Version in base suite: 6.9.11.60+dfsg-1.6+deb12u3 Base version: imagemagick_6.9.11.60+dfsg-1.6+deb12u3 Target version: imagemagick_6.9.11.60+dfsg-1.6+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u4.dsc changelog | 59 ++++++++ patches/CVE-2025-53014.patch | 23 +++ patches/CVE-2025-53019.patch | 24 +++ patches/CVE-2025-53101.patch | 51 +++++++ patches/CVE-2025-55154.patch | 85 ++++++++++++ patches/CVE-2025-55212-1.patch | 23 +++ patches/CVE-2025-55212-2.patch | 37 +++++ patches/CVE-2025-55298-1.patch | 63 +++++++++ patches/CVE-2025-55298-2.patch | 257 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-55298-pre1.patch | 214 +++++++++++++++++++++++++++++++ patches/CVE-2025-55298-pre2.patch | 30 ++++ patches/CVE-2025-55298-pre3.patch | 27 +++ patches/CVE-2025-55298-pre4.patch | 101 ++++++++++++++ patches/CVE-2025-57803-pre1.patch | 50 +++++++ patches/CVE-2025-57803.patch | 59 ++++++++ patches/CVE-2025-57807.patch | 45 ++++++ patches/series | 16 ++ patches/statistic-private.patch | 30 ++++ 18 files changed, 1194 insertions(+) diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog --- imagemagick-6.9.11.60+dfsg/debian/changelog 2025-04-26 17:26:11.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2025-09-07 21:54:25.000000000 +0000 
@@ -1,3 +1,62 @@ +imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4) bookworm-security; urgency=medium + + * Fix CVE-2025-53014: + A heap buffer overflow was found in the `InterpretImageFilename` + function. The issue stems from an off-by-one error that causes + out-of-bounds memory access when processing format strings + containing consecutive percent signs (`%%`). + (Closes: #1109339) + * Fix CVE-2025-53019: + ImageMagick's `magick stream` command, specifying multiple + consecutive `%d` format specifiers in a filename template + causes a memory leak + * Fix CVE-2025-53101: + ImageMagick's `magick mogrify` command, specifying + multiple consecutive `%d` format specifiers in a filename + template causes internal pointer arithmetic to generate + an address below the beginning of the stack buffer, + resulting in a stack overflow through `vsnprintf()`. + * Fix CVE-2025-55154: + the magnified size calculations in ReadOneMNGIMage + (in coders/png.c) are unsafe and can overflow, + leading to memory corruption. + (Closes: #1111103) + * Fix CVE-2025-55212: + passing a geometry string containing only a colon (":") + to montage -geometry leads GetGeometry() to set width/height + to 0. Later, ThumbnailImage() divides by these zero dimensions, + triggering a crash (SIGFPE/abort) + (Closes: #1111587) + * Fix CVE-2025-55298: + A format string bug vulnerability exists in InterpretImageFilename + function where user input is directly passed to FormatLocaleString + without proper sanitization. An attacker can overwrite arbitrary + memory regions, enabling a wide range of attacks from heap + overflow to remote code execution. + (Closes: #1111586) + * Fix CVE-2025-57803: + A 32-bit integer overflow in the BMP encoder’s scanline-stride + computation collapses bytes_per_line (stride) to a tiny + value while the per-row writer still emits 3 × width bytes + for 24-bpp images. 
The row base pointer advances using the + (overflowed) stride, so the first row immediately writes + past its slot and into adjacent heap memory with + attacker-controlled bytes. + (Closes: #1112469) + * Fix CVE-2025-57807: + A security problem was found in SeekBlob(), which permits + advancing the stream offset beyond the current end without + increasing capacity, and WriteBlob(), which then expands by + quantum + length (amortized) instead of offset + length, + and copies to data + offset. When offset ≫ extent, the + copy targets memory beyond the allocation, producing a + deterministic heap write on 64-bit builds. No 2⁶⁴ + arithmetic wrap, external delegates, or policy settings + are required. + (Closes: #1114520) + + -- Bastien Roucariès Sun, 07 Sep 2025 23:54:25 +0200 + imagemagick (8:6.9.11.60+dfsg-1.6+deb12u3) bookworm; urgency=medium * Non-maintainer upload. diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53014.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53014.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53014.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53014.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,23 @@ +From: Dirk Lemstra +Date: Thu, 26 Jun 2025 23:01:07 +0200 +Subject: [PATCH] Correct out of bounds read of a single byte. + +Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f +--- + magick/image.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/magick/image.c b/magick/image.c +index 1fc3617..57ea3d1 100644 +--- a/magick/image.c ++++ b/magick/image.c +@@ -1682,7 +1682,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + q=(char *) p+1; + if (*q == '%') + { +- p=q+1; ++ p++; + continue; + } + field_width=0; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53019.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53019.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53019.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53019.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,24 @@ +From: Dirk Lemstra +Date: Fri, 27 Jun 2025 14:51:57 +0200 +Subject: [PATCH] Fixed memory leak when entering StreamImage multiple times. + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc +--- + magick/stream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/magick/stream.c b/magick/stream.c +index a44b550..ea6ddd9 100644 +--- a/magick/stream.c ++++ b/magick/stream.c +@@ -1275,7 +1275,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info, + assert(exception != (ExceptionInfo *) NULL); + read_info=CloneImageInfo(image_info); + stream_info->image_info=image_info; +- stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); ++ if (stream_info->quantum_info == (QuantumInfo *) NULL) ++ stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); + if (stream_info->quantum_info == (QuantumInfo *) NULL) + { + read_info=DestroyImageInfo(read_info); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53101.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53101.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53101.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-53101.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,51 @@ +From: Cristy +Date: Fri, 27 Jun 2025 20:03:11 -0400 +Subject: CVE-2025-53101 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9 +origin: https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e +--- + magick/image.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/magick/image.c b/magick/image.c +index 57ea3d1..509c1ab 100644 +--- a/magick/image.c ++++ b/magick/image.c +@@ -1671,7 +1671,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + *p; + + ssize_t +- field_width, + offset; + + canonical=MagickFalse; +@@ -1685,21 +1684,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + p++; + continue; + } +- field_width=0; +- if (*q == '0') +- field_width=(ssize_t) strtol(q,&q,10); + switch (*q) + { + case 'd': + case 'o': + case 'x': + { ++ ssize_t ++ count; ++ + q++; + c=(*q); + *q='\0'; +- (void) FormatLocaleString(filename+(p-format-offset),(size_t) ++ count=FormatLocaleString(filename+(p-format-offset),(size_t) + (MaxTextExtent-(p-format-offset)),p,value); +- offset+=(4-field_width); ++ if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ return(0); ++ offset+=(ssize_t) ((q-p)-count); + *q=c; + (void) ConcatenateMagickString(filename,q,MaxTextExtent); + canonical=MagickTrue; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55154.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55154.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55154.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55154.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,85 @@ +From: Cristy +Date: Sat, 9 Aug 2025 08:28:19 -0400 +Subject: CVE-2025-55154 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82 +origin: https://github.com/ImageMagick/ImageMagick6/commit/14234b2d3be45af1f71ffafd260532bbd8f81d39 +--- + coders/png.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index af8d957..72ddbe8 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -6646,7 +6646,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) && + ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5))) + { +- png_uint_32 ++ size_t + magnified_height, + magnified_width; + +@@ -6660,19 +6660,19 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + mng_info->magn_methy = 1; + if (mng_info->magn_methx == 1) + { +- magnified_width=mng_info->magn_ml; ++ magnified_width=(size_t) mng_info->magn_ml; + + if (image->columns > 1) + magnified_width += mng_info->magn_mr; + + if (image->columns > 2) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-2)*(mng_info->magn_mx)); + } + + else + { +- magnified_width=(png_uint_32) image->columns; ++ magnified_width=(size_t) image->columns; + + if (image->columns > 1) + magnified_width += mng_info->magn_ml-1; +@@ -6681,25 +6681,25 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + magnified_width += mng_info->magn_mr-1; + + if (image->columns > 3) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-3)*(mng_info->magn_mx-1)); + } + + if (mng_info->magn_methy == 1) + { +- magnified_height=mng_info->magn_mt; ++ magnified_height=(size_t) mng_info->magn_mt; + + if (image->rows > 1) + magnified_height += mng_info->magn_mb; + + if (image->rows > 2) +- magnified_height += (png_uint_32) ++ 
magnified_height += (size_t) + ((image->rows-2)*(mng_info->magn_my)); + } + + else + { +- magnified_height=(png_uint_32) image->rows; ++ magnified_height=(size_t) image->rows; + + if (image->rows > 1) + magnified_height += mng_info->magn_mt-1; +@@ -6708,7 +6708,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + magnified_height += mng_info->magn_mb-1; + + if (image->rows > 3) +- magnified_height += (png_uint_32) ++ magnified_height += (size_t) + ((image->rows-3)*(mng_info->magn_my-1)); + } + diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-1.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,23 @@ +From: Dirk Lemstra +Date: Thu, 14 Aug 2025 21:23:43 +0200 +Subject: [PATCH] Added checks for invalid with or height to ThumbnailImage + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/5fddcf974342d8e5e02f604bc2297c038e3d4196 +--- + magick/resize.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/magick/resize.c b/magick/resize.c +index 56e945e..e123e12 100644 +--- a/magick/resize.c ++++ b/magick/resize.c +@@ -3727,6 +3727,8 @@ MagickExport Image *ThumbnailImage(const Image *image,const size_t columns, + assert(image->signature == MagickCoreSignature); + if (image->debug != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); ++ if ((columns == 0) || (rows == 0)) ++ ThrowImageException(ImageError,"NegativeOrZeroImageSize"); + assert(exception != (ExceptionInfo *) NULL); + assert(exception->signature == MagickCoreSignature); + x_factor=(MagickRealType) columns/(MagickRealType) image->columns; diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55212-2.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,37 @@ +From: Cristy +Date: Sun, 17 Aug 2025 14:34:13 -0400 +Subject: [PATCH] CVE-2025-55212 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw +origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/3482953ef0af1e538cb776162a8d278141e0b9a0 +--- + magick/resize.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/magick/resize.c b/magick/resize.c +index e123e12..14019dd 100644 +--- a/magick/resize.c ++++ b/magick/resize.c +@@ -80,6 +80,7 @@ + #if defined(MAGICKCORE_LQR_DELEGATE) + #include + #endif ++#include "magick/pixel-accessor.h" + + /* + Typedef declarations. +@@ -3727,12 +3728,10 @@ MagickExport Image *ThumbnailImage(const Image *image,const size_t columns, + assert(image->signature == MagickCoreSignature); + if (image->debug != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); +- if ((columns == 0) || (rows == 0)) +- ThrowImageException(ImageError,"NegativeOrZeroImageSize"); + assert(exception != (ExceptionInfo *) NULL); + assert(exception->signature == MagickCoreSignature); +- x_factor=(MagickRealType) columns/(MagickRealType) image->columns; +- y_factor=(MagickRealType) rows/(MagickRealType) image->rows; ++ x_factor=((MagickRealType) columns)*MagickSafeReciprocal((MagickRealType) image->columns); ++ y_factor=((MagickRealType) rows)*MagickSafeReciprocal((MagickRealType) image->rows); + if ((x_factor*y_factor) > 0.1) + thumbnail_image=ResizeImage(image,columns,rows,image->filter,image->blur, + exception); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-1.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,63 @@ +From: Cristy +Date: Sun, 17 Aug 2025 14:16:19 -0400 +Subject: [1/2] CVE-2025-55298 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645 +origin: https://github.com/ImageMagick/ImageMagick/commit/731ce3a7aa7fabebaa322711c04ce5f5cf22edf4 + + +(cherry picked from commit 731ce3a7aa7fabebaa322711c04ce5f5cf22edf4) +--- + magick/image.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +Index: imagemagick/magick/image.c +=================================================================== +--- imagemagick.orig/magick/image.c 2025-09-07 23:47:52.986987309 +0200 ++++ imagemagick/magick/image.c 2025-09-07 23:47:52.982987293 +0200 +@@ -1655,6 +1655,31 @@ + % o filename: return the formatted filename in this character buffer. + % + */ ++ ++static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++{ ++ MagickBooleanType ++ match = MagickFalse; ++ ++ size_t ++ length = strlen(filename); ++ ++ ssize_t ++ i; ++ ++ for (i=0; i < (ssize_t) length-1; i++) ++ { ++ if ((filename[i] == '%') && ++ ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) ++ { ++ filename[i]='?'; ++ filename[i+1]='?'; ++ match=MagickTrue; ++ } ++ } ++ return(match); ++} ++ + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + Image *image,const char *format,int value,char *filename) + { +@@ -1673,6 +1698,13 @@ + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); ++ if (PercentNInvalidOperation(filename) != MagickFalse) ++ { ++ errno=EPERM; ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), ++ OptionError,"InvalidArgument","`%s'",filename); ++ return(0); ++ } + while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { + const char diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-2.patch 
imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-2.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,257 @@ +From: Cristy +Date: Sun, 17 Aug 2025 19:10:56 -0400 +Subject: [2/2] CVE-2025-55298 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645 +origin: https://github.com/ImageMagick/ImageMagick/commit/d789bdf7aabb955b88fbc95653aa9dbf6c5d259f + +(cherry picked from commit d789bdf7aabb955b88fbc95653aa9dbf6c5d259f) +--- + magick/image.c | 180 ++++++++++++++++++++++++++++++--------------------------- + 1 file changed, 95 insertions(+), 85 deletions(-) + +Index: imagemagick/magick/image.c +=================================================================== +--- imagemagick.orig/magick/image.c 2025-09-07 23:47:56.935003710 +0200 ++++ imagemagick/magick/image.c 2025-09-07 23:47:56.931003692 +0200 +@@ -1656,28 +1656,39 @@ + % + */ + +-static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++static inline MagickBooleanType IsValidFormatSpecifier(const char *start, ++ const char *end) + { +- MagickBooleanType +- match = MagickFalse; ++ char ++ specifier = end[-1]; + + size_t +- length = strlen(filename); ++ length = end-start; + +- ssize_t +- i; ++ /* ++ Is this a valid format specifier? 
++ */ ++ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o')) ++ return(MagickFalse); ++ if ((length == 1) && (*start == specifier)) ++ return(MagickTrue); ++ if (length >= 2) ++ { ++ size_t ++ i = 0; + +- for (i=0; i < (ssize_t) length-1; i++) +- { +- if ((filename[i] == '%') && +- ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) +- { +- filename[i]='?'; +- filename[i+1]='?'; +- match=MagickTrue; +- } +- } +- return(match); ++ if (*start == '0') ++ { ++ if ((length >= 3) && (start[1] == '0')) ++ return(MagickFalse); ++ i=1; ++ } ++ for ( ; i < (length-1); i++) ++ if (isdigit((int) ((unsigned char) start[i])) == 0) ++ return(MagickFalse); ++ return(MagickTrue); ++ } ++ return(MagickFalse); + } + + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, +@@ -1690,82 +1701,89 @@ + const char + *cursor = format; + +- /* +- Start with a copy of the format string. +- */ + assert(format != (const char *) NULL); + assert(filename != (char *) NULL); +- (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) +- return(strlen(filename)); +- if (PercentNInvalidOperation(filename) != MagickFalse) + { +- errno=EPERM; +- (void) ThrowMagickException(&image->exception,GetMagickModule(), +- OptionError,"InvalidArgument","`%s'",filename); +- return(0); ++ (void) CopyMagickString(filename,format,MagickPathExtent); ++ return(strlen(filename)); + } +- while ((cursor=strchr(cursor,'%')) != (const char *) NULL) ++ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1))) + { + const char +- *q = cursor; ++ *specifier_start, ++ *start; + +- ssize_t +- offset = (ssize_t) (cursor-format); +- +- cursor++; /* move past '%' */ ++ if (*cursor != '%') ++ { ++ *p++=(*cursor++); ++ continue; ++ } ++ start=cursor++; /* Skip '%' */ + if (*cursor == '%') + { +- /* +- Escaped %%. +- */ ++ *p++='%'; + cursor++; + continue; + } +- /* +- Skip padding digits like %03d. 
+- */ +- if (isdigit((int) ((unsigned char) *cursor)) != 0) +- (void) strtol(cursor,(char **) &cursor,10); +- switch (*cursor) +- { +- case 'd': +- case 'o': +- case 'x': ++ specifier_start=cursor; ++ while (isdigit((int) ((unsigned char) *cursor)) != 0) ++ cursor++; ++ if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x')) + { +- ssize_t +- count; ++ const char ++ *specifier_end = cursor+1; + +- count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent) || +- ((offset+count) >= MagickPathExtent)) +- return(0); +- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- +- offset)); +- cursor++; +- break; ++ if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse) ++ { ++ char ++ format_specifier[MagickPathExtent]; ++ ++ size_t ++ length = cursor-specifier_start; ++ ++ ssize_t ++ count; ++ ++ (void) snprintf(format_specifier,sizeof(format_specifier), ++ "%%%.*s%c",(int) length,specifier_start,*cursor); ++ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier, ++ value); ++ if ((count <= 0) || ((p-filename+count) >= MagickPathExtent)) ++ return(0); ++ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename)); ++ p+=strlen(pattern); ++ cursor++; ++ continue; ++ } ++ else ++ { ++ /* ++ Invalid specifier — treat as literal. 
++ */ ++ cursor=start; ++ *p++=(*cursor++); ++ continue; ++ } + } +- case '[': ++ if (*cursor == '[') + { + const char + *end = strchr(cursor,']'), + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor-1), +- option_length, +- tail_length; +- +- /* +- Handle %[key:value]; +- */ ++ extent, ++ option_length; ++ + if (end == (const char *) NULL) +- break; ++ continue; ++ extent=(size_t) (end-cursor-1); + if (extent >= sizeof(pattern)) +- break; ++ continue; + (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; +- if (image != (Image *) NULL) ++ if (image != NULL) + { + option=GetImageProperty(image,pattern); + if (option == (const char *) NULL) +@@ -1775,32 +1793,24 @@ + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) +- break; ++ continue; + option_length=strlen(option); +- tail_length=strlen(end+1); +- if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ if ((p-filename+option_length) >= MagickPathExtent) + return(0); +- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- +- offset)); +- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( +- MagickPathExtent-offset-option_length-tail_length-1)); ++ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename)); ++ p+=option_length; + cursor=end+1; +- break; ++ continue; + } +- default: +- break; +- } +- } +- for (p=filename; *p != '\0'; ) +- { + /* +- Replace "%%" with "%". ++ Invalid or unsupported specifier — treat as literal. 
+ */ +- if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ +- else +- p++; ++ cursor=start; ++ if ((p-filename+1) >= MagickPathExtent) ++ return(0); ++ *p++=(*cursor++); + } ++ *p='\0'; + return(strlen(filename)); + } + diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre1.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,214 @@ +From: Cristy +Date: Sat, 19 Jul 2025 13:39:46 -0400 +Subject: CVE-2025-55298 prepare + +Crop filename pattern %03d no longer works in ImageMagick 7 + +bug: https://github.com/ImageMagick/ImageMagick/issues/8261 +origin: https://github.com/ImageMagick/ImageMagick/commit/1242136dfdbb2549bacdaddb9b8a5e75fe043789 + +(cherry picked from commit 1242136dfdbb2549bacdaddb9b8a5e75fe043789) +--- + magick/image.c | 152 ++++++++++++++++++++++++--------------------------------- + 1 file changed, 65 insertions(+), 87 deletions(-) + +diff --git a/magick/image.c b/magick/image.c +index 509c1ab..2dc5b78 100644 +--- a/magick/image.c ++++ b/magick/image.c +@@ -1656,35 +1656,45 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % + */ + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, +- Image *image,const char *format,int value,char *filename) ++ Image *image,const char *format,int value,char *filename, ++ ExceptionInfo *exception) + { + char +- *q; +- +- int +- c; +- +- MagickBooleanType +- canonical; ++ *p = filename, ++ pattern[MagickPathExtent]; + + const char +- *p; ++ *cursor = format; + +- ssize_t +- offset; +- +- canonical=MagickFalse; +- offset=0; +- (void) CopyMagickString(filename,format,MaxTextExtent); +- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) ++ /* ++ Start with a copy of the format string. ++ */ ++ (void) CopyMagickString(filename,format,MagickPathExtent); ++ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) ++ return(strlen(filename)); ++ while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { +- q=(char *) p+1; +- if (*q == '%') ++ const char ++ *q = cursor; ++ ++ ssize_t ++ offset = (ssize_t) (cursor-format); ++ ++ cursor++; /* move past '%' */ ++ if (*cursor == '%') + { +- p++; ++ /* ++ Escaped %%. ++ */ ++ cursor++; + continue; + } +- switch (*q) ++ /* ++ Skip padding digits like %03d. 
++ */ ++ if (*cursor == '0') ++ (void) strtol(cursor,(char **) &cursor,10); ++ switch (*cursor) + { + case 'd': + case 'o': +@@ -1693,94 +1703,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + ssize_t + count; + +- q++; +- c=(*q); +- *q='\0'; +- count=FormatLocaleString(filename+(p-format-offset),(size_t) +- (MaxTextExtent-(p-format-offset)),p,value); +- if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ count=FormatLocaleString(pattern,sizeof(pattern),q,value); ++ if ((count <= 0) || (count >= MagickPathExtent)) + return(0); +- offset+=(ssize_t) ((q-p)-count); +- *q=c; +- (void) ConcatenateMagickString(filename,q,MaxTextExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') +- break; +- p++; ++ if ((offset+count) >= MagickPathExtent) ++ return(0); ++ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- ++ offset)); ++ cursor++; + break; + } + case '[': + { +- char +- pattern[MaxTextExtent]; +- + const char +- *value; ++ *end = strchr(cursor,']'), ++ *option = (const char *) NULL; + +- char +- *r; +- +- ssize_t +- i; +- +- ssize_t +- depth; ++ size_t ++ extent = (size_t) (end-cursor); + + /* +- Image option. 
++ Handle %[key:value]; + */ +- if (strchr(p,']') == (char *) NULL) ++ if (end == (const char *) NULL) + break; +- depth=1; +- r=q+1; +- for (i=0; (i < (MaxTextExtent-1L)) && (*r != '\0'); i++) +- { +- if (*r == '[') +- depth++; +- if (*r == ']') +- depth--; +- if (depth <= 0) +- break; +- pattern[i]=(*r++); +- } +- pattern[i]='\0'; +- if (LocaleNCompare(pattern,"filename:",9) != 0) ++ if (extent >= sizeof(pattern)) + break; +- value=(const char *) NULL; ++ (void) CopyMagickString(pattern,cursor,extent); ++ pattern[extent]='\0'; + if (image != (Image *) NULL) +- value=GetImageProperty(image,pattern); +- if ((value == (const char *) NULL) && +- (image != (Image *) NULL)) +- value=GetImageArtifact(image,pattern); +- if ((value == (const char *) NULL) && ++ option=GetImageProperty(image,pattern,exception); ++ if ((option == (const char *) NULL) && (image != (Image *)NULL)) ++ option=GetImageArtifact(image,pattern); ++ if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) +- value=GetImageOption(image_info,pattern); +- if (value == (const char *) NULL) +- break; +- q--; +- c=(*q); +- *q='\0'; +- (void) CopyMagickString(filename+(p-format-offset),value,(size_t) +- (MaxTextExtent-(p-format-offset))); +- offset+=strlen(pattern)-strlen(value)+3; +- *q=c; +- (void) ConcatenateMagickString(filename,r+1,MaxTextExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') ++ option=GetImageOption(image_info,pattern); ++ if (option == (const char *) NULL) + break; +- p++; ++ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- ++ offset)); ++ cursor=end+1; + break; + } + default: + break; + } + } +- if (canonical == MagickFalse) +- (void) CopyMagickString(filename,format,MaxTextExtent); +- else +- for (q=filename; *q != '\0'; q++) +- if ((*q == '%') && (*(q+1) == '%')) +- (void) CopyMagickString(q,q+1,(size_t) (MaxTextExtent-(q-filename))); ++ for (p=filename; *p != '\0'; ) ++ { ++ /* ++ Replace "%%" with "%". 
++ */ ++ if ((*p == '%') && (*(p+1) == '%')) ++ (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ else ++ p++; ++ } + return(strlen(filename)); + } + diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre2.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre2.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre2.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,30 @@ +commit 2a68d6873954b05d4fad678dc8ff811416915c48 +Author: Cristy +Date: Sat Jul 19 13:48:59 2025 -0400 + + eliminate compiler exception + +origin: https://github.com/ImageMagick/ImageMagick/commit/2a68d6873954b05d4fad678dc8ff811416915c48 +Index: imagemagick/magick/image.c +=================================================================== +--- imagemagick.orig/magick/image.c 2025-09-07 23:46:32.602657882 +0200 ++++ imagemagick/magick/image.c 2025-09-07 23:46:32.598657865 +0200 +@@ -1656,8 +1656,7 @@ + % + */ + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, +- Image *image,const char *format,int value,char *filename, +- ExceptionInfo *exception) ++ Image *image,const char *format,int value,char *filename) + { + char + *p = filename, +@@ -1732,7 +1731,7 @@ + (void) CopyMagickString(pattern,cursor,extent); + pattern[extent]='\0'; + if (image != (Image *) NULL) +- option=GetImageProperty(image,pattern,exception); ++ option=GetImageProperty(image,pattern); + if ((option == (const char *) NULL) && (image != (Image *)NULL)) + option=GetImageArtifact(image,pattern); + if ((option == (const char *) NULL) && diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre3.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre3.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre3.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre3.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,27 @@ +From: Cristy +Date: Sat, 19 Jul 2025 14:26:08 -0400 +Subject: CVE-2025-55298 prepare + +don't forget the end filename segment + +origin: https://github.com/ImageMagick/ImageMagick/commit/29e72edc9d3a4e87c4d6d102a8e2a7e0e9054ee4 + + +(cherry picked from commit 29e72edc9d3a4e87c4d6d102a8e2a7e0e9054ee4) +--- + magick/image.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick/magick/image.c +=================================================================== +--- imagemagick.orig/magick/image.c 2025-09-07 23:46:41.778695032 +0200 ++++ imagemagick/magick/image.c 2025-09-07 23:46:41.774695015 +0200 +@@ -1741,6 +1741,8 @@ + break; + (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- + offset)); ++ (void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t) ++ (MagickPathExtent-offset-strlen(option)-strlen(end)-1)); + cursor=end+1; + break; + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre4.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre4.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre4.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-55298-pre4.patch 2025-09-07 21:54:25.000000000 +0000 
@@ -0,0 +1,101 @@ +From: Cristy +Date: Sat, 19 Jul 2025 16:06:42 -0400 +Subject: CVE-2025-55298 prepare + +more boundary checks + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/c70a18c3ac9579e25255fe0279bf81878a403b66 + +(cherry-picked from c70a18c3ac9579e25255fe0279bf81878a403b66) +--- + magick/image.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +Index: imagemagick/magick/image.c +=================================================================== +--- imagemagick.orig/magick/image.c 2025-09-07 23:46:50.682731197 +0200 ++++ imagemagick/magick/image.c 2025-09-07 23:47:33.998908710 +0200 +@@ -1668,6 +1668,8 @@ + /* + Start with a copy of the format string. + */ ++ assert(format != (const char *) NULL); ++ assert(filename != (char *) NULL); + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); +@@ -1691,7 +1693,7 @@ + /* + Skip padding digits like %03d. 
+ */ +- if (*cursor == '0') ++ if (isdigit((int) ((unsigned char) *cursor)) != 0) + (void) strtol(cursor,(char **) &cursor,10); + switch (*cursor) + { +@@ -1703,9 +1705,8 @@ + count; + + count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent)) +- return(0); +- if ((offset+count) >= MagickPathExtent) ++ if ((count <= 0) || (count >= MagickPathExtent) || ++ ((offset+count) >= MagickPathExtent)) + return(0); + (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- + offset)); +@@ -1719,7 +1720,9 @@ + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor); ++ extent = (size_t) (end-cursor-1), ++ option_length, ++ tail_length; + + /* + Handle %[key:value]; +@@ -1728,21 +1731,27 @@ + break; + if (extent >= sizeof(pattern)) + break; +- (void) CopyMagickString(pattern,cursor,extent); ++ (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; + if (image != (Image *) NULL) +- option=GetImageProperty(image,pattern); +- if ((option == (const char *) NULL) && (image != (Image *)NULL)) +- option=GetImageArtifact(image,pattern); ++ { ++ option=GetImageProperty(image,pattern); ++ if (option == (const char *) NULL) ++ option=GetImageArtifact(image,pattern); ++ } + if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) + break; ++ option_length=strlen(option); ++ tail_length=strlen(end+1); ++ if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ return(0); + (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- + offset)); +- (void) ConcatenateMagickString(p+offset+strlen(option),end+1,(size_t) +- (MagickPathExtent-offset-strlen(option)-strlen(end)-1)); ++ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( ++ MagickPathExtent-offset-option_length-tail_length-1)); + cursor=end+1; + break; + } +@@ -1756,7 +1765,7 @@ + Replace "%%" 
with "%". + */ + if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ + else + p++; + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803-pre1.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803-pre1.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803-pre1.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,50 @@ +From: Cristy +Date: Fri, 20 Oct 2023 20:09:48 -0400 +Subject: correct bytes per line calculation + +origin: backport, https://github.com/ImageMagick/ImageMagick6/337225582be0e4b3c6a395c5fcc2732684a2b3ab +--- + coders/bmp.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index b837b28..356a032 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -976,18 +976,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (bmp_info.compression == BI_RLE4) + bmp_info.bits_per_pixel<<=1; +- bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32); ++ bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32); + length=(size_t) bytes_per_line*image->rows; + if ((MagickSizeType) (length/256) > blob_size) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, ++ image->columns+1UL)*sizeof(*pixels)); ++ if (pixel_info == (MemoryInfo *) NULL) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + if ((bmp_info.compression == BI_RGB) || + (bmp_info.compression == BI_BITFIELDS)) + { +- pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, +- image->columns+256UL)*sizeof(*pixels)); +- if (pixel_info == (MemoryInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + if (image->debug != MagickFalse) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Reading pixels (%.20g bytes)",(double) length); +@@ -1004,11 +1004,6 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Convert run-length encoded raster pixels. 
+ */ +- pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, +- image->columns+256UL)*sizeof(*pixels)); +- if (pixel_info == (MemoryInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); + status=DecodeImage(image,bmp_info.compression,pixels, + image->columns*image->rows); + if (status == MagickFalse) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57803.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,59 @@ +From: Cristy +Date: Sat, 23 Aug 2025 09:16:48 -0400 +Subject: CVE-2025-57803 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/e49c68c88eed6e68145480a471650daa9ed87217 + +(cherry picked from commit e49c68c88eed6e68145480a471650daa9ed87217) +--- + coders/bmp.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/coders/bmp.c b/coders/bmp.c +index 356a032..c6ec39e 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -512,6 +512,11 @@ static MagickBooleanType IsBMP(const unsigned char *magick,const size_t length) + % + */ + ++static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y) ++{ ++ return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse); ++} ++ + static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + BMPInfo +@@ -545,6 +550,7 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + size_t + bit, + bytes_per_line, ++ extent, + length; + + ssize_t +@@ -976,12 +982,18 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (bmp_info.compression == BI_RLE4) + bmp_info.bits_per_pixel<<=1; +- bytes_per_line=image->columns*(4*(bmp_info.bits_per_pixel+31)/32); +- length=(size_t) bytes_per_line*image->rows; ++ extent=image->columns*bmp_info.bits_per_pixel; ++ bytes_per_line=4*((extent+31)/32); ++ if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ length=bytes_per_line*image->rows; + if ((MagickSizeType) (length/256) > blob_size) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); +- pixel_info=AcquireVirtualMemory(image->rows,MagickMax(bytes_per_line, +- image->columns+1UL)*sizeof(*pixels)); ++ 
extent=MagickMax(bytes_per_line,image->columns+1UL); ++ if ((BMPOverflowCheck(image->rows,extent) != MagickFalse) || ++ (BMPOverflowCheck(extent,sizeof(*pixels)) != MagickFalse)) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ pixel_info=AcquireVirtualMemory(image->rows,extent*sizeof(*pixels)); + if (pixel_info == (MemoryInfo *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57807.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57807.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57807.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2025-57807.patch 2025-09-07 21:53:01.000000000 +0000 
@@ -0,0 +1,45 @@ +From: Cristy +Date: Sun, 24 Aug 2025 12:32:07 -0400 +Subject: CVE-2025-57807 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-23hg-53q6-hqfg +origin: https://github.com/ImageMagick/ImageMagick/commit/ab1bb3d8ed06d0ed6aa5038b6a74aebf53af9ccf + + +(cherry picked from commit ab1bb3d8ed06d0ed6aa5038b6a74aebf53af9ccf) +--- + magick/blob.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/magick/blob.c b/magick/blob.c +index ea9df03..a60fcda 100644 +--- a/magick/blob.c ++++ b/magick/blob.c +@@ -1298,7 +1298,7 @@ static inline ssize_t WriteBlobStream(Image *image,const size_t length, + extent=(MagickSizeType) (blob_info->offset+(MagickOffsetType) length); + if (extent >= blob_info->extent) + { +- extent=blob_info->extent+blob_info->quantum+length; ++ extent+=blob_info->quantum+length; + blob_info->quantum<<=1; + if (SetBlobExtent(image,extent) == MagickFalse) + return(0); +@@ -4974,12 +4974,15 @@ MagickExport ssize_t WriteBlob(Image *image,const size_t length, + } + case BlobStream: + { +- if ((blob_info->offset+(MagickOffsetType) length) >= +- (MagickOffsetType) blob_info->extent) ++ MagickSizeType ++ extent; ++ ++ extent=(MagickSizeType) (blob_info->offset+(MagickOffsetType) length); ++ if (extent >= blob_info->extent) + { + if (blob_info->mapped != MagickFalse) + return(0); +- blob_info->extent+=length+blob_info->quantum; ++ blob_info->extent=extent+blob_info->quantum+length; + blob_info->quantum<<=1; + blob_info->data=(unsigned char *) ResizeQuantumMemory( + blob_info->data,blob_info->extent+1,sizeof(*blob_info->data)); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series --- imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-04-26 17:26:11.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2025-09-07 21:53:01.000000000 +0000 
@@ -79,3 +79,19 @@ 0079-recursion-detection-framework.patch 0080-Fixed-memory-leak.patch 0001-Update-the-image-depth-after-this-has-been-changed-b.patch +CVE-2025-53014.patch +CVE-2025-53019.patch +CVE-2025-53101.patch +CVE-2025-55154.patch +statistic-private.patch +CVE-2025-55212-1.patch +CVE-2025-55212-2.patch +CVE-2025-55298-pre1.patch +CVE-2025-55298-pre2.patch +CVE-2025-55298-pre3.patch +CVE-2025-55298-pre4.patch +CVE-2025-55298-1.patch +CVE-2025-55298-2.patch +CVE-2025-57803-pre1.patch +CVE-2025-57803.patch +CVE-2025-57807.patch diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/statistic-private.patch imagemagick-6.9.11.60+dfsg/debian/patches/statistic-private.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/statistic-private.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/statistic-private.patch 2025-09-07 21:53:01.000000000 +0000 @@ -0,0 +1,30 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sun, 7 Sep 2025 21:27:45 +0200 +Subject: Private alias for easing backport + +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e92b6cc3e96d5175974626317512dd9 +--- + magick/pixel-accessor.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/magick/pixel-accessor.h b/magick/pixel-accessor.h +index c89ae90..683778b 100644 +--- a/magick/pixel-accessor.h ++++ b/magick/pixel-accessor.h +@@ -133,7 +133,15 @@ static inline double PerceptibleReciprocal(const double x) + if ((sign*x) >= MagickEpsilon) + return(1.0/x); + return(sign/MagickEpsilon); +-} ++} ++ ++static inline double MagickSafeReciprocal(const double x) ++{ ++ if ((x > -MagickEpsilon) && (x < MagickEpsilon)) ++ return(1.0/MagickEpsilon); ++ return(1.0/x); ++} ++ + + static inline MagickRealType GetPixelLuma(const Image *magick_restrict image, + const PixelPacket *magick_restrict pixel)
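Review bot: in CVE-2025-55298-pre3.patch, the length passed to the added ConcatenateMagickString call, `MagickPathExtent-offset-strlen(option)-strlen(end)-1`, is an unsigned subtraction with no preceding bound check, so a long `option` makes it wrap to a huge size_t, and `p+offset+strlen(option)` can point past the text that the CopyMagickString call just above was allowed to write. As a stand-alone step in the series this is unsafe. Either fold it into pre4, which adds the `offset+option_length+tail_length+1` test, or carry that test here. The subtraction also uses `strlen(end)` while the string being appended is `end+1`, which is off by one.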
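Review bot: in CVE-2025-55298-pre4.patch, hunk `@@ -1728,21 +1731,27 @@`, the third argument of ConcatenateMagickString is `MagickPathExtent-offset-option_length-tail_length-1`, which subtracts the length of the very string being appended. The CopyMagickString call two lines above passes `MagickPathExtent-offset` as the destination capacity; if the concatenate call takes a capacity in the same way, the tail is truncated whenever it is longer than roughly half of the remaining space, even though the new bound check has already established that everything fits. Passing `MagickPathExtent-offset-option_length` would match the check. It is also worth a comment on why overflow here does `return(0)` while a missing option does `break`.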
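Review bot: in CVE-2025-55298-pre4.patch, hunk `@@ -1756,7 +1765,7 @@`, the new count `strlen(p+1)+1` is the same number as the old `strlen(p)` because the branch is only taken when `*p == '%'`, so the memmove copies exactly the same bytes (the rest of the string plus its terminator) before and after. If this line was meant to close an out-of-bounds access, it does not change behaviour and the real fix has to be elsewhere; if it is only a readability change, say so in the patch description and extend the `/* shift left */` comment to state that the terminator is included.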
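Review bot: in CVE-2025-57803-pre1.patch, hunk `@@ -976,18 +976,18 @@`, the replacement `image->columns*(4*(bmp_info.bits_per_pixel+31)/32)` is not a row stride rounded up to 4 bytes: the integer division is applied per pixel, so for 24 bits per pixel it evaluates to 6 bytes per column where the removed expression gave 3 bytes per column plus padding. The subject says "correct bytes per line calculation", yet CVE-2025-57803.patch later in the series goes back to `4*((extent+31)/32)`. Please explain in the header why this intermediate formula is needed, or drop the line from the backport and keep only the hoisted allocation. Separately, the origin URL has no `/commit/` segment before the hash, unlike the other patches.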
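Review bot: in CVE-2025-57803-pre1.patch, hunk `@@ -1004,11 +1004,6 @@`, the run-length branch loses its own buffer, which was sized with `image->columns+256UL`, and now relies on the hoisted allocation sized with `image->columns+1UL`. DecodeImage is still called with `image->columns*image->rows` as its limit, so the 255 bytes of per-row slack are gone for compressed input. Please confirm that the decoder cannot write past the smaller buffer on a run that crosses the end of the last row, and note the reasoning in the patch header.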
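Review bot: in CVE-2025-57803.patch, hunk `@@ -976,12 +982,18 @@`, the first multiplication, `extent=image->columns*bmp_info.bits_per_pixel`, is evaluated before any BMPOverflowCheck call, so where size_t is 32 bits wide it can wrap and produce a small `bytes_per_line` that then passes both later checks. Add `BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel)` ahead of it. The changelog entry describes the overflow in the BMP encoder, while every hunk shown here is in ReadBMPImage; the header should state whether the writer needs no change in this branch or is fixed elsewhere.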
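Review bot: in CVE-2025-57807.patch, hunk `@@ -1298,7 +1298,7 @@`, `extent` already holds `offset+length` from the context line above, so `extent+=blob_info->quantum+length` counts `length` twice and the result is never tested for wrap-around before it reaches SetBlobExtent. The sum on the context line is also formed in signed MagickOffsetType before the cast, so a `length` above the signed maximum goes negative there. If the doubled `length` is deliberate headroom, a one-line comment would help; a wrap check (`extent < length`, for example) should precede the SetBlobExtent call either way.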
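Review bot: in CVE-2025-57807.patch, hunk `@@ -4974,12 +4974,15 @@`, `blob_info->extent` is overwritten with `extent+blob_info->quantum+length` and `blob_info->extent+1` is handed to ResizeQuantumMemory with no test that either addition stayed in range, so a wrapped value would request a small block while `offset` remains large. Compute the new size in a local, reject it if it is smaller than `extent`, and store it in `blob_info->extent` only after the resize has succeeded.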
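Review bot: in statistic-private.patch, the added MagickSafeReciprocal returns `1.0/MagickEpsilon` for every x inside the epsilon band, including small negative values, whereas PerceptibleReciprocal directly above returns `sign/MagickEpsilon` and so keeps the sign. If the helper is described as a private alias, callers switched to it will see different results for tiny negative inputs; either preserve the sign or document the difference in the header. The hunk also replaces the closing `}` of PerceptibleReciprocal with an identical-looking line and adds an extra blank line, which looks like unintended whitespace churn.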