Import Debian changes 8:6.9.11.60+dfsg-1.6+deb12u2

debian/changelog

+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+
+ -- Bastien Roucariès <rouca@debian.org>  Thu, 11 Jul 2024 10:48:47 +0000
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
 
   * Acknowledge NMU
@@ -34,7 +41,7 @@ imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
     was found in coders/tiff.c in ImageMagick. This issue
     may allow a local attacker to trick the user into opening
     a specially crafted file, resulting in an application crash
-    and denial of service.
+    and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
     coders/bmp.c
 

debian/control

-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Mon Jun 24 16:27:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional

debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 23 Apr 2024 18:19:24 -0400
+Subject: CVE-2023-34151: properly cast double to size_t
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/6341
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340
+
+forgot to cast double to unsigned int
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9.patch
+---
+ coders/mvg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/mvg.c b/coders/mvg.c
+index 2d503e1..d8e793e 100644
+--- a/coders/mvg.c
++++ b/coders/mvg.c
+@@ -191,8 +191,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     96.0;
+   draw_info->affine.sy=image->y_resolution == 0.0 ? 1.0 : image->y_resolution/
+     96.0;
+-  image->columns=(size_t) (draw_info->affine.sx*image->columns);
+-  image->rows=(size_t) (draw_info->affine.sy*image->rows);
++  image->columns=CastDoubleToUnsigned(draw_info->affine.sx*image->columns);
++  image->rows=CastDoubleToUnsigned(draw_info->affine.sy*image->rows);
+   status=SetImageExtent(image,image->columns,image->rows);
+   if (status == MagickFalse)
+     {

debian/patches/0067-CVE-2023-34151.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 21 Feb 2022 11:55:23 -0500
+Subject: CVE-2023-34151
+
+This is a prerequist for fixing it
+
+magick produces incorrect result possibly due to overflow
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4870
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8b7b17c8fef72dab479e6ca676676d8c5e395dd6
+---
+ coders/txt.c           | 24 ++++++++++++------------
+ magick/image-private.h | 11 +++++++++++
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/coders/txt.c b/coders/txt.c
+index 0e5c794..bca071f 100644
+--- a/coders/txt.c
++++ b/coders/txt.c
+@@ -573,18 +573,18 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+             green+=(range+1)/2.0;
+             blue+=(range+1)/2.0;
+           }
+-        pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+-          MagickMax(red+0.5,0.0),range);
+-        pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+-          MagickMax(green+0.5,0.0),range);
+-        pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+-          MagickMax(blue+0.5,0.0),range);
+-        pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+-          MagickMax(index+0.5,0.0),range);
+-        pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+-          MagickMax(opacity+0.5,0.0),range);
+-        q=GetAuthenticPixels(image,CastDoubleToLong(x_offset),
+-          CastDoubleToLong(y_offset),1,1,exception);
++        pixel.red=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny(
++          red),range);
++        pixel.green=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny(
++          green),range);
++        pixel.blue=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny(
++          blue),range);
++        pixel.index=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny(
++          index),range);
++        pixel.opacity=(MagickRealType) ScaleAnyToQuantum(CastDoubleToQuantumAny(
++          opacity),range);
++        q=GetAuthenticPixels(image,CastDoubleToLong(x_offset),CastDoubleToLong(
++          y_offset),1,1,exception);
+         if (q == (PixelPacket *) NULL)
+           {
+             status=MagickFalse;
+diff --git a/magick/image-private.h b/magick/image-private.h
+index b269f33..fc7d4b4 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -84,6 +84,17 @@ static inline size_t CastDoubleToUnsigned(const double x)
+   return((size_t) x);
+ }
+ 
++static inline QuantumAny CastDoubleToQuantumAny(const double x)
++{
++  if (IsNaN(x) != 0)
++    return(0);
++  if (x > ((double) ((QuantumAny) ~0)))
++    return((QuantumAny) ~0);
++  if (x < 0.0)
++    return(0.0);
++  return((QuantumAny) (x+0.5));
++}
++
+ static inline double DegreesToRadians(const double degrees)
+ {
+   return((double) (MagickPI*degrees/180.0));

debian/patches/0068-incorrect-bounds-checking-for-draw-affine-https-gith.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 28 Aug 2022 10:55:11 -0400
+Subject: incorrect bounds checking for draw affine @
+ https://github.com/ImageMagick/ImageMagick/issues/5497
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c5a9368d871943eceafce143bb87612b2a9623b2.patch
+---
+ magick/draw.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 50ed8e0..14774d6 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -1206,12 +1206,12 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
+   assert(affine != (AffineMatrix *) NULL);
+   extent[0].x=0.0;
+   extent[0].y=0.0;
+-  extent[1].x=(double) source->columns-1.0;
++  extent[1].x=(double) source->columns;
+   extent[1].y=0.0;
+-  extent[2].x=(double) source->columns-1.0;
+-  extent[2].y=(double) source->rows-1.0;
++  extent[2].x=(double) source->columns;
++  extent[2].y=(double) source->rows;
+   extent[3].x=0.0;
+-  extent[3].y=(double) source->rows-1.0;
++  extent[3].y=(double) source->rows;
+   for (i=0; i < 4; i++)
+   {
+     point=extent[i];
+@@ -1237,11 +1237,15 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
+   if (SetImageStorageClass(image,DirectClass) == MagickFalse)
+     return(MagickFalse);
+   status=MagickTrue;
+-  edge.x1=MagickMax(min.x,0.0);
+-  edge.y1=MagickMax(min.y,0.0);
+-  edge.x2=MagickMin(max.x,(double) image->columns-1.0);
+-  edge.y2=MagickMin(max.y,(double) image->rows-1.0);
++  edge.x1=min.x;
++  edge.y1=min.y;
++  edge.x2=max.x;
++  edge.y2=max.y;
+   inverse_affine=InverseAffineMatrix(affine);
++  if (edge.y1 < 0.0)
++    edge.y1=0.0;
++  if (edge.y2 > (image->rows-1.0))
++    edge.y2=image->rows-1.0;
+   GetMagickPixelPacket(image,&zero);
+   exception=(&image->exception);
+   start=CastDoubleToLong(ceil(edge.y1-0.5));
+@@ -1281,6 +1285,10 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
+     inverse_edge=AffineEdge(source,&inverse_affine,(double) y,&edge);
+     if (inverse_edge.x2 < inverse_edge.x1)
+       continue;
++    if (inverse_edge.x1 < 0.0)
++      inverse_edge.x1=0.0;
++    if (inverse_edge.x2 > image->columns-1.0)
++      inverse_edge.x2=image->columns-1.0;
+     q=GetCacheViewAuthenticPixels(image_view,CastDoubleToLong(
+       ceil(inverse_edge.x1-0.5)),y,(size_t) CastDoubleToLong(floor(
+       inverse_edge.x2+0.5)-ceil(inverse_edge.x1-0.5)+1),1,exception);

debian/patches/0069-CVE-2023-34151.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 19 Apr 2024 13:39:44 -0400
+Subject: CVE-2023-34151
+
+improved range checking (https://github.com/ImageMagick/ImageMagick/issues/6341)
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117.patch
+---
+ coders/mvg.c           |  4 ++--
+ magick/image-private.h | 46 +++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/coders/mvg.c b/coders/mvg.c
+index d8e793e..d17de75 100644
+--- a/coders/mvg.c
++++ b/coders/mvg.c
+@@ -177,8 +177,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+           continue;
+         (void) sscanf(p,"viewbox %lf %lf %lf %lf",&bounds.x1,&bounds.y1,
+           &bounds.x2,&bounds.y2);
+-        image->columns=(size_t) floor((bounds.x2-bounds.x1)+0.5);
+-        image->rows=(size_t) floor((bounds.y2-bounds.y1)+0.5);
++        image->columns=CastDoubleToUnsigned(floor((bounds.x2-bounds.x1)+0.5));
++        image->rows=CastDoubleToUnsigned(floor((bounds.y2-bounds.y1)+0.5));
+         break;
+       }
+     }
+diff --git a/magick/image-private.h b/magick/image-private.h
+index fc7d4b4..57c5159 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -53,30 +53,25 @@ extern "C" {
+ #define UndefinedCompressionQuality  0UL
+ #define UndefinedTicksPerSecond  100L
+ 
+-static inline ssize_t CastDoubleToLong(const double value)
++static inline size_t CastDoubleToLong(const double x)
+ {
+-  if (IsNaN(value) != 0)
+-    return(0);
+-  if (value > (double) MAGICK_SSIZE_MAX)
+-    return((ssize_t) MAGICK_SSIZE_MAX);
+-  if (value < (double) MAGICK_SSIZE_MIN)
+-    return((ssize_t) MAGICK_SSIZE_MIN);
+-  return((ssize_t) value);
+-}
++  double
++    value;
+ 
+-static inline size_t CastDoubleToUnsigned(const double x)
+-{
+   if (IsNaN(x) != 0)
+     {
+       errno=ERANGE;
+       return(0);
+     }
+-  if (floor(x) > ((double) MAGICK_SSIZE_MAX-1))
++  value=floor(x);
++  if (value > ((double) MAGICK_SSIZE_MAX-1))
+     {
+       errno=ERANGE;
+       return((size_t) MAGICK_SIZE_MAX);
+     }
+-  if (ceil(x) < 0.0)
++
++  value=ceil(x);
++  if (value < ((double) MAGICK_SSIZE_MIN+1))
+     {
+       errno=ERANGE;
+       return(0);
+@@ -95,6 +90,31 @@ static inline QuantumAny CastDoubleToQuantumAny(const double x)
+   return((QuantumAny) (x+0.5));
+ }
+ 
++static inline size_t CastDoubleToUnsigned(const double x)
++{
++  double
++    value;
++
++  if (IsNaN(x) != 0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  value=floor(x);
++  if (value > ((double) MAGICK_SIZE_MAX-1))
++    {
++      errno=ERANGE;
++      return((size_t) MAGICK_SIZE_MAX);
++    }
++  value=ceil(x);
++  if (ceil(x) < 0.0)
++    {
++      errno=ERANGE;
++      return(0);
++    }
++  return((size_t) x);
++}
++
+ static inline double DegreesToRadians(const double degrees)
+ {
+   return((double) (MagickPI*degrees/180.0));

debian/patches/0070-check-for-value-0-ceil-not-required.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 19 Apr 2024 14:33:05 -0400
+Subject: check for value < 0, ceil() not required
+
+This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546.
+
+Cast from double to integer is hard to correctly and was fixed by a few patches upstream.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/6341
+origin: https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649.patch
+---
+ magick/image-private.h | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/magick/image-private.h b/magick/image-private.h
+index 57c5159..bfc0265 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -67,16 +67,14 @@ static inline size_t CastDoubleToLong(const double x)
+   if (value > ((double) MAGICK_SSIZE_MAX-1))
+     {
+       errno=ERANGE;
+-      return((size_t) MAGICK_SIZE_MAX);
+-    }
+-
+-  value=ceil(x);
++      return((ssize_t) MAGICK_SSIZE_MAX);
++    } value=ceil(x);
+   if (value < ((double) MAGICK_SSIZE_MIN+1))
+     {
+       errno=ERANGE;
+       return(0);
+     }
+-  return((size_t) x);
++  return((ssize_t) value);
+ }
+ 
+ static inline QuantumAny CastDoubleToQuantumAny(const double x)
+@@ -106,13 +104,12 @@ static inline size_t CastDoubleToUnsigned(const double x)
+       errno=ERANGE;
+       return((size_t) MAGICK_SIZE_MAX);
+     }
+-  value=ceil(x);
+-  if (ceil(x) < 0.0)
++  if (value < 0.0)
+     {
+       errno=ERANGE;
+       return(0);
+     }
+-  return((size_t) x);
++  return((size_t) value);
+ }
+ 
+ static inline double DegreesToRadians(const double degrees)

debian/patches/0071-fix-undefined-behaviors-when-casting-double-to-size_.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 19 Apr 2024 19:38:56 -0400
+Subject: fix undefined behaviors when casting double to size_t
+
+This is needed for fixing CVE-2023-34151
+
+Cast from double to integer is hard to correctly and was fixed by a few patches upstream.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/6341
+origin: https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e
+---
+ magick/image-private.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/magick/image-private.h b/magick/image-private.h
+index bfc0265..839ed72 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -64,12 +64,12 @@ static inline size_t CastDoubleToLong(const double x)
+       return(0);
+     }
+   value=floor(x);
+-  if (value > ((double) MAGICK_SSIZE_MAX-1))
++  if (value > ((double) MAGICK_SSIZE_MAX))
+     {
+       errno=ERANGE;
+       return((ssize_t) MAGICK_SSIZE_MAX);
+     } value=ceil(x);
+-  if (value < ((double) MAGICK_SSIZE_MIN+1))
++  if (value < ((double) MAGICK_SSIZE_MIN))
+     {
+       errno=ERANGE;
+       return(0);
+@@ -99,7 +99,7 @@ static inline size_t CastDoubleToUnsigned(const double x)
+       return(0);
+     }
+   value=floor(x);
+-  if (value > ((double) MAGICK_SIZE_MAX-1))
++  if (value > ((double) MAGICK_SIZE_MAX))
+     {
+       errno=ERANGE;
+       return((size_t) MAGICK_SIZE_MAX);

debian/patches/0072-use-a-different-path-for-positive-and-negative-value.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 20 Apr 2024 06:40:49 -0400
+Subject: use a different path for positive and negative values
+
+This is needed for fixing CVE-2023-34151
+
+Cast from double to integer is hard to correctly and was fixed by a few patches upstream.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb.patch
+---
+ magick/image-private.h | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/magick/image-private.h b/magick/image-private.h
+index 839ed72..4e03993 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -63,16 +63,23 @@ static inline size_t CastDoubleToLong(const double x)
+       errno=ERANGE;
+       return(0);
+     }
+-  value=floor(x);
+-  if (value > ((double) MAGICK_SSIZE_MAX))
++  if (x < 0.0)
+     {
+-      errno=ERANGE;
+-      return((ssize_t) MAGICK_SSIZE_MAX);
+-    } value=ceil(x);
+-  if (value < ((double) MAGICK_SSIZE_MIN))
++      value=ceil(x);
++      if (value < ((double) MAGICK_SSIZE_MIN))
++        {
++          errno=ERANGE;
++          return((ssize_t) MAGICK_SSIZE_MIN);
++        }
++    }
++  else
+     {
+-      errno=ERANGE;
+-      return(0);
++      value=floor(x);
++      if (value > ((double) MAGICK_SSIZE_MAX))
++        {
++          errno=ERANGE;
++          return((ssize_t) MAGICK_SSIZE_MAX);
++        }
+     }
+   return((ssize_t) value);
+ }

debian/patches/0073-use-instead-to-work-around-precision-limitations-of-.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 23 Apr 2024 11:39:48 -0400
+Subject: use >= instead to work around precision limitations of a double.
+
+This is needed for fixing CVE-2023-34151
+
+Cast from double to integer is hard to correctly and was fixed by a few patches upstream.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4.patch
+---
+ magick/image-private.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/image-private.h b/magick/image-private.h
+index 4e03993..bfe0a81 100644
+--- a/magick/image-private.h
++++ b/magick/image-private.h
+@@ -106,7 +106,7 @@ static inline size_t CastDoubleToUnsigned(const double x)
+       return(0);
+     }
+   value=floor(x);
+-  if (value > ((double) MAGICK_SIZE_MAX))
++  if (value >= ((double) MAGICK_SIZE_MAX))
+     {
+       errno=ERANGE;
+       return((size_t) MAGICK_SIZE_MAX);

debian/patches/0074-CVE-2023-1289-recursion-detection-fail.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 19:50:49 -0500
+Subject: CVE-2023-1289: recursion detection fail
+
+This is a partial revert of the detection recursion of CVE-2023-1289.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/1485a4c2cba8ca32981016fa25e7a15ef84f06f6.patch
+---
+ magick/constitute.c | 7 -------
+ magick/draw.c       | 1 -
+ magick/image.c      | 1 -
+ magick/image.h      | 3 ---
+ 4 files changed, 12 deletions(-)
+
+diff --git a/magick/constitute.c b/magick/constitute.c
+index 49e8f82..410c106 100644
+--- a/magick/constitute.c
++++ b/magick/constitute.c
+@@ -563,16 +563,9 @@ MagickExport Image *ReadImage(const ImageInfo *image_info,
+       if ((thread_support & DecoderThreadSupport) == 0)
+         LockSemaphoreInfo(magick_info->semaphore);
+       status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
+-      if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
+-        {
+-          (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
+-            "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
+-          status=MagickFalse;
+-        }
+       image=(Image *) NULL;
+       if (status != MagickFalse)
+         image=GetImageDecoder(magick_info)(read_info,exception);
+-      ((ImageInfo *) image_info)->recursion_depth--;
+       if ((thread_support & DecoderThreadSupport) == 0)
+         UnlockSemaphoreInfo(magick_info->semaphore);
+     }
+diff --git a/magick/draw.c b/magick/draw.c
+index 14774d6..c27cb9a 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5452,7 +5452,6 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+       if (primitive_info->text == (char *) NULL)
+         break;
+       clone_info=AcquireImageInfo();
+-      clone_info->recursion_depth=draw_info->image_info->recursion_depth;
+       composite_images=(Image *) NULL;
+       if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
+         composite_images=ReadInlineImage(clone_info,primitive_info->text,
+diff --git a/magick/image.c b/magick/image.c
+index 9ee22d8..1fc3617 100644
+--- a/magick/image.c
++++ b/magick/image.c
+@@ -1008,7 +1008,6 @@ MagickExport ImageInfo *CloneImageInfo(const ImageInfo *image_info)
+   clone_info->subimage=image_info->scene;  /* deprecated */
+   clone_info->subrange=image_info->number_scenes;  /* deprecated */
+   clone_info->channel=image_info->channel;
+-  clone_info->recursion_depth=image_info->recursion_depth;
+   clone_info->debug=IsEventLogging();
+   clone_info->signature=image_info->signature;
+   return(clone_info);
+diff --git a/magick/image.h b/magick/image.h
+index e71df13..ac69bef 100644
+--- a/magick/image.h
++++ b/magick/image.h
+@@ -499,9 +499,6 @@ struct _ImageInfo
+ 
+   MagickBooleanType
+     synchronize;
+-
+-  size_t
+-    recursion_depth;  /* recursion detection */
+ };
+ 
+ extern MagickExport ExceptionType

debian/patches/0075-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch

+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 23 Dec 2021 06:46:46 -0500
+Subject: improved fix for possible DoS for certain SVG constructs
+
+This is partial fix CVE-2023-1289
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/84ec30550c3146f525383f18a786a6bbd5028a93.patch
+---
+ magick/draw.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index c27cb9a..bab9b47 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5459,19 +5459,33 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+       else
+         if (*primitive_info->text != '\0')
+           {
++            MagickBooleanType
++              status;
++
++            struct stat
++              attributes;
++
++            (void) CopyMagickString(clone_info->filename,primitive_info->text,
++              MagickPathExtent);
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
+-            status&=SetImageInfo(clone_info,1,exception);
+-            if (clone_info->size != (char *) NULL)
+-              clone_info->size=DestroyString(clone_info->size);
+-            if (clone_info->extract != (char *) NULL)
+-              clone_info->extract=DestroyString(clone_info->extract);
+-            if ((LocaleNCompare(clone_info->magick,"http",4) == 0) ||
+-                (LocaleCompare(clone_info->magick,"mpri") == 0))
+-              (void) CopyMagickString(clone_info->filename,primitive_info->text,
+-                MagickPathExtent);
+-            if (*clone_info->filename != '\0')
+-              composite_images=ReadImage(clone_info,exception);
++            status=GetPathAttributes(clone_info->filename,&attributes);
++            if ((status != MagickFalse) && (S_ISCHR(attributes.st_mode) == 0))
++              {
++                status&=SetImageInfo(clone_info,1,exception);
++                (void) CopyMagickString(clone_info->filename,
++                  primitive_info->text,MagickPathExtent);
++                if (clone_info->size != (char *) NULL)
++                  clone_info->size=DestroyString(clone_info->size);
++                if (clone_info->extract != (char *) NULL)
++                  clone_info->extract=DestroyString(clone_info->extract);
++                if ((LocaleCompare(clone_info->magick,"file") == 0) ||
++                    (LocaleCompare(clone_info->magick,"https") == 0) ||
++                    (LocaleCompare(clone_info->magick,"http") == 0) ||
++                    (LocaleCompare(clone_info->magick,"mpri") == 0) ||
++                    (IsPathAccessible(clone_info->filename) != MagickFalse))
++                  composite_images=ReadImage(clone_info,exception);
++              }
+           }
+       clone_info=DestroyImageInfo(clone_info);
+       if (composite_images == (Image *) NULL)

debian/patches/0076-permit-compositing-MPRI-images.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 29 Jan 2022 11:31:10 -0500
+Subject: permit compositing MPRI images
+
+This fix follow up of CVE-2023-1289
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/4dd4d0df449acb13fb859041b4996af58243e352.patch
+---
+ coders/mpr.c  |  9 +++++++--
+ magick/draw.c | 41 +++++++++++++++++++++++++----------------
+ 2 files changed, 32 insertions(+), 18 deletions(-)
+
+diff --git a/coders/mpr.c b/coders/mpr.c
+index 9cebc13..24c4e1f 100644
+--- a/coders/mpr.c
++++ b/coders/mpr.c
+@@ -100,8 +100,13 @@ static Image *ReadMPRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   assert(exception->signature == MagickCoreSignature);
+   image=(Image *) GetImageRegistry(ImageRegistryType,image_info->filename,
+     exception);
+-  if (image != (Image *) NULL)
+-    (void) SyncImageSettings(image_info,image);
++  if (image == (Image *) NULL)
++    {
++      (void) ThrowMagickException(exception,GetMagickModule(),FileOpenError,
++        "UnableToOpenFile","`%s'",image_info->filename);
++      return(image);
++    }
++  (void) SyncImageSettings(image_info,image);
+   return(image);
+ }
+ 
+diff --git a/magick/draw.c b/magick/draw.c
+index bab9b47..a8fcb91 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5459,33 +5459,42 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+       else
+         if (*primitive_info->text != '\0')
+           {
+-            MagickBooleanType
+-              status;
++            MagickStatusType
++              path_status;
+ 
+             struct stat
+               attributes;
+ 
++            /*
++              Read composite image.
++            */
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
++            (void) SetImageInfo(clone_info,1,exception);
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
+-            status=GetPathAttributes(clone_info->filename,&attributes);
+-            if ((status != MagickFalse) && (S_ISCHR(attributes.st_mode) == 0))
++            if (clone_info->size != (char *) NULL)
++              clone_info->size=DestroyString(clone_info->size);
++            if (clone_info->extract != (char *) NULL)
++              clone_info->extract=DestroyString(clone_info->extract);
++            path_status=GetPathAttributes(clone_info->filename,&attributes);
++            if (path_status != MagickFalse)
+               {
+-                status&=SetImageInfo(clone_info,1,exception);
+-                (void) CopyMagickString(clone_info->filename,
+-                  primitive_info->text,MagickPathExtent);
+-                if (clone_info->size != (char *) NULL)
+-                  clone_info->size=DestroyString(clone_info->size);
+-                if (clone_info->extract != (char *) NULL)
+-                  clone_info->extract=DestroyString(clone_info->extract);
+-                if ((LocaleCompare(clone_info->magick,"file") == 0) ||
+-                    (LocaleCompare(clone_info->magick,"https") == 0) ||
+-                    (LocaleCompare(clone_info->magick,"http") == 0) ||
+-                    (LocaleCompare(clone_info->magick,"mpri") == 0) ||
+-                    (IsPathAccessible(clone_info->filename) != MagickFalse))
++                if (S_ISCHR(attributes.st_mode) == 0)
+                   composite_images=ReadImage(clone_info,exception);
++                else
++                  (void) ThrowMagickException(exception,GetMagickModule(),
++                    FileOpenError,"UnableToOpenFile","`%s'",
++                    clone_info->filename);
+               }
++            else
++              if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
++                  (LocaleCompare(clone_info->magick,"https") != 0) &&
++                  (LocaleCompare(clone_info->magick,"http") != 0))
++                composite_images=ReadImage(clone_info,exception);
++              else
++                (void) ThrowMagickException(exception,GetMagickModule(),
++                  FileOpenError,"UnableToOpenFile","`%s'",clone_info->filename);
+           }
+       clone_info=DestroyImageInfo(clone_info);
+       if (composite_images == (Image *) NULL)

debian/patches/0077-VID-images-not-permitted-when-compositing.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 31 Jan 2022 09:44:05 -0500
+Subject: VID images not permitted when compositing
+
+This fix followup of CVE-2023-1289
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/f4529c0dcf3a8f96c438086b28fbef8338cda0b1.patch
+---
+ magick/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index a8fcb91..0ab2dde 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5489,8 +5489,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+               }
+             else
+               if ((LocaleCompare(clone_info->magick,"ftp") != 0) &&
++                  (LocaleCompare(clone_info->magick,"http") != 0) &&
+                   (LocaleCompare(clone_info->magick,"https") != 0) &&
+-                  (LocaleCompare(clone_info->magick,"http") != 0))
++                  (LocaleCompare(clone_info->magick,"vid") != 0))
+                 composite_images=ReadImage(clone_info,exception);
+               else
+                 (void) ThrowMagickException(exception,GetMagickModule(),

debian/patches/0078-do-not-composite-SVG-to-avoid-possible-recursion.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 19:55:46 -0500
+Subject: do not composite SVG to avoid possible recursion
+
+This is part of fix of CVE-2023-1289
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/75aac79108af0c0b0d7fc88b1f09c340b0d62c85.patch
+---
+ magick/draw.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 0ab2dde..ce22a42 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -5459,6 +5459,9 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+       else
+         if (*primitive_info->text != '\0')
+           {
++            const MagickInfo
++              *magick_info;
++
+             MagickStatusType
+               path_status;
+ 
+@@ -5471,6 +5474,16 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
+             (void) SetImageInfo(clone_info,1,exception);
++            magick_info=GetMagickInfo(clone_info->magick,exception);
++            if ((magick_info != (const MagickInfo*) NULL) &&
++                (LocaleCompare(magick_info->module,"SVG") == 0))
++              {
++                (void) ThrowMagickException(exception,GetMagickModule(),
++                  CorruptImageError,"ImageTypeNotSupported","`%s'",
++                  clone_info->filename);
++                clone_info=DestroyImageInfo(clone_info);
++                break;
++              }
+             (void) CopyMagickString(clone_info->filename,primitive_info->text,
+               MagickPathExtent);
+             if (clone_info->size != (char *) NULL)

debian/patches/0079-recursion-detection-framework.patch

+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 15:06:05 -0500
+Subject: recursion detection framework
+
+Avoid a memory leak in previous patches
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/060660bf45e0771cf0431e5c2749aa51fabf23f8.patch
+---
+ magick/draw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index ce22a42..051f2fe 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -1017,6 +1017,8 @@ MagickExport DrawInfo *DestroyDrawInfo(DrawInfo *draw_info)
+     draw_info->clipping_mask=DestroyImage(draw_info->clipping_mask);
+   if (draw_info->composite_mask != (Image *) NULL)
+     draw_info->composite_mask=DestroyImage(draw_info->composite_mask);
++  if (draw_info->image_info != (ImageInfo *) NULL)
++    draw_info->image_info=DestroyImageInfo(draw_info->image_info);
+   draw_info->signature=(~MagickCoreSignature);
+   draw_info=(DrawInfo *) RelinquishMagickMemory(draw_info);
+   return(draw_info);

debian/patches/0080-Fixed-memory-leak.patch

+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sun, 16 Jul 2023 06:45:32 +0200
+Subject: Fixed memory leak.
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/c90e79b3b22fec309cab55af2ee606f71b027b12.patch
+---
+ magick/draw.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/magick/draw.c b/magick/draw.c
+index 051f2fe..91c4954 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -381,7 +381,6 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
+     clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0,
+       MagickTrue,&draw_info->composite_mask->exception);
+   clone_info->render=draw_info->render;
+-  clone_info->image_info=CloneImageInfo(draw_info->image_info);
+   clone_info->debug=IsEventLogging();
+   return(clone_info);
+ }

debian/patches/series

@@ -63,3 +63,18 @@ CVE-2022-32547.patch
 0063-Added-check-for-invalid-size.patch
 0064-improve-BMP-error-checking.patch
 0065-CVE-2023-5341.patch
+0066-CVE-2023-34151-properly-cast-double-to-size_t.patch
+0067-CVE-2023-34151.patch
+0068-incorrect-bounds-checking-for-draw-affine-https-gith.patch
+0069-CVE-2023-34151.patch
+0070-check-for-value-0-ceil-not-required.patch
+0071-fix-undefined-behaviors-when-casting-double-to-size_.patch
+0072-use-a-different-path-for-positive-and-negative-value.patch
+0073-use-instead-to-work-around-precision-limitations-of-.patch
+0074-CVE-2023-1289-recursion-detection-fail.patch
+0075-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch
+0076-permit-compositing-MPRI-images.patch
+0077-VID-images-not-permitted-when-compositing.patch
+0078-do-not-composite-SVG-to-avoid-possible-recursion.patch
+0079-recursion-detection-framework.patch
+0080-Fixed-memory-leak.patch

debian/rules

@@ -240,6 +240,12 @@ update_pkg.%:
 	HDRI=$(call HDRI_PART,$*) \
 	QUANTUMDEPTH=$* \
 	UCQUANTUMDEPTH=$(call UC,$*) \
+	$(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/CVE-2023-1289-$(IMVERSION).$*
+	chmod +x $(CURDIR)/debian/tests/CVE-2023-1289-$(IMVERSION).$*
+	QUANTUM=$(call QUANTUM_PART,$*) \
+	HDRI=$(call HDRI_PART,$*) \
+	QUANTUMDEPTH=$* \
+	UCQUANTUMDEPTH=$(call UC,$*) \
 	$(DH_EXEC_SUBST) $(CURDIR)/debian/tests.d/perlmagick-IMVERSION.QUANTUMDEPTH.in > $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$*
 	chmod +x $(CURDIR)/debian/tests/perlmagick-$(IMVERSION).$*
 	# clean up

debian/tests.d/CVE-2023-1289-IMVERSION.QUANTUMDEPTH.in

+#!/bin/sh
+
+CONVERT=convert-im${IMVERSION}.${QUANTUMDEPTH}
+
+set -e
+tee bad.svg <<"EOF"
+<!DOCTYPE test>
+<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
+<image height="200" width="200" xlink:href="bad.svg" />
+</svg>
+EOF
+
+error_code=0
+$CONVERT -verbose -font OpenSymbol bad.svg t.jpg || error_code=$?
+if [ error_code -gt 126]; then
+    exit $error_code;
+else
+    exit 0;
+fi
+