Version in base suite: 1.4+really1.3.40-4 Base version: graphicsmagick_1.4+really1.3.40-4 Target version: graphicsmagick_1.4+really1.3.40-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/graphicsmagick/graphicsmagick_1.4+really1.3.40-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/graphicsmagick/graphicsmagick_1.4+really1.3.40-4+deb12u1.dsc changelog | 14 ++++++++++++ patches/CVE-2025-27795.patch | 38 ++++++++++++++++++++++++++++++++ patches/CVE-2025-32460.patch | 50 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 104 insertions(+)
diff -Nru graphicsmagick-1.4+really1.3.40/debian/changelog graphicsmagick-1.4+really1.3.40/debian/changelog
--- graphicsmagick-1.4+really1.3.40/debian/changelog 2023-04-17 17:17:10.000000000 +0000
+++ graphicsmagick-1.4+really1.3.40/debian/changelog 2025-04-11 20:49:23.000000000 +0000
@@ -1,3 +1,17 @@
+graphicsmagick (1.4+really1.3.40-4+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+
+ [ Carlos Henrique Lima Melara ]
+ * d/p/CVE-2025-27795.patch: fix CVE-2025-27795 by adding image dimension
+ resource limits. (Closes: #1099955)
+
+ [ Salvatore Bonaccorso ]
+ * ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale
+ matte (CVE-2025-32460)
+
+ -- Salvatore Bonaccorso Fri, 11 Apr 2025 22:49:23 +0200
+
 graphicsmagick (1.4+really1.3.40-4) unstable; urgency=medium
 
 * Remove development ifdef from memory leak fix.
diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch
--- graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch 1970-01-01 00:00:00.000000000 +0000
+++ graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-27795.patch 2025-04-11 20:49:23.000000000 +0000
@@ -0,0 +1,38 @@
+From: Bob Friesenhahn
+Date: Mon, 9 Sep 2024 08:01:43 -0500
+Subject: ReadJXLImage(): Apply image dimension resource limits. Addresses
+ oss-fuzz Issue 69728
+
+Backported to Debian by Carlos Henrique Lima Melara
+
+Changes:
+ - Drop changes to changelog and version files.
+Origin: upstream, https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
+Bug-Debian: https://bugs.debian.org/1099955
+Last-Update: 2025-03-31
+---
+ coders/jxl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/coders/jxl.c b/coders/jxl.c
+index b8a85fd..8a370fe 100644
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -531,6 +531,7 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
+ basic_info.alpha_bits, basic_info.num_color_channels,
+ basic_info.have_animation == JXL_FALSE ? "False" : "True");
+ }
++
+ if (basic_info.num_extra_channels)
+ {
+ size_t index;
+@@ -579,6 +580,9 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
+
+ image->orientation=convert_orientation(basic_info.orientation);
+
++ if (CheckImagePixelLimits(image, exception) != MagickPass)
++ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
++
+ pixel_format.endianness=JXL_NATIVE_ENDIAN;
+ pixel_format.align=0;
+ if (basic_info.num_color_channels == 1)
diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-32460.patch graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-32460.patch
--- graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-32460.patch 1970-01-01 00:00:00.000000000 +0000
+++ graphicsmagick-1.4+really1.3.40/debian/patches/CVE-2025-32460.patch 2025-04-11 20:49:23.000000000 +0000
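Review bot: In debian/patches/CVE-2025-27795.patch, the added `CheckImagePixelLimits(image, exception)` guard (second jxl.c hunk, new line 583) carries no comment, although its position is what makes it effective: it sits before the `pixel_format` setup and well ahead of the output-buffer sizing near line 765 that the other patch in this upload touches. I would add `/* Enforce width/height/pixel resource limits before any decode buffer is sized or allocated */` above the `if`. Where `image->columns` and `image->rows` are assigned from `basic_info` is not visible, because ReadJXLImage() starts and ends outside both hunks, so it is worth confirming the check runs after that assignment. The first jxl.c hunk (`@@ -531,6 +531,7 @@`) only adds a blank line and could be dropped to keep the security backport minimal.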
@@ -0,0 +1,50 @@
+Description: ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale matte
+Origin: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-32460
+Forwarded: not-needed
+Author: Bob Friesenhahn
+
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -600,7 +600,7 @@ static Image *ReadJXLImage(const ImageIn
+ ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+ }
+ grayscale=MagickTrue;
+- pixel_format.num_channels=1;
++ pixel_format.num_channels=image->matte ? 2 : 1;
+ pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
+ (basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
+ JXL_TYPE_FLOAT));
+@@ -765,10 +765,32 @@ static Image *ReadJXLImage(const ImageIn
+ size_t
+ out_len;
+
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "JxlPixelFormat:\n"
++ " num_channels: %u\n"
++ " data_type: %s\n"
++ " endianness: %s\n"
++ " align: %" MAGICK_SIZE_T_F "u",
++ pixel_format.num_channels,
++ pixel_format.data_type == JXL_TYPE_FLOAT ? "float" :
++ (pixel_format.data_type == JXL_TYPE_UINT8 ? "uint8" :
++ (pixel_format.data_type == JXL_TYPE_UINT16 ? "uint16" :
++ (pixel_format.data_type == JXL_TYPE_FLOAT16 ? "float16" :
++ "unknown"))) ,
++ pixel_format.endianness == JXL_NATIVE_ENDIAN ? "native" :
++ (pixel_format.endianness == JXL_LITTLE_ENDIAN ? "little" :
++ (pixel_format.endianness == JXL_BIG_ENDIAN ? "big" : "unknown")),
++ pixel_format.align);
++
+ status=JxlDecoderImageOutBufferSize(jxl_decoder,&pixel_format,&out_len);
+ if (status != JXL_DEC_SUCCESS)
+ break;
+
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "JxlDecoderImageOutBufferSize() returns %" MAGICK_SIZE_T_F "u",
++ (MAGICK_SIZE_T) out_len);
+ out_buf=MagickAllocateResourceLimitedArray(unsigned char *,out_len,sizeof(*out_buf));
+ if (out_buf == (unsigned char *) NULL)
+ ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
diff -Nru graphicsmagick-1.4+really1.3.40/debian/patches/series graphicsmagick-1.4+really1.3.40/debian/patches/series
--- graphicsmagick-1.4+really1.3.40/debian/patches/series 2023-04-17 17:17:10.000000000 +0000
+++ graphicsmagick-1.4+really1.3.40/debian/patches/series 2025-04-11 20:49:23.000000000 +0000
@@ -2,3 +2,5 @@
 semaphore_O0_ppc64el.patch
 fix_bounds_issue_when_concatenating_string.patch
 eliminate_memory_leak_when_handling_EXIFOrientation.patch
+CVE-2025-27795.patch
+CVE-2025-32460.patch
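Review bot: In debian/patches/CVE-2025-32460.patch, the added `JxlPixelFormat` log call passes `pixel_format.align` to a `%" MAGICK_SIZE_T_F "u"` conversion without a cast, while the second added log call casts its argument as `(MAGICK_SIZE_T) out_len`. If `MAGICK_SIZE_T` differs in width from the type of `align` on some target, the variadic call reads the wrong number of bytes, so the last argument should read `(MAGICK_SIZE_T) pixel_format.align);`. The actual fix, `pixel_format.num_channels=image->matte ? 2 : 1;`, would also benefit from a short comment such as `/* gray + alpha needs 2 channels; out_len below is derived from this struct */`, since `JxlDecoderImageOutBufferSize()` takes `&pixel_format` in the second hunk. ReadJXLImage() begins and ends outside both hunks, so how the pixel loop consumes `out_buf` cannot be checked from here.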