Version in base suite: 7.1.1.43+dfsg1-1+deb13u4 Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u4 Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u5.dsc changelog | 26 ++++++++++++++++ patches/CVE-2026-22770.patch | 40 +++++++++++++++++++++++++ patches/CVE-2026-23874.patch | 39 +++++++++++++++++++++++++ patches/CVE-2026-23876.patch | 67 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-23952.patch | 57 ++++++++++++++++++++++++++++++++++++ patches/series | 4 ++ 6 files changed, 233 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpa3fpll30/imagemagick_7.1.1.43+dfsg1-1+deb13u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpa3fpll30/imagemagick_7.1.1.43+dfsg1-1+deb13u5.dsc: no acceptable signature found
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
--- imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-12-28 23:33:04.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-01-21 21:54:51.000000000 +0000
@@ -1,3 +1,29 @@
+imagemagick (8:7.1.1.43+dfsg1-1+deb13u5) trixie-security; urgency=high
+
+ * Fix CVE-2026-22770 (Closes: #1126074)
+ The BilateralBlurImage method will allocate a set of
+ double buffers inside AcquireBilateralTLS.
+ The last element in the set is not properly initialized.
+ This will result in a release of an invalid pointer
+ inside DestroyBilateralTLS when the memory allocation fails
+ * Fix CVE-2026-23874 (Closes: #1126075)
+ a stack overflow was found via infinite recursion in
+ MSL (Magick Scripting Language) `` command when
+ writing to MSL format.
+ * Fix CVE-2026-23876 (Closes: #1126076)
+ A heap buffer overflow vulnerability was found in the XBM
+ image decoder (ReadXBMImage) allows an attacker to write
+ controlled data past the allocated heap buffer when
+ processing a maliciously crafted image file.
+ Any operation that reads or identifies an image can
+ trigger the overflow, making it exploitable via common
+ image upload and processing pipelines.
+ * Fix CVE-2026-23952 (Closes: 1126077)
+ NULL pointer dereference was found in MSL parser via
+ tag before image load
+
+ -- Bastien Roucariès Wed, 21 Jan 2026 22:54:51 +0100
+
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u4) trixie; urgency=high
 
 * Fix CVE-2025-62594 (Closes: #1119296)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-22770.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-22770.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-22770.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-22770.patch 2026-01-21 21:54:51.000000000 +0000
@@ -0,0 +1,40 @@
+From: Dirk Lemstra
+Date: Sun, 4 Jan 2026 15:26:48 +0100
+Subject: Correct memset initialization and add an overflow check
+ (GHSA-39h3-g67r-7g3c)
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126074
+---
+ MagickCore/effect.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/MagickCore/effect.c b/MagickCore/effect.c
+index a58e16f..8baf1c3 100644
+--- a/MagickCore/effect.c
++++ b/MagickCore/effect.c
+@@ -875,16 +875,21 @@ static double **AcquireBilateralTLS(const size_t number_threads,
+ double
+ **weights;
+
++ size_t
++ count;
++
+ ssize_t
+ i;
+
++ if (HeapOverflowSanityCheckGetSize(height,sizeof(**weights),&count) != MagickFalse)
++ return((double **) NULL);
+ weights=(double **) AcquireQuantumMemory(number_threads+1,sizeof(*weights));
+ if (weights == (double **) NULL)
+ return((double **) NULL);
+- (void) memset(weights,0,number_threads*sizeof(*weights));
++ (void) memset(weights,0,(number_threads+1)*sizeof(*weights));
+ for (i=0; i <= (ssize_t) number_threads; i++)
+ {
+- weights[i]=(double *) AcquireQuantumMemory(width,height*sizeof(**weights));
++ weights[i]=(double *) AcquireQuantumMemory(width,count);
+ if (weights[i] == (double *) NULL)
+ return(DestroyBilateralTLS(number_threads,weights));
+ }
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23874.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23874.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23874.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23874.patch 2026-01-21 21:54:51.000000000 +0000
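Review bot: In debian/patches/CVE-2026-22770.patch, the slot count `number_threads+1` in AcquireBilateralTLS is still written out three separate times (the `AcquireQuantumMemory` call, the corrected `memset`, and the loop bound `i <= (ssize_t) number_threads`), which is the same kind of disagreement that left the last pointer uninitialised. Naming it once, e.g. `const size_t number_slots=number_threads+1;`, and using it in all three places would keep the sizes from drifting apart again. The failure path returns through `DestroyBilateralTLS(number_threads,weights)`, whose body is outside the hunk, so it is worth confirming that it walks the same `number_threads+1` entries and tolerates NULL ones. AcquireBilateralTLS itself starts and ends outside the hunk.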
@@ -0,0 +1,39 @@
+From: Cristy
+Date: Thu, 15 Jan 2026 17:50:19 -0500
+Subject: MSL: Stack overflow via infinite recursion in ProcessMSLScript
+
+(cherry picked from commit 2a09644b10a5b146e0a7c63b778bd74a112ebec3)
+origin: https://github.com/ImageMagick/ImageMagick/commit/2a09644b10a5b146e0a7c63b778bd74a112ebec3
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126075
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
+---
+ coders/msl.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/coders/msl.c b/coders/msl.c
+index 80468b1..423215d 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7041,9 +7041,19 @@ static void MSLStartElement(void *context,const xmlChar *tag,
+
+ /* process */
+ {
+- *msl_info->image_info[n]->magick='\0';
+- (void) WriteImage(msl_info->image_info[n], msl_info->image[n],
+- msl_info->exception);
++ (void) CopyMagickString(msl_info->image_info[n]->filename,
++ msl_info->image[n]->filename,MagickPathExtent);
++ (void) SetImageInfo(msl_info->image_info[n],1,exception);
++ if (LocaleCompare(msl_info->image_info[n]->magick,"msl") != 0)
++ {
++ *msl_info->image_info[n]->magick='\0';
++ (void) WriteImage(msl_info->image_info[n],msl_info->image[n],
++ msl_info->exception);
++ }
++ else
++ (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
++ FileOpenError,"UnableToWriteFile","`%s'",
++ msl_info->image[n]->filename);
+ break;
+ }
+ }
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23876.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23876.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23876.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23876.patch 2026-01-21 21:54:51.000000000 +0000
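Review bot: In debian/patches/CVE-2026-23874.patch, the new guard in MSLStartElement tests `image_info[n]->magick` immediately after `(void) SetImageInfo(msl_info->image_info[n],1,exception);`, but the call's result is discarded, so if it fails the comparison against "msl" may run on whatever `magick` held beforehand. Checking the result, for example `if (SetImageInfo(msl_info->image_info[n],1,msl_info->exception) == MagickFalse) break;`, would make the recursion check depend only on a freshly resolved format. The same call passes `exception` where every other call in this block uses `msl_info->exception`; the declaration is outside the hunk, so confirm that reporting into a different object is intended. A short comment on the `else` branch, such as `/* refuse to write MSL from within MSL: it would re-enter ProcessMSLScript */`, would record why the write is rejected.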
@@ -0,0 +1,67 @@
+From: Dirk Lemstra
+Date: Sun, 18 Jan 2026 17:54:12 +0100
+Subject: Added overflow checks to prevent an out of bounds write
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8)
+
+(cherry picked from commit 2fae24192b78fdfdd27d766fd21d90aeac6ea8b8)
+origin: https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126076
+---
+ coders/xbm.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index 9bebe15..540253d 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -196,6 +196,10 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ short int
+ hex_digits[256];
+
++ size_t
++ bytes_per_line,
++ length;
++
+ ssize_t
+ i,
+ x,
+@@ -208,8 +212,6 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ unsigned int
+ bit,
+ byte,
+- bytes_per_line,
+- length,
+ padding,
+ version;
+
+@@ -344,15 +346,15 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (((image->columns % 16) != 0) && ((image->columns % 16) < 9) &&
+ (version == 10))
+ padding=1;
+- bytes_per_line=(unsigned int) (image->columns+7)/8+padding;
+- length=(unsigned int) image->rows;
+- data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+- sizeof(*data));
++ bytes_per_line=(image->columns+7)/8+padding;
++ if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
+ if (data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ p=data;
+ if (version == 10)
+- for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
++ for (i=0; i < (ssize_t) length; i+=2)
+ {
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
+@@ -365,7 +367,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ *p++=(unsigned char) (c >> 8);
+ }
+ else
+- for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
++ for (i=0; i < (ssize_t) length; i++)
+ {
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23952.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23952.patch
--- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23952.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-23952.patch 2026-01-21 21:54:51.000000000 +0000
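Review bot: In debian/patches/CVE-2026-23876.patch, the added `HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length)` call covers only the multiplication; the line before it, `bytes_per_line=(image->columns+7)/8+padding;`, is now plain `size_t` arithmetic with no check of its own, and both read loops still bound `i` with `(ssize_t) length`. If an earlier dimension check in ReadXBMImage (outside these hunks) already limits `image->columns` and `image->rows`, a comment above the computation naming that check would make the dependency explicit; otherwise a guard on `image->columns` before the addition would be needed. The loop bodies continue past the end of the last two hunks, so how `p` advances relative to `length` cannot be confirmed from here.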
@@ -0,0 +1,57 @@
+From: Cristy
+Date: Thu, 15 Jan 2026 17:34:46 -0500
+Subject:
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
+
+(cherry picked from commit 1eefab41bc0ab1c6c2c1fd3e4a49e3ee1849751d)
+origin: https://github.com/ImageMagick/ImageMagick/commit/1eefab41bc0ab1c6c2c1fd3e4a49e3ee1849751d
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126077
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
+---
+ PerlMagick/quantum/quantum.pm | 2 +-
+ coders/msl.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/PerlMagick/quantum/quantum.pm b/PerlMagick/quantum/quantum.pm
+index dbf00fd..a781439 100644
+--- a/PerlMagick/quantum/quantum.pm
++++ b/PerlMagick/quantum/quantum.pm
+@@ -6,7 +6,7 @@ package Image::Magick::Q16HDRI;
+ # You may not use this file except in compliance with the License. You may
+ # obtain a copy of the License at
+ #
+-# https://imagemagick.org/script/license.php
++# https://imagemagick.org/license/
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+diff --git a/coders/msl.c b/coders/msl.c
+index 423215d..43c4b73 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7098,6 +7098,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+ {
+ if (LocaleCompare((const char *) tag,"comment") == 0 )
+ {
++ if (msl_info->image[n] == (Image *) NULL)
++ {
++ ThrowMSLException(OptionError,"NoImagesDefined",
++ (const char *) tag);
++ break;
++ }
+ (void) DeleteImageProperty(msl_info->image[n],"comment");
+ if (msl_info->content == (char *) NULL)
+ break;
+@@ -7147,6 +7153,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+ {
+ if (LocaleCompare((const char *) tag,"label") == 0 )
+ {
++ if (msl_info->image[n] == (Image *) NULL)
++ {
++ ThrowMSLException(OptionError,"NoImagesDefined",
++ (const char *) tag);
++ break;
++ }
+ (void) DeleteImageProperty(msl_info->image[n],"label");
+ if (msl_info->content == (char *) NULL)
+ break;
diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series
--- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2025-12-28 23:33:04.000000000 +0000
+++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-01-21 21:54:51.000000000 +0000
@@ -60,3 +60,7 @@
 CVE-2025-68950_pre1.patch
 CVE-2025-68950.patch
 CVE-2025-69204.patch
+CVE-2026-22770.patch
+CVE-2026-23874.patch
+CVE-2026-23876.patch
+CVE-2026-23952.patch
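Review bot: In debian/patches/CVE-2026-23952.patch, the same six-line `msl_info->image[n] == (Image *) NULL` guard is pasted into the "comment" and "label" branches of MSLEndElement, so the fix protects only the two tags named in these hunks. The other end-tag branches are outside the hunks; any of them that dereferences `msl_info->image[n]` would need the same guard, and a small static helper shared by the branches that require an image would keep them consistent. Separately, the license-URL edit in PerlMagick/quantum/quantum.pm is unrelated to the NULL dereference and appears to have come along with the cherry-pick, which is worth stating in the patch header so it is not read as part of the fix.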