• unblock: imagemagick/8:7.1.1.43+dfsg1-1+deb13u1

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Jul 20 11:12:20 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected], [email protected]
    Control: affects -1 + src:imagemagick
    User: [email protected]
    Usertags: unblock

    Please unblock package imagemagick

    [ Reason ]
    CVE fixes asked for by carnil (security team), here in copy.
    Note it is a proposed-testing-update because sid has
    some regression.

    [ Impact ]
    CVEs are open.

    [ Tests ]
    Autopkgtest + internal testsuite

    [ Risks ]
    Low; changes are self-contained.

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    [ Other info ]
    Asked by the security team to go in before the release.

    unblock imagemagick/8:7.1.1.43+dfsg1-1+deb13u1

    Attachment: imagemagick.debdiff

    diff -Nru imagemagick-7.1.1.43+dfsg1/debian/changelog imagemagick-7.1.1.43+dfsg1/debian/changelog
    --- imagemagick-7.1.1.43+dfsg1/debian/changelog 2024-12-29 12:21:15.000000000 +0100
    +++ imagemagick-7.1.1.43+dfsg1/debian/changelog 2025-07-15 22:29:23.000000000 +0200
    @@ -1,3 +1,35 @@
    +imagemagick (8:7.1.1.43+dfsg1-1+deb13u1) trixie; urgency=medium
    +
    + * Fix CVE-2025-53014:
    + A heap buffer overflow was found in the `InterpretImageFilename`
    + function. The issue stems from an off-by-one error that
    + causes out-of-bounds memory access when processing format
    + strings containing consecutive percent signs (`%%`).
    + (Closes: #1109339)
    + * Fix CVE-2025-53015:
    + Infinite loop occur when writing during a specific XMP
    + file conversion command
    + (Closes: #1109339)
    + * Fix CVE-2025-53019:
    + `magick stream` command, specifying
    + multiple consecutive `%d` format specifiers in a
    + filename template causes a memory leak
    + (Closes: #1109339)
    + * Fix CVE-2025-53101:
    + `magick mogrify` command, specifying multiple consecutive
    + `%d` format specifiers in a fi
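    Review bot: all four CVE entries in this changelog hunk close the same bug, #1109339; if the BTS tracks the four CVEs under a single report, one Closes after the last entry would suffice, and if there is one report per CVE each entry should cite its own number. The entries for CVE-2025-53019 and CVE-2025-53101 describe what reads as the same defect (consecutive `%d` specifiers in a filename template) under two different commands, so a short note on how the two fixes differ would help whoever reviews the debdiff. As quoted here the attachment ends mid-word after the changelog hunk, so the code changes themselves cannot be checked from this message.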
  • From Paul Gevers@21:1/5 to Bastien Roucaries on Sun Jul 20 13:20:01 2025
    XPost: linux.debian.devel.release
    To: [email protected]

    Control: tags -1 moreinfo

    Hi Bastien,

    On 20-07-2025 11:12, Bastien Roucaries wrote:
    > Note it is a proposed-testing-update because sid has
    > some regression

    I already told you in bug 1104632 message 29 that that's not what tpu is
    for. If you want to bring the fix to trixie without waiting for the
    security archive to open, upload a version to unstable with the upstream
    version bump reverted and the security fixes cherry-picked.

    Paul


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastien Roucaries@21:1/5 to All on Mon Jul 21 22:48:35 2025
    XPost: linux.debian.devel.release

    On Sunday 20 July 2025, 13:11:26 Central European Summer Time, Paul Gevers wrote:
    > Control: tags -1 moreinfo
    >
    > Hi Bastien,
    >
    > On 20-07-2025 11:12, Bastien Roucaries wrote:
    > > Note it is a proposed-testing-update because sid has
    > > some regression
    >
    > I already told you in bug 1104632 message 29 that that's not what tpu is
    > for. If you want to bring the fix to trixie without waiting for the
    > security archive to open, upload a version to unstable with the upstream
    > version bump reverted and the security fixes cherry-picked.

    Carnil, what is your preference?

    Bastien

    > Paul



