml_info->ordered;
+- while(ordered != (XMLTreeInfo *) NULL)
++ while (ordered != (XMLTreeInfo *) NULL)
+ {
+ node=ordered;
+ ordered=node->ordered;
+ node->ordered=(XMLTreeInfo *) NULL;
+- (void) DestroyXMLTree(node);
++ (void) DestroyXMLTree_(node,depth+1);
+ }
+ }
+
+@@ -553,15 +558,19 @@ static void DestroyXMLTreeRoot(XMLTreeInfo *xml_info)
+ }
+ }
+
+-MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info)
++static XMLTreeInfo *DestroyXMLTree_(XMLTreeInfo *xml_info,
++ const size_t depth)
+ {
+ assert(xml_info != (XMLTreeInfo *) NULL);
+ assert((xml_info->signature == MagickCoreSignature) ||
+ (((XMLTreeRoot *) xml_info)->signature == MagickCoreSignature));
+ if (xml_info->debug != MagickFalse)
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
+- DestroyXMLTreeChild(xml_info);
+- DestroyXMLTreeOrdered(xml_info);
++ if (depth > MagickMaxRecursionDepth)
++ ThrowFatalException(ResourceLimitFatalError,
++ "MemoryAllocationFailed");
++ DestroyXMLTreeChild(xml_info,depth+1);
++ DestroyXMLTreeOrdered(xml_info,depth+1);
+ DestroyXMLTreeRoot(xml_info);
+ xml_info->attributes=DestroyXMLTreeAttributes(xml_info->attributes);
+ xml_info->content=DestroyString(xml_info->content);
+@@ -569,6 +578,11 @@ MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info)
+ xml_info=(XMLTreeInfo *) RelinquishMagickMemory(xml_info);
+ return((XMLTreeInfo *) NULL);
+ }
++
++MagickExport XMLTreeInfo *DestroyXMLTree(XMLTreeInfo *xml_info)
++{
++ return(DestroyXMLTree_(xml_info,0));
++}
+
+ /*
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-34238.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-34238.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-34238.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-34238.patch 2026-04-25 14:03:16.000000000 +0000
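Review bot: In CVE-2026-33908.patch, `DestroyXMLTree_` reports an over-deep tree with `ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed")`, which, going by the name and severity, ends the process rather than returning an error, so a deeply nested document would still stop a long-running host application, only in a controlled way. The limit is also enforced in the destroy path, after the tree has been built, and the depth is counted twice per level: `DestroyXMLTree_` passes `depth+1` to `DestroyXMLTreeChild` and `DestroyXMLTreeOrdered`, which add one again when they call back, so the effective limit is about half of `MagickMaxRecursionDepth`. I would pass `depth` unchanged in one of the two places and use a message that names the recursion limit instead of `MemoryAllocationFailed`; whether the parser bounds nesting at build time is outside these hunks.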
@@ -0,0 +1,31 @@
+From: Cristy
+Date: Wed, 25 Mar 2026 19:54:31 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-26qp-ffjh-2x4v
+
+(cherry picked from commit 4b265a742949437a55e344a3ff694281af266190)
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-26qp-ffjh-2x4v
+origin: https://github.com/ImageMagick/ImageMagick6/commit/4b265a742949437a55e344a3ff694281af266190
+---
+ magick/effect.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/magick/effect.c b/magick/effect.c
+index 5f797bf..7835335 100644
+--- a/magick/effect.c
++++ b/magick/effect.c
+@@ -1102,7 +1102,13 @@ MagickExport Image *DespeckleImage(const Image *image,ExceptionInfo *exception)
+ /*
+ Allocate image buffer.
+ */
+- length=(size_t) ((image->columns+2)*(image->rows+2));
++ if ((image->columns > (MAGICK_SIZE_MAX-2)) ||
++ (image->rows > (MAGICK_SIZE_MAX-2)))
++ {
++ despeckle_image=DestroyImage(despeckle_image);
++ ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
++ }
++ length=(image->columns+2)*(image->rows+2);
+ pixel_info=AcquireVirtualMemory(length,sizeof(*pixels));
+ buffer_info=AcquireVirtualMemory(length,sizeof(*buffer));
+ if ((pixel_info == (MemoryInfo *) NULL) ||
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch 2026-04-25 14:03:16.000000000 +0000
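Review bot: In CVE-2026-34238.patch, the added test in `DespeckleImage` only keeps `image->columns+2` and `image->rows+2` from wrapping; the product on the next line, `length=(image->columns+2)*(image->rows+2);`, is still computed without an overflow check. If both fields are `size_t`, as the dropped `(size_t)` cast suggests, the multiplication can still wrap on a 32-bit build and the buffers from `AcquireVirtualMemory(length,...)` would be smaller than the image needs. A division-based guard before the multiply closes that, e.g. `if ((image->rows+2) > (MAGICK_SIZE_MAX/(image->columns+2)))` with the same `DestroyImage`/`ThrowImageException` cleanup. The rest of the function is outside the hunk, so other limits on the dimensions may exist that are not visible here.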
@@ -0,0 +1,47 @@
+From: Cristy
+Date: Thu, 9 Apr 2026 10:42:42 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh
+
+a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index
+
+(cherry picked from commit 4c782c770894fc19029d4408a4de37cc491c7c25)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/4c782c770894fc19029d4408a4de37cc491c7c25
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134627
+---
+ coders/jp2.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/coders/jp2.c b/coders/jp2.c
+index b50783a..e29ae31 100644
+--- a/coders/jp2.c
++++ b/coders/jp2.c
+@@ -973,9 +973,23 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image)
+ parameters->tcp_numlayers=i+1;
+ parameters->cp_disto_alloc=OPJ_TRUE;
+ }
+- if (image_info->sampling_factor != (const char *) NULL)
+- (void) sscanf(image_info->sampling_factor,"%d,%d",
+- ¶meters->subsampling_dx,¶meters->subsampling_dy);
++ if (image_info->sampling_factor != (char *) NULL)
++ {
++ GeometryInfo
++ geometry_info;
++
++ MagickStatusType
++ flags;
++
++ flags=ParseGeometry(image_info->sampling_factor,&geometry_info);
++ if ((flags & RhoValue) != 0)
++ parameters->subsampling_dx=(int) MagickMax(
++ geometry_info.rho,1.0);
++ parameters->subsampling_dy=parameters->subsampling_dx;
++ if ((flags & SigmaValue) != 0)
++ parameters->subsampling_dy=(int) MagickMax(
++ geometry_info.sigma,1.0);
++ }
+ property=GetImageProperty(image,"comment");
+ if (property != (const char *) NULL)
+ parameters->cp_comment=(char *) property;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch 2026-04-25 14:03:16.000000000 +0000
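Review bot: In CVE-2026-40310.patch, the new parsing in `WriteJP2Image` clamps `subsampling_dx` and `subsampling_dy` from below with `MagickMax(...,1.0)` but not from above, and the `(int)` cast of a `double` larger than `INT_MAX` (or of a NaN) is undefined behaviour in C. Since `sampling_factor` is caller-supplied, I would bound both values before the cast, for instance against the image dimensions: `parameters->subsampling_dx=(int) MagickMin(MagickMax(geometry_info.rho,1.0),(double) image->columns);` and the same with `sigma` and `image->rows`. A one-line comment above the block stating the accepted range would also help, since the old `sscanf` format documented the syntax implicitly. The function continues outside the hunk, so any later validation by the encoder is not visible here.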
@@ -0,0 +1,77 @@
+From: Cristy
+Date: Thu, 9 Apr 2026 13:21:33 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7
+
+A heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. T
+
+(cherry picked from commit ccf3cffe819616b39374594a7b5389fc2d49260d)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7
+origin: https://github.com/ImageMagick/ImageMagick6/commit/ccf3cffe819616b39374594a7b5389fc2d49260d
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134627
+---
+ magick/property.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/magick/property.c b/magick/property.c
+index f839545..fdbe9e2 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -36,7 +36,7 @@
+ %
+ %
+ */
+-
++
+ /*
+ Include declarations.
+ */
+@@ -1817,27 +1817,38 @@ static MagickBooleanType GetXMPProperty(const Image *image,const char *property)
+ while (node != (XMLTreeInfo *) NULL)
+ {
+ char
+- *xmp_namespace;
++ *property;
++
++ size_t
++ property_length;
+
+ child=GetXMLTreeChild(node,(const char *) NULL);
+ content=GetXMLTreeContent(node);
+ if ((child == (XMLTreeInfo *) NULL) &&
+ (SkipXMPValue(content) == MagickFalse))
+ {
+- xmp_namespace=ConstantString(GetXMLTreeTag(node));
+- (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
+- (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+- xmp_namespace,ConstantString(content));
++ property=ConstantString(GetXMLTreeTag(node));
++ (void) SubstituteString(&property,"exif:","xmp:");
++ property_length=strlen(property);
++ if ((property_length <= 2) || (*(property+(property_length-2)) != ':') ||
++ (*(property+(property_length-1)) != '*'))
++ (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
++ ConstantString(property),ConstantString(content));
++ property=DestroyString(property);
+ }
+ while (child != (XMLTreeInfo *) NULL)
+ {
+ content=GetXMLTreeContent(child);
+ if (SkipXMPValue(content) == MagickFalse)
+ {
+- xmp_namespace=ConstantString(GetXMLTreeTag(node));
+- (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
+- (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+- xmp_namespace,ConstantString(content));
++ property=ConstantString(GetXMLTreeTag(node));
++ (void) SubstituteString(&property,"exif:","xmp:");
++ property_length=strlen(property);
++ if ((property_length <= 2) || (*(property+(property_length-2)) != ':') ||
++ (*(property+(property_length-1)) != '*'))
++ (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
++ ConstantString(property),ConstantString(content));
++ property=DestroyString(property);
+ }
+ child=GetXMLTreeSibling(child);
+ }
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-04-12 19:56:20.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-04-25 14:03:16.000000000 +0000
@@ -157,3 +157,14 @@
 CVE-2026-32636.patch
 CVE-2026-33535.patch
 CVE-2026-33536.patch
+CVE-2026-25971.patch
+CVE-2026-33899_1.patch
+CVE-2026-33899_2.patch
+CVE-2026-33900.patch
+CVE-2026-33901.patch
+CVE-2026-33905_1.patch
+CVE-2026-33905_2.patch
+CVE-2026-33908.patch
+CVE-2026-34238.patch
+CVE-2026-40310.patch
+CVE-2026-40311.patch
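Review bot: In CVE-2026-40311.patch, the new local `char *property` in `GetXMPProperty` shadows the function's own `const char *property` parameter (visible in the hunk header), so any later use of the requested property name inside this `while` body would silently read the temporary instead. Keeping a distinct name such as the old `xmp_namespace` avoids that and a `-Wshadow` warning. The filter that skips keys ending in `:*` appears twice without explanation; a comment such as `/* do not store wildcard keys ("ns:*") as properties */` on both copies would record why, assuming that is the intent. The `(void)` on `AddValueToSplayTree` also means the two fresh `ConstantString` copies leak if the insert fails.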