Version in base suite: 6.9.11.60+dfsg-1.3 Base version: imagemagick_6.9.11.60+dfsg-1.3 Target version: imagemagick_6.9.11.60+dfsg-1.3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.3+deb11u1.dsc changelog | 6 ++ patches/move-profile-property-to-cli-option.patch | 63 ++++++++++++++++++++++ patches/series | 1 3 files changed, 70 insertions(+)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog 2021-04-20 14:37:59.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog 2023-02-03 17:59:42.000000000 +0000
@@ -1,3 +1,9 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u1) bullseye-security; urgency=medium
+
+ * Fix CVE-2022-44267 / CVE-2022-44268
+
+ -- Moritz Mühlenhoff Fri, 03 Feb 2023 18:59:42 +0100
+
 imagemagick (8:6.9.11.60+dfsg-1.3) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/move-profile-property-to-cli-option.patch imagemagick-6.9.11.60+dfsg/debian/patches/move-profile-property-to-cli-option.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/move-profile-property-to-cli-option.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/move-profile-property-to-cli-option.patch 2023-02-03 17:59:36.000000000 +0000
@@ -0,0 +1,63 @@
+Backport of
+
+From d77c01e560e973177feed4915ffd7dd1a45fd763 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Fri, 3 Feb 2023 09:33:01 -0500
+Subject: [PATCH] move `-set profile` handler to CLI
+
+--- imagemagick-6.9.11.60+dfsg.orig/magick/property.c
++++ imagemagick-6.9.11.60+dfsg/magick/property.c
+@@ -4399,26 +4399,6 @@ MagickExport MagickBooleanType SetImageP
+ geometry=DestroyString(geometry);
+ break;
+ }
+- if (LocaleCompare("profile",property) == 0)
+- {
+- ImageInfo
+- *image_info;
+-
+- StringInfo
+- *profile;
+-
+- image_info=AcquireImageInfo();
+- (void) CopyMagickString(image_info->filename,value,MaxTextExtent);
+- (void) SetImageInfo(image_info,1,exception);
+- profile=FileToStringInfo(image_info->filename,~0UL,exception);
+- if (profile != (StringInfo *) NULL)
+- {
+- status=SetImageProfile(image,image_info->magick,profile);
+- profile=DestroyStringInfo(profile);
+- }
+- image_info=DestroyImageInfo(image_info);
+- break;
+- }
+ status=AddValueToSplayTree((SplayTreeInfo *) image->properties,
+ ConstantString(property),ConstantString(value));
+ break;
+--- imagemagick-6.9.11.60+dfsg.orig/wand/mogrify.c
++++ imagemagick-6.9.11.60+dfsg/wand/mogrify.c
+@@ -2840,7 +2840,23 @@ WandExport MagickBooleanType MogrifyImag
+ (void) SetImageArtifact(*image,argv[i+1]+7,value);
+ }
+ else
+- (void) SetImageProperty(*image,argv[i+1],value);
++ if (LocaleCompare(argv[i+1],"profile") == 0)
++ {
++ StringInfo
++ *profile = (StringInfo *) NULL;
++
++ (void) CopyMagickString(image_info->filename,value,MaxTextExtent);
++ (void) SetImageInfo(image_info,1,exception);
++ if (LocaleCompare(image_info->filename,"-") != 0)
++ profile=FileToStringInfo(image_info->filename,~0UL,exception);
++ if (profile != (StringInfo *) NULL)
++ {
++ status=SetImageProfile(image,image_info->magick,profile);
++ profile=DestroyStringInfo(profile);
++ }
++ }
++ else
++ (void) SetImageProperty(*image,argv[i+1],value);
+ value=DestroyString(value);
+ break;
+ }
diff -Nru
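Review bot: In the mogrify.c hunk of the added patch, the new call `status=SetImageProfile(image,image_info->magick,profile);` passes `image`, while the neighbouring calls in the same branch pass `*image` (`SetImageArtifact(*image,...)`, `SetImageProperty(*image,...)`). That suggests `image` is an `Image **` here and the call hands SetImageProfile the wrong pointer level; it should probably read `status=SetImageProfile(*image,image_info->magick,profile);`. The removed property.c code worked on a temporary from `AcquireImageInfo()`, whereas the new code overwrites `image_info->filename` on an object declared outside the hunk. If that is the caller's ImageInfo, the `-set profile` path stays in it for later operations, so a scratch copy would be safer; confirm against the full function. MogrifyImage starts and ends outside the hunk, so the declarations of `image` and `image_info` are not visible here.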
imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series 2021-04-19 18:15:53.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2023-02-03 17:59:07.000000000 +0000
@@ -22,3 +22,4 @@
 0022-FIx-error-in-new-upstream-html.patch
 0001-https-github.com-ImageMagick-ImageMagick6-issues-145.patch
 0023-disable-ghostscript-formats.patch
+move-profile-property-to-cli-option.patch