-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Dec 2025 17:36:07 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc imagemagick-common imagemagick-doc libimage-magick-perl libmagick++-6-headers libmagick++-dev libmagickcore-6-headers libmagickcore-dev libmagickwand-6-headers libmagickwand-dev perlmagick
Architecture: all
Version: 8:6.9.11.60+dfsg-1.6+deb12u5
Distribution: bookworm
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Bastien Roucariès
Description:
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 1118340 1122584 1122827
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u5) bookworm; urgency=medium
 .
   * Fix CVE-2025-62171 (Closes: #1118340)
     Integer Overflow in BMP Decoder (ReadBMP):
     CVE-2025-57803 claims to be patched, but the fix is
     incomplete and ineffective.
     .
     The patch added BMPOverflowCheck() but placed it
     after the overflow occurs, making it useless.
     A malicious 58-byte BMP file can trigger AddressSanitizer
     crashes and DoS.
   * Fix CVE-2025-65955 (Closes: #1122827)
     A vulnerability was found in ImageMagick’s Magick++ layer that
     manifests when Options::fontFamily is invoked with an empty
     string. Clearing a font family calls RelinquishMagickMemory on
     _drawInfo->font, freeing the font string but leaving
     _drawInfo->font pointing to freed memory while _drawInfo->family
     is set to that (now-invalid) pointer. Any later cleanup or reuse
     of _drawInfo->font re-frees or dereferences dangling memory.
     DestroyDrawInfo and other setters (Options::font, Image::font)
     assume _drawInfo->font remains valid, so destruction or
     subsequent updates trigger crashes or heap corruption
   * Fix CVE-2025-66628 (Closes: #1122584)
     The TIM (PSX TIM) image parser contains a critical integer
     overflow vulnerability in its ReadTIMImage function
     (coders/tim.c). The code reads width and height (16-bit values)
     from the file header and calculates
     image_size = 2 * width * height without checking for overflow.
     On 32-bit systems (or where size_t is 32-bit), this calculation
     can overflow if width and height are large (e.g., 65535),
     wrapping around to a small value
   * Fix CVE-2025-68469
     ImageMagick crashes when processing a crafted TIFF file.
   * Fix CVE-2025-68618:
     Magick's failure to limit the depth of SVG file reads caused
     a DoS attack.
   * Fix CVE-2025-68950:
     Magick's failure to limit MVG mutual references forming a loop
   * Fix CVE-2025-69204:
     Converting a malicious MVG file to SVG caused an integer overflow.
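The unchecked size computation described in the CVE-2025-66628 entry and the ordering problem described in the CVE-2025-62171 entry (a check placed after the overflow) are shown below as an added C example; it is not ImageMagick's or Debian's code. The function names, the 64 MiB limit and the sample dimensions are constructed for illustration, and uint32_t stands in for a 32-bit size_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: uint32_t models a 32-bit size_t so the wrap is
   reproducible on 64-bit hosts. Names are hypothetical, not ImageMagick's. */

/* Unchecked form from the changelog text: image_size = 2 * width * height. */
static uint32_t tim_size_unchecked(uint16_t width, uint16_t height)
{
    return (uint32_t)2 * width * height; /* wraps modulo 2^32 */
}

/* Check placed AFTER the multiplication: it inspects the wrapped value,
   so an oversized image passes the limit test. */
static bool late_check_accepts(uint16_t width, uint16_t height, uint32_t limit)
{
    uint32_t size = tim_size_unchecked(width, height);
    return size != 0 && size <= limit;
}

/* Check placed BEFORE the multiplication: reject when the product cannot
   be represented, and only then compute it. */
static bool tim_size_checked(uint16_t width, uint16_t height, uint32_t *out)
{
    uint32_t row;

    if (width == 0 || height == 0)
        return false;
    row = (uint32_t)2 * width;        /* at most 131070, cannot wrap */
    if (height > UINT32_MAX / row)    /* row * height would exceed 32 bits */
        return false;
    *out = row * height;
    return true;
}

int main(void)
{
    const uint32_t limit = 64u * 1024u * 1024u; /* constructed 64 MiB cap */
    uint32_t size = 0;

    /* Constructed dimensions: the true size is 4295032830 bytes. */
    printf("unchecked: %u\n", (unsigned)tim_size_unchecked(32769, 65535));
    printf("late check accepts: %d\n", late_check_accepts(32769, 65535, limit));
    printf("early check accepts: %d\n", tim_size_checked(32769, 65535, &size));
    if (tim_size_checked(640, 480, &size))
        printf("640x480: %u bytes\n", (unsigned)size);
    return 0;
}
```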