Version in base suite: 6.9.11.60+dfsg-1.6+deb12u9
Version in overlay suite: 6.9.11.60+dfsg-1.6+deb12u10
Base version: imagemagick_6.9.11.60+dfsg-1.6+deb12u10
Target version: imagemagick_6.9.11.60+dfsg-1.6+deb12u11
Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u10.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
changelog | 27 ++++++++++-
control | 2
patches/0007-Improve-policy-in-order-to-be-safer.patch | 14 ++---
patches/0023-disable-ghostscript-formats.patch | 10 ++--
patches/CVE-2026-48733.patch | 33 +++++++++++++
patches/CVE-2026-48734.patch | 41 +++++++++++++++++
patches/CVE-2026-48994.patch | 35 ++++++++++++++
patches/CVE-2026-49218.patch | 29 ++++++++++++
patches/CVE-2026-53460.patch | 29 ++++++++++++
patches/CVE-2026-53463.patch | 39 ++++++++++++++++
patches/series | 6 ++
rules | 6 ++
tests.d/control.quantum.in | 4 +
tests.d/policy-IMVERSION.QUANTUMDEPTH.in | 38 +++++++++++++++
tests/control | 8 +++
tests/policy-6.q16 | 38 +++++++++++++++
tests/policy-6.q16hdri | 38 +++++++++++++++
17 files changed, 384 insertions(+), 13 deletions(-)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbwesiqia/imagemagick_6.9.11.60+dfsg-1.6+deb12u10.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbwesiqia/imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc: no acceptable signature found
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog 2026-05-27 20:36:03.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog 2026-06-21 13:40:05.000000000 +0000
@@ -1,3 +1,28 @@ +imagemagick (8:6.9.11.60+dfsg-1.6+deb12u11) bookworm-security; urgency=high + + * Fix CVE-2026-48733: + An infinite loop in the subimage-search operation can happen + when using a crafted image. + * Fix CVE-2026-48734: + A crafted MVG file could result in a stack overflow due to a missing depth + or visited-set check + * Fix CVE-2026-48994: + A missing check of a return value could lead to a heap buffer over-write in the MAT + decoder on 32-bit systems. + * Fix CVE-2026-49218: + A missing check in the DCM decoder could result in an image with invalid dimensions + and that could cause crashes in other operation. + * Fix CVE-2026-53460: + A missing check for maximum memory request in AcquireAlignedMemory + could trigger an out-of-Memory condition. + * Fix CVE-2026-53463: + When passing incorrect arguments in the distort operation a + null pointer deference will occur. + * Fix default policy.xml HTTP/HTTPS/URL delegate rules are no-ops + (Closes: #1140176) + + -- Bastien Roucariès Sun, 21 Jun 2026 15:40:05 +0200 + imagemagick (8:6.9.11.60+dfsg-1.6+deb12u10) bookworm-security; urgency=high * Fix CVE-2026-33901 regression: @@ -13,7 +38,7 @@ Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. - * Fix CVE-2026-45359: + * Fix CVE-2026-45358: Heap Buffer Over-Read in connected components when the user supplies an invalid keep-top define. An invalid connected-components:keep-top value could result diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control --- imagemagick-6.9.11.60+dfsg/debian/control 2026-05-27 20:34:21.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/control 2026-06-21 08:43:07.000000000 +0000 
@@ -1,4 +1,4 @@ -# Autogenerated Mon Jun 24 16:27:31 UTC 2024 from make -f debian/rules update_pkg +# Autogenerated Sun Jun 21 10:43:07 CEST 2026 from make -f debian/rules update_pkg Source: imagemagick Section: graphics Priority: optional diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0007-Improve-policy-in-order-to-be-safer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0007-Improve-policy-in-order-to-be-safer.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0007-Improve-policy-in-order-to-be-safer.patch 2026-05-27 20:34:21.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0007-Improve-policy-in-order-to-be-safer.patch 2026-06-21 10:00:28.000000000 +0000 @@ -12,10 +12,10 @@ config/policy.xml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) -diff --git a/config/policy.xml b/config/policy.xml -index 2ed14de8a6..54e64782b3 100644 ---- a/config/policy.xml -+++ b/config/policy.xml +Index: imagemagick/config/policy.xml +=================================================================== +--- imagemagick.orig/config/policy.xml 2026-06-21 11:59:11.196629856 +0200 ++++ imagemagick/config/policy.xml 2026-06-21 12:00:19.921527219 +0200 @@ -57,26 +57,36 @@ --> @@ -55,9 +55,9 @@ + + + -+ -+ -+ ++ ++ ++ + + diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0023-disable-ghostscript-formats.patch imagemagick-6.9.11.60+dfsg/debian/patches/0023-disable-ghostscript-formats.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0023-disable-ghostscript-formats.patch 2026-05-27 20:34:21.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0023-disable-ghostscript-formats.patch 2026-06-21 10:52:43.000000000 +0000 
@@ -8,10 +8,12 @@ config/policy.xml | 5 +++++ 1 file changed, 5 insertions(+) ---- a/config/policy.xml -+++ b/config/policy.xml -@@ -86,4 +86,11 @@ - +Index: imagemagick/config/policy.xml +=================================================================== +--- imagemagick.orig/config/policy.xml 2026-06-21 12:52:39.877333328 +0200 ++++ imagemagick/config/policy.xml 2026-06-21 12:52:39.874583415 +0200 +@@ -89,4 +89,11 @@ + + diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48733.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48733.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48733.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48733.patch 2026-06-21 08:37:11.000000000 +0000 
@@ -0,0 +1,33 @@
+From: Cristy
+Date: Mon, 18 May 2026 21:52:10 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5v62-8fq6-cp9m
+
+an infinite loop in the subimage-search operation can happen when using a crafted image.
+
+(cherry picked from commit 1a59a4f31acca06f90a1f83424ef991a60f76b61)
+
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/1a59a4f31acca06f90a1f83424ef991a60f76b61
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5v62-8fq6-cp9m
+---
+ magick/compare.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/magick/compare.c b/magick/compare.c
+index 12a253c..7656dbb 100644
+--- a/magick/compare.c
++++ b/magick/compare.c
+@@ -2133,6 +2133,13 @@ MagickExport Image *SimilarityMetricImage(Image *image,const Image *reference,
+ *similarity_metric=MagickMaximumValue;
+ if (ValidateImageMorphology(image,reference) == MagickFalse)
+ ThrowImageException(ImageError,"ImageMorphologyDiffers");
++ if ((image->columns < reference->columns) ||
++ (image->rows < reference->rows))
++ {
++ (void) ThrowMagickException(&image->exception,GetMagickModule(),
++ OptionWarning,"GeometryDoesNotContainImage","`%s'",image->filename);
++ return((Image *) NULL);
++ }
+ similarity_image=CloneImage(image,image->columns-reference->columns+1,
+ image->rows-reference->rows+1,MagickTrue,exception);
+ if (similarity_image == (Image *) NULL)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48734.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48734.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48734.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48734.patch 2026-06-21 08:37:11.000000000 +0000
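Review bot: In debian/patches/CVE-2026-48733.patch the new size guard in SimilarityMetricImage reports through `&image->exception`, while the `CloneImage` call directly below it uses the `exception` argument, so a caller that inspects only `exception` after the NULL return would find no reason for the failure. The guard is also raised as `OptionWarning` even though the function aborts. Consider passing `exception` as the first argument of this `ThrowMagickException` call and using an error severity such as `OptionError`. The function starts and ends outside the hunk, so how callers consume the two exception objects is an assumption to confirm.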
@@ -0,0 +1,41 @@
+From: Cristy
+Date: Mon, 18 May 2026 21:56:35 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h36c-3666-h489
+
+a crafted MVG file could result in a stack overflow due to a missing depth or visited-set check
+
+(cherry picked from commit 60153856299c66689e3620b8347c0cc32c807d95)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h36c-3666-h489
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/60153856299c66689e3620b8347c0cc32c807d95
+---
+ magick/draw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index be9d4aa..bf3efb6 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -2502,6 +2502,7 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ *macros;
+
+ ssize_t
++ classDepth = 0,
+ defsDepth,
+ j,
+ k,
+@@ -2698,6 +2699,13 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ }
+ if (LocaleCompare(token,graphic_context[n]->id) == 0)
+ break;
++ if (classDepth++ > MagickMaxRecursionDepth)
++ {
++ (void) ThrowMagickException(&image->exception,GetMagickModule(),
++ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",token);
++ status=MagickFalse;
++ break;
++ }
+ mvg_class=(const char *) GetValueFromSplayTree(macros,token);
+ if ((mvg_class != (const char *) NULL) && (p > primitive))
+ {
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48994.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48994.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48994.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-48994.patch 2026-06-21 08:37:11.000000000 +0000
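Review bot: In debian/patches/CVE-2026-48734.patch `classDepth` is initialised once at its declaration and is only ever incremented in the second hunk, so as far as these lines show it counts every class lookup made during one RenderMVGContent call rather than the current nesting depth. A drawing that uses many classes one after another, without nesting them, could therefore be rejected with `VectorGraphicsNestedTooDeeply` once the count passes `MagickMaxRecursionDepth`. If a total cap is the intent, a comment above the check such as `/* classDepth caps the total number of class expansions per call, not the nesting level */` would stop a later reader from treating it as a depth. The loop and the function continue outside both hunks, so a reset elsewhere cannot be ruled out.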
@@ -0,0 +1,35 @@
+From: Dirk Lemstra
+Date: Sun, 24 May 2026 10:01:44 +0200
+Subject: Added extra checks to prevent an overflow on 32-bit systems
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4v89-6mgq-6rgc)
+
+(cherry picked from commit 662a1667d115a65b22a3792755431fc9c1f31d89)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4v89-6mgq-6rgc
+origin: https://github.com/ImageMagick/ImageMagick6/commit/662a1667d115a65b22a3792755431fc9c1f31d89
+---
+ coders/mat.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/coders/mat.c b/coders/mat.c
+index 7477ad6..b693822 100644
+--- a/coders/mat.c
++++ b/coders/mat.c
+@@ -755,8 +755,15 @@ static Image *ReadMATImageV4(const ImageInfo *image_info,Image *image,
+ if (HDR.Type[0] != 0)
+ SetQuantumEndian(image,quantum_info,MSBEndian);
+ status=SetQuantumFormat(image,quantum_info,format_type);
+- status=SetQuantumDepth(image,quantum_info,depth);
+- status=SetQuantumEndian(image,quantum_info,endian);
++ if (status != MagickFalse)
++ status=SetQuantumDepth(image,quantum_info,depth);
++ if (status != MagickFalse)
++ status=SetQuantumEndian(image,quantum_info,endian);
++ if (status == MagickFalse)
++ {
++ quantum_info=DestroyQuantumInfo(quantum_info);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ SetQuantumScale(quantum_info,1.0);
+ pixels=(unsigned char *) GetQuantumPixels(quantum_info);
+ for (y=0; y < (ssize_t) image->rows; y++)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-49218.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-49218.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-49218.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-49218.patch 2026-06-21 08:37:11.000000000 +0000
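Review bot: In debian/patches/CVE-2026-48994.patch the `SetQuantumEndian(image,quantum_info,MSBEndian)` call kept as context just above the change still discards its result, while the three setters below it are now checked. If the later `SetQuantumEndian(image,quantum_info,endian)` call always supersedes it, say so with a `(void)` cast and a one-line comment; otherwise fold it into the same `status` chain. The new branch reports every failure as `MemoryAllocationFailed`, which presumably matches what these setters can fail on, but that is not visible in the hunk. ReadMATImageV4 starts and ends outside the hunk.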
@@ -0,0 +1,29 @@
+From: Dirk Lemstra
+Date: Sun, 24 May 2026 18:31:18 +0200
+Subject: Added missing check for returning an image with zero columns or rows
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8pj9-6897-74xc)
+
+(cherry picked from commit 14faf35495e9191f54bc63df44383a76f5cf16d9)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8pj9-6897-74xc
+origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/14faf35495e9191f54bc63df44383a76f5cf16d9
+---
+ coders/dcm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index f28d813b..9254ab0 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -4376,7 +4376,10 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ redmap=(int *) RelinquishMagickMemory(redmap);
+ if (image == (Image *) NULL)
+ return(image);
+- (void) CloseBlob(image);
++ if (CloseBlob(image) == MagickFalse)
++ status=MagickFalse;
++ if ((image->rows == 0) || (image->columns == 0))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader")
+ if (status == MagickFalse)
+ return(DestroyImageList(image));
+ return(GetFirstImageInList(image));
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53460.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53460.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53460.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53460.patch 2026-06-21 08:37:11.000000000 +0000
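Review bot: In debian/patches/CVE-2026-49218.patch the added `ThrowReaderException(CorruptImageError,"ImproperImageHeader")` line in ReadDCMImage has no terminating semicolon, unlike the same macro call in CVE-2026-48994.patch. It presumably compiles only because the macro expands to a braced block, and it reads as though the following `if (status == MagickFalse)` belonged to the same statement; add the `;` so the zero-dimension check stays correct if the macro's form ever changes. The zero-size test looks only at the `image` pointer current at this point, so whether earlier frames in a multi-frame list are covered cannot be told from the hunk.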
@@ -0,0 +1,29 @@
+From: Cristy
+Date: Thu, 28 May 2026 09:27:44 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q62c-h75r-2xhc
+
+(cherry picked from commit 3396cbf4049c4576814b45bb6094ac3ad5493115)
+
+a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q62c-h75r-2xhc
+origin: https://github.com/ImageMagick/ImageMagick6/commit/3396cbf4049c4576814b45bb6094ac3ad5493115
+---
+ magick/memory.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/magick/memory.c b/magick/memory.c
+index 1a3aed9..26a6a30 100644
+--- a/magick/memory.c
++++ b/magick/memory.c
+@@ -367,7 +367,8 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
+ size_t
+ size;
+
+- if (HeapOverflowSanityCheckGetSize(count,quantum,&size) != MagickFalse)
++ if ((HeapOverflowSanityCheckGetSize(count,quantum,&size) != MagickFalse) ||
++ (size > GetMaxMemoryRequest()))
+ {
+ errno=ENOMEM;
+ return(NULL);
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53463.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53463.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53463.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-53463.patch 2026-06-21 08:37:11.000000000 +0000
@@ -0,0 +1,39 @@
+From: Cristy
+Date: Sun, 31 May 2026 06:54:55 -0400
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p9rq-q46c-g4x6
+
+when passing incorrect arguments in the distort operation a null pointer deference will occur
+
+(cherry picked from commit 3492c2ef45160d0fdfe34724fa6bce07583d3ec1)
+
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p9rq-q46c-g4x6
+origin: https://github.com/ImageMagick/ImageMagick6/commit/3492c2ef45160d0fdfe34724fa6bce07583d3ec1
+---
+ magick/distort.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/magick/distort.c b/magick/distort.c
+index 4719180..06dc820 100644
+--- a/magick/distort.c
++++ b/magick/distort.c
+@@ -1285,11 +1285,18 @@ static double *GenerateCoefficients(const Image *image,
+ Coeff 2,3 center of distortion of input image
+ Coefficents 4,5 Center of Distortion of dest (determined later)
+ */
++ if (number_arguments < 1) {
++ coeff = (double *) RelinquishMagickMemory(coeff);
++ (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
++ "InvalidArgument", "%s : 'Needs at least 1 argument'",
++ CommandOptionToMnemonic(MagickDistortOptions, *method) );
++ return((double *) NULL);
++ }
+ if ( arguments[0] < MagickEpsilon || arguments[0] > 160.0 ) {
++ coeff=(double *) RelinquishMagickMemory(coeff);
+ (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+ "InvalidArgument", "%s : Invalid FOV Angle",
+ CommandOptionToMnemonic(MagickDistortOptions, *method) );
+- coeff=(double *) RelinquishMagickMemory(coeff);
+ return((double *) NULL);
+ }
+ coeff[0] = DegreesToRadians(arguments[0]);
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-05-27 20:34:21.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2026-06-21 08:37:11.000000000 +0000
@@ -185,3 +185,9 @@
 CVE-2026-46559.patch
 port-distribute-cache-to-6.9.13-48.patch
 distribute-cache-backport.patch
+CVE-2026-48733.patch
+CVE-2026-48734.patch
+CVE-2026-48994.patch
+CVE-2026-49218.patch
+CVE-2026-53460.patch
+CVE-2026-53463.patch
diff -Nru imagemagick-6.9.11.60+dfsg/debian/rules imagemagick-6.9.11.60+dfsg/debian/rules
--- imagemagick-6.9.11.60+dfsg/debian/rules 2026-05-27 20:34:21.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/rules 2026-06-21 08:42:10.000000000 +0000
@@ -248,6 +248,12 @@
 UCQUANTUMDEPTH=$(call UC,$*) \
 $(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/perlmagick-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$*
 chmod +x $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$*
+ QUANTUM=$(call QUANTUM_PART,$*) \
+ HDRI=$(call HDRI_PART,$*) \
+ QUANTUMDEPTH=$* \
+ UCQUANTUMDEPTH=$(call UC,$*) \
+ $(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/policy-$(IMVERSION).$*
+ chmod +x $(CURDIR)/debian/tests/policy-$(IMVERSION).$*
 # clean up
 rm -f $(CURDIR)/debian/control.d/quantum.$*
diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/control imagemagick-6.9.11.60+dfsg/debian/tests/control
--- imagemagick-6.9.11.60+dfsg/debian/tests/control 2026-05-27 20:34:21.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/tests/control 2026-06-21 08:43:07.000000000 +0000
@@ -8,6 +8,10 @@
 Depends: imagemagick-6.q16, libmagickcore-6.q16-6-extra, netpbm
 Restrictions: allow-stderr
+Tests: policy-6.q16
+Depends: @, curl, busybox, iproute2
+Restrictions: allow-stderr
+
 Tests: rose-6.q16hdri
 Depends: imagemagick-6.q16hdri, libmagickcore-6.q16hdri-6-extra, netpbm
@@ -18,3 +22,7 @@
 Depends: imagemagick-6.q16hdri, libmagickcore-6.q16hdri-6-extra, netpbm
 Restrictions: allow-stderr
+Tests: policy-6.q16hdri
+Depends: @, curl, busybox, iproute2
+Restrictions: allow-stderr
+
diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16 imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16
--- imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16 2026-06-21 08:43:07.000000000 +0000
@@ -0,0 +1,38 @@
+#!/usr/bin/sh
+
+CONVERT=convert-im6.q16
+
+set -e
+
+clean() {
+ [ -n "$OUTDIR" ] && rm -rf "$OUTDIR" || true
+ [ -n "$SERVERPID" ] && kill "$SERVERPID" 2>/dev/null || true
+}
+
+trap clean EXIT INT TERM
+
+OUTDIR="$(mktemp -d)"
+
+(cd $OUTDIR ; convert logo: logo.png)
+
+# Find a random free port
+PORT=$(shuf -i 20000-40000 -n 1)
+while ss -ltn | grep -q ":$PORT "; do
+ PORT=$(shuf -i 20000-40000 -n 1)
+done
+
+echo "Using random port $PORT"
+
+busybox httpd -v -f -p "$PORT" -h "$OUTDIR" &
+SERVERPID=$!
+sleep 1
+
+# should fail
+"$CONVERT" -verbose "http://127.0.0.1:$PORT/logo.png" "$OUTDIR/out.jpeg" || true
+if [ ! -f "$OUTDIR/out.jpeg" ] ; then
+ echo "✔ policy block HTTP correctly"
+ exit 0;
+else
+ echo "❌ policy failure"
+ exit 1
+fi
\ No newline at end of file
diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16hdri imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16hdri
--- imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16hdri 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/tests/policy-6.q16hdri 2026-06-21 08:43:07.000000000 +0000
@@ -0,0 +1,38 @@
+#!/usr/bin/sh
+
+CONVERT=convert-im6.q16hdri
+
+set -e
+
+clean() {
+ [ -n "$OUTDIR" ] && rm -rf "$OUTDIR" || true
+ [ -n "$SERVERPID" ] && kill "$SERVERPID" 2>/dev/null || true
+}
+
+trap clean EXIT INT TERM
+
+OUTDIR="$(mktemp -d)"
+
+(cd $OUTDIR ; convert logo: logo.png)
+
+# Find a random free port
+PORT=$(shuf -i 20000-40000 -n 1)
+while ss -ltn | grep -q ":$PORT "; do
+ PORT=$(shuf -i 20000-40000 -n 1)
+done
+
+echo "Using random port $PORT"
+
+busybox httpd -v -f -p "$PORT" -h "$OUTDIR" &
+SERVERPID=$!
+sleep 1
+
+# should fail
+"$CONVERT" -verbose "http://127.0.0.1:$PORT/logo.png" "$OUTDIR/out.jpeg" || true
+if [ ! -f "$OUTDIR/out.jpeg" ] ; then
+ echo "✔ policy block HTTP correctly"
+ exit 0;
+else
+ echo "❌ policy failure"
+ exit 1
+fi
\ No newline at end of file
diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in
--- imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in 2026-05-27 20:34:21.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in 2026-06-21 08:43:02.000000000 +0000
@@ -8,3 +8,7 @@
 Depends: imagemagick-${IMVERSION}.${QUANTUMDEPTH}, libmagickcore-${IMVERSION}.${QUANTUMDEPTH}-${CORESOVERSION}-extra, netpbm
 Restrictions: allow-stderr
+Tests: policy-${IMVERSION}.${QUANTUMDEPTH}
+Depends: @, curl, busybox, iproute2
+Restrictions: allow-stderr
+
diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in imagemagick-6.9.11.60+dfsg/debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in
--- imagemagick-6.9.11.60+dfsg/debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in 2026-06-21 08:40:47.000000000 +0000
@@ -0,0 +1,38 @@
+#!/usr/bin/sh
+
+CONVERT=convert-im${IMVERSION}.${QUANTUMDEPTH}
+
+set -e
+
+clean() {
+ [ -n "$OUTDIR" ] && rm -rf "$OUTDIR" || true
+ [ -n "$SERVERPID" ] && kill "$SERVERPID" 2>/dev/null || true
+}
+
+trap clean EXIT INT TERM
+
+OUTDIR="$(mktemp -d)"
+
+(cd $OUTDIR ; convert logo: logo.png)
+
+# Find a random free port
+PORT=$(shuf -i 20000-40000 -n 1)
+while ss -ltn | grep -q ":$PORT "; do
+ PORT=$(shuf -i 20000-40000 -n 1)
+done
+
+echo "Using random port $PORT"
+
+busybox httpd -v -f -p "$PORT" -h "$OUTDIR" &
+SERVERPID=$!
+sleep 1
+
+# should fail
+"$CONVERT" -verbose "http://127.0.0.1:$PORT/logo.png" "$OUTDIR/out.jpeg" || true
+if [ ! -f "$OUTDIR/out.jpeg" ] ; then
+ echo "✔ policy block HTTP correctly"
+ exit 0;
+else
+ echo "❌ policy failure"
+ exit 1
+fi
\ No newline at end of file
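Review bot: The pass condition in debian/tests.d/policy-IMVERSION.QUANTUMDEPTH.in (and in the generated copies tests/policy-6.q16 and tests/policy-6.q16hdri) is only that `out.jpeg` does not exist, which is also the outcome when busybox httpd has not come up within `sleep 1`, when the port was taken between the `ss` probe and the bind, or when `$CONVERT` is missing, so a regression of the HTTP policy can pass unnoticed. Add a positive control before the convert call, for example `curl -fsS -o /dev/null "http://127.0.0.1:$PORT/logo.png"`, which under `set -e` fails the test when the file is not actually reachable; curl is already in the test's Depends. The fixture line should use the binary under test and quote the directory: `(cd "$OUTDIR" && "$CONVERT" logo: logo.png)`. The changelog entry names HTTP, HTTPS and URL rules, but only an `http://` URL is exercised here.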