[Pkg-gmagick-im-team] Bug#1104243: bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u3

Adrian Bunk bunk at debian.org
Sun Apr 27 17:21:19 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: security at debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>

  * CVE-2025-43965: MIFF image depth mishandled after SetQuantumFormat

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
-------------- next part --------------
diffstat for imagemagick-6.9.11.60+dfsg imagemagick-6.9.11.60+dfsg

 changelog                                                               |    7 ++
 patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch |   25 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 33 insertions(+)

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 13:48:47.000000000 +0300
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2025-04-26 20:26:11.000000000 +0300
@@ -1,3 +1,10 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u3) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-43965: MIFF image depth mishandled after SetQuantumFormat
+
+ -- Adrian Bunk <bunk at debian.org>  Sat, 26 Apr 2025 20:26:11 +0300
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) bookworm; urgency=medium
 
   * CVE-2023-34151 fix was incomplete (Closes: #1070340)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch	1970-01-01 02:00:00.000000000 +0200
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0001-Update-the-image-depth-after-this-has-been-changed-b.patch	2025-04-26 20:26:11.000000000 +0300
@@ -0,0 +1,25 @@
+From 64789006934b2974390aa060354ad318c34e0f6a Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk at lemstra.org>
+Date: Tue, 11 Feb 2025 22:34:41 +0100
+Subject: Update the image depth after this has been changed by
+ SetQuantumFormat.
+
+---
+ coders/miff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index 888be96a5..0703d4822 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1310,6 +1310,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+     if (quantum_format != UndefinedQuantumFormat)
+       {
+         status=SetQuantumFormat(image,quantum_info,quantum_format);
++        image->depth=GetImageQuantumDepth(image,MagickFalse);
+         if (status == MagickFalse)
+           ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
+       }
+-- 
+2.30.2
+
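Review bot: in the coders/miff.c hunk the new line `image->depth=GetImageQuantumDepth(image,MagickFalse);` sits between the `SetQuantumFormat` call and the `if (status == MagickFalse)` check, so on the failure path the depth is reassigned right before `ThrowMIFFException` discards the image; that is harmless but reads oddly for a change whose subject is "update the image depth after this has been changed by SetQuantumFormat", and moving the assignment below the status check (or into the success path) would make the intent explicit. The patch header also carries no reference to CVE-2025-43965 or a DEP-3 `Bug:`/`Origin:` line beyond the git `From` commit 64789006934b2974390aa060354ad318c34e0f6a; adding the CVE to the description would make the security fix easier to audit in debian/patches later.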
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series	2024-07-11 13:48:47.000000000 +0300
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series	2025-04-26 20:26:11.000000000 +0300
@@ -78,3 +78,4 @@
 0078-do-not-composite-SVG-to-avoid-possible-recursion.patch
 0079-recursion-detection-framework.patch
 0080-Fixed-memory-leak.patch
+0001-Update-the-image-depth-after-this-has-been-changed-b.patch
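Review bot: appending `0001-Update-the-image-depth-after-this-has-been-changed-b.patch` after `0080-Fixed-memory-leak.patch` breaks the sequential numbering the series file otherwise follows (0078, 0079, 0080); renaming the file to a 0081- prefix (in both debian/patches/ and this series entry) keeps the application order readable and avoids confusion with any earlier 0001- patch in the directory.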
