Hi Rouca!

Thank you for installing the latest version of imagemagick in the Debian FTP archive! As far as I can see, the new version of imagemagick with fully fixed CVE-2023-34151 is 8:6.9.13.12+dfsg1-1. It is now already included in the sid distribution: https://packages.debian.org/sid/imagemagick

I have checked that the method of reproducing CVE-2023-34151 described earlier (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340#30) does not work with the new version 8:6.9.13.12+dfsg1-1 of imagemagick in a Debian Bookworm environment:

vagrant@bookworm:~/imagemagick-6.9.13.12+dfsg1$ ./magick.sh identify mvg:piechart.mvg
identify: width or height exceeds limit `piechart.mvg' @ error/cache.c/OpenPixelCache/3926.

So I think CVE-2023-34151 is really fully fixed in the 8:6.9.13.12+dfsg1-1 version of imagemagick.

Rouca, could you please explain to me whether it is true that this version (or a more recent one) is expected to appear in the Debian Bookworm distribution in the future? Is it possible to make a guess at how long it could take for the new version of imagemagick with fully fixed CVE-2023-34151 to appear in Debian Bookworm?

I am asking because of my interest in fixing this CVE in Debian Bookworm.

Thanks,
Sergei