Version in base suite: 6.9.11.60+dfsg-1.6+deb12u5

Base version: imagemagick_6.9.11.60+dfsg-1.6+deb12u5
Target version: imagemagick_6.9.11.60+dfsg-1.6+deb12u6
Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u6.dsc

 changelog                    |   20 +++++++++++++
 patches/CVE-2026-23874.patch |   37 ++++++++++++++++++++++++
 patches/CVE-2026-23876.patch |   66 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2026-23952.patch |   43 ++++++++++++++++++++++++++++
 patches/series               |    3 +
 5 files changed, 169 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwh6_thsa/imagemagick_6.9.11.60+dfsg-1.6+deb12u5.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwh6_thsa/imagemagick_6.9.11.60+dfsg-1.6+deb12u6.dsc: no acceptable signature found
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2025-12-30 16:36:07.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2026-01-21 21:54:51.000000000 +0000
@@ -1,3 +1,23 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u6) bookworm-security; urgency=high
+
+  * Fix CVE-2026-23874 (Closes: #1126075)
+    a stack overflow was found via infinite recursion in
+    MSL (Magick Scripting Language) `<write>` command when
+    writing to MSL format.
+  * Fix CVE-2026-23876 (Closes: #1126076)
+    A heap buffer overflow vulnerability was found in the XBM
+    image decoder (ReadXBMImage) allows an attacker to write
+    controlled data past the allocated heap buffer when
+    processing a maliciously crafted image file.
+    Any operation that reads or identifies an image can
+    trigger the overflow, making it exploitable via common
+    image upload and processing pipelines.
+  * Fix CVE-2026-23952 (Closes: 1126077)
+    NULL pointer dereference was found in MSL parser via <comment>
+    tag before image load
+
+ -- Bastien Roucariès <rouca@debian.org>  Wed, 21 Jan 2026 22:54:51 +0100
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u5) bookworm; urgency=medium
 
   * Fix CVE-2025-62171 (Closes: #1118340)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23874.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23874.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23874.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23874.patch	2026-01-21 21:54:51.000000000 +0000
@@ -0,0 +1,37 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 15 Jan 2026 17:50:16 -0500
+Subject: MSL: Stack overflow via infinite recursion in ProcessMSLScript
+
+(cherry picked from commit fe2970bbbe02c6fe875cc2b269390a3165d57706)
+origin: https://github.com/ImageMagick/ImageMagick6/commit/fe2970bbbe02c6fe875cc2b269390a3165d57706
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126075
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
+---
+ coders/msl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index 7560c23..f51b5b0 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7359,8 +7359,18 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+ 
+           /* process */
+           {
+-            *msl_info->image_info[n]->magick='\0';
+-            (void) WriteImage(msl_info->image_info[n], msl_info->image[n]);
++            (void) CopyMagickString(msl_info->image_info[n]->filename,
++              msl_info->image[n]->filename,MagickPathExtent);
++            (void) SetImageInfo(msl_info->image_info[n],1,exception);
++            if (LocaleCompare(msl_info->image_info[n]->magick,"msl") != 0)
++              {
++                *msl_info->image_info[n]->magick='\0';
++                (void) WriteImage(msl_info->image_info[n],msl_info->image[n]);
++              }
++            else
++              (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
++                FileOpenError,"UnableToWriteFile","`%s'",
++                msl_info->image[n]->filename);
+             break;
+           }
+         }
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23876.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23876.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23876.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23876.patch	2026-01-21 21:54:51.000000000 +0000
@@ -0,0 +1,66 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sun, 18 Jan 2026 18:26:36 +0100
+Subject: Added overflow checks to prevent an out of bounds write
+
+(cherry picked from commit 536512a2c60cd6e8c21c1256c2ee4da48d903e0c)
+origin: https://github.com/ImageMagick6/ImageMagick/commit/536512a2c60cd6e8c21c1256c2ee4da48d903e0c
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126076
+---
+ coders/xbm.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index 24a7ee7..06bc63d 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -203,6 +203,10 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   short int
+     hex_digits[256];
+ 
++  size_t
++    bytes_per_line,
++    length;
++
+   ssize_t
+     y;
+ 
+@@ -212,8 +216,6 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   unsigned int
+     bit,
+     byte,
+-    bytes_per_line,
+-    length,
+     padding,
+     version;
+ 
+@@ -346,15 +348,15 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   if (((image->columns % 16) != 0) && ((image->columns % 16) < 9) &&
+       (version == 10))
+     padding=1;
+-  bytes_per_line=(unsigned int) (image->columns+7)/8+padding;
+-  length=(unsigned int) image->rows;
+-  data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+-    sizeof(*data));
++  bytes_per_line=(image->columns+7)/8+padding;
++  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)
++    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++  data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
+   if (data == (unsigned char *) NULL)
+     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+   p=data;
+   if (version == 10)
+-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
++    for (i=0; i < (ssize_t) length; (i+=2))
+     {
+       c=XBMInteger(image,hex_digits);
+       if (c < 0)
+@@ -367,7 +369,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         *p++=(unsigned char) (c >> 8);
+     }
+   else
+-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
++    for (i=0; i < (ssize_t) length; i++)
+     {
+       c=XBMInteger(image,hex_digits);
+       if (c < 0)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23952.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23952.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23952.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-23952.patch	2026-01-21 21:54:51.000000000 +0000
@@ -0,0 +1,43 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 15 Jan 2026 17:34:43 -0500
+Subject: 
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
+
+(cherry picked from commit 0e4023775c8859d2b802e8b459a27b599ca8403a)
+origin: backport, https://github.com/ImageMagick6/ImageMagick/commit/0e4023775c8859d2b802e8b459a27b599ca8403a
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126077
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
+---
+ coders/msl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index f51b5b0..2610fe2 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7410,6 +7410,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+     {
+       if (LocaleCompare((const char *) tag,"comment") == 0 )
+         {
++          if (msl_info->image[n] == (Image *) NULL)
++            {
++              ThrowMSLException(OptionError,"NoImagesDefined",
++                (const char *) tag);
++              break;
++            }
+           (void) DeleteImageProperty(msl_info->image[n],"comment");
+           if (msl_info->content == (char *) NULL)
+             break;
+@@ -7454,6 +7460,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+     {
+       if (LocaleCompare((const char *) tag,"label") == 0 )
+         {
++          if (msl_info->image[n] == (Image *) NULL)
++            {
++              ThrowMSLException(OptionError,"NoImagesDefined",
++                (const char *) tag);
++              break;
++            }
+           (void) DeleteImageProperty(msl_info->image[n],"label");
+           if (msl_info->content == (char *) NULL)
+             break;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series	2025-12-30 16:36:07.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series	2026-01-21 21:54:51.000000000 +0000
@@ -102,3 +102,6 @@
 CVE-2025-68618.patch
 CVE-2025-68950.patch
 CVE-2025-69204.patch
+CVE-2026-23874.patch
+CVE-2026-23876.patch
+CVE-2026-23952.patch