Commit 9c362af89 for imagemagick.org

commit 9c362af895d46b89329e8fb9d2f1ef66752b40c2
Author: Cristy <urban-warrior@imagemagick.org>
Date:   Thu Jun 18 20:01:04 2026 -0400

    https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-365g-65p5-w84r

diff --git a/coders/svg.c b/coders/svg.c
index d63bff446..98b82d767 100644
--- a/coders/svg.c
+++ b/coders/svg.c
@@ -69,6 +69,7 @@
 #include "MagickCore/option.h"
 #include "MagickCore/pixel-accessor.h"
 #include "MagickCore/policy.h"
+#include "MagickCore/policy-private.h"
 #include "MagickCore/property.h"
 #include "MagickCore/quantum-private.h"
 #include "MagickCore/resource_.h"
@@ -3217,7 +3218,8 @@ static Image *RenderMSVGImage(const ImageInfo *image_info,Image *image,
             (void) xmlCtxtUseOptions(parser,XML_PARSE_HUGE);
           option=GetImageOption(image_info,"svg:substitute-entities");
           if ((option != (char *) NULL) &&
-              (IsStringTrue(option) != MagickFalse))
+              (IsStringTrue(option) != MagickFalse) &&
+              (IsRightsAuthorizedByName(SystemPolicyDomain,"svg",ReadPolicyRights | WritePolicyRights,"substitute-entities") != MagickFalse))
             (void) xmlCtxtUseOptions(parser,XML_PARSE_NOENT);
           while ((n=ReadBlob(image,MagickPathExtent-1,message)) != 0)
           {
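Review bot: The policy condition added to the `if` in RenderMSVGImage is an opt-in deny, and the code should say so in a comment: as far as this diff shows no rule ships enabled (the policy-open.xml sample is commented out), and IsRightsAuthorizedByName presumably authorizes when no rule matches, so `svg:substitute-entities=true` still turns on XML_PARSE_NOENT by default. A comment above the `if` such as `/* XML_PARSE_NOENT expands entities from the untrusted SVG; honour the system "svg" policy, pattern "substitute-entities" */` would record why the gate exists. When the policy denies the request the define is dropped silently; raising a PolicyError exception or logging a policy event at that point would let operators see blocked attempts. The added line also runs far past the roughly 80-column wrap the surrounding lines keep and could be broken after `"svg",`. The function body starts and ends outside the hunk.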
diff --git a/config/policy-open.xml b/config/policy-open.xml
index 22a09557e..033ec8a8f 100644
--- a/config/policy-open.xml
+++ b/config/policy-open.xml
@@ -155,4 +155,6 @@
   <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
   <!-- If the basename of path is a symbolic link, the open fails -->
   <!-- <policy domain="system" name="symlink" rights="none" pattern="follow"/> -->
+  <!-- Blocks all SVG entity‑substitution attempts by denying the svg:substitute-entities define -->
+  <!-- <policy domain="system" name="svg" rights="none" pattern="substitute-entities"/> -->
 </policymap>
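Review bot: The added comment spells "entity‑substitution" with a non-breaking hyphen (U+2011) instead of ASCII `-`, so a grep for `entity-substitution` in an installed policy file will not find it; use a plain hyphen. "Blocks all SVG entity-substitution attempts" is also broader than what the diff shows: the visible check in coders/svg.c guards only the `svg:substitute-entities` define in RenderMSVGImage, and the rule has no effect until it is uncommented. Suggested wording: `<!-- Uncomment to deny the svg:substitute-entities define (XML entity substitution when rendering SVG) -->`.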