<div dir="ltr">Hello!<div>Upstream developers of ImageMagick6 fixed CVE-2023-34151 for mvg after all.</div><div>See more info here:</div><div><a href="https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142">https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142</a><br></div><div><br></div><div>I discovered the final list of commits fixing the problem:</div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117">https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117</a></div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649">https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649</a></div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e">https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e</a></div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb">https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb</a></div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4">https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4</a></div><div>- <a href="https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9">https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9</a></div><div><br></div><div>And this is also useful to make applying these commits to the version from Debian Buster easier:</div><div>- <a 
href="https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9">https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9</a></div><div><br></div><div>I squashed them, slightly adapted them to make them applicable to the target version of imagemagick, and finally prepared this patch suitable for imagemagick_6.9.10.23+dfsg-2.1+deb10u7 from Debian Buster:</div><div><a href="https://pastila.nl/?001caded/fa33173a3374db4c55ab654d3e75d668#ZqwgZatwpOmWAtcWUs6QAA==">https://pastila.nl/?001caded/fa33173a3374db4c55ab654d3e75d668#ZqwgZatwpOmWAtcWUs6QAA==</a><br></div><div><br></div><div>I checked that after application of this patch to imagemagick_6.9.10.23+dfsg-2.1+deb10u7 the bug CVE-2023-34151 is not reproducible - there is no error "runtime error: 5e+26 is outside the range of representable values of type 'long unsigned int'" with the file piechart.mvg.</div><div><br></div><div>Hope my patch compiled from commits from upstream will be helpful.</div></div>