Unfortunately, I couldn't create a patch for imagemagick from Debian
Bookworm. So I sent only a patch for imagemagick from Debian Buster.

On Tue, 14 May 2024 at 15:38, Сергей Сёмин <syominser...@gmail.com> wrote:

> Hello!
> Upstream developers of ImageMagick6 fixed CVE-2023-34151 for mvg after all.
> See more info here:
>
> https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142
>
> I discovered the final list of commits fixing the problem:
> - https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117
> - https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649
> - https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e
> - https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb
> - https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4
> - https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9
>
> And this is also useful to make applying these commits to the version
> from Debian Buster easier:
> - https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9
>
> I squashed them, slightly adapted them to make them applicable to the target
> version of imagemagick and finally prepared this patch suitable for
> imagemagick_6.9.10.23+dfsg-2.1+deb10u7 from Debian Buster:
>
> https://pastila.nl/?001caded/fa33173a3374db4c55ab654d3e75d668#ZqwgZatwpOmWAtcWUs6QAA==
>
> I checked that after applying this patch to
> imagemagick_6.9.10.23+dfsg-2.1+deb10u7 the bug CVE-2023-34151 is not
> reproducible - there is no error "runtime error: 5e+26 is outside the range
> of representable values of type 'long unsigned int'" with the file piechart.mvg.
>
> Hope my patch compiled from commits from upstream will be helpful.
>
