Version in base suite: 7.1.1.43+dfsg1-1+deb13u8 Base version: imagemagick_7.1.1.43+dfsg1-1+deb13u8 Target version: imagemagick_7.1.1.43+dfsg1-1+deb13u9 Base file: /srv/ftp-master.debian.org/ftp/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/i/imagemagick/imagemagick_7.1.1.43+dfsg1-1+deb13u9.dsc changelog | 80 +++++++++++ patches/CVE-2026-33901_bug420_1.patch | 27 +++ patches/CVE-2026-33901_bug420_2.patch | 24 +++ patches/CVE-2026-42050.patch | 39 +++++ patches/CVE-2026-42326.patch | 26 +++ patches/CVE-2026-45031.patch | 26 +++ patches/CVE-2026-45358.patch | 31 ++++ patches/CVE-2026-45359.patch | 28 ++++ patches/CVE-2026-45624.patch | 29 ++++ patches/CVE-2026-45664_1.patch | 49 +++++++ patches/CVE-2026-45664_2.patch | 115 ++++++++++++++++ patches/CVE-2026-46520.patch | 34 +++++ patches/CVE-2026-46521.patch | 42 ++++++ patches/CVE-2026-46521_pre1.patch | 84 ++++++++++++ patches/CVE-2026-46522.patch | 55 ++++++++ patches/CVE-2026-46523.patch | 28 ++++ patches/CVE-2026-46557.patch | 46 ++++++ patches/CVE-2026-46559.patch | 61 ++++++++ patches/CVE-2026-46692.patch | 56 ++++++++ patches/CVE-2026-46693_1.patch | 49 +++++++ patches/CVE-2026-46693_2.patch | 190 ++++++++++++++++++++++++++++ patches/CVE-2026-46693_3.patch | 46 ++++++ patches/CVE-2026-47165_CVE-2026-47166.patch | 83 ++++++++++++ patches/series | 22 +++ 24 files changed, 1270 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvmplmpz2/imagemagick_7.1.1.43+dfsg1-1+deb13u8.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvmplmpz2/imagemagick_7.1.1.43+dfsg1-1+deb13u9.dsc: no acceptable signature found diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-04-22 14:06:47.000000000 +0000 +++ 
imagemagick-7.1.1.43+dfsg1/debian/changelog 2026-05-24 16:01:44.000000000 +0000 
@@ -1,3 +1,83 @@ +imagemagick (8:7.1.1.43+dfsg1-1+deb13u9) trixie-security; urgency=high + + * Fix CVE-2026-33901 regression: + Previous fix breaks rendering of some MVG files. + * Fix CVE-2026-42050: + A malicious MIFF file could trigger an overflow when a user opens it + in the he display tool and right-clicks a tile to invoke the + Load/Update menu item. + * Fix CVE-2026-42326: + Heap Buffer Over-Read in IPTC encoder + * Fix CVE-2026-45031: + Policy Bypass in PSD decoder. Due to a missing check in the + PSD decoder it would be possible to bypass the list-length + resource policy when decoding a PSD image. Other security + limits would still apply. + * Fix CVE-2026-45358: + Heap Buffer Over-Read of a single byte in meta encoder. + An of by one in the meta encoder could result in an out + of bounds read of a single byte in the meta encoder. + * Fix CVE-2026-45359: + Heap Buffer Over-Read in connected components when the user + supplies an invalid keep-top define. + An invalid connected-components:keep-top value could result + in a heap buffer over-read when performing the connected components + operation. + * Fix CVE-2026-45624: + Heap Buffer Over-Read of 24 bytes in distort operation. + When performing a polynomial distortion an out of bounds over-read of + 24 bytes can occur when specifying specific arguments. + * Fix CVE-2026-45664: + Policy Bypass in MNG decoder + Because of a missing check in the MNG coder it would be possible + to read more images than the list limit policy would allow + resulting in excessive resource use. + * Fix CVE-2026-46520: + Heap Buffer Over-Write in IPL decoder when reading multiple + images of different dimensions + When reading multiple images with different dimensions an out of + bounds heap write can occur. + * Fix CVE-2026-46521: + Heap Buffer Over-Write in MIFF encoder when using LZMA compression. 
+ When using LZMA compression in the MIFF encoder an out of bounds + write can occur due to a missing check + * Fix CVE-2026-46522: + Infinite Loop in the MIFF decoder can lead to CPU exhaustion. + Due to a missing check in the MIFF decoder a crafted file could + cause an infinite loop resulting in CPU exhaustion. + * Fix CVE-2026-46523: + Use-After-Free in MSL decoder. + A crafted MSL image can trigger a heap-use-after-free. + * Fix CVE-2026-46557: + Stack overflow in fx operation. + Due to a missing depth check a stack overflow can occur in the + fx operation by passing a crafted argument. + * Fix CVE-2026-46559: + Heap Buffer Over-Write of a single byte in the JP2 encoder. + An incorrect check in the JP2 will result in an heap buffer over + write of a single byte when specifying certain options. + * Fix CVE-2026-46692: + Heap Buffer Over-Write in distributed pixel cache server + An attacker who can connect to a magick -distribute-cache + service can cause a heap buffer over-write in the server process. + * Fix CVE-2026-46693: + Race Condition in distributed pixel cache server can result + in file descriptor hijacking + An attacker who can connect to a magick -distribute-cache service can + hijack a file descriptor in the server process when a race condition is met. + * Fix CVE-2026-47165: + Information Disclosure in distributed pixel cache server because it is + not using a challenge–response authentication model. + The distributed pixel cache was originally designed to operate without a + challenge–response authentication model. However, given today’s heightened + security expectations, we have changed our implementation. + * Fix CVE-2026-47166: + Heap Buffer Over-Read in distributed pixel cache server. + An attacker who can connect to a magick -distribute-cache service + can cause a heap buffer over-read in the server process. 
+ + -- Bastien Roucariès Sun, 24 May 2026 18:01:44 +0200 + imagemagick (8:7.1.1.43+dfsg1-1+deb13u8) trixie-security; urgency=high * Fix CVE-2026-32636: diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_1.patch 2026-05-24 14:24:29.000000000 +0000 @@ -0,0 +1,27 @@ +From: Cristy +Date: Sat, 25 Apr 2026 16:33:25 -0400 +Subject: https://github.com/ImageMagick/ImageMagick6/issues/420 + +CVE-2026-33901 patch breaks rendering + +bug: https://github.com/ImageMagick/ImageMagick6/issues/420 +origin: https://github.com/ImageMagick/ImageMagick/commit/50507967ae868d7d159057bb08897091bc4800a8 +--- + MagickCore/draw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index 73d6397..ef66aa9 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -3569,8 +3569,8 @@ static MagickBooleanType RenderMVGContent(Image *image, + continue; + break; + } +- if ((q == (char *) NULL) || (p == (char *) NULL) || ((q-4) < p) || +- ((q-p+4+1) > MagickPathExtent)) ++ if ((q == (char *) NULL) || (p == (char *) NULL) || ++ ((q-4) < p) || ((size_t) (q-p+4+1) > extent)) + { + status=MagickFalse; + break; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-33901_bug420_2.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,24 @@ +From: Cristy +Date: Mon, 27 Apr 2026 19:24:50 -0400 +Subject: https://github.com/ImageMagick/ImageMagick6/issues/420 + CVE-2026-33901 patch breaks rendering + +bug: https://github.com/ImageMagick/ImageMagick6/issues/420 +origin: https://github.com/ImageMagick/ImageMagick/commit/ab89688f34618fba733275ff718a6088c463ba4c +--- + MagickCore/draw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MagickCore/draw.c b/MagickCore/draw.c +index ef66aa9..e3fb634 100644 +--- a/MagickCore/draw.c ++++ b/MagickCore/draw.c +@@ -3458,7 +3458,7 @@ static MagickBooleanType RenderMVGContent(Image *image, + } + if ((q == (char *) NULL) || (*q == '\0') || + (p == (char *) NULL) || ((q-4) < p) || +- ((q-p+4+1) > MagickPathExtent)) ++ ((q-p+4+1) > extent)) + { + status=MagickFalse; + break; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42050.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42050.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42050.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42050.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Cristy +Date: Sat, 18 Apr 2026 11:47:24 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p + +a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. + +(cherry picked from commit 25980041f145afc621233a1c050291231b627c48) + +origin: https://github.com/ImageMagick/ImageMagick/commit/25980041f145afc621233a1c050291231b627c48 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p +--- + MagickCore/display.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/display.c b/MagickCore/display.c +index 024162d..7fefafb 100644 +--- a/MagickCore/display.c ++++ b/MagickCore/display.c +@@ -13192,7 +13192,8 @@ static Image *XTileImage(Display *display,XResourceInfo *resource_info, + if (id < 0) + return((Image *) NULL); + q=p; +- while ((*q != '\xff') && (*q != '\0')) ++ while ((*q != '\xff') && (*q != '\0') && ++ ((size_t) (q-p) < sizeof(filename))) + q++; + (void) CopyMagickString(filename,p,(size_t) (q-p+1)); + /* +@@ -13285,7 +13286,8 @@ static Image *XTileImage(Display *display,XResourceInfo *resource_info, + *image_view; + + q=p; +- while ((*q != '\xff') && (*q != '\0')) ++ while ((*q != '\xff') && (*q != '\0') && ++ ((size_t) (q-p) < sizeof(filename))) + q++; + (void) CopyMagickString(filename,p,(size_t) (q-p+1)); + p=q; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42326.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42326.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42326.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-42326.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,26 @@ +From: Cristy +Date: Sat, 25 Apr 2026 22:26:09 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7wff-wpr6-vmhm + +Heap Buffer Over-Read in IPTC encoder + +origin: https://github.com/ImageMagick/ImageMagick/commit/06301590988fc62e17b4ae6e937d411cc1089ef1 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7wff-wpr6-vmhm +--- + coders/meta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/meta.c b/coders/meta.c +index 55a5888..f1a7042 100644 +--- a/coders/meta.c ++++ b/coders/meta.c +@@ -1755,7 +1755,7 @@ iptc_find: + info_length++; + tag_length|=(unsigned int) c; + } +- if (tag_length > (length+1)) ++ if (tag_length > length) + break; + p+=(ptrdiff_t) tag_length; + length-=tag_length; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45031.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45031.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45031.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45031.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,26 @@ +From: Dirk Lemstra +Date: Tue, 5 May 2026 22:31:57 +0200 +Subject: Added missing check for the list length limit in the PSD decoder + (GHSA-cwpj-h54c-xjpx) + +origin: https://github.com/ImageMagick/ImageMagick/commit/a96763d717e27d6d136aa734d1cf4b33a91555d0 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cwpj-h54c-xjpx +--- + coders/psd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/psd.c b/coders/psd.c +index 7e2b3eb..404bd5f 100644 +--- a/coders/psd.c ++++ b/coders/psd.c +@@ -1962,6 +1962,10 @@ static MagickBooleanType ReadPSDLayersInternal(Image *image, + image->alpha_trait=BlendPixelTrait; + } + ++ if (AcquireMagickResource(ListLengthResource,number_layers) == MagickFalse) ++ ThrowBinaryException(ResourceLimitError,"ListLengthExceedsLimit", ++ image->filename); ++ + /* + We only need to know if the image has an alpha channel + */ diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45358.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45358.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45358.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45358.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,31 @@ +From: Cristy +Date: Sat, 9 May 2026 18:48:00 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr6r-hmj8-pr7r + +Heap Buffer Over-Read of a single byte in meta encoder + +(cherry picked from commit 2cf3b5750bd7c96fbb92c3f02823ecd63f8dd232) +origin: https://github.com/ImageMagick/ImageMagick/commit/2cf3b5750bd7c96fbb92c3f02823ecd63f8dd232 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr6r-hmj8-pr7r +--- + coders/meta.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/coders/meta.c b/coders/meta.c +index f1a7042..0fe2d96 100644 +--- a/coders/meta.c ++++ b/coders/meta.c +@@ -1659,7 +1659,11 @@ static size_t GetIPTCStream(unsigned char **info,size_t length) + return(tag_length); + } + if ((tag_length & 0x01) != 0) +- tag_length++; ++ { ++ tag_length++; ++ if (tag_length > extent) ++ break; ++ } + p+=(ptrdiff_t) tag_length; + extent-=tag_length; + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45359.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45359.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45359.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45359.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,28 @@ +From: Cristy +Date: Sat, 9 May 2026 15:26:00 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhrh-72hq-w8m7 + +Heap Buffer Over-Read in connected components when the user supplies an invalid keep-top define + +origin: https://github.com/ImageMagick/ImageMagick/commit/9f18e2890088705c9a3dc867a7f2e31be50b8f41 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhrh-72hq-w8m7 +--- + MagickCore/vision.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/MagickCore/vision.c b/MagickCore/vision.c +index 7cf5476..ab12ed5 100644 +--- a/MagickCore/vision.c ++++ b/MagickCore/vision.c +@@ -1207,6 +1207,10 @@ MagickExport Image *ConnectedComponentsImage(const Image *image, + Keep top objects. + */ + top_ids=(ssize_t) StringToLong(artifact); ++ if (top_ids < 0) ++ top_ids=0; ++ if (top_ids >= (ssize_t) component_image->colors) ++ top_ids=(ssize_t) component_image->colors-1; + top_objects=(CCObjectInfo *) AcquireQuantumMemory(component_image->colors, + sizeof(*top_objects)); + if (top_objects == (CCObjectInfo *) NULL) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45624.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45624.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45624.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45624.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Cristy +Date: Sun, 10 May 2026 20:29:23 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pfvh-m9xv-8966 + +Heap Buffer Over-Read of 24 bytes in distort operation. + +(cherry picked from commit a66ab7bc559f041b1434606496b5b4b0906ff9a2) + +origin: https://github.com/ImageMagick/ImageMagick/commit/a66ab7bc559f041b1434606496b5b4b0906ff9a2 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pfvh-m9xv-8966 +--- + MagickCore/distort.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/MagickCore/distort.c b/MagickCore/distort.c +index 6d84275..d81f68a 100644 +--- a/MagickCore/distort.c ++++ b/MagickCore/distort.c +@@ -431,7 +431,8 @@ static double *GenerateCoefficients(const Image *image, + "Invalid order, should be integer 1 to 5, or 1.5"); + return((double *) NULL); + } +- if ( number_arguments < 1+i*cp_size ) { ++ if ((number_arguments < (1+i*cp_size)) || ++ (((number_arguments-1) % cp_size) != 0)) { + (void) ThrowMagickException(exception,GetMagickModule(),OptionError, + "InvalidArgument", "%s : 'require at least %.20g CPs'", + "Polynomial", (double) i); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_1.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,49 @@ +From: Cristy +Date: Mon, 11 May 2026 14:22:13 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6 + +Policy Bypass in MNG decoder +Because of a missing check in the MNG coder it would be possible +to read more images than the list limit policy would allow resulting in excessive resource use. + +(cherry picked from commit 6dc0130dbbde34b13126bc4fe25789f894b9e0c1) + +origin: https://github.com/ImageMagick/ImageMagick/commit/6dc0130dbbde34b13126bc4fe25789f894b9e0c1 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6 +--- + coders/png.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index f6b5909..62ce823 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -5039,6 +5039,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + final_image_delay, + frame_delay, + insert_layers, ++ number_loops=0, + mng_iterations=1, + simplicity=0, + subframe_height=0, +@@ -5840,8 +5841,9 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + + else + { +- if ((MagickSizeType) loop_iters > GetMagickResourceLimit(ListLengthResource)) +- loop_iters=(ssize_t) GetMagickResourceLimit(ListLengthResource); ++ if ((MagickSizeType) number_loops+loop_iters > GetMagickResourceLimit(ListLengthResource)) ++ ThrowReaderException(ResourceLimitError, ++ "ListLengthExceedsLimit"); + if (loop_iters >= 2147483647L) + loop_iters=2147483647L; + if (image_info->number_scenes != 0) +@@ -5849,6 +5851,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + loop_iters=(ssize_t) image_info->number_scenes; + mng_info->loop_jump[loop_level]=TellBlob(image); + mng_info->loop_count[loop_level]=loop_iters; ++ number_loops+=loop_iters; + } + + mng_info->loop_iteration[loop_level]=0; diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_2.patch --- 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-45664_2.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,115 @@ +From: Cristy +Date: Mon, 11 May 2026 19:14:38 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6 + +Policy Bypass in MNG decoder +Because of a missing check in the MNG coder it would be possible +to read more images than the list limit policy would allow resulting in excessive resource use. + +origin: https://github.com/ImageMagick/ImageMagick/commit/10a1a2285659fe1f8978f338319727dfda19500d +(cherry picked from commit 10a1a2285659fe1f8978f338319727dfda19500d) +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6 +--- + coders/png.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index 62ce823..ea3fc8d 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -464,6 +464,8 @@ static SemaphoreInfo + waste more memory. + */ + #define MNG_MAX_OBJECTS 256 ++#define MNG_MAX_LOOP_NESTING 256 ++#define MNG_MAX_LOOP_OPS 1000000 + + /* + Maximum valid size_t in PNG/MNG chunks is (2^31)-1 +@@ -578,7 +580,7 @@ typedef struct _MngReadInfo + have_global_srgb; + + MagickOffsetType +- loop_jump[256]; ++ loop_jump[MNG_MAX_LOOP_NESTING]; + + MngBox + clip, +@@ -613,8 +615,8 @@ typedef struct _MngReadInfo + + ssize_t + image_found, +- loop_count[256], +- loop_iteration[256], ++ loop_count[MNG_MAX_LOOP_NESTING], ++ loop_iteration[MNG_MAX_LOOP_NESTING], + scenes_found, + x_off[MNG_MAX_OBJECTS], + y_off[MNG_MAX_OBJECTS]; +@@ -623,7 +625,7 @@ typedef struct _MngReadInfo + /* These flags could be combined into one byte */ + exists[MNG_MAX_OBJECTS], + frozen[MNG_MAX_OBJECTS], +- loop_active[256], ++ loop_active[MNG_MAX_LOOP_NESTING], + invisible[MNG_MAX_OBJECTS], + viewable[MNG_MAX_OBJECTS]; + +@@ -5039,7 +5041,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + final_image_delay, + frame_delay, + insert_layers, +- number_loops=0, ++ number_loop_ops=0, + mng_iterations=1, + simplicity=0, + subframe_height=0, 
+@@ -5823,6 +5825,8 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + if (memcmp(type,mng_LOOP,4) == 0) + { + ssize_t loop_iters=1; ++ if (number_loop_ops++ > MNG_MAX_LOOP_OPS) ++ ThrowReaderException(ResourceLimitError,"too many LOOP/ENDL ops"); + if (length > 4) + { + loop_level=chunk[0]; +@@ -5841,9 +5845,6 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + + else + { +- if ((MagickSizeType) number_loops+loop_iters > GetMagickResourceLimit(ListLengthResource)) +- ThrowReaderException(ResourceLimitError, +- "ListLengthExceedsLimit"); + if (loop_iters >= 2147483647L) + loop_iters=2147483647L; + if (image_info->number_scenes != 0) +@@ -5851,7 +5852,6 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + loop_iters=(ssize_t) image_info->number_scenes; + mng_info->loop_jump[loop_level]=TellBlob(image); + mng_info->loop_count[loop_level]=loop_iters; +- number_loops+=loop_iters; + } + + mng_info->loop_iteration[loop_level]=0; +@@ -5862,6 +5862,8 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + + if (memcmp(type,mng_ENDL,4) == 0) + { ++ if (number_loop_ops++ > MNG_MAX_LOOP_OPS) ++ ThrowReaderException(ResourceLimitError,"too many LOOP/ENDL ops"); + if (length > 0) + { + loop_level=chunk[0]; +@@ -5893,9 +5895,8 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info, + + if (mng_info->loop_count[loop_level] > 0) + { +- offset= +- SeekBlob(image,mng_info->loop_jump[loop_level], +- SEEK_SET); ++ offset=SeekBlob(image, ++ mng_info->loop_jump[loop_level],SEEK_SET); + + if (offset < 0) + { diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46520.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46520.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46520.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46520.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,34 @@ +From: Cristy +Date: Tue, 12 May 2026 12:28:23 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5 + +Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions +When reading multiple images with different dimensions an out of bounds heap write can occur. + +(cherry picked from commit 3aa35741316909f9e384d13cee197334dc3296d7) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5 +origin: https://github.com/ImageMagick/ImageMagick/commit/3aa35741316909f9e384d13cee197334dc3296d7 +--- + coders/ipl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/coders/ipl.c b/coders/ipl.c +index c65299d..780979b 100644 +--- a/coders/ipl.c ++++ b/coders/ipl.c +@@ -635,6 +635,13 @@ static MagickBooleanType WriteIPLImage(const ImageInfo *image_info,Image *image, + /* + Convert MIFF to IPL raster pixels. + */ ++ if (SetQuantumDepth(image,quantum_info,quantum_info->depth) == MagickFalse) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ CorruptImageError,"AnErrorHasOccurredWritingToFile","`%s'", ++ image->filename); ++ break; ++ } + pixels=(unsigned char *) GetQuantumPixels(quantum_info); + if(ipl_info.colors == 1){ + /* Red frame */ diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,42 @@ +From: Cristy +Date: Tue, 12 May 2026 12:38:03 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx + +Heap Buffer Over-Write in MIFF encoder when using LZMA compression + +When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check. + +(cherry picked from commit 188fcf538f58a60109ebd008e2c40d29cf3966d7) + +origin: https://github.com/ImageMagick/ImageMagick/commit/188fcf538f58a60109ebd008e2c40d29cf3966d7 +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx +--- + coders/miff.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 77e9250..08617cd 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -2179,8 +2179,9 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, + if (compression == RLECompression) + packet_size++; + } +- length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent( +- packet_size*image->columns)); ++ length=MagickMax(MagickMax(BZipMaxExtent(packet_size* ++ image->columns),LZMAMaxExtent(packet_size*image->columns)), ++ ZipMaxExtent(packet_size*image->columns)); + if ((compression == BZipCompression) || (compression == ZipCompression)) + if (length != (size_t) ((unsigned int) length)) + compression=NoCompression; +@@ -2583,7 +2584,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, + code=(int) lzma_easy_encoder(&lzma_info,(uint32_t) (image->quality/10), + LZMA_CHECK_SHA256); + if (code != LZMA_OK) +- status=MagickTrue; ++ status=MagickFalse; + break; + } + #endif diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521_pre1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521_pre1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521_pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46521_pre1.patch 
2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,84 @@ +From: Dirk Lemstra +Date: Sat, 8 Feb 2025 14:55:53 +0100 +Subject: Small refactor in setting the packet_size when the + number_meta_channels is not zero. + +(cherry picked from commit 0f920c21a2edaaee7a6c00670072109424b76661) + +origin: https://github.com/ImageMagick/ImageMagick/commit/0f920c21a2edaaee7a6c00670072109424b76661 +--- + coders/miff.c | 50 ++++++++++++++++++++++++++++---------------------- + 1 file changed, 28 insertions(+), 22 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 47fa753..77e9250 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1339,19 +1339,22 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + if (status == MagickFalse) + ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed"); + } +- packet_size=(size_t) (image->depth/8); +- if (image->storage_class == DirectClass) +- packet_size=(size_t) (3*image->depth/8); +- if (IsGrayColorspace(image->colorspace) != MagickFalse) +- packet_size=image->depth/8; +- if (image->alpha_trait != UndefinedPixelTrait) +- packet_size+=image->depth/8; +- if (image->colorspace == CMYKColorspace) +- packet_size+=image->depth/8; + if (image->number_meta_channels != 0) + packet_size=GetImageChannels(image)*image->depth/8; +- if (image->compression == RLECompression) +- packet_size++; ++ else ++ { ++ packet_size=(size_t) (image->depth/8); ++ if (image->storage_class == DirectClass) ++ packet_size=(size_t) (3*image->depth/8); ++ if (IsGrayColorspace(image->colorspace) != MagickFalse) ++ packet_size=image->depth/8; ++ if (image->alpha_trait != UndefinedPixelTrait) ++ packet_size+=image->depth/8; ++ if (image->colorspace == CMYKColorspace) ++ packet_size+=image->depth/8; ++ if (image->compression == RLECompression) ++ packet_size++; ++ } + compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size* + image->columns),LZMAMaxExtent(packet_size*image->columns)), + ZipMaxExtent(packet_size*image->columns)); +@@ -2160,19 +2163,22 @@ static MagickBooleanType 
WriteMIFFImage(const ImageInfo *image_info, + default: + break; + } +- packet_size=(size_t) (image->depth/8); +- if (image->storage_class == DirectClass) +- packet_size=(size_t) (3*image->depth/8); +- if (IsGrayColorspace(image->colorspace) != MagickFalse) +- packet_size=(size_t) (image->depth/8); +- if (image->alpha_trait != UndefinedPixelTrait) +- packet_size+=image->depth/8; +- if (image->colorspace == CMYKColorspace) +- packet_size+=image->depth/8; +- if (compression == RLECompression) +- packet_size++; + if (image->number_meta_channels != 0) + packet_size=GetImageChannels(image)*image->depth/8; ++ else ++ { ++ packet_size=(size_t) (image->depth/8); ++ if (image->storage_class == DirectClass) ++ packet_size=(size_t) (3*image->depth/8); ++ if (IsGrayColorspace(image->colorspace) != MagickFalse) ++ packet_size=(size_t) (image->depth/8); ++ if (image->alpha_trait != UndefinedPixelTrait) ++ packet_size+=image->depth/8; ++ if (image->colorspace == CMYKColorspace) ++ packet_size+=image->depth/8; ++ if (compression == RLECompression) ++ packet_size++; ++ } + length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent( + packet_size*image->columns)); + if ((compression == BZipCompression) || (compression == ZipCompression)) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46522.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46522.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46522.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46522.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,55 @@ +From: Cristy +Date: Wed, 13 May 2026 15:51:15 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5 + +Infinite Loop in the MIFF decoder can lead to CPU exhaustion + +Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5 +origin: https://github.com/ImageMagick/ImageMagick/commit/e8431d4a282013851cb698fdf29b1d7ad80ad7cb +--- + coders/miff.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/coders/miff.c b/coders/miff.c +index 08617cd..03db7f9 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1501,6 +1501,11 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + ThrowMIFFException(CorruptImageError, + "UnableToReadImageData"); + } ++ if (length == 0) ++ { ++ (void) BZ2_bzDecompressEnd(&bzip_info); ++ ThrowMIFFException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + } + code=BZ2_bzDecompress(&bzip_info); + if ((code != BZ_OK) && (code != BZ_STREAM_END)) +@@ -1540,6 +1545,11 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + ThrowMIFFException(CorruptImageError, + "UnableToReadImageData"); + } ++ if (length == 0) ++ { ++ lzma_end(&lzma_info); ++ ThrowMIFFException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + } + code=(int) lzma_code(&lzma_info,LZMA_RUN); + if (code == LZMA_STREAM_END) +@@ -1582,6 +1592,11 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + ThrowMIFFException(CorruptImageError, + "UnableToReadImageData"); + } ++ if (length == 0) ++ { ++ (void) inflateEnd(&zip_info); ++ ThrowMIFFException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + } + code=inflate(&zip_info,Z_SYNC_FLUSH); + if ((code != Z_OK) && (code != Z_STREAM_END)) diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46523.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46523.patch --- 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46523.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46523.patch 2026-05-24 14:24:29.000000000 +0000 @@ -0,0 +1,28 @@ +From: Cristy +Date: Wed, 13 May 2026 19:08:43 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q + +(cherry picked from commit 4d92249c84536a20e9723376ec016b4950dcb454) + +Use-After-Free in MSL decoder +A crafted MSL image can trigger a heap-use-after-free. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q +origin: https://github.com/ImageMagick/ImageMagick/commit/4d92249c84536a20e9723376ec016b4950dcb454 +--- + coders/msl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/msl.c b/coders/msl.c +index 5bbdf04..340fd2e 100644 +--- a/coders/msl.c ++++ b/coders/msl.c +@@ -7585,6 +7585,7 @@ ModuleExport size_t RegisterMSLImage(void) + entry->decoder=(DecodeImageHandler *) ReadMSLImage; + #endif + entry->format_type=ImplicitFormatType; ++ entry->flags^=CoderBlobSupportFlag; + (void) RegisterMagickInfo(entry); + return(MagickImageCoderSignature); + } diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46557.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46557.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46557.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46557.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,46 @@ +From: Cristy +Date: Thu, 14 May 2026 19:41:53 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rcr6-g7jc-f57g + +(cherry picked from commit 06fb1aa7589f4eec363b33c2bbda5986a92bb259) + +Stack overflow in fx operation + +Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rcr6-g7jc-f57g +origin: https://github.com/ImageMagick/ImageMagick/commit/06fb1aa7589f4eec363b33c2bbda5986a92bb259 +--- + MagickCore/fx.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/MagickCore/fx.c b/MagickCore/fx.c +index 73b2420..42d6d8e 100644 +--- a/MagickCore/fx.c ++++ b/MagickCore/fx.c +@@ -2170,12 +2170,22 @@ static MagickBooleanType GetOperand ( + } + return MagickTrue; + } else if (OprIsUnaryPrefix (op)) { ++ MagickBooleanType operand_ok; + if (!PushOperatorStack (pfx, (int) op)) return MagickFalse; + pfx->pex++; + SkipSpaces (pfx); + if (!*pfx->pex) return MagickFalse; +- +- if (!GetOperand (pfx, UserSymbol, NewUserSymbol, UserSymNdx, needPopAll)) { ++ if (pfx->teDepth >= MagickMaxRecursionDepth) { ++ (void) ThrowMagickException ( ++ pfx->exception, GetMagickModule(), OptionError, ++ "Expression too deeply nested", "(depth %i exceeds limit %i)", ++ pfx->teDepth, MagickMaxRecursionDepth); ++ return MagickFalse; ++ } ++ pfx->teDepth++; ++ operand_ok=GetOperand (pfx, UserSymbol, NewUserSymbol, UserSymNdx, needPopAll); ++ pfx->teDepth--; ++ if (!operand_ok) { + (void) ThrowMagickException ( + pfx->exception, GetMagickModule(), OptionError, + "After unary, bad operand at", "'%s'", diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46559.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46559.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46559.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46559.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,61 @@ +From: Cristy +Date: Wed, 13 May 2026 16:45:31 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v + +Heap Buffer Over-Write of a single byte in the JP2 encoder +An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options. + +(cherry picked from commit ff2f155f2874737380a80195c5849a2f06cb6ff7) + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/ff2f155f2874737380a80195c5849a2f06cb6ff7 +--- + coders/jp2.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/coders/jp2.c b/coders/jp2.c +index 1a5f575..c103bed 100644 +--- a/coders/jp2.c ++++ b/coders/jp2.c +@@ -1038,14 +1038,17 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image, + const char + *p; + ++ size_t ++ extent = sizeof(parameters->tcp_distoratio)/ ++ sizeof(*parameters->tcp_distoratio); ++ + /* + Set quality PSNR. + */ + p=option; +- for (i=0; sscanf(p,"%f",¶meters->tcp_distoratio[i]) == 1; i++) ++ for (i=0; (i < (ssize_t) (extent-1)) && ++ (MagickSscanf(p,"%f",¶meters->tcp_distoratio[i]) == 1); i++) + { +- if (i > 100) +- break; + while ((*p != '\0') && (*p != ',')) + p++; + if (*p == '\0') +@@ -1076,14 +1079,16 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image, + const char + *p; + ++ size_t ++ extent = sizeof(parameters->tcp_rates)/sizeof(*parameters->tcp_rates); ++ + /* + Set compression rate. 
+ */ + p=option; +- for (i=0; sscanf(p,"%f",¶meters->tcp_rates[i]) == 1; i++) ++ for (i=0; (i < (ssize_t) (extent-1)) && ++ (MagickSscanf(p,"%f",¶meters->tcp_rates[i]) == 1); i++) + { +- if (i >= 100) +- break; + while ((*p != '\0') && (*p != ',')) + p++; + if (*p == '\0') diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46692.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46692.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46692.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46692.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,56 @@ +From: Cristy +Date: Thu, 14 May 2026 19:01:44 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j + +Heap Buffer Over-Write in distributed pixel cache server +An attacker who can connect to a magick -distribute-cache service can cause a heap buffer +over-write in the server process. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j +origin: https://github.com/ImageMagick/ImageMagick/commit/75bcc76eac8b26ce0d6900117c9b308b0aed5719 +--- + MagickCore/distribute-cache.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index 9a17637..e7883ab 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -724,6 +724,7 @@ static MagickBooleanType WriteDistributeCacheMetacontent( + count; + + MagickSizeType ++ extent, + length; + + Quantum +@@ -759,6 +760,9 @@ static MagickBooleanType WriteDistributeCacheMetacontent( + (void) memcpy(®ion.y,p,sizeof(region.y)); + p+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,p,sizeof(length)); ++ extent=((MagickSizeType) region.width*region.height*sizeof(Quantum)); ++ if (length > extent) ++ return(MagickFalse); + p+=(ptrdiff_t) sizeof(length); + q=GetAuthenticPixels(image,region.x,region.y,region.width,region.height, + exception); +@@ -784,6 +788,7 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + count; + + MagickSizeType ++ extent, + length; + + Quantum +@@ -817,6 +822,10 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + (void) memcpy(®ion.y,p,sizeof(region.y)); + p+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,p,sizeof(length)); ++ extent=((MagickSizeType) region.width*region.height*image->number_channels* ++ sizeof(Quantum)); ++ if (length > extent) ++ return(MagickFalse); + p+=(ptrdiff_t) sizeof(length); + 
q=GetAuthenticPixels(image,region.x,region.y,region.width,region.height, + exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_1.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_1.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_1.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,49 @@ +From: Cristy +Date: Thu, 14 May 2026 10:31:10 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 + +Race Condition in distributed pixel cache server can result in file descriptor hijacking +An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor +in the server process when a race condition is met. + +[backport] +- adaptation needed due to fix of CVE-2026-46692 + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 +origin: backport, https://github.com/ImageMagick/ImageMagick/commit/adb4b8d7e1e4014892b71837842326c96c2a625b +--- + MagickCore/distribute-cache.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index e7883ab..ae1784d 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -724,7 +724,6 @@ static MagickBooleanType WriteDistributeCacheMetacontent( + count; + + MagickSizeType +- extent, + length; + + Quantum +@@ -788,7 +787,6 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + count; + + MagickSizeType +- extent, + length; + + Quantum +@@ -822,10 +820,6 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + (void) memcpy(®ion.y,p,sizeof(region.y)); + p+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,p,sizeof(length)); +- extent=((MagickSizeType) region.width*region.height*image->number_channels* +- sizeof(Quantum)); +- if (length > extent) +- return(MagickFalse); + p+=(ptrdiff_t) sizeof(length); + q=GetAuthenticPixels(image,region.x,region.y,region.width,region.height, + exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_2.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_2.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_2.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,190 @@ +From: Cristy +Date: Thu, 14 May 2026 19:26:01 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 + +Race Condition in distributed pixel cache server can result in file descriptor hijacking +An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor +in the server process when a race condition is met. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 +origin: https://github.com/ImageMagick/ImageMagick/commit/99711276aefec757dabb28ea8bf85bf504a0888c +--- + MagickCore/distribute-cache.c | 80 +++++++++++++++++++++++++------------------ + 1 file changed, 47 insertions(+), 33 deletions(-) + +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index ae1784d..4f0cdfb 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -830,15 +830,14 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + return(MagickFalse); + return(SyncAuthenticPixels(image,exception)); + } +- +-static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket) ++static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket_arg) + { + char + *shared_secret; + + ExceptionInfo + *exception; +- ++ + MagickBooleanType + status = MagickFalse; + +@@ -850,7 +849,8 @@ static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket) + session_key; + + SOCKET_TYPE +- client_socket; ++ client_socket, ++ *client_socket_ptr = (SOCKET_TYPE *) socket_arg; + + SplayTreeInfo + *registry; +@@ -864,7 +864,9 @@ static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket) + /* + Generate session key. 
+ */ +- shared_secret=GetPolicyValue("cache:shared-secret"); ++ client_socket=(*client_socket_ptr); ++ client_socket_ptr=(SOCKET_TYPE *) RelinquishMagickMemory(client_socket_ptr); ++ shared_secret = GetPolicyValue("cache:shared-secret"); + if (shared_secret == (char *) NULL) + ThrowFatalException(CacheFatalError,"shared secret required"); + nonce=StringToStringInfo(shared_secret); +@@ -877,7 +879,6 @@ static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket) + */ + registry=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,RelinquishImageRegistry); +- client_socket=(*(SOCKET_TYPE *) socket); + count=dpc_send(client_socket,sizeof(session_key),&session_key); + for (status=MagickFalse; ; ) + { +@@ -928,9 +929,7 @@ static HANDLER_RETURN_TYPE DistributePixelCacheClient(void *socket) + default: + break; + } +- if (status == MagickFalse) +- break; +- if (command == 'd') ++ if ((status == MagickFalse) || (command == 'd')) + break; + } + count=dpc_send(client_socket,sizeof(status),&status); +@@ -954,7 +953,7 @@ MagickExport void DistributePixelCacheServer(const int port, + attributes; + + pthread_t +- threads; ++ thread_id; + #elif defined(_MSC_VER) + DWORD + threadID; +@@ -962,12 +961,12 @@ MagickExport void DistributePixelCacheServer(const int port, + Not implemented! 
+ #endif + +- struct addrinfo +- *p; +- + SOCKET_TYPE + server_socket; + ++ struct addrinfo ++ *p; ++ + struct addrinfo + hint, + *result; +@@ -984,24 +983,23 @@ MagickExport void DistributePixelCacheServer(const int port, + #if defined(MAGICKCORE_HAVE_WINSOCK2) + InitializeWinsock2(MagickFalse); + #endif +- (void) memset(&hint,0,sizeof(hint)); ++ memset(&hint,0,sizeof(hint)); + hint.ai_family=AF_INET; + hint.ai_socktype=SOCK_STREAM; + hint.ai_flags=AI_PASSIVE; +- (void) FormatLocaleString(service,MagickPathExtent,"%d",port); +- status=getaddrinfo((const char *) NULL,service,&hint,&result); ++ FormatLocaleString(service,MagickPathExtent,"%d",port); ++ status=getaddrinfo(NULL,service,&hint,&result); + if (status != 0) +- ThrowFatalException(CacheFatalError,"UnableToListen"); ++ ThrowFatalException(CacheFatalError, "UnableToListen"); + server_socket=(SOCKET_TYPE) 0; +- for (p=result; p != (struct addrinfo *) NULL; p=p->ai_next) ++ for (p=result; p != NULL; p=p->ai_next) + { + int +- one; ++ one = 1; + + server_socket=socket(p->ai_family,p->ai_socktype,p->ai_protocol); + if (server_socket == -1) + continue; +- one=1; + status=setsockopt(server_socket,SOL_SOCKET,SO_REUSEADDR,(char *) &one, + (socklen_t) sizeof(one)); + if (status == -1) +@@ -1025,27 +1023,43 @@ MagickExport void DistributePixelCacheServer(const int port, + ThrowFatalException(CacheFatalError,"UnableToListen"); + #if defined(MAGICKCORE_THREAD_SUPPORT) + pthread_attr_init(&attributes); ++ pthread_attr_setdetachstate(&attributes,PTHREAD_CREATE_DETACHED); + #endif + for ( ; ; ) + { + SOCKET_TYPE +- client_socket; ++ *client_socket_ptr; + + socklen_t +- length; +- +- length=(socklen_t) sizeof(address); +- client_socket=accept(server_socket,(struct sockaddr *) &address,&length); +- if (client_socket == -1) +- ThrowFatalException(CacheFatalError,"UnableToEstablishConnection"); ++ length = (socklen_t) sizeof(address); ++ ++ client_socket_ptr=(SOCKET_TYPE *) AcquireMagickMemory(sizeof(SOCKET_TYPE)); ++ if 
(client_socket_ptr == NULL) ++ continue; /* skip connection */ ++ *client_socket_ptr=accept(server_socket,(struct sockaddr *) &address, ++ &length); ++ if (*client_socket_ptr == -1) ++ { ++ client_socket_ptr=(SOCKET_TYPE *) RelinquishMagickMemory( ++ client_socket_ptr); ++ continue; ++ } + #if defined(MAGICKCORE_THREAD_SUPPORT) +- status=pthread_create(&threads,&attributes,DistributePixelCacheClient, +- (void *) &client_socket); +- if (status == -1) +- ThrowFatalException(CacheFatalError,"UnableToCreateClientThread"); ++ status=pthread_create(&thread_id, &attributes,DistributePixelCacheClient, ++ (void *) client_socket_ptr); ++ if (status != 0) ++ { ++ CLOSE_SOCKET(*client_socket_ptr); ++ RelinquishMagickMemory(client_socket_ptr); ++ ThrowFatalException(CacheFatalError,"UnableToCreateClientThread"); ++ } + #elif defined(_MSC_VER) +- if (CreateThread(0,0,DistributePixelCacheClient,(void*) &client_socket,0,&threadID) == (HANDLE) NULL) +- ThrowFatalException(CacheFatalError,"UnableToCreateClientThread"); ++ if (CreateThread(0,0,DistributePixelCacheClient,(void*) client_socket_ptr,0,&threadID) == (HANDLE) NULL) ++ { ++ CLOSE_SOCKET(*client_socket_ptr); ++ RelinquishMagickMemory(client_socket_ptr); ++ ThrowFatalException(CacheFatalError,"UnableToCreateClientThread"); ++ } + #else + Not implemented! + #endif diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_3.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_3.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_3.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-46693_3.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,46 @@ +From: Cristy +Date: Thu, 14 May 2026 18:48:58 -0400 +Subject: + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 + +Race Condition in distributed pixel cache server can result in file descriptor hijacking +An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor +in the server process when a race condition is met. + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92 +origin: https://github.com/ImageMagick/ImageMagick/commit/d954e9c48a7b2bdb76f0c9a3f8bc0e22071288e6 +--- + MagickCore/distribute-cache.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index 4f0cdfb..1b70e5b 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -724,6 +724,7 @@ static MagickBooleanType WriteDistributeCacheMetacontent( + count; + + MagickSizeType ++ extent, + length; + + Quantum +@@ -787,6 +788,7 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + count; + + MagickSizeType ++ extent, + length; + + Quantum +@@ -820,6 +822,10 @@ static MagickBooleanType WriteDistributeCachePixels(SplayTreeInfo *registry, + (void) memcpy(®ion.y,p,sizeof(region.y)); + p+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,p,sizeof(length)); ++ extent=((MagickSizeType) region.width*region.height*image->number_channels* ++ sizeof(Quantum)); ++ if (length > extent) ++ return(MagickFalse); + p+=(ptrdiff_t) sizeof(length); + q=GetAuthenticPixels(image,region.x,region.y,region.width,region.height, + exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-47165_CVE-2026-47166.patch imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-47165_CVE-2026-47166.patch --- imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-47165_CVE-2026-47166.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-7.1.1.43+dfsg1/debian/patches/CVE-2026-47165_CVE-2026-47166.patch 2026-05-24 14:24:29.000000000 +0000 
@@ -0,0 +1,83 @@ +From: Cristy +Date: Sat, 16 May 2026 16:21:30 -0400 +Subject: validate the DPC pixel cache on read + +(cherry picked from commit bb79e91155127dd6c3c18a01c8761e9c2ea82d70) + +[debian] +This fix CVE-2026-4716[56] + +bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2rgj-gx5x-f62w +origin: https://github.com/ImageMagick/ImageMagick/commit/bb79e91155127dd6c3c18a01c8761e9c2ea82d70 +--- + MagickCore/distribute-cache.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/MagickCore/distribute-cache.c b/MagickCore/distribute-cache.c +index 1b70e5b..112a7f9 100644 +--- a/MagickCore/distribute-cache.c ++++ b/MagickCore/distribute-cache.c +@@ -587,6 +587,23 @@ static MagickBooleanType OpenDistributeCache(SplayTreeInfo *registry,int file, + return(status); + } + ++static inline MagickBooleanType ValidateDistributedPixelCache( ++ const RectangleInfo *region,const size_t per_pixel, ++ const MagickSizeType length) ++{ ++ size_t ++ extent = 0, ++ pixels = 0; ++ ++ if (HeapOverflowSanityCheckGetSize(region->width,region->height,&pixels) != MagickFalse) ++ return(MagickFalse); ++ if (HeapOverflowSanityCheckGetSize(pixels,per_pixel,&extent) != MagickFalse) ++ return(MagickFalse); ++ if (length > (MagickSizeType) extent) ++ return(MagickFalse); ++ return(MagickTrue); ++} ++ + static MagickBooleanType ReadDistributeCacheMetacontent(SplayTreeInfo *registry, + int file,const size_t session_key,ExceptionInfo *exception) + { +@@ -611,6 +628,9 @@ static MagickBooleanType ReadDistributeCacheMetacontent(SplayTreeInfo *registry, + RectangleInfo + region; + ++ size_t ++ per_pixel; ++ + unsigned char + message[MagickPathExtent], + *q; +@@ -637,6 +657,9 @@ static MagickBooleanType ReadDistributeCacheMetacontent(SplayTreeInfo *registry, + q+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,q,sizeof(length)); + q+=(ptrdiff_t) sizeof(length); ++ per_pixel=image->number_meta_channels*sizeof(Quantum); ++ if 
(ValidateDistributedPixelCache(®ion,per_pixel,length) == MagickFalse) ++ return(MagickFalse); + p=GetVirtualPixels(image,region.x,region.y,region.width,region.height, + exception); + if (p == (const Quantum *) NULL) +@@ -669,6 +692,9 @@ static MagickBooleanType ReadDistributeCachePixels(SplayTreeInfo *registry, + RectangleInfo + region; + ++ size_t ++ per_pixel; ++ + unsigned char + message[MagickPathExtent], + *q; +@@ -694,6 +720,9 @@ static MagickBooleanType ReadDistributeCachePixels(SplayTreeInfo *registry, + (void) memcpy(®ion.y,q,sizeof(region.y)); + q+=(ptrdiff_t) sizeof(region.y); + (void) memcpy(&length,q,sizeof(length)); ++ per_pixel=image->number_channels*sizeof(Quantum); ++ if (ValidateDistributedPixelCache(®ion,per_pixel,length) == MagickFalse) ++ return(MagickFalse); + q+=(ptrdiff_t) sizeof(length); + p=GetVirtualPixels(image,region.x,region.y,region.width,region.height, + exception); diff -Nru imagemagick-7.1.1.43+dfsg1/debian/patches/series imagemagick-7.1.1.43+dfsg1/debian/patches/series --- imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-04-22 10:38:04.000000000 +0000 +++ imagemagick-7.1.1.43+dfsg1/debian/patches/series 2026-05-24 14:24:29.000000000 +0000 @@ -151,3 +151,25 @@ CVE-2026-40310.patch CVE-2026-40311.patch CVE-2026-40312.patch +CVE-2026-42050.patch +CVE-2026-42326.patch +CVE-2026-45031.patch +CVE-2026-45358.patch +CVE-2026-45359.patch +CVE-2026-33901_bug420_1.patch +CVE-2026-33901_bug420_2.patch +CVE-2026-45624.patch +CVE-2026-45664_1.patch +CVE-2026-45664_2.patch +CVE-2026-46520.patch +CVE-2026-46521_pre1.patch +CVE-2026-46521.patch +CVE-2026-46522.patch +CVE-2026-46523.patch +CVE-2026-46557.patch +CVE-2026-46559.patch +CVE-2026-46692.patch +CVE-2026-46693_1.patch +CVE-2026-46693_2.patch +CVE-2026-46693_3.patch +CVE-2026-47165_CVE-2026-47166.patch
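Review bot: in the WriteMIFFImage hunk at the top of this section, the RLE allowance `packet_size++` now sits only inside the new `else` block, so when `image->number_meta_channels != 0` the value `GetImageChannels(image)*image->depth/8` gets no extra byte under RLECompression. The removed lines overwrote packet_size in that case too, so this is not a regression, but since the branches are now explicit it is worth either moving `if (compression == RLECompression) packet_size++;` after the if/else or adding a comment saying why the meta-channel case does not need it.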
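Review bot: the three `length == 0` checks added to ReadMIFFImage in CVE-2026-46522.patch have no comment saying why a zero-length chunk must be fatal. The patch description ties this to an infinite loop, so a one-line comment on the first check (the bzip branch), stating that a zero-length chunk gives the decompressor no input and the loop cannot advance, would keep the check from being removed later as redundant. The blocks differ only in the cleanup call (BZ2_bzDecompressEnd, lzma_end, inflateEnd), so the same comment can be referenced from the other two.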
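Review bot: in RegisterMSLImage (CVE-2026-46523.patch), `entry->flags^=CoderBlobSupportFlag;` toggles the bit rather than clearing it, so it only disables blob support while that flag is set by default when the entry is created. `entry->flags&=~CoderBlobSupportFlag;` would state the intent independent of the default. The line also has no comment linking it to the use-after-free named in the patch description, which makes a one-line flag change easy to revert by accident.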
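Review bot: in the unary-prefix branch of GetOperand (CVE-2026-46557.patch), the new `pfx->teDepth >= MagickMaxRecursionDepth` test runs after PushOperatorStack and `pfx->pex++`, so the depth failure returns with the operator already pushed and the parse position already advanced. Moving the depth check ahead of PushOperatorStack would leave the parser state untouched on that error path. The increment and decrement around the recursive call are balanced, which is correct; a short comment noting that teDepth is the counter being shared here would help readers of the rest of fx.c.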
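Review bot: both loops in WriteJP2Image (CVE-2026-46559.patch) are bounded by `i < (ssize_t) (extent-1)` rather than `i < extent`, and nothing in the hunk says why the last element of tcp_distoratio and tcp_rates is held back. If code after the loop writes one more slot, say so in a comment next to `extent`; if not, the bound can be `extent`. The removed guards were `i > 100` in one loop and `i >= 100` in the other, so the new sizeof-derived bound is the right direction. The hunk also replaces sscanf with MagickSscanf, which is separate from the bound; since the origin line marks this as a backport, please confirm that helper is present in 7.1.1.43.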
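Review bot: in WriteDistributeCacheMetacontent (CVE-2026-46692.patch), `extent` is computed as `region.width*region.height*sizeof(Quantum)` with no per-pixel channel factor, while WriteDistributeCachePixels in the same patch multiplies by `image->number_channels` and the read-side metacontent check in CVE-2026-47165_CVE-2026-47166.patch uses `image->number_meta_channels*sizeof(Quantum)`. Please confirm which per-pixel size is correct for metacontent and make the write and read paths agree. The check also sits between the memcpy of `length` and `p+=sizeof(length)`, which is harmless on the return path but reads more clearly after the pointer advance.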
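Review bot: CVE-2026-46693_1.patch removes the `extent,` declaration from both WriteDistributeCacheMetacontent and WriteDistributeCachePixels but deletes the `length > extent` check only from WriteDistributeCachePixels, so the check that CVE-2026-46692.patch added to WriteDistributeCacheMetacontent is left using an undeclared variable until CVE-2026-46693_3.patch puts the declarations back. With the series applied only up to _1 or _2 the file should not compile, and the bounds check for CVE-2026-46692 is missing from the pixels path in between. Since _1 and _3 net to no change against the post-46692 state, consider dropping both and refreshing _2 against that state so every point in the series builds and keeps the check.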
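Review bot: in the accept loop of DistributePixelCacheServer (CVE-2026-46693_2.patch), the `continue; /* skip connection */` taken when AcquireMagickMemory returns NULL runs before accept() is called, so no connection is actually skipped: the loop retries the allocation immediately and the pending client stays queued. Accepting into a local SOCKET_TYPE first, then allocating and calling CLOSE_SOCKET on it if the allocation fails, would match the comment. The loop now also continues when accept() returns -1 where it used to throw, so a persistent accept error becomes a tight loop; a log message or short back-off is worth adding. Handing each thread its own heap copy of the socket and testing `status != 0` after pthread_create are both correct. Unrelated to the fix, the hunk drops the (void) casts on memset and FormatLocaleString and adds a whitespace-only line after `*exception;`, which makes the change harder to compare with the surrounding style.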
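Review bot: ValidateDistributedPixelCache (CVE-2026-47165_CVE-2026-47166.patch) is called only from ReadDistributeCacheMetacontent and ReadDistributeCachePixels, while the two Write functions keep the open-coded `(MagickSizeType) region.width*region.height*...` product from CVE-2026-46692.patch, which has no overflow check. Calling the helper from the write paths as well would give all four handlers the same HeapOverflowSanityCheckGetSize-guarded arithmetic and a single definition of the per-pixel size. Minor: the call is placed after `q+=sizeof(length)` in the metacontent reader and before it in the pixel reader; pick one position. The helper also has no comment stating that a non-MagickFalse result from HeapOverflowSanityCheckGetSize means overflow, which is the opposite of how the other checks in this file read.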