Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
* CVE-2023-34151 fix was incomplete (Closes: #1070340)
* Fix variation of CVE-2023-1289 found by testing.
* Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
* Fix CVE-2021-20313: Fix a divide by zero

[ Impact ]
CVEs are still open

[ Tests ]
Automatic test for CVE-2023-1289, other manual tests with libasan

[ Risks ]
Low, review of changes and testing cross-checked with santiago

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog --- imagemagick-6.9.11.60+dfsg/debian/changelog 2024-02-17 15:31:24.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/changelog 2024-07-11 16:52:37.000000000 +0000 @@ -1,3 +1,12 @@ +imagemagick (8:6.9.11.60+dfsg-1.3+deb11u4) bullseye; urgency=medium + + * CVE-2023-34151 fix was incomplete (Closes: #1070340) + * Fix variation of CVE-2023-1289 found by testing. + * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282) + * Fix CVE-2021-20313: Fix a divide by zero + + -- Bastien Roucari??s <ro...@debian.org> Thu, 11 Jul 2024 16:52:37 +0000 + imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder @@ -33,7 +42,7 @@ was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash - and denial of service. + and denial of service. Fix also CVE-2022-3213. * Fix CVE-2023-5341: A heap use-after-free flaw was found in coders/bmp.c @@ -57,8 +66,11 @@ * Fix CVE-2022-28463: Buffer overflow in cin coder. * Fix CVE-2022-32545: Value outside the range of unsigned char (Closes: #1016442) + * Fix CVE-2021-40211: Division by zero in function ReadEnhMetaFile + of coders/emf.c. * Fix CVE-2022-32546: Value outside the range of representable - values of type 'unsigned long' at coders/pcl.c, + values of type 'unsigned long' at coders/pcl.c + * Fix CVE-2022-32547: fix a misaligned address access. * Use Salsa CI -- Bastien Roucari??s <ro...@debian.org> Fri, 29 Dec 2023 11:18:56 +0000 diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control --- imagemagick-6.9.11.60+dfsg/debian/control 2024-02-12 19:54:48.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/control 2024-07-11 16:46:06.000000000 +0000 
@@ -1,4 +1,4 @@ -# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg +# Autogenerated Tue Jun 25 18:15:31 UTC 2024 from make -f debian/rules update_pkg Source: imagemagick Section: graphics Priority: optional diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,166 @@ +From: Cristy <mikayla-gr...@urban-warrior.org> +Date: Thu, 25 Feb 2021 17:03:18 -0500 +Subject: CVE-2021-20312/CVE-2021-20313 possible divide by zero + clear + buffers + +--- + coders/thumbnail.c | 3 ++- + magick/cipher.c | 12 ++++++------ + magick/colorspace.c | 16 ++++++++-------- + magick/memory.c | 21 ++++++++++++++++----- + magick/signature.c | 2 +- + 5 files changed, 33 insertions(+), 21 deletions(-) + +diff --git a/coders/thumbnail.c b/coders/thumbnail.c +index f456faa..3833341 100644 +--- a/coders/thumbnail.c ++++ b/coders/thumbnail.c +@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info, + break; + q++; + } +- if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ++ if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) || ++ (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q))) + ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail"); + thumbnail_image=BlobToImage(image_info,q,length,&image->exception); + if (thumbnail_image == (Image *) NULL) +diff --git a/magick/cipher.c b/magick/cipher.c +index a6d90fc..e7b5a81 100644 +--- a/magick/cipher.c ++++ b/magick/cipher.c +@@ -485,8 +485,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext, + Reset registers. + */ + alpha=0; +- (void) memset(key,0,sizeof(key)); +- (void) memset(text,0,sizeof(text)); ++ (void) ResetMagickMemory(key,0,sizeof(key)); ++ (void) ResetMagickMemory(text,0,sizeof(text)); + } + + /* +@@ -708,8 +708,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image, + */ + quantum_info=DestroyQuantumInfo(quantum_info); + aes_info=DestroyAESInfo(aes_info); +- (void) memset(input_block,0,sizeof(input_block)); +- (void) memset(output_block,0,sizeof(output_block)); ++ (void) ResetMagickMemory(input_block,0,sizeof(input_block)); ++ (void) ResetMagickMemory(output_block,0,sizeof(output_block)); + return(y == (ssize_t) image->rows ? 
MagickTrue : MagickFalse); + } + +@@ -925,8 +925,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image, + */ + quantum_info=DestroyQuantumInfo(quantum_info); + aes_info=DestroyAESInfo(aes_info); +- (void) memset(input_block,0,sizeof(input_block)); +- (void) memset(output_block,0,sizeof(output_block)); ++ (void) ResetMagickMemory(input_block,0,sizeof(input_block)); ++ (void) ResetMagickMemory(output_block,0,sizeof(output_block)); + return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse); + } + +diff --git a/magick/colorspace.c b/magick/colorspace.c +index 5f56ef5..104bc15 100644 +--- a/magick/colorspace.c ++++ b/magick/colorspace.c +@@ -737,15 +737,15 @@ MagickExport MagickBooleanType RGBTransformImage(Image *image, + if (logmap == (Quantum *) NULL) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); +- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/ +- film_gamma); ++ black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002* ++ PerceptibleReciprocal(film_gamma)); + #if defined(MAGICKCORE_OPENMP_SUPPORT) + #pragma omp parallel for schedule(static) + #endif + for (i=0; i <= (ssize_t) MaxMap; i++) + logmap[i]=ScaleMapToQuantum((MagickRealType) (MaxMap*(reference_white+ +- log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/ +- film_gamma))/1024.0)); ++ log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002* ++ PerceptibleReciprocal(film_gamma)))/1024.0)); + image_view=AcquireAuthenticCacheView(image,exception); + #if defined(MAGICKCORE_OPENMP_SUPPORT) + #pragma omp parallel for schedule(static) shared(status) \ +@@ -2396,14 +2396,14 @@ MagickExport MagickBooleanType TransformRGBImage(Image *image, + if (logmap == (Quantum *) NULL) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); +- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/ +- film_gamma); ++ 
black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002* ++ PerceptibleReciprocal(film_gamma)); + for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++) + logmap[i]=(Quantum) 0; + for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++) + logmap[i]=ClampToQuantum((MagickRealType) QuantumRange/(1.0-black)* +- (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/ +- film_gamma)-black)); ++ (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002* ++ PerceptibleReciprocal(film_gamma))-black)); + for ( ; i <= (ssize_t) MaxMap; i++) + logmap[i]=QuantumRange; + if (image->storage_class == PseudoClass) +diff --git a/magick/memory.c b/magick/memory.c +index 28d4238..1a3aed9 100644 +--- a/magick/memory.c ++++ b/magick/memory.c +@@ -1270,25 +1270,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info) + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + % + % ResetMagickMemory() fills the first size bytes of the memory area pointed to +-% by memory with the constant byte c. ++% by memory with the constant byte c. We use a volatile pointer when ++% updating the byte string. Most compilers will avoid optimizing away access ++% to a volatile pointer, even if the pointer appears to be unused after the ++% call. + % + % The format of the ResetMagickMemory method is: + % +-% void *ResetMagickMemory(void *memory,int byte,const size_t size) ++% void *ResetMagickMemory(void *memory,int c,const size_t size) + % + % A description of each parameter follows: + % + % o memory: a pointer to a memory allocation. + % +-% o byte: set the memory to this value. ++% o c: set the memory to this value. + % + % o size: size of the memory to reset. 
+ % + */ +-MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size) ++MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size) + { ++ volatile unsigned char ++ *p = memory; ++ ++ size_t ++ n = size; ++ + assert(memory != (void *) NULL); +- return(memset(memory,byte,size)); ++ while (n-- != 0) ++ *p++=(unsigned char) c; ++ return(memory); + } + + /* +diff --git a/magick/signature.c b/magick/signature.c +index 7a16050..7ead087 100644 +--- a/magick/signature.c ++++ b/magick/signature.c +@@ -720,7 +720,7 @@ RestoreMSCWarning + T=0; + T1=0; + T2=0; +- (void) memset(W,0,sizeof(W)); ++ (void) ResetMagickMemory(W,0,sizeof(W)); + } + + /* diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0069-CVE-2023-34151-properly-cast-double-to-size_t.patch imagemagick-6.9.11.60+dfsg/debian/patches/0069-CVE-2023-34151-properly-cast-double-to-size_t.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0069-CVE-2023-34151-properly-cast-double-to-size_t.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0069-CVE-2023-34151-properly-cast-double-to-size_t.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Tue, 23 Apr 2024 18:19:24 -0400 +Subject: CVE-2023-34151: properly cast double to size_t + +bug: https://github.com/ImageMagick/ImageMagick/issues/6341 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340 + +forgot to cast double to unsigned int + +origin: https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9.patch +--- + coders/mvg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/mvg.c b/coders/mvg.c +index 2d503e1..d8e793e 100644 +--- a/coders/mvg.c ++++ b/coders/mvg.c +@@ -191,8 +191,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception) + 96.0; + draw_info->affine.sy=image->y_resolution == 0.0 ? 1.0 : image->y_resolution/ + 96.0; +- image->columns=(size_t) (draw_info->affine.sx*image->columns); +- image->rows=(size_t) (draw_info->affine.sy*image->rows); ++ image->columns=CastDoubleToUnsigned(draw_info->affine.sx*image->columns); ++ image->rows=CastDoubleToUnsigned(draw_info->affine.sy*image->rows); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0070-CVE-2023-34151.patch imagemagick-6.9.11.60+dfsg/debian/patches/0070-CVE-2023-34151.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0070-CVE-2023-34151.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0070-CVE-2023-34151.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,72 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Mon, 21 Feb 2022 11:55:23 -0500 +Subject: CVE-2023-34151 + +This is a prerequist for fixing it + +magick produces incorrect result possibly due to overflow + +bug: https://github.com/ImageMagick/ImageMagick/issues/4870 +origin: https://github.com/ImageMagick/ImageMagick6/commit/8b7b17c8fef72dab479e6ca676676d8c5e395dd6 +--- + coders/txt.c | 24 ++++++++++++------------ + magick/image-private.h | 11 +++++++++++ + 2 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/coders/txt.c b/coders/txt.c +index 0e5c794..bca071f 100644 +--- a/coders/txt.c ++++ b/coders/txt.c +@@ -573,18 +573,18 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception) + green+=(range+1)/2.0; + blue+=(range+1)/2.0; + } +- pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny) +- MagickMax(red+0.5,0.0),range); +- pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny) +- MagickMax(green+0.5,0.0),range); +- pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny) +- MagickMax(blue+0.5,0.0),range); +- pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny) +- MagickMax(index+0.5,0.0),range); +- pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny) +- MagickMax(opacity+0.5,0.0),range); +- q=GetAuthenticPixels(image,CastDoubleToLong(x_offset), +- CastDoubleToLong(y_offset),1,1,exception); ++ pixel.red=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny( ++ red),range); ++ pixel.green=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny( ++ green),range); ++ pixel.blue=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny( ++ blue),range); ++ pixel.index=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny( ++ index),range); ++ pixel.opacity=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny( ++ opacity),range); ++ q=GetAuthenticPixels(image,CastDoubleToLong(x_offset),CastDoubleToLong( ++ y_offset),1,1,exception); + if (q == (PixelPacket *) NULL) + 
{ + status=MagickFalse; +diff --git a/magick/image-private.h b/magick/image-private.h +index b269f33..fc7d4b4 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -84,6 +84,17 @@ static inline size_t CastDoubleToUnsigned(const double x) + return((size_t) x); + } + ++static inline QuantumAny CastDoubleToQuantumAny(const double x) ++{ ++ if (IsNaN(x) != 0) ++ return(0); ++ if (x > ((double) ((QuantumAny) ~0))) ++ return((QuantumAny) ~0); ++ if (x < 0.0) ++ return(0.0); ++ return((QuantumAny) (x+0.5)); ++} ++ + static inline double DegreesToRadians(const double degrees) + { + return((double) (MagickPI*degrees/180.0)); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0071-incorrect-bounds-checking-for-draw-affine-https-gith.patch imagemagick-6.9.11.60+dfsg/debian/patches/0071-incorrect-bounds-checking-for-draw-affine-https-gith.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0071-incorrect-bounds-checking-for-draw-affine-https-gith.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0071-incorrect-bounds-checking-for-draw-affine-https-gith.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,62 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Sun, 28 Aug 2022 10:55:11 -0400 +Subject: incorrect bounds checking for draw affine @ + https://github.com/ImageMagick/ImageMagick/issues/5497 + +origin: https://github.com/ImageMagick/ImageMagick6/commit/c5a9368d871943eceafce143bb87612b2a9623b2.patch +--- + magick/draw.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/magick/draw.c b/magick/draw.c +index 212564f..757d5c4 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -1206,12 +1206,12 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image, + assert(affine != (AffineMatrix *) NULL); + extent[0].x=0.0; + extent[0].y=0.0; +- extent[1].x=(double) source->columns-1.0; ++ extent[1].x=(double) source->columns; + extent[1].y=0.0; +- extent[2].x=(double) source->columns-1.0; +- extent[2].y=(double) source->rows-1.0; ++ extent[2].x=(double) source->columns; ++ extent[2].y=(double) source->rows; + extent[3].x=0.0; +- extent[3].y=(double) source->rows-1.0; ++ extent[3].y=(double) source->rows; + for (i=0; i < 4; i++) + { + point=extent[i]; +@@ -1237,11 +1237,15 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image, + if (SetImageStorageClass(image,DirectClass) == MagickFalse) + return(MagickFalse); + status=MagickTrue; +- edge.x1=MagickMax(min.x,0.0); +- edge.y1=MagickMax(min.y,0.0); +- edge.x2=MagickMin(max.x,(double) image->columns-1.0); +- edge.y2=MagickMin(max.y,(double) image->rows-1.0); ++ edge.x1=min.x; ++ edge.y1=min.y; ++ edge.x2=max.x; ++ edge.y2=max.y; + inverse_affine=InverseAffineMatrix(affine); ++ if (edge.y1 < 0.0) ++ edge.y1=0.0; ++ if (edge.y2 > (image->rows-1.0)) ++ edge.y2=image->rows-1.0; + GetMagickPixelPacket(image,&zero); + exception=(&image->exception); + start=CastDoubleToLong(ceil(edge.y1-0.5)); +@@ -1281,6 +1285,10 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image, + inverse_edge=AffineEdge(source,&inverse_affine,(double) y,&edge); + if 
(inverse_edge.x2 < inverse_edge.x1) + continue; ++ if (inverse_edge.x1 < 0.0) ++ inverse_edge.x1=0.0; ++ if (inverse_edge.x2 > image->columns-1.0) ++ inverse_edge.x2=image->columns-1.0; + q=GetCacheViewAuthenticPixels(image_view,CastDoubleToLong( + ceil(inverse_edge.x1-0.5)),y,(size_t) CastDoubleToLong(floor( + inverse_edge.x2+0.5)-ceil(inverse_edge.x1-0.5)+1),1,exception); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0072-CVE-2023-34151.patch imagemagick-6.9.11.60+dfsg/debian/patches/0072-CVE-2023-34151.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0072-CVE-2023-34151.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0072-CVE-2023-34151.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,102 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Fri, 19 Apr 2024 13:39:44 -0400 +Subject: CVE-2023-34151 + +improved range checking (https://github.com/ImageMagick/ImageMagick/issues/6341) + +origin: https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117.patch +--- + coders/mvg.c | 4 ++-- + magick/image-private.h | 46 +++++++++++++++++++++++++++++++++------------- + 2 files changed, 35 insertions(+), 15 deletions(-) + +diff --git a/coders/mvg.c b/coders/mvg.c +index d8e793e..d17de75 100644 +--- a/coders/mvg.c ++++ b/coders/mvg.c +@@ -177,8 +177,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception) + continue; + (void) sscanf(p,"viewbox %lf %lf %lf %lf",&bounds.x1,&bounds.y1, + &bounds.x2,&bounds.y2); +- image->columns=(size_t) floor((bounds.x2-bounds.x1)+0.5); +- image->rows=(size_t) floor((bounds.y2-bounds.y1)+0.5); ++ image->columns=CastDoubleToUnsigned(floor((bounds.x2-bounds.x1)+0.5)); ++ image->rows=CastDoubleToUnsigned(floor((bounds.y2-bounds.y1)+0.5)); + break; + } + } +diff --git a/magick/image-private.h b/magick/image-private.h +index fc7d4b4..57c5159 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -53,30 +53,25 @@ extern "C" { + #define UndefinedCompressionQuality 0UL + #define UndefinedTicksPerSecond 100L + +-static inline ssize_t CastDoubleToLong(const double value) ++static inline size_t CastDoubleToLong(const double x) + { +- if (IsNaN(value) != 0) +- return(0); +- if (value > (double) MAGICK_SSIZE_MAX) +- return((ssize_t) MAGICK_SSIZE_MAX); +- if (value < (double) MAGICK_SSIZE_MIN) +- return((ssize_t) MAGICK_SSIZE_MIN); +- return((ssize_t) value); +-} ++ double ++ value; + +-static inline size_t CastDoubleToUnsigned(const double x) +-{ + if (IsNaN(x) != 0) + { + errno=ERANGE; + return(0); + } +- if (floor(x) > ((double) MAGICK_SSIZE_MAX-1)) ++ value=floor(x); ++ if (value > ((double) MAGICK_SSIZE_MAX-1)) + { + errno=ERANGE; + 
return((size_t) MAGICK_SIZE_MAX); + } +- if (ceil(x) < 0.0) ++ ++ value=ceil(x); ++ if (value < ((double) MAGICK_SSIZE_MIN+1)) + { + errno=ERANGE; + return(0); +@@ -95,6 +90,31 @@ static inline QuantumAny CastDoubleToQuantumAny(const double x) + return((QuantumAny) (x+0.5)); + } + ++static inline size_t CastDoubleToUnsigned(const double x) ++{ ++ double ++ value; ++ ++ if (IsNaN(x) != 0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ value=floor(x); ++ if (value > ((double) MAGICK_SIZE_MAX-1)) ++ { ++ errno=ERANGE; ++ return((size_t) MAGICK_SIZE_MAX); ++ } ++ value=ceil(x); ++ if (ceil(x) < 0.0) ++ { ++ errno=ERANGE; ++ return(0); ++ } ++ return((size_t) x); ++} ++ + static inline double DegreesToRadians(const double degrees) + { + return((double) (MagickPI*degrees/180.0)); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0073-check-for-value-0-ceil-not-required.patch imagemagick-6.9.11.60+dfsg/debian/patches/0073-check-for-value-0-ceil-not-required.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0073-check-for-value-0-ceil-not-required.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0073-check-for-value-0-ceil-not-required.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,54 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Fri, 19 Apr 2024 14:33:05 -0400 +Subject: check for value < 0, ceil() not required + +This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546. + +Cast from double to integer is hard to correctly and was fixed by a few patches upstream. + +bug: https://github.com/ImageMagick/ImageMagick/issues/6341 +origin: https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649.patch +--- + magick/image-private.h | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index 57c5159..bfc0265 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -67,16 +67,14 @@ static inline size_t CastDoubleToLong(const double x) + if (value > ((double) MAGICK_SSIZE_MAX-1)) + { + errno=ERANGE; +- return((size_t) MAGICK_SIZE_MAX); +- } +- +- value=ceil(x); ++ return((ssize_t) MAGICK_SSIZE_MAX); ++ } value=ceil(x); + if (value < ((double) MAGICK_SSIZE_MIN+1)) + { + errno=ERANGE; + return(0); + } +- return((size_t) x); ++ return((ssize_t) value); + } + + static inline QuantumAny CastDoubleToQuantumAny(const double x) +@@ -106,13 +104,12 @@ static inline size_t CastDoubleToUnsigned(const double x) + errno=ERANGE; + return((size_t) MAGICK_SIZE_MAX); + } +- value=ceil(x); +- if (ceil(x) < 0.0) ++ if (value < 0.0) + { + errno=ERANGE; + return(0); + } +- return((size_t) x); ++ return((size_t) value); + } + + static inline double DegreesToRadians(const double degrees) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0074-fix-undefined-behaviors-when-casting-double-to-size_.patch imagemagick-6.9.11.60+dfsg/debian/patches/0074-fix-undefined-behaviors-when-casting-double-to-size_.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0074-fix-undefined-behaviors-when-casting-double-to-size_.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-6.9.11.60+dfsg/debian/patches/0074-fix-undefined-behaviors-when-casting-double-to-size_.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,42 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Fri, 19 Apr 2024 19:38:56 -0400 +Subject: fix undefined behaviors when casting double to size_t + +This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546. + +Cast from double to integer is hard to correctly and was fixed by a few patches upstream. + +bug: https://github.com/ImageMagick/ImageMagick/issues/6341 +origin: https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e +--- + magick/image-private.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index bfc0265..839ed72 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -64,12 +64,12 @@ static inline size_t CastDoubleToLong(const double x) + return(0); + } + value=floor(x); +- if (value > ((double) MAGICK_SSIZE_MAX-1)) ++ if (value > ((double) MAGICK_SSIZE_MAX)) + { + errno=ERANGE; + return((ssize_t) MAGICK_SSIZE_MAX); + } value=ceil(x); +- if (value < ((double) MAGICK_SSIZE_MIN+1)) ++ if (value < ((double) MAGICK_SSIZE_MIN)) + { + errno=ERANGE; + return(0); +@@ -99,7 +99,7 @@ static inline size_t CastDoubleToUnsigned(const double x) + return(0); + } + value=floor(x); +- if (value > ((double) MAGICK_SIZE_MAX-1)) ++ if (value > ((double) MAGICK_SIZE_MAX)) + { + errno=ERANGE; + return((size_t) MAGICK_SIZE_MAX); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0075-use-a-different-path-for-positive-and-negative-value.patch imagemagick-6.9.11.60+dfsg/debian/patches/0075-use-a-different-path-for-positive-and-negative-value.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0075-use-a-different-path-for-positive-and-negative-value.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0075-use-a-different-path-for-positive-and-negative-value.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,49 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Sat, 20 Apr 2024 06:40:49 -0400 +Subject: use a different path for positive and negative values + +This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546. + +Cast from double to integer is hard to correctly and was fixed by a few patches upstream. + +origin: https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb.patch +--- + magick/image-private.h | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index 839ed72..4e03993 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -63,16 +63,23 @@ static inline size_t CastDoubleToLong(const double x) + errno=ERANGE; + return(0); + } +- value=floor(x); +- if (value > ((double) MAGICK_SSIZE_MAX)) ++ if (x < 0.0) + { +- errno=ERANGE; +- return((ssize_t) MAGICK_SSIZE_MAX); +- } value=ceil(x); +- if (value < ((double) MAGICK_SSIZE_MIN)) ++ value=ceil(x); ++ if (value < ((double) MAGICK_SSIZE_MIN)) ++ { ++ errno=ERANGE; ++ return((ssize_t) MAGICK_SSIZE_MIN); ++ } ++ } ++ else + { +- errno=ERANGE; +- return(0); ++ value=floor(x); ++ if (value > ((double) MAGICK_SSIZE_MAX)) ++ { ++ errno=ERANGE; ++ return((ssize_t) MAGICK_SSIZE_MAX); ++ } + } + return((ssize_t) value); + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0076-use-instead-to-work-around-precision-limitations-of-.patch imagemagick-6.9.11.60+dfsg/debian/patches/0076-use-instead-to-work-around-precision-limitations-of-.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0076-use-instead-to-work-around-precision-limitations-of-.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0076-use-instead-to-work-around-precision-limitations-of-.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,26 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Tue, 23 Apr 2024 11:39:48 -0400 +Subject: use >= instead to work around precision limitations of a double. + +This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546. + +Cast from double to integer is hard to correctly and was fixed by a few patches upstream. + +origin: https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4.patch +--- + magick/image-private.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/magick/image-private.h b/magick/image-private.h +index 4e03993..bfe0a81 100644 +--- a/magick/image-private.h ++++ b/magick/image-private.h +@@ -106,7 +106,7 @@ static inline size_t CastDoubleToUnsigned(const double x) + return(0); + } + value=floor(x); +- if (value > ((double) MAGICK_SIZE_MAX)) ++ if (value >= ((double) MAGICK_SIZE_MAX)) + { + errno=ERANGE; + return((size_t) MAGICK_SIZE_MAX); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0077-CVE-2023-1289-recursion-detection-fail.patch imagemagick-6.9.11.60+dfsg/debian/patches/0077-CVE-2023-1289-recursion-detection-fail.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0077-CVE-2023-1289-recursion-detection-fail.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0077-CVE-2023-1289-recursion-detection-fail.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,73 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Mon, 6 Mar 2023 19:50:49 -0500 +Subject: CVE-2023-1289: recursion detection fail + +This is a partial revert of the detection recursion + +origin: https://github.com/ImageMagick/ImageMagick6/commit/1485a4c2cba8ca32981016fa25e7a15ef84f06f6.patch +--- + magick/constitute.c | 7 ------- + magick/draw.c | 1 - + magick/image.c | 1 - + magick/image.h | 3 --- + 4 files changed, 12 deletions(-) + +diff --git a/magick/constitute.c b/magick/constitute.c +index 49e8f82..410c106 100644 +--- a/magick/constitute.c ++++ b/magick/constitute.c +@@ -563,16 +563,9 @@ MagickExport Image *ReadImage(const ImageInfo *image_info, + if ((thread_support & DecoderThreadSupport) == 0) + LockSemaphoreInfo(magick_info->semaphore); + status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception); +- if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth) +- { +- (void) ThrowMagickException(exception,GetMagickModule(),CoderError, +- "NumberOfImagesIsNotSupported","`%s'",read_info->magick); +- status=MagickFalse; +- } + image=(Image *) NULL; + if (status != MagickFalse) + image=GetImageDecoder(magick_info)(read_info,exception); +- ((ImageInfo *) image_info)->recursion_depth--; + if ((thread_support & DecoderThreadSupport) == 0) + UnlockSemaphoreInfo(magick_info->semaphore); + } +diff --git a/magick/draw.c b/magick/draw.c +index 757d5c4..02b1d75 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -5452,7 +5452,6 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + if (primitive_info->text == (char *) NULL) + break; + clone_info=AcquireImageInfo(); +- clone_info->recursion_depth=draw_info->image_info->recursion_depth; + composite_images=(Image *) NULL; + if (LocaleNCompare(primitive_info->text,"data:",5) == 0) + composite_images=ReadInlineImage(clone_info,primitive_info->text, +diff --git a/magick/image.c b/magick/image.c +index 9ee22d8..1fc3617 100644 +--- a/magick/image.c ++++ 
b/magick/image.c +@@ -1008,7 +1008,6 @@ MagickExport ImageInfo *CloneImageInfo(const ImageInfo *image_info) + clone_info->subimage=image_info->scene; /* deprecated */ + clone_info->subrange=image_info->number_scenes; /* deprecated */ + clone_info->channel=image_info->channel; +- clone_info->recursion_depth=image_info->recursion_depth; + clone_info->debug=IsEventLogging(); + clone_info->signature=image_info->signature; + return(clone_info); +diff --git a/magick/image.h b/magick/image.h +index e71df13..ac69bef 100644 +--- a/magick/image.h ++++ b/magick/image.h +@@ -499,9 +499,6 @@ struct _ImageInfo + + MagickBooleanType + synchronize; +- +- size_t +- recursion_depth; /* recursion detection */ + }; + + extern MagickExport ExceptionType diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0078-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch imagemagick-6.9.11.60+dfsg/debian/patches/0078-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0078-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0078-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,60 @@ +From: Cristy <mikayla-gr...@urban-warrior.org> +Date: Thu, 23 Dec 2021 06:46:46 -0500 +Subject: improved fix for possible DoS for certain SVG constructs + +This is a partial fix of CVE-2023-1289 + +origin: https://github.com/ImageMagick/ImageMagick6/commit/84ec30550c3146f525383f18a786a6bbd5028a93.patch +--- + magick/draw.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/magick/draw.c b/magick/draw.c +index 02b1d75..bab9b47 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -5459,21 +5459,33 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + else + if (*primitive_info->text != '\0') + { ++ MagickBooleanType ++ status; ++ ++ struct stat ++ attributes; ++ + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); +- status&=SetImageInfo(clone_info,1,exception); + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); +- if (clone_info->size != (char *) NULL) +- clone_info->size=DestroyString(clone_info->size); +- if (clone_info->extract != (char *) NULL) +- clone_info->extract=DestroyString(clone_info->extract); +- if ((LocaleNCompare(clone_info->magick,"http",4) == 0) || +- (LocaleCompare(clone_info->magick,"mpri") == 0)) +- (void) CopyMagickString(clone_info->filename,primitive_info->text, +- MagickPathExtent); +- if (*clone_info->filename != '\0') +- composite_images=ReadImage(clone_info,exception); ++ status=GetPathAttributes(clone_info->filename,&attributes); ++ if ((status != MagickFalse) && (S_ISCHR(attributes.st_mode) == 0)) ++ { ++ status&=SetImageInfo(clone_info,1,exception); ++ (void) CopyMagickString(clone_info->filename, ++ primitive_info->text,MagickPathExtent); ++ if (clone_info->size != (char *) NULL) ++ clone_info->size=DestroyString(clone_info->size); ++ if (clone_info->extract != (char *) NULL) ++ clone_info->extract=DestroyString(clone_info->extract); ++ if 
((LocaleCompare(clone_info->magick,"file") == 0) || ++ (LocaleCompare(clone_info->magick,"https") == 0) || ++ (LocaleCompare(clone_info->magick,"http") == 0) || ++ (LocaleCompare(clone_info->magick,"mpri") == 0) || ++ (IsPathAccessible(clone_info->filename) != MagickFalse)) ++ composite_images=ReadImage(clone_info,exception); ++ } + } + clone_info=DestroyImageInfo(clone_info); + if (composite_images == (Image *) NULL) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0079-permit-compositing-MPRI-images.patch imagemagick-6.9.11.60+dfsg/debian/patches/0079-permit-compositing-MPRI-images.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0079-permit-compositing-MPRI-images.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0079-permit-compositing-MPRI-images.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,95 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Sat, 29 Jan 2022 11:31:10 -0500 +Subject: permit compositing MPRI images + +This is a followup of CVE-2023-1289 + +origin: https://github.com/ImageMagick/ImageMagick6/commit/4dd4d0df449acb13fb859041b4996af58243e352.patch +--- + coders/mpr.c | 9 +++++++-- + magick/draw.c | 41 +++++++++++++++++++++++++---------------- + 2 files changed, 32 insertions(+), 18 deletions(-) + +diff --git a/coders/mpr.c b/coders/mpr.c +index 9cebc13..24c4e1f 100644 +--- a/coders/mpr.c ++++ b/coders/mpr.c +@@ -100,8 +100,13 @@ static Image *ReadMPRImage(const ImageInfo *image_info,ExceptionInfo *exception) + assert(exception->signature == MagickCoreSignature); + image=(Image *) GetImageRegistry(ImageRegistryType,image_info->filename, + exception); +- if (image != (Image *) NULL) +- (void) SyncImageSettings(image_info,image); ++ if (image == (Image *) NULL) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),FileOpenError, ++ "UnableToOpenFile","`%s'",image_info->filename); ++ return(image); ++ } ++ (void) SyncImageSettings(image_info,image); + return(image); + } + +diff --git a/magick/draw.c b/magick/draw.c +index bab9b47..a8fcb91 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -5459,33 +5459,42 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + else + if (*primitive_info->text != '\0') + { +- MagickBooleanType +- status; ++ MagickStatusType ++ path_status; + + struct stat + attributes; + ++ /* ++ Read composite image. 
++ */ + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); ++ (void) SetImageInfo(clone_info,1,exception); + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); +- status=GetPathAttributes(clone_info->filename,&attributes); +- if ((status != MagickFalse) && (S_ISCHR(attributes.st_mode) == 0)) ++ if (clone_info->size != (char *) NULL) ++ clone_info->size=DestroyString(clone_info->size); ++ if (clone_info->extract != (char *) NULL) ++ clone_info->extract=DestroyString(clone_info->extract); ++ path_status=GetPathAttributes(clone_info->filename,&attributes); ++ if (path_status != MagickFalse) + { +- status&=SetImageInfo(clone_info,1,exception); +- (void) CopyMagickString(clone_info->filename, +- primitive_info->text,MagickPathExtent); +- if (clone_info->size != (char *) NULL) +- clone_info->size=DestroyString(clone_info->size); +- if (clone_info->extract != (char *) NULL) +- clone_info->extract=DestroyString(clone_info->extract); +- if ((LocaleCompare(clone_info->magick,"file") == 0) || +- (LocaleCompare(clone_info->magick,"https") == 0) || +- (LocaleCompare(clone_info->magick,"http") == 0) || +- (LocaleCompare(clone_info->magick,"mpri") == 0) || +- (IsPathAccessible(clone_info->filename) != MagickFalse)) ++ if (S_ISCHR(attributes.st_mode) == 0) + composite_images=ReadImage(clone_info,exception); ++ else ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ FileOpenError,"UnableToOpenFile","`%s'", ++ clone_info->filename); + } ++ else ++ if ((LocaleCompare(clone_info->magick,"ftp") != 0) && ++ (LocaleCompare(clone_info->magick,"https") != 0) && ++ (LocaleCompare(clone_info->magick,"http") != 0)) ++ composite_images=ReadImage(clone_info,exception); ++ else ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename); + } + clone_info=DestroyImageInfo(clone_info); + if (composite_images == (Image *) NULL) diff -Nru 
imagemagick-6.9.11.60+dfsg/debian/patches/0080-VID-images-not-permitted-when-compositing.patch imagemagick-6.9.11.60+dfsg/debian/patches/0080-VID-images-not-permitted-when-compositing.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0080-VID-images-not-permitted-when-compositing.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0080-VID-images-not-permitted-when-compositing.patch 2024-07-11 16:46:06.000000000 +0000 @@ -0,0 +1,26 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Mon, 31 Jan 2022 09:44:05 -0500 +Subject: VID images not permitted when compositing + +This is a followup of CVE-2023-1289 + +origin: https://github.com/ImageMagick/ImageMagick6/commit/f4529c0dcf3a8f96c438086b28fbef8338cda0b1.patch +--- + magick/draw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/magick/draw.c b/magick/draw.c +index a8fcb91..0ab2dde 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -5489,8 +5489,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + } + else + if ((LocaleCompare(clone_info->magick,"ftp") != 0) && ++ (LocaleCompare(clone_info->magick,"http") != 0) && + (LocaleCompare(clone_info->magick,"https") != 0) && +- (LocaleCompare(clone_info->magick,"http") != 0)) ++ (LocaleCompare(clone_info->magick,"vid") != 0)) + composite_images=ReadImage(clone_info,exception); + else + (void) ThrowMagickException(exception,GetMagickModule(), diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0081-do-not-composite-SVG-to-avoid-possible-recursion.patch imagemagick-6.9.11.60+dfsg/debian/patches/0081-do-not-composite-SVG-to-avoid-possible-recursion.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0081-do-not-composite-SVG-to-avoid-possible-recursion.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0081-do-not-composite-SVG-to-avoid-possible-recursion.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,42 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Mon, 6 Mar 2023 19:55:46 -0500 +Subject: do not composite SVG to avoid possible recursion + +This is a partial fix of CVE-2023-1289 + +origin: https://github.com/ImageMagick/ImageMagick6/commit/75aac79108af0c0b0d7fc88b1f09c340b0d62c85.patch +--- + magick/draw.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/magick/draw.c b/magick/draw.c +index 0ab2dde..ce22a42 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -5459,6 +5459,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + else + if (*primitive_info->text != '\0') + { ++ const MagickInfo ++ *magick_info; ++ + MagickStatusType + path_status; + +@@ -5471,6 +5474,16 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image, + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); + (void) SetImageInfo(clone_info,1,exception); ++ magick_info=GetMagickInfo(clone_info->magick,exception); ++ if ((magick_info != (const MagickInfo*) NULL) && ++ (LocaleCompare(magick_info->module,"SVG") == 0)) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(), ++ CorruptImageError,"ImageTypeNotSupported","`%s'", ++ clone_info->filename); ++ clone_info=DestroyImageInfo(clone_info); ++ break; ++ } + (void) CopyMagickString(clone_info->filename,primitive_info->text, + MagickPathExtent); + if (clone_info->size != (char *) NULL) diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0082-recursion-detection-framework.patch imagemagick-6.9.11.60+dfsg/debian/patches/0082-recursion-detection-framework.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0082-recursion-detection-framework.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0082-recursion-detection-framework.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,24 @@ +From: Cristy <urban-warr...@imagemagick.org> +Date: Mon, 6 Mar 2023 15:06:05 -0500 +Subject: recursion detection framework + +Avoid a memory leak in previous patches + +origin: https://github.com/ImageMagick/ImageMagick6/commit/060660bf45e0771cf0431e5c2749aa51fabf23f8.patch +--- + magick/draw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/magick/draw.c b/magick/draw.c +index ce22a42..051f2fe 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -1017,6 +1017,8 @@ MagickExport DrawInfo *DestroyDrawInfo(DrawInfo *draw_info) + draw_info->clipping_mask=DestroyImage(draw_info->clipping_mask); + if (draw_info->composite_mask != (Image *) NULL) + draw_info->composite_mask=DestroyImage(draw_info->composite_mask); ++ if (draw_info->image_info != (ImageInfo *) NULL) ++ draw_info->image_info=DestroyImageInfo(draw_info->image_info); + draw_info->signature=(~MagickCoreSignature); + draw_info=(DrawInfo *) RelinquishMagickMemory(draw_info); + return(draw_info); diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0083-Fixed-memory-leak.patch imagemagick-6.9.11.60+dfsg/debian/patches/0083-Fixed-memory-leak.patch --- imagemagick-6.9.11.60+dfsg/debian/patches/0083-Fixed-memory-leak.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/0083-Fixed-memory-leak.patch 2024-07-11 16:46:06.000000000 +0000 
@@ -0,0 +1,21 @@ +From: Dirk Lemstra <d...@lemstra.org> +Date: Sun, 16 Jul 2023 06:45:32 +0200 +Subject: Fixed memory leak. + +origin: https://github.com/ImageMagick/ImageMagick6/commit/c90e79b3b22fec309cab55af2ee606f71b027b12.patch +--- + magick/draw.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/magick/draw.c b/magick/draw.c +index 051f2fe..91c4954 100644 +--- a/magick/draw.c ++++ b/magick/draw.c +@@ -381,7 +381,6 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info, + clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0, + MagickTrue,&draw_info->composite_mask->exception); + clone_info->render=draw_info->render; +- clone_info->image_info=CloneImageInfo(draw_info->image_info); + clone_info->debug=IsEventLogging(); + return(clone_info); + } diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series --- imagemagick-6.9.11.60+dfsg/debian/patches/series 2024-02-17 15:30:20.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/patches/series 2024-07-11 16:46:06.000000000 +0000 
@@ -65,3 +65,19 @@ 0063-Added-check-for-invalid-size.patch 0064-improve-BMP-error-checking.patch 0065-CVE-2023-5341.patch +0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch +0069-CVE-2023-34151-properly-cast-double-to-size_t.patch +0070-CVE-2023-34151.patch +0071-incorrect-bounds-checking-for-draw-affine-https-gith.patch +0072-CVE-2023-34151.patch +0073-check-for-value-0-ceil-not-required.patch +0074-fix-undefined-behaviors-when-casting-double-to-size_.patch +0075-use-a-different-path-for-positive-and-negative-value.patch +0076-use-instead-to-work-around-precision-limitations-of-.patch +0077-CVE-2023-1289-recursion-detection-fail.patch +0078-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch +0079-permit-compositing-MPRI-images.patch +0080-VID-images-not-permitted-when-compositing.patch +0081-do-not-composite-SVG-to-avoid-possible-recursion.patch +0082-recursion-detection-framework.patch +0083-Fixed-memory-leak.patch diff -Nru imagemagick-6.9.11.60+dfsg/debian/rules imagemagick-6.9.11.60+dfsg/debian/rules --- imagemagick-6.9.11.60+dfsg/debian/rules 2024-02-17 15:28:47.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/rules 2024-07-11 16:46:06.000000000 +0000 
@@ -238,6 +238,12 @@ HDRI=$(call HDRI_PART,$*) \ QUANTUMDEPTH=$* \ UCQUANTUMDEPTH=$(call UC,$*) \ + $(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/CVE-2023-1289-$(IMVERSION).$* + chmod +x $(CURDIR)/debian/tests/CVE-2023-1289-$(IMVERSION).$* + QUANTUM=$(call QUANTUM_PART,$*) \ + HDRI=$(call HDRI_PART,$*) \ + QUANTUMDEPTH=$* \ + UCQUANTUMDEPTH=$(call UC,$*) \ $(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/perlmagick-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$* chmod +x $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$* # clean up diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/control imagemagick-6.9.11.60+dfsg/debian/tests/control --- imagemagick-6.9.11.60+dfsg/debian/tests/control 2024-02-12 19:54:48.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/tests/control 2024-07-11 16:46:06.000000000 +0000 @@ -4,9 +4,17 @@ Tests: perlmagick-6.q16 Depends: libimage-magick-q16-perl, libmagickcore-6.q16-6-extra, libaliased-perl, gsfonts +Tests: CVE-2023-1289-6.q16 +Depends: imagemagick-6.q16, libmagickcore-6.q16-6-extra, netpbm +Restrictions: allow-stderr + Tests: rose-6.q16hdri Depends: imagemagick-6.q16hdri, libmagickcore-6.q16hdri-6-extra, netpbm Tests: perlmagick-6.q16hdri Depends: libimage-magick-q16hdri-perl, libmagickcore-6.q16hdri-6-extra, libaliased-perl, gsfonts +Tests: CVE-2023-1289-6.q16hdri +Depends: imagemagick-6.q16hdri, libmagickcore-6.q16hdri-6-extra, netpbm +Restrictions: allow-stderr + diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16 imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16 --- imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16 2024-07-09 13:25:50.000000000 +0000 
@@ -0,0 +1,20 @@ +#!/bin/sh + +CONVERT=convert-im6.q16 + +set -e +tee bad.svg <<"EOF" +<!DOCTYPE test> +<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> +<image height="200" width="200" xlink:href="bad.svg" /> +</svg> +EOF + +error_code=0 +$CONVERT -verbose -font OpenSymbol bad.svg t.jpg || error_code=$? +if [ error_code -gt 126]; then + exit $error_code; +else + exit 0; +fi + diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16hdri imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16hdri --- imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16hdri 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/tests/CVE-2023-1289-6.q16hdri 2024-07-09 13:25:50.000000000 +0000 @@ -0,0 +1,20 @@ +#!/bin/sh + +CONVERT=convert-im6.q16hdri + +set -e +tee bad.svg <<"EOF" +<!DOCTYPE test> +<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> +<image height="200" width="200" xlink:href="bad.svg" /> +</svg> +EOF + +error_code=0 +$CONVERT -verbose -font OpenSymbol bad.svg t.jpg || error_code=$? +if [ error_code -gt 126]; then + exit $error_code; +else + exit 0; +fi + diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in --- imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in 2024-02-12 19:54:48.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/tests.d/control.quantum.in 2024-07-11 16:46:06.000000000 +0000 
@@ -4,3 +4,7 @@ Tests: perlmagick-${IMVERSION}.${QUANTUMDEPTH} Depends: libimage-magick-${QUANTUMDEPTH}-perl, libmagickcore-${IMVERSION}.${QUANTUMDEPTH}-${CORESOVERSION}-extra, libaliased-perl, gsfonts +Tests: CVE-2023-1289-${IMVERSION}.${QUANTUMDEPTH} +Depends: imagemagick-${IMVERSION}.${QUANTUMDEPTH}, libmagickcore-${IMVERSION}.${QUANTUMDEPTH}-${CORESOVERSION}-extra, netpbm +Restrictions: allow-stderr + diff -Nru imagemagick-6.9.11.60+dfsg/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in imagemagick-6.9.11.60+dfsg/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in --- imagemagick-6.9.11.60+dfsg/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.11.60+dfsg/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in 2024-07-09 13:25:50.000000000 +0000 @@ -0,0 +1,20 @@ +#!/bin/sh + +CONVERT=convert-im${IMVERSION}.${QUANTUMDEPTH} + +set -e +tee bad.svg <<"EOF" +<!DOCTYPE test> +<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> +<image height="200" width="200" xlink:href="bad.svg" /> +</svg> +EOF + +error_code=0 +$CONVERT -verbose -font OpenSymbol bad.svg t.jpg || error_code=$? +if [ error_code -gt 126]; then + exit $error_code; +else + exit 0; +fi +
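Review bot: In the magick/image.h hunk of 0077, removing `size_t recursion_depth` from `struct _ImageInfo` changes the size of a structure declared in an installed header, and the matching magick/image.c hunk stops copying it in CloneImageInfo. For a stable update, please state in the patch header or changelog whether any released bullseye binary carried this member; if one did, keeping the field as an unused member would avoid a layout change for code built against the earlier header.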
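Review bot: In the DrawPrimitive hunk of 0078, the new block-local `MagickBooleanType status;` shadows the function's own `status`, which the removed line `status&=SetImageInfo(clone_info,1,exception);` used to update, so a SetImageInfo failure no longer reaches the caller. 0079 renames the local to `path_status` but then discards the result with `(void) SetImageInfo(clone_info,1,exception);`. If ignoring that failure is intended, a one-line comment saying so would help the next reader.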
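Review bot: In the magick/draw.c hunk of 0079, `S_ISCHR(attributes.st_mode) == 0` rejects only character devices, so other non-regular path types such as FIFOs and block devices are still handed to ReadImage. Testing `S_ISREG(attributes.st_mode) != 0` instead would state the intent as an allow rule and keep the existing `UnableToOpenFile` exception for everything else.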
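Review bot: The `else` branch touched by 0080 (the path could not be stat'ed) is a deny list on `clone_info->magick`: `ftp`, `http`, `https` and now `vid` are refused, and every other coder is read. Each coder that later turns out to be unsuitable for compositing needs another patch of this kind. Consider inverting the test into a short allow list (0078 named `mpri` explicitly) and adding a comment that records why each entry is there.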
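Review bot: The check added by 0081 refuses any composite whose coder module is `SVG`, not only a file that references itself, which is a behaviour change for drawings that embed another SVG through an image primitive. The changelog only says "Fix variation of CVE-2023-1289 found by testing"; please mention the restriction there or in NEWS so that users can relate the new `ImageTypeNotSupported` error to this update.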
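Review bot: 0082 makes DestroyDrawInfo release `draw_info->image_info`, and 0083 removes the `clone_info->image_info=CloneImageInfo(draw_info->image_info);` assignment from CloneDrawInfo, but neither hunk shows where the clone's `image_info` is initialised. Please confirm that the clone ends up with either NULL or its own copy, never a pointer shared with the source DrawInfo, since the new destroy path would otherwise free it twice. The 0082 header is also confusing: the subject says "recursion detection framework" while the body says it avoids a memory leak.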
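Review bot: The additions to debian/patches/series jump from 0065-CVE-2023-5341.patch to 0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch, with no 0066 or 0067. Please confirm that the gap is only a numbering artefact and that no patch file in debian/patches was left out of the series.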
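Review bot: The new CVE-2023-1289 stanzas in debian/tests/control and debian/tests.d/control.quantum.in depend on netpbm, which the test script never calls, while the script passes `-font OpenSymbol` and no font package is listed. Drop netpbm and either add the package that provides that font or remove the `-font` option, so that the result does not depend on what happens to be installed on the testbed.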
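Review bot: The check `if [ error_code -gt 126]; then` in the test template and in both generated copies never evaluates as intended: `error_code` lacks its `$` and there is no space before `]`, so `[` fails with a syntax error, the `if` falls through to the `else` branch (a failing condition is not fatal under `set -e`), and the test exits 0 whatever convert returned. It should read `if [ "$error_code" -gt 126 ]; then`. The script also writes bad.svg and t.jpg into the current directory; changing to "$AUTOPKGTEST_TMP" first would keep the source tree clean.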