[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1037219: marked as done (bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2)

Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <E1rYn0R-002xot-7w@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1037219,
regarding bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037219
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: imagemagick@packages.debian.org
Control: affects -1 + src:imagemagick

[ Reason ]
Imagemagick is affected in stable by a few securities problems.

[ Impact ]
Security problems with some exploit (image) in the wild

[ Tests ]
Yes testsuite is included in the package and autopkgtest

[ Risks ]
Code is complex,I prefer to not solve in a single step all the security bugs.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
+  * Fix CVE-2021-3574: memory leak was found in TIFF coder
+  * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+  * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+    some coders (Closes: #1013282)
+  * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+  * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+  * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+  * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+  * Fix CVE-2021-39212: Postscript files could be read and written
+    when specifically excluded by a module policy in policy.xml file.
+    (Closes: #996588)
+  * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+    (Closes: #1013282)
+  * Fix CVE-2022-28463: Buffer overflow in cin coder.
+  * Fix CVE-2022-32545: Value outside the range of unsigned char
+    (Closes: #1016442)
+  * Fix CVE-2022-32546: Value outside the range of representable
+    values of type 'unsigned long' at coders/pcl.c,
+  * Use Salsa CI

[ Other info ]
Security team is ok with this.

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2023-02-03 17:59:42.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2023-05-26 07:10:27.000000000 +0000
@@ -1,3 +1,27 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u2) bullseye-security; urgency=medium
+
+  * Fix CVE-2021-3574: memory leak was found in TIFF coder
+  * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+  * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+    some coders (Closes: #1013282)
+  * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+  * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+  * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+  * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+  * Fix CVE-2021-39212: Postscript files could be read and written
+    when specifically excluded by a module policy in policy.xml file.
+    (Closes: #996588)
+  * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+    (Closes: #1013282)
+  * Fix CVE-2022-28463: Buffer overflow in cin coder.
+  * Fix CVE-2022-32545: Value outside the range of unsigned char
+    (Closes: #1016442)
+  * Fix CVE-2022-32546: Value outside the range of representable
+    values of type 'unsigned long' at coders/pcl.c,
+  * Use Salsa CI
+
+ -- Bastien Roucariès <rouca@debian.org>  Fri, 26 May 2023 07:10:27 +0000
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u1) bullseye-security; urgency=medium
 
   * Fix CVE-2022-44267 / CVE-2022-44268
diff -Nru imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh
--- imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh	2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Debug what repositories are available to begin with
+grep -r "^deb " /etc/apt/sources.*
+
+# Enable the same repositories that were available at build time in
+# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye
+. /etc/os-release
+cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+EOF
+
+apt-get update
+
+# Ref
+# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
+# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58
+# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,40 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Tue, 13 Apr 2021 21:41:34 -0400
+Subject: CVE-2021-3574: memory leak
+
+Memory leak due to crafted tiff file
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3540
+origin: https://github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792.patch
+---
+ coders/tiff.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index a3caa..8e89e 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1332,6 +1332,11 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         TIFFClose(tiff);
+         ThrowReaderException(CorruptImageError,"UnsupportedBitsPerPixel");
+       }
++    if (samples_per_pixel > MaxPixelChannels)
++      {
++        TIFFClose(tiff);
++        ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
++      }
+     if (sample_format == SAMPLEFORMAT_IEEEFP)
+       (void) SetImageProperty(image,"quantum:format","floating-point");
+     switch (photometric)
+@@ -1700,11 +1705,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+       }
+     if (image->matte != MagickFalse)
+       (void) SetImageAlphaChannel(image,OpaqueAlphaChannel);
+-    if (samples_per_pixel > MaxPixelChannels)
+-      {
+-        TIFFClose(tiff);
+-        ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
+-      }
+     method=ReadGenericMethod;
+     rows_per_strip=(uint32) image->rows;
+     if (TIFFGetField(tiff,TIFFTAG_ROWSPERSTRIP,&rows_per_strip) == 1)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0027-CVE-2021-4219-Dos.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 22 Dec 2021 16:00:28 -0500
+Subject: CVE-2021-4219: Dos
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4626
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023282
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c10351c16b8d2cabd11d2627a02de522570f6ceb.patch
+---
+ magick/draw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 75b3d..ba216 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5452,7 +5452,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+           {
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
+-            status&=SetImageInfo(clone_info,0,exception);
++            status&=SetImageInfo(clone_info,1,exception);
++            (void) CopyMagickString(clone_info->filename,primitive_info->text,
++              MagickPathExtent);
+             if (clone_info->size != (char *) NULL)
+               clone_info->size=DestroyString(clone_info->size);
+             if (clone_info->extract != (char *) NULL)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0028-CVE-2021-20241.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Date: Tue, 2 Feb 2021 16:10:05 +0800
+Subject: CVE-2021-20241:
+
+fix division by zero in WriteJP2Image() in coders/jp2.c
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745.patch
+---
+ coders/jp2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/jp2.c b/coders/jp2.c
+index 0354f..b5078 100644
+--- a/coders/jp2.c
++++ b/coders/jp2.c
+@@ -1064,8 +1064,8 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image)
+ 
+         scale=(double) (((size_t) 1UL << jp2_image->comps[i].prec)-1)/
+           QuantumRange;
+-        q=jp2_image->comps[i].data+(y/jp2_image->comps[i].dy*
+-          image->columns/jp2_image->comps[i].dx+x/jp2_image->comps[i].dx);
++        q=jp2_image->comps[i].data+(ssize_t) (y*PerceptibleReciprocal(jp2_image->comps[i].dy)*
++          image->columns*PerceptibleReciprocal(jp2_image->comps[i].dx)+x*PerceptibleReciprocal(jp2_image->comps[i].dx));
+         switch (i)
+         {
+           case 0:
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0029-CVE-2021-20243.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,23 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 15:30:39 -0500
+Subject: CVE-2021-20243
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/3177
+origin: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745.patch
+---
+ magick/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/resize.c b/magick/resize.c
+index fe662..56e94 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -1611,7 +1611,7 @@ MagickExport MagickRealType GetResizeFilterWeight(
+   */
+   assert(resize_filter != (ResizeFilter *) NULL);
+   assert(resize_filter->signature == MagickCoreSignature);
+-  x_blur=fabs((double) x)/resize_filter->blur;  /* X offset with blur scaling */
++  x_blur=fabs((double) x)*PerceptibleReciprocal(resize_filter->blur); /* X offset with blur scaling */
+   if ((resize_filter->window_support < MagickEpsilon) ||
+       (resize_filter->window == Box))
+     scale=1.0;  /* Point or Box Filter -- avoid division by zero */
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,37 @@
+From: ruc_zhangxiaohui <553441439@qq.com>
+Date: Thu, 4 Feb 2021 04:19:08 +0800
+Subject: CVE-2021-20244: uses the PerceptibleReciprocal() to prevent the
+ divide-by-zero from occurring (#3194)
+
+A crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c8d674946a687f40a126166edf470733fc8ede02.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+Co-authored-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+(cherry picked from commit 329dd528ab79531d884c0ba131e97d43f872ab5d)
+
+This backports the fix for CVE-2021-20244 to IM6.
+---
+ magick/visual-effects.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/magick/visual-effects.c b/magick/visual-effects.c
+index 11dce..46f1d 100644
+--- a/magick/visual-effects.c
++++ b/magick/visual-effects.c
+@@ -1101,11 +1101,11 @@ MagickExport Image *ImplodeImage(const Image *image,const double amount,
+           */
+           factor=1.0;
+           if (distance > 0.0)
+-            factor=pow(sin((double) (MagickPI*sqrt((double) distance)/
+-              radius/2)),-amount);
++            factor=pow(sin((double) (MagickPI*sqrt((double) distance)*
++              PerceptibleReciprocal(radius)/2)),-amount);
+           status=InterpolateMagickPixelPacket(image,image_view,
+-            UndefinedInterpolatePixel,(double) (factor*delta.x/scale.x+
+-            center.x),(double) (factor*delta.y/scale.y+center.y),&pixel,
++            UndefinedInterpolatePixel,(double) (factor*delta.x*PerceptibleReciprocal(scale.x)+
++            center.x),(double) (factor*delta.y*PerceptibleReciprocal(scale.y)+center.y),&pixel,
+             exception);
+           if (status == MagickFalse)
+             break;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,26 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 16:04:25 -0500
+Subject: CVE-2021-20245 Division by zero in WriteAnimatedWEBPImage() in
+ coders/webp.c
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3176
+origin: https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ coders/webp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/webp.c b/coders/webp.c
+index 3c7d9..2bad2b 100644
+--- a/coders/webp.c
++++ b/coders/webp.c
+@@ -881,7 +881,8 @@ static MagickBooleanType WriteAnimatedWEBPImage(const ImageInfo *image_info,
+ 
+     WriteSingleWEBPImage(image_info, image, &picture, current, exception);
+ 
+-    effective_delta = image->delay*1000/image->ticks_per_second;
++    effective_delta = image->delay*1000*PerceptibleReciprocal(
++      image->ticks_per_second);
+     if (effective_delta < 10)
+       effective_delta = 100; /* Consistent with gif2webp */
+     frame_timestamp+=effective_delta;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,28 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 15:50:29 -0500
+Subject: CVE-2021-20246: division by zero in MagickCore/resample.c
+
+bug:https://github.com/ImageMagick/ImageMagick/issues/3195
+origin: https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ magick/resample.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magick/resample.c b/magick/resample.c
+index 593af..d5c72 100644
+--- a/magick/resample.c
++++ b/magick/resample.c
+@@ -1212,10 +1212,10 @@ MagickExport void ScaleResampleFilter(ResampleFilter *resample_filter,
+   { double scale;
+ #if FILTER_LUT
+     /* scale so that F = WLUT_WIDTH; -- hardcoded */
+-    scale = (double)WLUT_WIDTH/F;
++    scale=(double) WLUT_WIDTH*PerceptibleReciprocal(F);
+ #else
+     /* scale so that F = resample_filter->F (support^2) */
+-    scale = resample_filter->F/F;
++    scale=resample_filter->F*PerceptibleReciprocal(F);
+ #endif
+     resample_filter->A = A*scale;
+     resample_filter->B = B*scale;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,24 @@
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Feb 2021 19:34:36 -0500
+Subject: CVE-2021-20309: Division by zero in WaveImage()
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/3296
+origin:  https://github.com/ImageMagick/ImageMagick6/commit/f1e68d22d1b35459421710587a0dcbab6900b51f.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+---
+ magick/visual-effects.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/visual-effects.c b/magick/visual-effects.c
+index 46f1d..87fd0b 100644
+--- a/magick/visual-effects.c
++++ b/magick/visual-effects.c
+@@ -3328,7 +3328,7 @@ MagickExport Image *WaveImage(const Image *image,const double amplitude,
+     }
+   for (i=0; i < (ssize_t) wave_image->columns; i++)
+     sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)
+-      ((2.0*MagickPI*i)/wave_length));
++      ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));
+   /*
+     Wave image.
+   */
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,68 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 10:57:09 +0200
+Subject: [partial] CVE-2021-39212: Fixed incorrect check when module is used
+ as the domain in policy.xml that would allow the use of a disabled module.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8cd2fcd33460826628a7590dc3ce74d7785e1598.patch
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 10 +++++-----
+ magick/static.c |  8 ++++----
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index 9f160..1ea993 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1279,18 +1279,18 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+   module_info=(ModuleInfo *) GetModuleInfo(module,exception);
+   if (module_info != (ModuleInfo *) NULL)
+     return(MagickTrue);
++  (void) CopyMagickString(module_name,module,MaxTextExtent);
++  p=GetCoderInfo(module,exception);
++  if (p != (CoderInfo *) NULL)
++    (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+   rights=ReadPolicyRights;
+-  if (IsRightsAuthorized(ModulePolicyDomain,rights,module) == MagickFalse)
++  if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
+       (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+         "NotAuthorized","`%s'",module);
+       return(MagickFalse);
+     }
+-  (void) CopyMagickString(module_name,module,MaxTextExtent);
+-  p=GetCoderInfo(module,exception);
+-  if (p != (CoderInfo *) NULL)
+-    (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+   if (GetValueFromSplayTree(module_list,module_name) != (void *) NULL)
+     return(MagickTrue);  /* module already opened, return */
+   /*
+diff --git a/magick/static.c b/magick/static.c
+index 8c68f..a2b11 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -395,17 +395,17 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+   */
+   assert(module != (const char *) NULL);
+   (void) CopyMagickString(module_name,module,MagickPathExtent);
++  p=GetCoderInfo(module,exception);
++  if (p != (CoderInfo *) NULL)
++    (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+   rights=ReadPolicyRights;
+-  if (IsRightsAuthorized(ModulePolicyDomain,rights,module) == MagickFalse)
++  if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
+       (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+         "NotAuthorized","`%s'",module);
+       return(MagickFalse);
+     }
+-  p=GetCoderInfo(module,exception);
+-  if (p != (CoderInfo *) NULL)
+-    (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+   extent=sizeof(MagickModules)/sizeof(MagickModules[0]);
+   for (i=0; i < (ssize_t) extent; i++)
+     if (LocaleCompare(MagickModules[i].module,module_name) == 0)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,36 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 12:30:44 +0200
+Subject: [partial] CVE-2021-39212: Added missing policy checks in
+ RegisterStaticModules.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/69ea5587de17ef89476be47a3cb7f855c0355a74
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/static.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/magick/static.c b/magick/static.c
+index a2b11..3b036 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -398,7 +398,7 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+   p=GetCoderInfo(module,exception);
+   if (p != (CoderInfo *) NULL)
+     (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+-  rights=ReadPolicyRights;
++  rights=AllPolicyRights;
+   if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
+@@ -452,6 +452,9 @@ MagickExport void RegisterStaticModules(void)
+   {
+     if (MagickModules[i].registered == MagickFalse)
+       {
++        if (IsRightsAuthorized(ModulePolicyDomain,AllPolicyRights,
++              MagickModules[i].module) == MagickFalse)
++          continue;
+         (void) (MagickModules[i].register_module)();
+         MagickModules[i].registered=MagickTrue;
+       }
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,27 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 12:43:45 +0200
+Subject: [partial] CVE-2021-39212: Use AllPolicyRights instead.
+
+(cherry picked from commit b60e17133b982d28816386b83174c2bc06dd39bd)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b60e17133b982d28816386b83174c2bc06dd39bd
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index 1ea993..da267 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1283,7 +1283,7 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+   p=GetCoderInfo(module,exception);
+   if (p != (CoderInfo *) NULL)
+     (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+-  rights=ReadPolicyRights;
++  rights=AllPolicyRights;
+   if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0037-CVE-2021-39212-Use-the-correct-rights.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,65 @@
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 11 Sep 2021 17:01:23 +0200
+Subject: CVE-2021-39212: Use the correct rights.
+
+(cherry picked from commit 428e68597fa904d0bdc133d878e12acd7dc60fa3)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/428e68597fa904d0bdc133d878e12acd7dc60fa3
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996588
+bug-ubuntu-security: https://ubuntu.com/security/CVE-2021-39212
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
+---
+ magick/module.c | 2 +-
+ magick/static.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/magick/module.c b/magick/module.c
+index da267..3d177 100644
+--- a/magick/module.c
++++ b/magick/module.c
+@@ -1283,7 +1283,7 @@ MagickExport MagickBooleanType OpenModule(const char *module,
+   p=GetCoderInfo(module,exception);
+   if (p != (CoderInfo *) NULL)
+     (void) CopyMagickString(module_name,p->name,MaxTextExtent);
+-  rights=AllPolicyRights;
++  rights=ReadPolicyRights|WritePolicyRights;
+   if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
+diff --git a/magick/static.c b/magick/static.c
+index 3b036..1268d 100644
+--- a/magick/static.c
++++ b/magick/static.c
+@@ -398,7 +398,7 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+   p=GetCoderInfo(module,exception);
+   if (p != (CoderInfo *) NULL)
+     (void) CopyMagickString(module_name,p->name,MagickPathExtent);
+-  rights=AllPolicyRights;
++  rights=ReadPolicyRights|WritePolicyRights;
+   if (IsRightsAuthorized(ModulePolicyDomain,rights,module_name) == MagickFalse)
+     {
+       errno=EPERM;
+@@ -441,18 +441,22 @@ MagickExport MagickBooleanType RegisterStaticModule(const char *module,
+ */
+ MagickExport void RegisterStaticModules(void)
+ {
++  PolicyRights
++    rights;
++
+   size_t
+     extent;
+ 
+   ssize_t
+     i;
+ 
++  rights=ReadPolicyRights|WritePolicyRights;
+   extent=sizeof(MagickModules)/sizeof(MagickModules[0]);
+   for (i=0; i < (ssize_t) extent; i++)
+   {
+     if (MagickModules[i].registered == MagickFalse)
+       {
+-        if (IsRightsAuthorized(ModulePolicyDomain,AllPolicyRights,
++        if (IsRightsAuthorized(ModulePolicyDomain,rights,
+               MagickModules[i].module) == MagickFalse)
+           continue;
+         (void) (MagickModules[i].register_module)();
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,38 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 15 Mar 2022 21:59:36 -0400
+Subject: Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4947
+bug-debian: https://bugs.debian.org/1013282
+origin: https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch
+---
+ coders/dcm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index d274ad..439aa 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3242,15 +3242,15 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+           RelinquishMagickMemory(info_copy);
+         }
+ 
+-      /*
+-        If we're entering a sequence, push the current image parameters onto
+-        the stack, so we can restore them at the end of the sequence.
+-      */
+       if (strcmp(explicit_vr,"SQ") == 0)
+         {
+-          DCMInfo *info_copy = (DCMInfo *) AcquireMagickMemory(sizeof(info));
+-          memcpy(info_copy,&info,sizeof(info));
+-          AppendValueToLinkedList(stack,info_copy);
++          /*
++            If we're entering a sequence, push the current image parameters
++            onto the stack, so we can restore them at the end of the sequence.
++          */
++          DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info));
++          (void) memcpy(clone_info,&info,sizeof(info));
++          AppendValueToLinkedList(stack,clone_info);
+           sequence_depth++;
+         }
+ 
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,25 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 26 Mar 2022 09:27:36 -0400
+Subject: CVE-2022-28463: buffer overflow in cin coder
+
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
+bug: https://github.com/ImageMagick/ImageMagick/issues/4988
+origin: https://github.com/ImageMagick/ImageMagick6/commit/e6ea5876e0228165ee3abc6e959aa174cee06680.patch
+(cherry picked from commit e6ea5876e0228165ee3abc6e959aa174cee06680)
+---
+ coders/cin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/cin.c b/coders/cin.c
+index 2f814e..67c56 100644
+--- a/coders/cin.c
++++ b/coders/cin.c
+@@ -450,6 +450,8 @@ static Image *ReadCINImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   image->endian=(magick[0] == 0x80) && (magick[1] == 0x2a) &&
+     (magick[2] == 0x5f) && (magick[3] == 0xd7) ? MSBEndian : LSBEndian;
+   cin.file.image_offset=ReadBlobLong(image);
++  if (cin.file.image_offset < 712)
++    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+   offset+=4;
+   cin.file.generic_length=ReadBlobLong(image);
+   offset+=4;
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,111 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 19 Mar 2022 07:01:57 -0400
+Subject: CVE-2022-32545: undefined behavior value outside char range
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/4963
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2091811
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa.patch
+
+(cherry picked from commit 450949ed017f009b399c937cf362f0058eacc5fa)
+---
+ coders/emf.c    | 3 ++-
+ coders/psd.c    | 5 +++--
+ magick/widget.c | 6 ++++++
+ wand/animate.c  | 5 ++++-
+ wand/display.c  | 5 ++++-
+ 5 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/coders/emf.c b/coders/emf.c
+index 6a9db..fd93c 100644
+--- a/coders/emf.c
++++ b/coders/emf.c
+@@ -411,7 +411,8 @@ static HENHMETAFILE ReadEnhMetaFile(const char *path,ssize_t *width,
+     }
+   ReadFile(hFile,pBits,dwSize,&dwSize,NULL);
+   CloseHandle(hFile);
+-  if (((PAPMHEADER) pBits)->dwKey != 0x9ac6cdd7l)
++  if (((PAPMHEADER) pBits)->dwKey != 0x9ac6cdd7l ||
++      (((PAPMHEADER) pBits)->wInch == 0))
+     {
+       pBits=(BYTE *) DestroyString((char *) pBits);
+       return((HENHMETAFILE) NULL);
+diff --git a/coders/psd.c b/coders/psd.c
+index 3dc25..5c70c 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -1045,8 +1045,9 @@ static MagickBooleanType ReadPSDChannelPixels(Image *image,
+           number_bits=8;
+         for (bit=0; bit < number_bits; bit++)
+         {
+-          SetPSDPixel(image,channels,type,packet_size,(((unsigned char) pixel)
+-            & (0x01 << (7-bit))) != 0 ? 0 : QuantumRange,q++,indexes,x++);
++          SetPSDPixel(image,channels,type,packet_size,
++            (((unsigned char) ((ssize_t) pixel)) & (0x01 << (7-bit))) != 0 ? 0 :
++            QuantumRange,q++,indexes,x++);
+         }
+         if (x != (ssize_t) image->columns)
+           x--;
+diff --git a/magick/widget.c b/magick/widget.c
+index e93a3..605558 100644
+--- a/magick/widget.c
++++ b/magick/widget.c
+@@ -7858,6 +7858,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+             break;
+           }
+         state&=(~InactiveWidgetState);
++        if (selection_info.height == 0)
++          break;
+         id=(event.xbutton.y-top_offset)/(int) selection_info.height;
+         selection_info.id=id;
+         if ((id < 0) || (id >= (int) number_selections))
+@@ -7911,6 +7913,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+         if (event.xcrossing.state == 0)
+           break;
+         state&=(~InactiveWidgetState);
++        if (selection_info.height == 0)
++          break;
+         id=((event.xcrossing.y-top_offset)/(int) selection_info.height);
+         if ((selection_info.id >= 0) &&
+             (selection_info.id < (int) number_selections))
+@@ -7997,6 +8001,8 @@ MagickExport int XMenuWidget(Display *display,XWindows *windows,
+           break;
+         if (state & InactiveWidgetState)
+           break;
++        if (selection_info.height == 0)
++          break;
+         id=(event.xmotion.y-top_offset)/(int) selection_info.height;
+         if ((selection_info.id >= 0) &&
+             (selection_info.id < (int) number_selections))
+diff --git a/wand/animate.c b/wand/animate.c
+index 0f704..adc84 100644
+--- a/wand/animate.c
++++ b/wand/animate.c
+@@ -1143,7 +1143,10 @@ WandExport MagickBooleanType AnimateImageCommand(ImageInfo *image_info,
+             if (i == (ssize_t) argc)
+               ThrowAnimateException(OptionError,"MissingArgument",option);
+             if (XRemoteCommand(display,resource_info.window_id,argv[i]) != 0)
+-              return(MagickFalse);
++              {
++                DestroyAnimate();
++                return(MagickFalse);
++              }
+             i--;
+             break;
+           }
+diff --git a/wand/display.c b/wand/display.c
+index b7b9e..27aba 100644
+--- a/wand/display.c
++++ b/wand/display.c
+@@ -1491,7 +1491,10 @@ WandExport MagickBooleanType DisplayImageCommand(ImageInfo *image_info,
+             if (i == (ssize_t) argc)
+               ThrowDisplayException(OptionError,"MissingArgument",option);
+             if (XRemoteCommand(display,resource_info.window_id,argv[i]) != 0)
+-              return(MagickFalse);
++              {
++                DestroyDisplay();
++                return(MagickFalse);
++              }
+             i--;
+             break;
+           }
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0041-CVE-2022-32546-outside-the-range-of-representable-va.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,27 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 24 Mar 2022 11:38:59 -0400
+Subject: CVE-2022-32546 outside the range of representable values of type
+ 'unsigned long' at coders/pcl.c,
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/4986
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943.patch
+---
+ coders/pcl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/pcl.c b/coders/pcl.c
+index a6bd6..f1d9a 100644
+--- a/coders/pcl.c
++++ b/coders/pcl.c
+@@ -294,8 +294,8 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     /*
+       Set PCL render geometry.
+     */
+-    width=(size_t) floor(bounds.x2-bounds.x1+0.5);
+-    height=(size_t) floor(bounds.y2-bounds.y1+0.5);
++    width=(size_t) CastDoubleToLong(floor(bounds.x2-bounds.x1+0.5));
++    height=(size_t) CastDoubleToLong(floor(bounds.y2-bounds.y1+0.5));
+     if (width > page.width)
+       page.width=width;
+     if (height > page.height)
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch	2023-05-25 21:50:29.000000000 +0000
@@ -0,0 +1,33 @@
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 9 Apr 2022 08:40:54 -0400
+Subject: Fix CVE-2022-32547: unaligned access in property
+
+bug: https://github.com/ImageMagick/ImageMagick/pull/5034
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
+origin: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b.patch
+bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2091813
+---
+ magick/property.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/magick/property.c b/magick/property.c
+index 0381b..f83954 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -1513,12 +1513,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
+             }
+             case EXIF_FMT_SINGLE:
+             {
+-              EXIFMultipleValues(4,"%f",(double) *(float *) p1);
++              EXIFMultipleValues(4,"%.20g",(double)
++                ReadPropertySignedLong(endian,p1));
+               break;
+             }
+             case EXIF_FMT_DOUBLE:
+             {
+-              EXIFMultipleValues(8,"%f",*(double *) p1);
++              EXIFMultipleValues(8,"%.20g",(double)
++                ReadPropertySignedLong(endian,p1));
+               break;
+             }
+             case EXIF_FMT_STRING:
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series	2023-02-03 17:59:07.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series	2023-05-25 21:50:29.000000000 +0000
@@ -23,3 +23,20 @@
 0001-https-github.com-ImageMagick-ImageMagick6-issues-145.patch
 0023-disable-ghostscript-formats.patch
 move-profile-property-to-cli-option.patch
+0026-CVE-2021-3574-memory-leak.patch
+0027-CVE-2021-4219-Dos.patch
+0028-CVE-2021-20241.patch
+0029-CVE-2021-20243.patch
+0030-CVE-2021-20244-uses-the-PerceptibleReciprocal-to-pre.patch
+0031-CVE-2021-20245-Division-by-zero-in-WriteAnimatedWEBP.patch
+0032-CVE-2021-20246-division-by-zero-in-MagickCore-resamp.patch
+0033-CVE-2021-20309-Division-by-zero-in-WaveImage.patch
+0034-partial-CVE-2021-39212-Fixed-incorrect-check-when-mo.patch
+0035-partial-CVE-2021-39212-Added-missing-policy-checks-i.patch
+0036-partial-CVE-2021-39212-Use-AllPolicyRights-instead.patch
+0037-CVE-2021-39212-Use-the-correct-rights.patch
+0038-Fix-CVE-2022-1114-Heap-use-after-free-in-RelinquishD.patch
+0039-CVE-2022-28463-buffer-overflow-in-cin-coder.patch
+0040-CVE-2022-32545-undefined-behavior-value-outside-char.patch
+0041-CVE-2022-32546-outside-the-range-of-representable-va.patch
+0042-Fix-CVE-2022-32547-unaligned-access-in-property.patch
diff -Nru imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh
--- imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/salsa-ci-enable-sec-and-update-repos.sh	2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Debug what repositories are available to begin with
+grep -r "^deb " /etc/apt/sources.*
+
+# Enable the same repositories that were available at build time in
+# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye
+. /etc/os-release
+cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+EOF
+
+apt-get update
+
+# Ref
+# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
+# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58
+# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85
diff -Nru imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml
--- imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/salsa-ci.yml	2023-05-26 07:10:27.000000000 +0000
@@ -0,0 +1,8 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
+  SALSA_CI_PIUPARTS_PRE_INSTALL_SCRIPT: 'debian/salsa-ci-enable-sec-and-update-repos.sh'

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message --- 
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
Reply to: