diff options
| author | Naman Jain <nmjain23@gmail.com> | 2026-04-14 09:34:05 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:24 +0530 |
| commit | 098a230565c965933efa4519c6919852098ff5a9 (patch) | |
| tree | a014739b1a43a781a83f2a8bb720a696691e40b3 | |
| parent | 5124ac4a658899158f4a7a2ddf1d2ca931ec7d0e (diff) | |
| download | meta-openembedded-098a230565c965933efa4519c6919852098ff5a9.tar.gz | |
imagemagick: Fix CVEs
Fix the following CVEs-
CVE-2026-24481 CVE-2026-25638 CVE-2026-25794 CVE-2026-25795
CVE-2026-25796 CVE-2026-25797 CVE-2026-25798 CVE-2026-25799
CVE-2026-25897 CVE-2026-25898 CVE-2026-25965 CVE-2026-25966
CVE-2026-25967 CVE-2026-25968 CVE-2026-25969 CVE-2026-25970
CVE-2026-25982 CVE-2026-25985 CVE-2026-25986 CVE-2026-25987
CVE-2026-25988 CVE-2026-26066 CVE-2026-26283 CVE-2026-26284
CVE-2026-26983
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
29 files changed, 2121 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch new file mode 100644 index 0000000000..abfa1f817c --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-24481.patch | |||
| @@ -0,0 +1,30 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 23 Jan 2026 13:19:06 +0100 | ||
| 3 | Subject: Initialize the pixels with empty values to prevent possible heap | ||
| 4 | information disclosure (GHSA-96pc-27rx-pr36) | ||
| 5 | |||
| 6 | (cherry picked from commit 51c9d33f4770cdcfa1a029199375d570af801c97) | ||
| 7 | |||
| 8 | CVE: CVE-2026-24481 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/38872ec2a70084813883ea152f18497911823c18] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/51c9d33f4770cdcfa1a029199375d570af801c97 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36 | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/psd.c | 1 + | ||
| 17 | 1 file changed, 1 insertion(+) | ||
| 18 | |||
| 19 | diff --git a/coders/psd.c b/coders/psd.c | ||
| 20 | index 050abcd..7e2b3eb 100644 | ||
| 21 | --- a/coders/psd.c | ||
| 22 | +++ b/coders/psd.c | ||
| 23 | @@ -1331,6 +1331,7 @@ static MagickBooleanType ReadPSDChannelZip(Image *image, | ||
| 24 | ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", | ||
| 25 | image->filename); | ||
| 26 | } | ||
| 27 | + memset(pixels,0,count*sizeof(*pixels)); | ||
| 28 | if (ReadBlob(image,compact_size,compact_pixels) != (ssize_t) compact_size) | ||
| 29 | { | ||
| 30 | pixels=(unsigned char *) RelinquishMagickMemory(pixels); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch new file mode 100644 index 0000000000..025ff90c40 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25638.patch | |||
| @@ -0,0 +1,29 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 3 Feb 2026 22:06:12 +0100 | ||
| 3 | Subject: Fixed memory leak when writing MSL files (GHSA-gxcx-qjqp-8vjw) | ||
| 4 | |||
| 5 | (cherry picked from commit 1e88fca11c7b8517100d518bc99bd8c474f02f88) | ||
| 6 | |||
| 7 | CVE: CVE-2026-25638 | ||
| 8 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1e88fca11c7b8517100d518bc99bd8c474f02f88] | ||
| 9 | |||
| 10 | origin: https://github.com/ImageMagick/ImageMagick/commit/1e88fca11c7b8517100d518bc99bd8c474f02f88 | ||
| 11 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gxcx-qjqp-8vjw | ||
| 12 | |||
| 13 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 14 | --- | ||
| 15 | coders/msl.c | 1 + | ||
| 16 | 1 file changed, 1 insertion(+) | ||
| 17 | |||
| 18 | diff --git a/coders/msl.c b/coders/msl.c | ||
| 19 | index 43c4b73..9facbf2 100644 | ||
| 20 | --- a/coders/msl.c | ||
| 21 | +++ b/coders/msl.c | ||
| 22 | @@ -7887,6 +7887,7 @@ static MagickBooleanType WriteMSLImage(const ImageInfo *image_info,Image *image, | ||
| 23 | (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); | ||
| 24 | msl_image=CloneImage(image,0,0,MagickTrue,exception); | ||
| 25 | status=ProcessMSLScript(image_info,&msl_image,exception); | ||
| 26 | + msl_image=DestroyImageList(msl_image); | ||
| 27 | return(status); | ||
| 28 | } | ||
| 29 | #endif | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch new file mode 100644 index 0000000000..f67ab86ad1 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch | |||
| @@ -0,0 +1,60 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 21:03:53 +0100 | ||
| 3 | Subject: Prevent out of bounds heap write in uhdr encoder | ||
| 4 | (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h) | ||
| 5 | |||
| 6 | (cherry picked from commit ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed) | ||
| 7 | |||
| 8 | Subject: [PATCH] CVE-2026-25794 | ||
| 9 | CVE: CVE-2026-25794 | ||
| 10 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed] | ||
| 11 | |||
| 12 | origin: https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed | ||
| 13 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h | ||
| 14 | |||
| 15 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 16 | --- | ||
| 17 | coders/uhdr.c | 24 ++++++++++++++++-------- | ||
| 18 | 1 file changed, 16 insertions(+), 8 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/coders/uhdr.c b/coders/uhdr.c | ||
| 21 | index 0a25676..a527465 100644 | ||
| 22 | --- a/coders/uhdr.c | ||
| 23 | +++ b/coders/uhdr.c | ||
| 24 | @@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info, | ||
| 25 | { | ||
| 26 | /* Classify image as hdr/sdr intent basing on depth */ | ||
| 27 | int | ||
| 28 | - bpp = image->depth >= hdrIntentMinDepth ? 2 : 1; | ||
| 29 | - | ||
| 30 | - int | ||
| 31 | - aligned_width = image->columns + (image->columns & 1); | ||
| 32 | - | ||
| 33 | - int | ||
| 34 | - aligned_height = image->rows + (image->rows & 1); | ||
| 35 | + bpp; | ||
| 36 | |||
| 37 | ssize_t | ||
| 38 | - picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */; | ||
| 39 | + aligned_height, | ||
| 40 | + aligned_width; | ||
| 41 | + | ||
| 42 | + size_t | ||
| 43 | + picSize; | ||
| 44 | |||
| 45 | void | ||
| 46 | *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL; | ||
| 47 | |||
| 48 | + if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) || | ||
| 49 | + ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0))) | ||
| 50 | + { | ||
| 51 | + (void) ThrowMagickException(exception,GetMagickModule(),ImageError, | ||
| 52 | + "WidthOrHeightExceedsLimit","%s",image->filename); | ||
| 53 | + goto next_image; | ||
| 54 | + } | ||
| 55 | + bpp = image->depth >= hdrIntentMinDepth ? 2 : 1; | ||
| 56 | + aligned_width = image->columns + (image->columns & 1); | ||
| 57 | + picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */; | ||
| 58 | if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace)) | ||
| 59 | { | ||
| 60 | if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch new file mode 100644 index 0000000000..c969c8d425 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25795.patch | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 21:16:10 +0100 | ||
| 3 | Subject: Fixed NULL pointer dereference in ReadSFWImage (GHSA-p33r-fqw2-rqmm) | ||
| 4 | |||
| 5 | (cherry picked from commit 0c7d0b9671ae2616fca106dcada45536eb4df5dc) | ||
| 6 | |||
| 7 | CVE: CVE-2026-25795 | ||
| 8 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/0c7d0b9671ae2616fca106dcada45536eb4df5dc] | ||
| 9 | |||
| 10 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm | ||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/0c7d0b9671ae2616fca106dcada45536eb4df5dc | ||
| 12 | |||
| 13 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 14 | --- | ||
| 15 | coders/sfw.c | 2 +- | ||
| 16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 17 | |||
| 18 | diff --git a/coders/sfw.c b/coders/sfw.c | ||
| 19 | index 22ebcd9..46c67b4 100644 | ||
| 20 | --- a/coders/sfw.c | ||
| 21 | +++ b/coders/sfw.c | ||
| 22 | @@ -317,9 +317,9 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 23 | if ((unique_file == -1) || (file == (FILE *) NULL)) | ||
| 24 | { | ||
| 25 | buffer=(unsigned char *) RelinquishMagickMemory(buffer); | ||
| 26 | - read_info=DestroyImageInfo(read_info); | ||
| 27 | (void) CopyMagickString(image->filename,read_info->filename, | ||
| 28 | MagickPathExtent); | ||
| 29 | + read_info=DestroyImageInfo(read_info); | ||
| 30 | ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile", | ||
| 31 | image->filename); | ||
| 32 | image=DestroyImageList(image); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch new file mode 100644 index 0000000000..7bd577b4dd --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25796.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 21:10:47 +0100 | ||
| 3 | Subject: Prevent memory leak in early exits (GHSA-g2pr-qxjg-7r2w) | ||
| 4 | |||
| 5 | (cherry picked from commit 93ad259ce4f6d641eea0bee73f374af90f35efc3) | ||
| 6 | |||
| 7 | CVE: CVE-2026-25796 | ||
| 8 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3] | ||
| 9 | |||
| 10 | origin: https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3 | ||
| 11 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w | ||
| 12 | |||
| 13 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 14 | --- | ||
| 15 | coders/stegano.c | 11 +++++++++-- | ||
| 16 | 1 file changed, 9 insertions(+), 2 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/coders/stegano.c b/coders/stegano.c | ||
| 19 | index 111640a..5f91bd9 100644 | ||
| 20 | --- a/coders/stegano.c | ||
| 21 | +++ b/coders/stegano.c | ||
| 22 | @@ -150,15 +150,22 @@ static Image *ReadSTEGANOImage(const ImageInfo *image_info, | ||
| 23 | return(DestroyImage(image)); | ||
| 24 | watermark->depth=MAGICKCORE_QUANTUM_DEPTH; | ||
| 25 | if (AcquireImageColormap(image,MaxColormapSize,exception) == MagickFalse) | ||
| 26 | - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); | ||
| 27 | + { | ||
| 28 | + watermark=DestroyImage(watermark); | ||
| 29 | + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); | ||
| 30 | + } | ||
| 31 | if (image_info->ping != MagickFalse) | ||
| 32 | { | ||
| 33 | + watermark=DestroyImage(watermark); | ||
| 34 | (void) CloseBlob(image); | ||
| 35 | return(GetFirstImageInList(image)); | ||
| 36 | } | ||
| 37 | status=SetImageExtent(image,image->columns,image->rows,exception); | ||
| 38 | if (status == MagickFalse) | ||
| 39 | - return(DestroyImageList(image)); | ||
| 40 | + { | ||
| 41 | + watermark=DestroyImage(watermark); | ||
| 42 | + return(DestroyImageList(image)); | ||
| 43 | + } | ||
| 44 | for (y=0; y < (ssize_t) image->rows; y++) | ||
| 45 | { | ||
| 46 | q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch new file mode 100644 index 0000000000..295b686a91 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_1.patch | |||
| @@ -0,0 +1,344 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 21:28:50 +0100 | ||
| 3 | Subject: Prevent code injection via PostScript header | ||
| 4 | (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v) | ||
| 5 | |||
| 6 | (cherry picked from commit 26088a83d71e9daa203d54a56fe3c31f3f85463d) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25797 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/26088a83d71e9daa203d54a56fe3c31f3f85463d] | ||
| 10 | |||
| 11 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/26088a83d71e9daa203d54a56fe3c31f3f85463d | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/ps.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
| 17 | coders/ps2.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
| 18 | coders/ps3.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
| 19 | 3 files changed, 243 insertions(+), 3 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/ps.c b/coders/ps.c | ||
| 22 | index 8af2af7..3999cf9 100644 | ||
| 23 | --- a/coders/ps.c | ||
| 24 | +++ b/coders/ps.c | ||
| 25 | @@ -1086,6 +1086,82 @@ static inline unsigned char *PopHexPixel(const char hex_digits[][3], | ||
| 26 | return(pixels); | ||
| 27 | } | ||
| 28 | |||
| 29 | +static inline void FilenameToTitle(const char *filename,char *title, | ||
| 30 | + const size_t extent) | ||
| 31 | +{ | ||
| 32 | + int | ||
| 33 | + depth = 0; | ||
| 34 | + | ||
| 35 | + ssize_t | ||
| 36 | + i, | ||
| 37 | + offset = 0; | ||
| 38 | + | ||
| 39 | + if (extent == 0) | ||
| 40 | + return; | ||
| 41 | + for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) | ||
| 42 | + { | ||
| 43 | + unsigned char | ||
| 44 | + c = filename[i]; | ||
| 45 | + | ||
| 46 | + /* | ||
| 47 | + Only allow printable ASCII. | ||
| 48 | + */ | ||
| 49 | + if ((c < 32) || (c > 126)) | ||
| 50 | + { | ||
| 51 | + title[offset++]='_'; | ||
| 52 | + continue; | ||
| 53 | + } | ||
| 54 | + /* | ||
| 55 | + Percent signs break DSC parsing. | ||
| 56 | + */ | ||
| 57 | + if (c == '%') | ||
| 58 | + { | ||
| 59 | + title[offset++]='_'; | ||
| 60 | + continue; | ||
| 61 | + } | ||
| 62 | + /* | ||
| 63 | + Parentheses must remain balanced. | ||
| 64 | + */ | ||
| 65 | + if (c == '(') | ||
| 66 | + { | ||
| 67 | + depth++; | ||
| 68 | + title[offset++] = '('; | ||
| 69 | + continue; | ||
| 70 | + } | ||
| 71 | + if (c == ')') | ||
| 72 | + { | ||
| 73 | + if (depth <= 0) | ||
| 74 | + title[offset++]='_'; | ||
| 75 | + else | ||
| 76 | + { | ||
| 77 | + depth--; | ||
| 78 | + title[offset++]=')'; | ||
| 79 | + } | ||
| 80 | + continue; | ||
| 81 | + } | ||
| 82 | + /* | ||
| 83 | + Everything else is allowed. | ||
| 84 | + */ | ||
| 85 | + title[offset++]=c; | ||
| 86 | + } | ||
| 87 | + /* | ||
| 88 | + If parentheses remain unbalanced, close them. | ||
| 89 | + */ | ||
| 90 | + while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { | ||
| 91 | + title[offset++]=')'; | ||
| 92 | + depth--; | ||
| 93 | + } | ||
| 94 | + title[offset]='\0'; | ||
| 95 | + /* | ||
| 96 | + Ensure non-empty result. | ||
| 97 | + */ | ||
| 98 | + if (offset == 0) | ||
| 99 | + { | ||
| 100 | + (void) CopyMagickString(title,"Untitled",extent-1); | ||
| 101 | + title[extent-1]='\0'; | ||
| 102 | + } | ||
| 103 | +} | ||
| 104 | + | ||
| 105 | static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, | ||
| 106 | ExceptionInfo *exception) | ||
| 107 | { | ||
| 108 | @@ -1554,6 +1630,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, | ||
| 109 | text_size=(size_t) (MultilineCensus(value)*pointsize+12); | ||
| 110 | if (page == 1) | ||
| 111 | { | ||
| 112 | + char | ||
| 113 | + title[MagickPathExtent]; | ||
| 114 | + | ||
| 115 | /* | ||
| 116 | Output Postscript header. | ||
| 117 | */ | ||
| 118 | @@ -1564,8 +1643,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image, | ||
| 119 | MagickPathExtent); | ||
| 120 | (void) WriteBlobString(image,buffer); | ||
| 121 | (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); | ||
| 122 | + FilenameToTitle(image->filename,title,MagickPathExtent); | ||
| 123 | (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n", | ||
| 124 | - image->filename); | ||
| 125 | + title); | ||
| 126 | (void) WriteBlobString(image,buffer); | ||
| 127 | timer=GetMagickTime(); | ||
| 128 | (void) FormatMagickTime(timer,sizeof(date),date); | ||
| 129 | diff --git a/coders/ps2.c b/coders/ps2.c | ||
| 130 | index f840782..10670a7 100644 | ||
| 131 | --- a/coders/ps2.c | ||
| 132 | +++ b/coders/ps2.c | ||
| 133 | @@ -225,6 +225,82 @@ static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, | ||
| 134 | return(status); | ||
| 135 | } | ||
| 136 | |||
| 137 | +static inline void FilenameToTitle(const char *filename,char *title, | ||
| 138 | + const size_t extent) | ||
| 139 | +{ | ||
| 140 | + int | ||
| 141 | + depth = 0; | ||
| 142 | + | ||
| 143 | + ssize_t | ||
| 144 | + i, | ||
| 145 | + offset = 0; | ||
| 146 | + | ||
| 147 | + if (extent == 0) | ||
| 148 | + return; | ||
| 149 | + for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) | ||
| 150 | + { | ||
| 151 | + unsigned char | ||
| 152 | + c = filename[i]; | ||
| 153 | + | ||
| 154 | + /* | ||
| 155 | + Only allow printable ASCII. | ||
| 156 | + */ | ||
| 157 | + if ((c < 32) || (c > 126)) | ||
| 158 | + { | ||
| 159 | + title[offset++]='_'; | ||
| 160 | + continue; | ||
| 161 | + } | ||
| 162 | + /* | ||
| 163 | + Percent signs break DSC parsing. | ||
| 164 | + */ | ||
| 165 | + if (c == '%') | ||
| 166 | + { | ||
| 167 | + title[offset++]='_'; | ||
| 168 | + continue; | ||
| 169 | + } | ||
| 170 | + /* | ||
| 171 | + Parentheses must remain balanced. | ||
| 172 | + */ | ||
| 173 | + if (c == '(') | ||
| 174 | + { | ||
| 175 | + depth++; | ||
| 176 | + title[offset++] = '('; | ||
| 177 | + continue; | ||
| 178 | + } | ||
| 179 | + if (c == ')') | ||
| 180 | + { | ||
| 181 | + if (depth <= 0) | ||
| 182 | + title[offset++]='_'; | ||
| 183 | + else | ||
| 184 | + { | ||
| 185 | + depth--; | ||
| 186 | + title[offset++]=')'; | ||
| 187 | + } | ||
| 188 | + continue; | ||
| 189 | + } | ||
| 190 | + /* | ||
| 191 | + Everything else is allowed. | ||
| 192 | + */ | ||
| 193 | + title[offset++]=c; | ||
| 194 | + } | ||
| 195 | + /* | ||
| 196 | + If parentheses remain unbalanced, close them. | ||
| 197 | + */ | ||
| 198 | + while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { | ||
| 199 | + title[offset++]=')'; | ||
| 200 | + depth--; | ||
| 201 | + } | ||
| 202 | + title[offset]='\0'; | ||
| 203 | + /* | ||
| 204 | + Ensure non-empty result. | ||
| 205 | + */ | ||
| 206 | + if (offset == 0) | ||
| 207 | + { | ||
| 208 | + (void) CopyMagickString(title,"Untitled",extent-1); | ||
| 209 | + title[extent-1]='\0'; | ||
| 210 | + } | ||
| 211 | +} | ||
| 212 | + | ||
| 213 | static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, | ||
| 214 | ExceptionInfo *exception) | ||
| 215 | { | ||
| 216 | @@ -547,6 +623,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, | ||
| 217 | text_size=(size_t) (MultilineCensus(value)*pointsize+12); | ||
| 218 | if (page == 1) | ||
| 219 | { | ||
| 220 | + char | ||
| 221 | + title[MagickPathExtent]; | ||
| 222 | + | ||
| 223 | /* | ||
| 224 | Output Postscript header. | ||
| 225 | */ | ||
| 226 | @@ -557,8 +636,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image, | ||
| 227 | MagickPathExtent); | ||
| 228 | (void) WriteBlobString(image,buffer); | ||
| 229 | (void) WriteBlobString(image,"%%Creator: (ImageMagick)\n"); | ||
| 230 | + FilenameToTitle(image->filename,title,MagickPathExtent); | ||
| 231 | (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: (%s)\n", | ||
| 232 | - image->filename); | ||
| 233 | + title); | ||
| 234 | (void) WriteBlobString(image,buffer); | ||
| 235 | timer=GetMagickTime(); | ||
| 236 | (void) FormatMagickTime(timer,sizeof(date),date); | ||
| 237 | diff --git a/coders/ps3.c b/coders/ps3.c | ||
| 238 | index d3e870c..b135b46 100644 | ||
| 239 | --- a/coders/ps3.c | ||
| 240 | +++ b/coders/ps3.c | ||
| 241 | @@ -203,6 +203,82 @@ ModuleExport void UnregisterPS3Image(void) | ||
| 242 | % | ||
| 243 | */ | ||
| 244 | |||
| 245 | +static inline void FilenameToTitle(const char *filename,char *title, | ||
| 246 | + const size_t extent) | ||
| 247 | +{ | ||
| 248 | + int | ||
| 249 | + depth = 0; | ||
| 250 | + | ||
| 251 | + ssize_t | ||
| 252 | + i, | ||
| 253 | + offset = 0; | ||
| 254 | + | ||
| 255 | + if (extent == 0) | ||
| 256 | + return; | ||
| 257 | + for (i=0; (filename[i] != '\0') && ((offset+1) < (ssize_t) extent); i++) | ||
| 258 | + { | ||
| 259 | + unsigned char | ||
| 260 | + c = filename[i]; | ||
| 261 | + | ||
| 262 | + /* | ||
| 263 | + Only allow printable ASCII. | ||
| 264 | + */ | ||
| 265 | + if ((c < 32) || (c > 126)) | ||
| 266 | + { | ||
| 267 | + title[offset++]='_'; | ||
| 268 | + continue; | ||
| 269 | + } | ||
| 270 | + /* | ||
| 271 | + Percent signs break DSC parsing. | ||
| 272 | + */ | ||
| 273 | + if (c == '%') | ||
| 274 | + { | ||
| 275 | + title[offset++]='_'; | ||
| 276 | + continue; | ||
| 277 | + } | ||
| 278 | + /* | ||
| 279 | + Parentheses must remain balanced. | ||
| 280 | + */ | ||
| 281 | + if (c == '(') | ||
| 282 | + { | ||
| 283 | + depth++; | ||
| 284 | + title[offset++] = '('; | ||
| 285 | + continue; | ||
| 286 | + } | ||
| 287 | + if (c == ')') | ||
| 288 | + { | ||
| 289 | + if (depth <= 0) | ||
| 290 | + title[offset++]='_'; | ||
| 291 | + else | ||
| 292 | + { | ||
| 293 | + depth--; | ||
| 294 | + title[offset++]=')'; | ||
| 295 | + } | ||
| 296 | + continue; | ||
| 297 | + } | ||
| 298 | + /* | ||
| 299 | + Everything else is allowed. | ||
| 300 | + */ | ||
| 301 | + title[offset++]=c; | ||
| 302 | + } | ||
| 303 | + /* | ||
| 304 | + If parentheses remain unbalanced, close them. | ||
| 305 | + */ | ||
| 306 | + while ((depth > 0) && ((offset+1) < (ssize_t) extent)) { | ||
| 307 | + title[offset++]=')'; | ||
| 308 | + depth--; | ||
| 309 | + } | ||
| 310 | + title[offset]='\0'; | ||
| 311 | + /* | ||
| 312 | + Ensure non-empty result. | ||
| 313 | + */ | ||
| 314 | + if (offset == 0) | ||
| 315 | + { | ||
| 316 | + (void) CopyMagickString(title,"Untitled",extent-1); | ||
| 317 | + title[extent-1]='\0'; | ||
| 318 | + } | ||
| 319 | +} | ||
| 320 | + | ||
| 321 | static MagickBooleanType Huffman2DEncodeImage(const ImageInfo *image_info, | ||
| 322 | Image *image,Image *inject_image,ExceptionInfo *exception) | ||
| 323 | { | ||
| 324 | @@ -1007,6 +1083,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image, | ||
| 325 | is_gray=IdentifyImageCoderGray(image,exception); | ||
| 326 | if (page == 1) | ||
| 327 | { | ||
| 328 | + char | ||
| 329 | + title[MagickPathExtent]; | ||
| 330 | + | ||
| 331 | /* | ||
| 332 | Postscript header on the first page. | ||
| 333 | */ | ||
| 334 | @@ -1019,8 +1098,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image, | ||
| 335 | (void) FormatLocaleString(buffer,MagickPathExtent, | ||
| 336 | "%%%%Creator: ImageMagick %s\n",MagickLibVersionText); | ||
| 337 | (void) WriteBlobString(image,buffer); | ||
| 338 | + FilenameToTitle(image->filename,title,MagickPathExtent); | ||
| 339 | (void) FormatLocaleString(buffer,MagickPathExtent,"%%%%Title: %s\n", | ||
| 340 | - image->filename); | ||
| 341 | + title); | ||
| 342 | (void) WriteBlobString(image,buffer); | ||
| 343 | timer=GetMagickTime(); | ||
| 344 | (void) FormatMagickTime(timer,sizeof(date),date); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch new file mode 100644 index 0000000000..a1872b7ee9 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25797_2.patch | |||
| @@ -0,0 +1,143 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 20 Feb 2026 14:08:15 +0100 | ||
| 3 | Subject: Properly escape the strings that are written as raw html | ||
| 4 | (GHSA-rw6c-xp26-225v) | ||
| 5 | |||
| 6 | (cherry picked from commit 81129f79ad622ff4c1d729828a34ab0f49ec89f6) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25797 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/81129f79ad622ff4c1d729828a34ab0f49ec89f6] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/81129f79ad622ff4c1d729828a34ab0f49ec89f6 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/html.c | 65 +++++++++++++++++++++++++++++++++++------------------------ | ||
| 17 | 1 file changed, 39 insertions(+), 26 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/coders/html.c b/coders/html.c | ||
| 20 | index 739cb12..1e171cb 100644 | ||
| 21 | --- a/coders/html.c | ||
| 22 | +++ b/coders/html.c | ||
| 23 | @@ -204,6 +204,21 @@ ModuleExport void UnregisterHTMLImage(void) | ||
| 24 | % | ||
| 25 | */ | ||
| 26 | |||
| 27 | +static void WriteHtmlEncodedString(Image *image,const char* value) | ||
| 28 | +{ | ||
| 29 | + char | ||
| 30 | + *encoded_value; | ||
| 31 | + | ||
| 32 | + encoded_value=AcquireString(value); | ||
| 33 | + (void) SubstituteString(&encoded_value,"<","<"); | ||
| 34 | + (void) SubstituteString(&encoded_value,">",">"); | ||
| 35 | + (void) SubstituteString(&encoded_value,"&","&"); | ||
| 36 | + (void) SubstituteString(&encoded_value,"\"","""); | ||
| 37 | + (void) SubstituteString(&encoded_value,"'","'"); | ||
| 38 | + WriteBlobString(image,encoded_value); | ||
| 39 | + encoded_value=DestroyString(encoded_value); | ||
| 40 | +} | ||
| 41 | + | ||
| 42 | static ssize_t WriteURLComponent(Image *image,const int c) | ||
| 43 | { | ||
| 44 | char | ||
| 45 | @@ -318,29 +333,29 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, | ||
| 46 | "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"); | ||
| 47 | (void) WriteBlobString(image,"<html>\n"); | ||
| 48 | (void) WriteBlobString(image,"<head>\n"); | ||
| 49 | + (void) WriteBlobString(image,"<title>"); | ||
| 50 | value=GetImageProperty(image,"label",exception); | ||
| 51 | if (value != (const char *) NULL) | ||
| 52 | - (void) FormatLocaleString(buffer,MagickPathExtent,"<title>%s</title>\n", | ||
| 53 | - value); | ||
| 54 | + WriteHtmlEncodedString(image,value); | ||
| 55 | else | ||
| 56 | { | ||
| 57 | GetPathComponent(filename,BasePath,basename); | ||
| 58 | - (void) FormatLocaleString(buffer,MagickPathExtent, | ||
| 59 | - "<title>%s</title>\n",basename); | ||
| 60 | + WriteHtmlEncodedString(image,basename); | ||
| 61 | } | ||
| 62 | - (void) WriteBlobString(image,buffer); | ||
| 63 | + (void) WriteBlobString(image,"</title>\n"); | ||
| 64 | (void) WriteBlobString(image,"</head>\n"); | ||
| 65 | (void) WriteBlobString(image,"<body style=\"text-align: center;\">\n"); | ||
| 66 | - (void) FormatLocaleString(buffer,MagickPathExtent,"<h1>%s</h1>\n", | ||
| 67 | - image->filename); | ||
| 68 | - (void) WriteBlobString(image,buffer); | ||
| 69 | + (void) WriteBlobString(image,"<h1>"); | ||
| 70 | + WriteHtmlEncodedString(image,image->filename); | ||
| 71 | + (void) WriteBlobString(image,"</h1>"); | ||
| 72 | (void) WriteBlobString(image,"<div>\n"); | ||
| 73 | (void) CopyMagickString(filename,image->filename,MagickPathExtent); | ||
| 74 | AppendImageFormat("png",filename); | ||
| 75 | - (void) FormatLocaleString(buffer,MagickPathExtent,"<img usemap=\"#%s\" " | ||
| 76 | - "src=\"%s\" style=\"border: 0;\" alt=\"Image map\" />\n",mapname, | ||
| 77 | - filename); | ||
| 78 | - (void) WriteBlobString(image,buffer); | ||
| 79 | + (void) WriteBlobString(image,"<img usemap=\"#"); | ||
| 80 | + WriteHtmlEncodedString(image,mapname); | ||
| 81 | + (void) WriteBlobString(image,"\" src=\""); | ||
| 82 | + WriteHtmlEncodedString(image,filename); | ||
| 83 | + (void) WriteBlobString(image,"\" style=\"border: 0;\" alt=\"Image map\" />\n"); | ||
| 84 | /* | ||
| 85 | Determine the size and location of each image tile. | ||
| 86 | */ | ||
| 87 | @@ -350,18 +365,18 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, | ||
| 88 | /* | ||
| 89 | Write an image map. | ||
| 90 | */ | ||
| 91 | - (void) FormatLocaleString(buffer,MagickPathExtent, | ||
| 92 | - "<map id=\"%s\" name=\"%s\">\n",mapname,mapname); | ||
| 93 | - (void) WriteBlobString(image,buffer); | ||
| 94 | - (void) FormatLocaleString(buffer,MagickPathExtent," <area href=\"%s", | ||
| 95 | - url); | ||
| 96 | - (void) WriteBlobString(image,buffer); | ||
| 97 | + (void) WriteBlobString(image,"<map id=\""); | ||
| 98 | + WriteHtmlEncodedString(image,mapname); | ||
| 99 | + (void) WriteBlobString(image,"\" name=\""); | ||
| 100 | + WriteHtmlEncodedString(image,mapname); | ||
| 101 | + (void) WriteBlobString(image,"\">\n<area href=\""); | ||
| 102 | + WriteHtmlEncodedString(image,url); | ||
| 103 | if (image->directory == (char *) NULL) | ||
| 104 | { | ||
| 105 | + WriteHtmlEncodedString(image,image->filename); | ||
| 106 | (void) FormatLocaleString(buffer,MagickPathExtent, | ||
| 107 | - "%s\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", | ||
| 108 | - image->filename,(double) geometry.width-1,(double) geometry.height- | ||
| 109 | - 1); | ||
| 110 | + "\" shape=\"rect\" coords=\"0,0,%.20g,%.20g\" alt=\"\" />\n", | ||
| 111 | + (double) geometry.width-1,(double) geometry.height-1); | ||
| 112 | (void) WriteBlobString(image,buffer); | ||
| 113 | } | ||
| 114 | else | ||
| 115 | @@ -378,9 +393,9 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, | ||
| 116 | (void) WriteBlobString(image,buffer); | ||
| 117 | if (*(p+1) != '\0') | ||
| 118 | { | ||
| 119 | - (void) FormatLocaleString(buffer,MagickPathExtent, | ||
| 120 | - " <area href=%s\"",url); | ||
| 121 | - (void) WriteBlobString(image,buffer); | ||
| 122 | + (void) WriteBlobString(image," <area href=\""); | ||
| 123 | + WriteHtmlEncodedString(image,url); | ||
| 124 | + (void) WriteBlobString(image,"\""); | ||
| 125 | } | ||
| 126 | geometry.x+=(ssize_t) geometry.width; | ||
| 127 | if ((geometry.x+4) >= (ssize_t) image->columns) | ||
| 128 | @@ -390,7 +405,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, | ||
| 129 | } | ||
| 130 | } | ||
| 131 | (void) WriteBlobString(image,"</map>\n"); | ||
| 132 | - (void) CopyMagickString(filename,image->filename,MagickPathExtent); | ||
| 133 | (void) WriteBlobString(image,"</div>\n"); | ||
| 134 | (void) WriteBlobString(image,"</body>\n"); | ||
| 135 | (void) WriteBlobString(image,"</html>\n"); | ||
| 136 | @@ -398,7 +412,6 @@ static MagickBooleanType WriteHTMLImage(const ImageInfo *image_info, | ||
| 137 | /* | ||
| 138 | Write the image as PNG. | ||
| 139 | */ | ||
| 140 | - (void) CopyMagickString(image->filename,filename,MagickPathExtent); | ||
| 141 | AppendImageFormat("png",image->filename); | ||
| 142 | next=GetNextImageInList(image); | ||
| 143 | image->next=NewImageList(); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch new file mode 100644 index 0000000000..18758b625b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch | |||
| @@ -0,0 +1,109 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | From: Naman Jain <namanj1@kpit.com> | ||
| 3 | Date: Sun, 1 Feb 2026 14:56:14 -0500 | ||
| 4 | Subject: [PATCH] CVE-2026-25798 | ||
| 5 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 | ||
| 6 | |||
| 7 | a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. | ||
| 8 | |||
| 9 | (cherry picked from commit 16dd3158ce197c6f65e7798a7a5cc4538bb0303e) | ||
| 10 | |||
| 11 | CVE: CVE-2026-25798 | ||
| 12 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e] | ||
| 13 | |||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 | ||
| 15 | origin: https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e | ||
| 16 | |||
| 17 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 18 | --- | ||
| 19 | MagickCore/cache.c | 37 +++++++++++++++++++++++++++++++++---- | ||
| 20 | coders/sixel.c | 4 ++-- | ||
| 21 | 2 files changed, 35 insertions(+), 6 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/MagickCore/cache.c b/MagickCore/cache.c | ||
| 24 | index 8df6945..5a36189 100644 | ||
| 25 | --- a/MagickCore/cache.c | ||
| 26 | +++ b/MagickCore/cache.c | ||
| 27 | @@ -3500,6 +3500,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info, | ||
| 28 | % | ||
| 29 | */ | ||
| 30 | |||
| 31 | +static inline MagickBooleanType CacheOverflowSanityCheckGetSize( | ||
| 32 | + const MagickSizeType count,const size_t quantum,MagickSizeType *const extent) | ||
| 33 | +{ | ||
| 34 | + MagickSizeType | ||
| 35 | + length; | ||
| 36 | + | ||
| 37 | + if ((count == 0) || (quantum == 0)) | ||
| 38 | + return(MagickTrue); | ||
| 39 | + length=count*quantum; | ||
| 40 | + if (quantum != (length/count)) | ||
| 41 | + { | ||
| 42 | + errno=ENOMEM; | ||
| 43 | + return(MagickTrue); | ||
| 44 | + } | ||
| 45 | + if (extent != NULL) | ||
| 46 | + *extent=length; | ||
| 47 | + return(MagickFalse); | ||
| 48 | +} | ||
| 49 | + | ||
| 50 | static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info, | ||
| 51 | const MapMode mode) | ||
| 52 | { | ||
| 53 | @@ -3650,7 +3669,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, | ||
| 54 | status; | ||
| 55 | |||
| 56 | MagickSizeType | ||
| 57 | - length, | ||
| 58 | + length = 0, | ||
| 59 | number_pixels; | ||
| 60 | |||
| 61 | size_t | ||
| 62 | @@ -3723,12 +3742,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, | ||
| 63 | packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum); | ||
| 64 | if (image->metacontent_extent != 0) | ||
| 65 | packet_size+=cache_info->metacontent_extent; | ||
| 66 | - length=number_pixels*packet_size; | ||
| 67 | + if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse) | ||
| 68 | + { | ||
| 69 | + cache_info->storage_class=UndefinedClass; | ||
| 70 | + cache_info->length=0; | ||
| 71 | + ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", | ||
| 72 | + image->filename); | ||
| 73 | + } | ||
| 74 | columns=(size_t) (length/cache_info->rows/packet_size); | ||
| 75 | if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) || | ||
| 76 | ((ssize_t) cache_info->rows < 0)) | ||
| 77 | - ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", | ||
| 78 | - image->filename); | ||
| 79 | + { | ||
| 80 | + cache_info->storage_class=UndefinedClass; | ||
| 81 | + cache_info->length=0; | ||
| 82 | + ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed", | ||
| 83 | + image->filename); | ||
| 84 | + } | ||
| 85 | cache_info->length=length; | ||
| 86 | if (image->ping != MagickFalse) | ||
| 87 | { | ||
| 88 | diff --git a/coders/sixel.c b/coders/sixel.c | ||
| 89 | index 08ca474..11d857d 100644 | ||
| 90 | --- a/coders/sixel.c | ||
| 91 | +++ b/coders/sixel.c | ||
| 92 | @@ -544,7 +544,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 93 | if (max_x < position_x) | ||
| 94 | max_x = position_x; | ||
| 95 | if (max_y < (position_y + i)) | ||
| 96 | - max_y = position_y + i; | ||
| 97 | + max_y = (int) (position_y + i); | ||
| 98 | } | ||
| 99 | sixel_vertical_mask <<= 1; | ||
| 100 | } | ||
| 101 | @@ -577,7 +577,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 102 | if (max_x < (position_x+repeat_count-1)) | ||
| 103 | max_x = position_x+repeat_count-1; | ||
| 104 | if (max_y < (position_y+i+n-1)) | ||
| 105 | - max_y = position_y+i+n-1; | ||
| 106 | + max_y = (int) (position_y+i+n-1); | ||
| 107 | i+=(n-1); | ||
| 108 | sixel_vertical_mask <<= (n-1); | ||
| 109 | } | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch new file mode 100644 index 0000000000..8dc511d2a4 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25799.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 31 Jan 2026 12:56:17 -0500 | ||
| 3 | Subject: [PATCH] CVE-2026-25798 | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 | ||
| 5 | |||
| 6 | a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. | ||
| 7 | |||
| 8 | (cherry picked from commit 412f3c8bc1d3b6890aad72376cd992c9b5177037) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25799 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/412f3c8bc1d3b6890aad72376cd992c9b5177037] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/412f3c8bc1d3b6890aad72376cd992c9b5177037 | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/yuv.c | 4 ++-- | ||
| 19 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/yuv.c b/coders/yuv.c | ||
| 22 | index a1d5bf1..1817c43 100644 | ||
| 23 | --- a/coders/yuv.c | ||
| 24 | +++ b/coders/yuv.c | ||
| 25 | @@ -165,7 +165,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 26 | vertical_factor=horizontal_factor; | ||
| 27 | if ((flags & SigmaValue) != 0) | ||
| 28 | vertical_factor=(ssize_t) geometry_info.sigma; | ||
| 29 | - if ((horizontal_factor != 1) && (horizontal_factor != 2) && | ||
| 30 | + if ((horizontal_factor != 1) && (horizontal_factor != 2) || | ||
| 31 | (vertical_factor != 1) && (vertical_factor != 2)) | ||
| 32 | ThrowReaderException(CorruptImageError,"UnexpectedSamplingFactor"); | ||
| 33 | } | ||
| 34 | @@ -670,7 +670,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image, | ||
| 35 | vertical_factor=horizontal_factor; | ||
| 36 | if ((flags & SigmaValue) != 0) | ||
| 37 | vertical_factor=(ssize_t) geometry_info.sigma; | ||
| 38 | - if ((horizontal_factor != 1) && (horizontal_factor != 2) && | ||
| 39 | + if ((horizontal_factor != 1) && (horizontal_factor != 2) || | ||
| 40 | (vertical_factor != 1) && (vertical_factor != 2)) | ||
| 41 | ThrowWriterException(CorruptImageError,"UnexpectedSamplingFactor"); | ||
| 42 | } | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch new file mode 100644 index 0000000000..f1db20a6ad --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25897.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 22:21:19 +0100 | ||
| 3 | Subject: Added extra check to prevent out of bounds heap write on 32-bit | ||
| 4 | systems (GHSA-6j5f-24fw-pqp4) | ||
| 5 | |||
| 6 | (cherry picked from commit 23fde73188ea32c15b607571775d4f92bdb75e60) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25897 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/23fde73188ea32c15b607571775d4f92bdb75e60] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/23fde73188ea32c15b607571775d4f92bdb75e60 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4 | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/sun.c | 5 +++++ | ||
| 17 | 1 file changed, 5 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/coders/sun.c b/coders/sun.c | ||
| 20 | index f1452c5..76d7607 100644 | ||
| 21 | --- a/coders/sun.c | ||
| 22 | +++ b/coders/sun.c | ||
| 23 | @@ -470,6 +470,11 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 24 | sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); | ||
| 25 | ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); | ||
| 26 | } | ||
| 27 | + if (image->rows > (MAGICK_SIZE_MAX - pixels_length)) | ||
| 28 | + { | ||
| 29 | + sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); | ||
| 30 | + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); | ||
| 31 | + } | ||
| 32 | sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows, | ||
| 33 | sizeof(*sun_pixels)); | ||
| 34 | if (sun_pixels == (unsigned char *) NULL) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch new file mode 100644 index 0000000000..8e68732131 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_1.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Fri, 6 Feb 2026 20:55:43 +0100 | ||
| 3 | Subject: Fixed out of bound read with negative pixel index | ||
| 4 | (GHSA-vpxv-r9pg-7gpr) | ||
| 5 | |||
| 6 | (cherry picked from commit c9c87dbaba56bf82aebd3392e11f0ffd93709b12) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25898 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/uil.c | 7 +++++-- | ||
| 17 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/coders/uil.c b/coders/uil.c | ||
| 20 | index 74c45c7..ffcab49 100644 | ||
| 21 | --- a/coders/uil.c | ||
| 22 | +++ b/coders/uil.c | ||
| 23 | @@ -352,11 +352,14 @@ static MagickBooleanType WriteUILImage(const ImageInfo *image_info,Image *image, | ||
| 24 | for (x=0; x < (ssize_t) image->columns; x++) | ||
| 25 | { | ||
| 26 | k=((ssize_t) GetPixelIndex(image,p) % MaxCixels); | ||
| 27 | + if (k < 0) | ||
| 28 | + k=0; | ||
| 29 | symbol[0]=Cixel[k]; | ||
| 30 | for (j=1; j < (int) characters_per_pixel; j++) | ||
| 31 | { | ||
| 32 | - k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % | ||
| 33 | - MaxCixels; | ||
| 34 | + k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels; | ||
| 35 | + if (k < 0) | ||
| 36 | + k=0; | ||
| 37 | symbol[j]=Cixel[k]; | ||
| 38 | } | ||
| 39 | symbol[j]='\0'; | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch new file mode 100644 index 0000000000..563d5612b0 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25898_2.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Sun, 8 Feb 2026 14:15:46 +0100 | ||
| 3 | Subject: Fixed out of bound read with negative pixel index | ||
| 4 | (GHSA-vpxv-r9pg-7gpr) | ||
| 5 | |||
| 6 | (cherry picked from commit 21525d8f27b86e8063fe359616086fd6b71eb05b) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25898 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/21525d8f27b86e8063fe359616086fd6b71eb05b] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/21525d8f27b86e8063fe359616086fd6b71eb05b | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/xpm.c | 4 ++++ | ||
| 17 | 1 file changed, 4 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/coders/xpm.c b/coders/xpm.c | ||
| 20 | index 1dda89f..4a77b48 100644 | ||
| 21 | --- a/coders/xpm.c | ||
| 22 | +++ b/coders/xpm.c | ||
| 23 | @@ -1131,10 +1131,14 @@ static MagickBooleanType WriteXPMImage(const ImageInfo *image_info,Image *image, | ||
| 24 | for (x=0; x < (ssize_t) image->columns; x++) | ||
| 25 | { | ||
| 26 | k=((ssize_t) GetPixelIndex(image,p) % MaxCixels); | ||
| 27 | + if (k < 0) | ||
| 28 | + k=0; | ||
| 29 | symbol[0]=Cixel[k]; | ||
| 30 | for (j=1; j < (ssize_t) characters_per_pixel; j++) | ||
| 31 | { | ||
| 32 | k=(((int) GetPixelIndex(image,p)-k)/MaxCixels) % MaxCixels; | ||
| 33 | + if (k < 0) | ||
| 34 | + k=0; | ||
| 35 | symbol[j]=Cixel[k]; | ||
| 36 | } | ||
| 37 | symbol[j]='\0'; | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch new file mode 100644 index 0000000000..d57b62e83a --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25965.patch | |||
| @@ -0,0 +1,322 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 3 Feb 2026 21:09:59 +0100 | ||
| 3 | Subject: Prevent path traversal of paths that are blocked in the security | ||
| 4 | policy (GHSA-8jvj-p28h-9gm7) | ||
| 5 | |||
| 6 | (cherry picked from commit 4a9dc1075dcad3ab0579e1b37dbe854c882699a5) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25965 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4a9dc1075dcad3ab0579e1b37dbe854c882699a5] | ||
| 10 | |||
| 11 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/4a9dc1075dcad3ab0579e1b37dbe854c882699a5 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7 | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | MagickCore/module.c | 11 +++-- | ||
| 17 | MagickCore/policy.c | 39 ++++++++++----- | ||
| 18 | MagickCore/token.c | 2 + | ||
| 19 | MagickCore/utility-private.h | 115 +++++++++++++++++++++++++++++++++++++++++++ | ||
| 20 | MagickCore/utility.c | 28 +++++++---- | ||
| 21 | 5 files changed, 169 insertions(+), 26 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/MagickCore/module.c b/MagickCore/module.c | ||
| 24 | index e36214d..5332a71 100644 | ||
| 25 | --- a/MagickCore/module.c | ||
| 26 | +++ b/MagickCore/module.c | ||
| 27 | @@ -584,15 +584,16 @@ static MagickBooleanType GetMagickModulePath(const char *filename, | ||
| 28 | (void) ConcatenateMagickString(path,DirectorySeparator, | ||
| 29 | MagickPathExtent); | ||
| 30 | (void) ConcatenateMagickString(path,filename,MagickPathExtent); | ||
| 31 | -#if defined(MAGICKCORE_HAVE_REALPATH) | ||
| 32 | { | ||
| 33 | char | ||
| 34 | - resolved_path[PATH_MAX+1]; | ||
| 35 | + *real_path = realpath_utf8(path); | ||
| 36 | |||
| 37 | - if (realpath(path,resolved_path) != (char *) NULL) | ||
| 38 | - (void) CopyMagickString(path,resolved_path,MagickPathExtent); | ||
| 39 | + if (real_path != (char *) NULL) | ||
| 40 | + { | ||
| 41 | + (void) CopyMagickString(path,real_path,MagickPathExtent); | ||
| 42 | + real_path=DestroyString(real_path); | ||
| 43 | + } | ||
| 44 | } | ||
| 45 | -#endif | ||
| 46 | if (IsPathAccessible(path) != MagickFalse) | ||
| 47 | { | ||
| 48 | module_path=DestroyString(module_path); | ||
| 49 | diff --git a/MagickCore/policy.c b/MagickCore/policy.c | ||
| 50 | index 8cfcee0..0e036c0 100644 | ||
| 51 | --- a/MagickCore/policy.c | ||
| 52 | +++ b/MagickCore/policy.c | ||
| 53 | @@ -640,6 +640,9 @@ static MagickBooleanType IsPolicyCacheInstantiated(ExceptionInfo *exception) | ||
| 54 | MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, | ||
| 55 | const PolicyRights rights,const char *pattern) | ||
| 56 | { | ||
| 57 | + char | ||
| 58 | + *real_pattern = (char *) NULL; | ||
| 59 | + | ||
| 60 | const PolicyInfo | ||
| 61 | *policy_info; | ||
| 62 | |||
| 63 | @@ -647,7 +650,8 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, | ||
| 64 | *exception; | ||
| 65 | |||
| 66 | MagickBooleanType | ||
| 67 | - authorized; | ||
| 68 | + authorized, | ||
| 69 | + match; | ||
| 70 | |||
| 71 | ElementInfo | ||
| 72 | *p; | ||
| 73 | @@ -671,22 +675,33 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain, | ||
| 74 | *policy; | ||
| 75 | |||
| 76 | policy=(const PolicyInfo *) p->value; | ||
| 77 | - if ((policy->domain == domain) && | ||
| 78 | - (GlobExpression(pattern,policy->pattern,MagickFalse) != MagickFalse)) | ||
| 79 | + if (policy->domain == domain) | ||
| 80 | { | ||
| 81 | - if ((rights & ReadPolicyRights) != 0) | ||
| 82 | - authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue : | ||
| 83 | - MagickFalse; | ||
| 84 | - if ((rights & WritePolicyRights) != 0) | ||
| 85 | - authorized=(policy->rights & WritePolicyRights) != 0 ? MagickTrue : | ||
| 86 | - MagickFalse; | ||
| 87 | - if ((rights & ExecutePolicyRights) != 0) | ||
| 88 | - authorized=(policy->rights & ExecutePolicyRights) != 0 ? MagickTrue : | ||
| 89 | - MagickFalse; | ||
| 90 | + if ((policy->domain == PathPolicyDomain) && | ||
| 91 | + (real_pattern == (const char *) NULL)) | ||
| 92 | + real_pattern=realpath_utf8(pattern); | ||
| 93 | + if (real_pattern != (char*) NULL) | ||
| 94 | + match=GlobExpression(real_pattern,policy->pattern,MagickFalse); | ||
| 95 | + else | ||
| 96 | + match=GlobExpression(pattern,policy->pattern,MagickFalse); | ||
| 97 | + if (match != MagickFalse) | ||
| 98 | + { | ||
| 99 | + if ((rights & ReadPolicyRights) != 0) | ||
| 100 | + authorized=(policy->rights & ReadPolicyRights) != 0 ? MagickTrue : | ||
| 101 | + MagickFalse; | ||
| 102 | + if ((rights & WritePolicyRights) != 0) | ||
| 103 | + authorized=(policy->rights & WritePolicyRights) != 0 ? | ||
| 104 | + MagickTrue : MagickFalse; | ||
| 105 | + if ((rights & ExecutePolicyRights) != 0) | ||
| 106 | + authorized=(policy->rights & ExecutePolicyRights) != 0 ? | ||
| 107 | + MagickTrue : MagickFalse; | ||
| 108 | + } | ||
| 109 | } | ||
| 110 | p=p->next; | ||
| 111 | } | ||
| 112 | UnlockSemaphoreInfo(policy_semaphore); | ||
| 113 | + if (real_pattern != (char *) NULL) | ||
| 114 | + real_pattern=DestroyString(real_pattern); | ||
| 115 | return(authorized); | ||
| 116 | } | ||
| 117 | |||
| 118 | diff --git a/MagickCore/token.c b/MagickCore/token.c | ||
| 119 | index 9763069..70085b4 100644 | ||
| 120 | --- a/MagickCore/token.c | ||
| 121 | +++ b/MagickCore/token.c | ||
| 122 | @@ -518,6 +518,7 @@ MagickExport MagickBooleanType GlobExpression( | ||
| 123 | target=DestroyString(target); | ||
| 124 | break; | ||
| 125 | } | ||
| 126 | +#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) | ||
| 127 | case '\\': | ||
| 128 | { | ||
| 129 | pattern+=GetUTFOctets(pattern); | ||
| 130 | @@ -525,6 +526,7 @@ MagickExport MagickBooleanType GlobExpression( | ||
| 131 | break; | ||
| 132 | magick_fallthrough; | ||
| 133 | } | ||
| 134 | +#endif | ||
| 135 | default: | ||
| 136 | { | ||
| 137 | if (case_insensitive != MagickFalse) | ||
| 138 | diff --git a/MagickCore/utility-private.h b/MagickCore/utility-private.h | ||
| 139 | index b3d951c..c28d4c5 100644 | ||
| 140 | --- a/MagickCore/utility-private.h | ||
| 141 | +++ b/MagickCore/utility-private.h | ||
| 142 | @@ -252,6 +252,121 @@ static inline FILE *popen_utf8(const char *command,const char *type) | ||
| 143 | #endif | ||
| 144 | } | ||
| 145 | |||
| 146 | +static inline char *realpath_utf8(const char *path) | ||
| 147 | +{ | ||
| 148 | +#if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) | ||
| 149 | +#if defined(MAGICKCORE_HAVE_REALPATH) | ||
| 150 | + return(realpath(path,(char *) NULL)); | ||
| 151 | +#else | ||
| 152 | + return(AcquireString(path)); | ||
| 153 | +#endif | ||
| 154 | +#else | ||
| 155 | + char | ||
| 156 | + *real_path; | ||
| 157 | + | ||
| 158 | + DWORD | ||
| 159 | + final_path_length, | ||
| 160 | + full_path_length; | ||
| 161 | + | ||
| 162 | + HANDLE | ||
| 163 | + file_handle; | ||
| 164 | + | ||
| 165 | + int | ||
| 166 | + length, | ||
| 167 | + utf8_length; | ||
| 168 | + | ||
| 169 | + wchar_t | ||
| 170 | + *clean_path, | ||
| 171 | + *full_path, | ||
| 172 | + *wide_path; | ||
| 173 | + | ||
| 174 | + /* | ||
| 175 | + Convert UTF-8 to UTF-16. | ||
| 176 | + */ | ||
| 177 | + if (path == (const char *) NULL) | ||
| 178 | + return((char *) NULL); | ||
| 179 | + length=MultiByteToWideChar(CP_UTF8,0,path,-1,NULL,0); | ||
| 180 | + if (length <= 0) | ||
| 181 | + return((char *) NULL); | ||
| 182 | + wide_path=(wchar_t *) AcquireQuantumMemory(length,sizeof(wchar_t)); | ||
| 183 | + if (wide_path == (wchar_t *) NULL) | ||
| 184 | + return((char *) NULL); | ||
| 185 | + MultiByteToWideChar(CP_UTF8,0,path,-1,wide_path,length); | ||
| 186 | + /* | ||
| 187 | + Normalize syntactically. | ||
| 188 | + */ | ||
| 189 | + full_path_length=GetFullPathNameW(wide_path,0,NULL,NULL); | ||
| 190 | + if (full_path_length == 0) | ||
| 191 | + { | ||
| 192 | + wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); | ||
| 193 | + return((char *) NULL); | ||
| 194 | + } | ||
| 195 | + full_path=(wchar_t *) AcquireQuantumMemory(full_path_length,sizeof(wchar_t)); | ||
| 196 | + if (full_path == (wchar_t *) NULL) | ||
| 197 | + { | ||
| 198 | + wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); | ||
| 199 | + return((char *) NULL); | ||
| 200 | + } | ||
| 201 | + GetFullPathNameW(wide_path,full_path_length,full_path,NULL); | ||
| 202 | + wide_path=(wchar_t *) RelinquishMagickMemory(wide_path); | ||
| 203 | + /* | ||
| 204 | + Open the file/directory to resolve symlinks. | ||
| 205 | + */ | ||
| 206 | + file_handle=CreateFileW(full_path,GENERIC_READ,FILE_SHARE_READ | | ||
| 207 | + FILE_SHARE_WRITE | FILE_SHARE_DELETE,NULL,OPEN_EXISTING, | ||
| 208 | + FILE_FLAG_BACKUP_SEMANTICS,NULL); | ||
| 209 | + if (file_handle != INVALID_HANDLE_VALUE) | ||
| 210 | + { | ||
| 211 | + /* | ||
| 212 | + Resolve final canonical path. | ||
| 213 | + */ | ||
| 214 | + final_path_length=GetFinalPathNameByHandleW(file_handle,NULL,0, | ||
| 215 | + FILE_NAME_NORMALIZED); | ||
| 216 | + if (final_path_length == 0) | ||
| 217 | + { | ||
| 218 | + CloseHandle(file_handle); | ||
| 219 | + full_path=(wchar_t *) RelinquishMagickMemory(full_path); | ||
| 220 | + return((char *) NULL); | ||
| 221 | + } | ||
| 222 | + full_path=(wchar_t *) RelinquishMagickMemory(full_path); | ||
| 223 | + full_path=(wchar_t *) AcquireQuantumMemory(final_path_length, | ||
| 224 | + sizeof(wchar_t)); | ||
| 225 | + if (full_path == (wchar_t *) NULL) | ||
| 226 | + { | ||
| 227 | + CloseHandle(file_handle); | ||
| 228 | + return((char *) NULL); | ||
| 229 | + } | ||
| 230 | + GetFinalPathNameByHandleW(file_handle,full_path,final_path_length, | ||
| 231 | + FILE_NAME_NORMALIZED); | ||
| 232 | + CloseHandle(file_handle); | ||
| 233 | + } | ||
| 234 | + /* | ||
| 235 | + Remove \\?\ prefix for POSIX-like behavior. | ||
| 236 | + */ | ||
| 237 | + clean_path=full_path; | ||
| 238 | + if (wcsncmp(full_path,L"\\\\?\\",4) == 0) | ||
| 239 | + clean_path=full_path+4; | ||
| 240 | + /* | ||
| 241 | + Convert UTF-16 to UTF-8. | ||
| 242 | + */ | ||
| 243 | + utf8_length=WideCharToMultiByte(CP_UTF8,0,clean_path,-1,NULL,0,NULL,NULL); | ||
| 244 | + if (utf8_length <= 0) | ||
| 245 | + { | ||
| 246 | + full_path=(wchar_t *) RelinquishMagickMemory(full_path); | ||
| 247 | + return NULL; | ||
| 248 | + } | ||
| 249 | + real_path=(char *) AcquireQuantumMemory(utf8_length,sizeof(char)); | ||
| 250 | + if (real_path == (char *) NULL) | ||
| 251 | + { | ||
| 252 | + full_path=(wchar_t *) RelinquishMagickMemory(full_path); | ||
| 253 | + return NULL; | ||
| 254 | + } | ||
| 255 | + WideCharToMultiByte(CP_UTF8,0,clean_path,-1,real_path,utf8_length,NULL,NULL); | ||
| 256 | + full_path=(wchar_t *) RelinquishMagickMemory(full_path); | ||
| 257 | + return(real_path); | ||
| 258 | +#endif | ||
| 259 | +} | ||
| 260 | + | ||
| 261 | static inline int remove_utf8(const char *path) | ||
| 262 | { | ||
| 263 | #if !defined(MAGICKCORE_WINDOWS_SUPPORT) || defined(__CYGWIN__) | ||
| 264 | diff --git a/MagickCore/utility.c b/MagickCore/utility.c | ||
| 265 | index bbeef37..4fd6e9c 100644 | ||
| 266 | --- a/MagickCore/utility.c | ||
| 267 | +++ b/MagickCore/utility.c | ||
| 268 | @@ -1042,16 +1042,23 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent) | ||
| 269 | #if defined(MAGICKCORE_HAVE__NSGETEXECUTABLEPATH) | ||
| 270 | { | ||
| 271 | char | ||
| 272 | - executable_path[PATH_MAX << 1], | ||
| 273 | - execution_path[PATH_MAX+1]; | ||
| 274 | + executable_path[PATH_MAX << 1]; | ||
| 275 | |||
| 276 | uint32_t | ||
| 277 | length; | ||
| 278 | |||
| 279 | length=sizeof(executable_path); | ||
| 280 | - if ((_NSGetExecutablePath(executable_path,&length) == 0) && | ||
| 281 | - (realpath(executable_path,execution_path) != (char *) NULL)) | ||
| 282 | - (void) CopyMagickString(path,execution_path,extent); | ||
| 283 | + if (_NSGetExecutablePath(executable_path,&length) == 0) | ||
| 284 | + { | ||
| 285 | + char | ||
| 286 | + *real_path = realpath_utf8(executable_path); | ||
| 287 | + | ||
| 288 | + if (real_path != (char *) NULL) | ||
| 289 | + { | ||
| 290 | + (void) CopyMagickString(path,real_path,extent); | ||
| 291 | + real_path=DestroyString(real_path); | ||
| 292 | + } | ||
| 293 | + } | ||
| 294 | } | ||
| 295 | #endif | ||
| 296 | #if defined(MAGICKCORE_HAVE_GETEXECNAME) | ||
| 297 | @@ -1097,10 +1104,13 @@ MagickPrivate MagickBooleanType GetExecutionPath(char *path,const size_t extent) | ||
| 298 | if (count != -1) | ||
| 299 | { | ||
| 300 | char | ||
| 301 | - execution_path[PATH_MAX+1]; | ||
| 302 | + *real_path = realpath_utf8(program_name); | ||
| 303 | |||
| 304 | - if (realpath(program_name,execution_path) != (char *) NULL) | ||
| 305 | - (void) CopyMagickString(path,execution_path,extent); | ||
| 306 | + if (real_path != (char *) NULL) | ||
| 307 | + { | ||
| 308 | + (void) CopyMagickString(path,real_path,extent); | ||
| 309 | + real_path=DestroyString(real_path); | ||
| 310 | + } | ||
| 311 | } | ||
| 312 | if (program_name != program_invocation_name) | ||
| 313 | program_name=(char *) RelinquishMagickMemory(program_name); | ||
| 314 | @@ -1882,7 +1892,7 @@ MagickPrivate MagickBooleanType ShredFile(const char *path) | ||
| 315 | { | ||
| 316 | char | ||
| 317 | *property; | ||
| 318 | - | ||
| 319 | + | ||
| 320 | passes=0; | ||
| 321 | property=GetEnvironmentValue("MAGICK_SHRED_PASSES"); | ||
| 322 | if (property != (char *) NULL) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch new file mode 100644 index 0000000000..324443e5f0 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25966.patch | |||
| @@ -0,0 +1,56 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 3 Feb 2026 20:00:28 +0100 | ||
| 3 | Subject: Block reading from fd: in our more secure policies by default | ||
| 4 | (GHSA-xwc6-v6g8-pw2h) | ||
| 5 | |||
| 6 | (cherry picked from commit 8d4c67a90ae458fb36393a05c0069e9123ac174c) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25966 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c] | ||
| 10 | |||
| 11 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | config/policy-secure.xml | 1 + | ||
| 17 | config/policy-websafe.xml | 1 + | ||
| 18 | www/security-policy.html | 1 + | ||
| 19 | 3 files changed, 3 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/config/policy-secure.xml b/config/policy-secure.xml | ||
| 22 | index 0d312d2..4239822 100644 | ||
| 23 | --- a/config/policy-secure.xml | ||
| 24 | +++ b/config/policy-secure.xml | ||
| 25 | @@ -88,6 +88,7 @@ | ||
| 26 | <policy domain="filter" rights="none" pattern="*"/> | ||
| 27 | <!-- Don't read/write from/to stdin/stdout. --> | ||
| 28 | <policy domain="path" rights="none" pattern="-"/> | ||
| 29 | + <policy domain="path" rights="none" pattern="fd:*"/> | ||
| 30 | <!-- don't read sensitive paths. --> | ||
| 31 | <policy domain="path" rights="none" pattern="/etc/*"/> | ||
| 32 | <!-- Indirect reads are not permitted. --> | ||
| 33 | diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml | ||
| 34 | index 05327e3..544bf74 100644 | ||
| 35 | --- a/config/policy-websafe.xml | ||
| 36 | +++ b/config/policy-websafe.xml | ||
| 37 | @@ -84,6 +84,7 @@ | ||
| 38 | <policy domain="filter" rights="none" pattern="*"/> | ||
| 39 | <!-- Don't read/write from/to stdin/stdout. --> | ||
| 40 | <policy domain="path" rights="none" pattern="-"/> | ||
| 41 | + <policy domain="path" rights="none" pattern="fd:*"/> | ||
| 42 | <!-- don't read sensitive paths. --> | ||
| 43 | <policy domain="path" rights="none" pattern="/etc/*"/> | ||
| 44 | <!-- Indirect reads are not permitted. --> | ||
| 45 | diff --git a/www/security-policy.html b/www/security-policy.html | ||
| 46 | index af8c206..b254962 100644 | ||
| 47 | --- a/www/security-policy.html | ||
| 48 | +++ b/www/security-policy.html | ||
| 49 | @@ -250,6 +250,7 @@ | ||
| 50 | <policy domain="filter" rights="none" pattern="*"/> | ||
| 51 | <!-- Don't read/write from/to stdin/stdout. --> | ||
| 52 | <policy domain="path" rights="none" pattern="-"/> | ||
| 53 | + <policy domain="path" rights="none" pattern="fd:*"/> | ||
| 54 | <!-- don't read sensitive paths. --> | ||
| 55 | <policy domain="path" rights="none" pattern="/etc/*"/> | ||
| 56 | <!-- Indirect reads are not permitted. --> | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch new file mode 100644 index 0000000000..d9b7efc9c1 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25967.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 31 Jan 2026 12:59:33 -0500 | ||
| 3 | Subject: [PATCH] CVE-2026-25967 | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4 | ||
| 5 | |||
| 6 | a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. | ||
| 7 | |||
| 8 | (cherry picked from commit 9afe96cc325da1e4349fbd7418675af2f8708c10) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25967 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9afe96cc325da1e4349fbd7418675af2f8708c10] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/9afe96cc325da1e4349fbd7418675af2f8708c10 | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/ftxt.c | 4 ++-- | ||
| 19 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/ftxt.c b/coders/ftxt.c | ||
| 22 | index d665bec..e9bb47f 100644 | ||
| 23 | --- a/coders/ftxt.c | ||
| 24 | +++ b/coders/ftxt.c | ||
| 25 | @@ -197,11 +197,11 @@ static int ReadInt(Image * image,MagickBooleanType *eofInp,int *chPushed, | ||
| 26 | if (p-buffer >= MaxTextExtent) | ||
| 27 | { | ||
| 28 | *eofInp=MagickTrue; | ||
| 29 | - continue; | ||
| 30 | + break; | ||
| 31 | } | ||
| 32 | chIn=ReadChar(image,chPushed); | ||
| 33 | } | ||
| 34 | - if (p==buffer) | ||
| 35 | + if (p == buffer) | ||
| 36 | { | ||
| 37 | *eofInp=MagickTrue; | ||
| 38 | return(0); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch new file mode 100644 index 0000000000..548c7e82f1 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25968.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 3 Feb 2026 22:40:04 +0100 | ||
| 3 | Subject: Patch to resolve possible out of bounds write in the msl decoder | ||
| 4 | (GHSA-3mwp-xqp2-q6ph). | ||
| 5 | |||
| 6 | (cherry picked from commit 56f02958890b820cf2d0a6ecb04eb6f58ea75628) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25968 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/56f02958890b820cf2d0a6ecb04eb6f58ea75628] | ||
| 10 | |||
| 11 | origin: https://github.com/ImageMagick/ImageMagick/commit/56f02958890b820cf2d0a6ecb04eb6f58ea75628 | ||
| 12 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3mwp-xqp2-q6ph | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/msl.c | 9 +++++---- | ||
| 17 | 1 file changed, 5 insertions(+), 4 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/coders/msl.c b/coders/msl.c | ||
| 20 | index 9facbf2..4af3a71 100644 | ||
| 21 | --- a/coders/msl.c | ||
| 22 | +++ b/coders/msl.c | ||
| 23 | @@ -5827,11 +5827,12 @@ static void MSLStartElement(void *context,const xmlChar *tag, | ||
| 24 | Quantum opac = OpaqueAlpha; | ||
| 25 | ssize_t len = (ssize_t) strlen( value ); | ||
| 26 | |||
| 27 | - if (value[len-1] == '%') { | ||
| 28 | - char tmp[100]; | ||
| 29 | + if ((len > 0) && (value[len-1] == '%')) { | ||
| 30 | + char *tmp = AcquireString(value); | ||
| 31 | (void) CopyMagickString(tmp,value,(size_t) len); | ||
| 32 | - opac = StringToLong( tmp ); | ||
| 33 | - opac = (int)(QuantumRange * ((float)opac/100)); | ||
| 34 | + opac = (Quantum) StringToLong( tmp ); | ||
| 35 | + tmp=DestroyString(tmp); | ||
| 36 | + opac = (Quantum)(QuantumRange * ((float)opac/100)); | ||
| 37 | } else | ||
| 38 | opac = StringToLong( value ); | ||
| 39 | (void) SetImageAlpha( msl_info->image[n], (Quantum) opac, | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch new file mode 100644 index 0000000000..4432a5c9d8 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25969.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Wed, 28 Jan 2026 20:33:56 -0500 | ||
| 3 | Subject: [PATCH] CVE-2026-25969 | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm | ||
| 5 | |||
| 6 | a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. | ||
| 7 | |||
| 8 | (cherry picked from commit a253d1b124ebdcc2832daac6f9a35c362635b40e) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25969 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/a253d1b124ebdcc2832daac6f9a35c362635b40e] | ||
| 12 | |||
| 13 | [backport] | ||
| 14 | - do not change border parameters, keep old parameter in patch context | ||
| 15 | |||
| 16 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/a253d1b124ebdcc2832daac6f9a35c362635b40e | ||
| 17 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xgm3-v4r9-wfgm | ||
| 18 | |||
| 19 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 20 | --- | ||
| 21 | coders/ashlar.c | 7 +++++-- | ||
| 22 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/coders/ashlar.c b/coders/ashlar.c | ||
| 25 | index a44976f..1984215 100644 | ||
| 26 | --- a/coders/ashlar.c | ||
| 27 | +++ b/coders/ashlar.c | ||
| 28 | @@ -543,7 +543,8 @@ static Image *ASHLARImage(ImageInfo *image_info,Image *image, | ||
| 29 | geometry.height=(size_t) geometry.height/7; | ||
| 30 | geometry.x=(ssize_t) pow((double) geometry.width,0.25); | ||
| 31 | geometry.y=(ssize_t) pow((double) geometry.height,0.25); | ||
| 32 | - image_info->extract=AcquireString(""); | ||
| 33 | + if (image_info->extract == (char *) NULL) | ||
| 34 | + image_info->extract=AcquireString(""); | ||
| 35 | if (image_info->extract != (char *) NULL) | ||
| 36 | (void) FormatLocaleString(image_info->extract,MagickPathExtent, | ||
| 37 | "%gx%g%+g%+g",(double) geometry.width,(double) geometry.height, | ||
| 38 | @@ -707,7 +708,6 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, | ||
| 39 | if (value != (const char *) NULL) | ||
| 40 | tiles_per_page=(size_t) MagickMax(StringToInteger(value),1); | ||
| 41 | ashlar_images=NewImageList(); | ||
| 42 | - write_info=CloneImageInfo(image_info); | ||
| 43 | for (i=0; i < (ssize_t) GetImageListLength(image); i+=(ssize_t) tiles_per_page) | ||
| 44 | { | ||
| 45 | char | ||
| 46 | @@ -726,7 +726,9 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, | ||
| 47 | ashlar_images=DestroyImageList(ashlar_images); | ||
| 48 | break; | ||
| 49 | } | ||
| 50 | + write_info=CloneImageInfo(image_info); | ||
| 51 | ashlar_image=ASHLARImage(write_info,clone_images,exception); | ||
| 52 | + write_info=DestroyImageInfo(write_info); | ||
| 53 | clone_images=DestroyImageList(clone_images); | ||
| 54 | if (ashlar_image == (Image *) NULL) | ||
| 55 | { | ||
| 56 | @@ -741,6 +743,7 @@ static MagickBooleanType WriteASHLARImage(const ImageInfo *image_info, | ||
| 57 | ashlar_images=GetFirstImageInList(ashlar_images); | ||
| 58 | (void) CopyMagickString(ashlar_images->filename,image_info->filename, | ||
| 59 | MagickPathExtent); | ||
| 60 | + write_info=CloneImageInfo(image_info); | ||
| 61 | *write_info->magick='\0'; | ||
| 62 | (void) SetImageInfo(write_info,(unsigned int) | ||
| 63 | GetImageListLength(ashlar_images),exception); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch new file mode 100644 index 0000000000..0483050a2b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970.patch | |||
| @@ -0,0 +1,139 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sun, 1 Feb 2026 13:55:34 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr | ||
| 5 | |||
| 6 | (cherry picked from commit 729253dc16e1a1ec4cac891a12d597e3fa9336b3) | ||
| 7 | |||
| 8 | CVE: CVE-2026-25970 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/729253dc16e1a1ec4cac891a12d597e3fa9336b3] | ||
| 10 | |||
| 11 | a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows | ||
| 12 | |||
| 13 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/729253dc16e1a1ec4cac891a12d597e3fa9336b3 | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/sixel.c | 39 +++++++++++++++++++++------------------ | ||
| 19 | 1 file changed, 21 insertions(+), 18 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/sixel.c b/coders/sixel.c | ||
| 22 | index aa9ce70..a75ee32 100644 | ||
| 23 | --- a/coders/sixel.c | ||
| 24 | +++ b/coders/sixel.c | ||
| 25 | @@ -250,7 +250,6 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 26 | c, | ||
| 27 | color_index, | ||
| 28 | g, | ||
| 29 | - i, | ||
| 30 | n, | ||
| 31 | max_color_index, | ||
| 32 | max_x, | ||
| 33 | @@ -261,23 +260,24 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 34 | r, | ||
| 35 | repeat_count, | ||
| 36 | sixel_palet[SIXEL_PALETTE_MAX], | ||
| 37 | - sixel_vertical_mask, | ||
| 38 | - x, | ||
| 39 | - y; | ||
| 40 | + sixel_vertical_mask; | ||
| 41 | |||
| 42 | sixel_pixel_t | ||
| 43 | *dmbuf, | ||
| 44 | *imbuf; | ||
| 45 | |||
| 46 | size_t | ||
| 47 | - extent, | ||
| 48 | - offset; | ||
| 49 | + extent; | ||
| 50 | |||
| 51 | ssize_t | ||
| 52 | dmsx, | ||
| 53 | dmsy, | ||
| 54 | + i, | ||
| 55 | imsx, | ||
| 56 | - imsy; | ||
| 57 | + imsy, | ||
| 58 | + offset, | ||
| 59 | + x, | ||
| 60 | + y; | ||
| 61 | |||
| 62 | extent=strlen((char *) p); | ||
| 63 | position_x=position_y=0; | ||
| 64 | @@ -294,7 +294,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 65 | imsy=2048; | ||
| 66 | if (SetImageExtent(image,(size_t) imsx,(size_t) imsy,exception) == MagickFalse) | ||
| 67 | return(MagickFalse); | ||
| 68 | - imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx,(size_t) imsy*sizeof(sixel_pixel_t)); | ||
| 69 | + imbuf=(sixel_pixel_t *) AcquireQuantumMemory((size_t) imsx, | ||
| 70 | + (size_t) imsy*sizeof(sixel_pixel_t)); | ||
| 71 | if (imbuf == (sixel_pixel_t *) NULL) | ||
| 72 | return(MagickFalse); | ||
| 73 | for (n = 0; n < 16; n++) | ||
| 74 | @@ -315,8 +316,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 75 | sixel_palet[n++]=SIXEL_RGB(i*11,i*11,i*11); | ||
| 76 | for (; n < SIXEL_PALETTE_MAX; n++) | ||
| 77 | sixel_palet[n]=SIXEL_RGB(255,255,255); | ||
| 78 | - for (i = 0; i < imsx * imsy; i++) | ||
| 79 | - imbuf[i]=background_color_index; | ||
| 80 | + for (i = 0; i < (imsx*imsy); i++) | ||
| 81 | + imbuf[i]=(sixel_pixel_t) background_color_index; | ||
| 82 | while (*p != '\0') | ||
| 83 | { | ||
| 84 | if ((p[0] == '\033' && p[1] == 'P') || (*p == 0x90)) | ||
| 85 | @@ -409,7 +410,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 86 | } | ||
| 87 | (void) memset(dmbuf,background_color_index,(size_t) dmsx*(size_t) | ||
| 88 | dmsy*sizeof(sixel_pixel_t)); | ||
| 89 | - for (y = 0; y < imsy; ++y) | ||
| 90 | + for (y=0; y < imsy; ++y) | ||
| 91 | (void) memcpy(dmbuf+dmsx*y,imbuf+imsx*y,(size_t) imsx* | ||
| 92 | sizeof(sixel_pixel_t)); | ||
| 93 | imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); | ||
| 94 | @@ -486,7 +487,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 95 | } | ||
| 96 | else if ((*p >= '?') && (*p <= '\177')) | ||
| 97 | { | ||
| 98 | - if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6))) | ||
| 99 | + if ((imsx < ((ssize_t) position_x+repeat_count)) || | ||
| 100 | + (imsy < ((ssize_t) position_y+6))) | ||
| 101 | { | ||
| 102 | ssize_t | ||
| 103 | nx, | ||
| 104 | @@ -495,7 +497,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 105 | nx=imsx*2; | ||
| 106 | ny=imsy*2; | ||
| 107 | |||
| 108 | - while ((nx < (position_x + repeat_count)) || (ny < (position_y + 6))) | ||
| 109 | + while ((nx < ((ssize_t) position_x+repeat_count)) || (ny < ((ssize_t) position_y+6))) | ||
| 110 | { | ||
| 111 | nx *= 2; | ||
| 112 | ny *= 2; | ||
| 113 | @@ -535,9 +537,9 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 114 | { | ||
| 115 | if ((b & sixel_vertical_mask) != 0) | ||
| 116 | { | ||
| 117 | - offset=(size_t) (imsx*((ssize_t) position_y+i)+ | ||
| 118 | + offset=(ssize_t) (imsx*((ssize_t) position_y+i)+ | ||
| 119 | (ssize_t) position_x); | ||
| 120 | - if (offset >= (size_t) (imsx*imsy)) | ||
| 121 | + if (offset >= (imsx*imsy)) | ||
| 122 | { | ||
| 123 | imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); | ||
| 124 | return(MagickFalse); | ||
| 125 | @@ -567,10 +569,11 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 126 | } | ||
| 127 | for (y = position_y + i; y < position_y + i + n; ++y) | ||
| 128 | { | ||
| 129 | - offset=(size_t) ((ssize_t) imsx*y+(ssize_t) position_x); | ||
| 130 | - if ((offset+(size_t) repeat_count) >= (size_t) (imsx*imsy)) | ||
| 131 | + offset=(imsx*y+position_x); | ||
| 132 | + if ((offset+repeat_count) >= (imsx*imsy)) | ||
| 133 | { | ||
| 134 | - imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf); | ||
| 135 | + imbuf=(sixel_pixel_t *) | ||
| 136 | + RelinquishMagickMemory(imbuf); | ||
| 137 | return(MagickFalse); | ||
| 138 | } | ||
| 139 | for (x = 0; x < repeat_count; x++) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch new file mode 100644 index 0000000000..15488934f4 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25970_pre1.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Wed, 28 Jan 2026 19:50:14 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4x | ||
| 5 | |||
| 6 | This fix int to size_t and is needed for fully fix CVE-2026-25970 | ||
| 7 | |||
| 8 | CVE: CVE-2026-25970 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/266e59ed8d886a76355c863bd38ff5ac34537673] | ||
| 10 | |||
| 11 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/266e59ed8d886a76355c863bd38ff5ac34537673 | ||
| 12 | (cherry picked from commit 266e59ed8d886a76355c863bd38ff5ac34537673) | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/sixel.c | 12 +++++++----- | ||
| 17 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/coders/sixel.c b/coders/sixel.c | ||
| 20 | index 11d857d..aa9ce70 100644 | ||
| 21 | --- a/coders/sixel.c | ||
| 22 | +++ b/coders/sixel.c | ||
| 23 | @@ -249,12 +249,8 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 24 | background_color_index, | ||
| 25 | c, | ||
| 26 | color_index, | ||
| 27 | - dmsx, | ||
| 28 | - dmsy, | ||
| 29 | g, | ||
| 30 | i, | ||
| 31 | - imsx, | ||
| 32 | - imsy, | ||
| 33 | n, | ||
| 34 | max_color_index, | ||
| 35 | max_x, | ||
| 36 | @@ -277,6 +273,12 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 37 | extent, | ||
| 38 | offset; | ||
| 39 | |||
| 40 | + ssize_t | ||
| 41 | + dmsx, | ||
| 42 | + dmsy, | ||
| 43 | + imsx, | ||
| 44 | + imsy; | ||
| 45 | + | ||
| 46 | extent=strlen((char *) p); | ||
| 47 | position_x=position_y=0; | ||
| 48 | max_x=max_y=0; | ||
| 49 | @@ -486,7 +488,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p, | ||
| 50 | { | ||
| 51 | if ((imsx < (position_x + repeat_count)) || (imsy < (position_y + 6))) | ||
| 52 | { | ||
| 53 | - int | ||
| 54 | + ssize_t | ||
| 55 | nx, | ||
| 56 | ny; | ||
| 57 | |||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch new file mode 100644 index 0000000000..cd6074db97 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25982.patch | |||
| @@ -0,0 +1,77 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 3 Feb 2026 21:53:39 +0100 | ||
| 3 | Subject: Added checks to prevent an out of bounds read (GHSA-pmq6-8289-hx3v) | ||
| 4 | |||
| 5 | (cherry picked from commit 4e1f5381d4ccbb6b71927e94c5d257fa883b3af7) | ||
| 6 | |||
| 7 | CVE: CVE-2026-25982 | ||
| 8 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4e1f5381d4ccbb6b71927e94c5d257fa883b3af7] | ||
| 9 | |||
| 10 | origin: https://github.com/ImageMagick/ImageMagick/commit/4e1f5381d4ccbb6b71927e94c5d257fa883b3af7 | ||
| 11 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pmq6-8289-hx3v | ||
| 12 | |||
| 13 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 14 | --- | ||
| 15 | coders/dcm.c | 18 +++++++++++++++--- | ||
| 16 | 1 file changed, 15 insertions(+), 3 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/coders/dcm.c b/coders/dcm.c | ||
| 19 | index df45d71..fdd3b93 100644 | ||
| 20 | --- a/coders/dcm.c | ||
| 21 | +++ b/coders/dcm.c | ||
| 22 | @@ -2704,6 +2704,7 @@ typedef struct _DCMInfo | ||
| 23 | |||
| 24 | size_t | ||
| 25 | bits_allocated, | ||
| 26 | + bits_per_entry, | ||
| 27 | bytes_per_pixel, | ||
| 28 | depth, | ||
| 29 | mask, | ||
| 30 | @@ -3158,6 +3159,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 31 | */ | ||
| 32 | (void) CopyMagickString(photometric,"MONOCHROME1 ",MagickPathExtent); | ||
| 33 | info.bits_allocated=8; | ||
| 34 | + info.bits_per_entry=1; | ||
| 35 | info.bytes_per_pixel=1; | ||
| 36 | info.depth=8; | ||
| 37 | info.mask=0xffff; | ||
| 38 | @@ -3695,7 +3697,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 39 | else | ||
| 40 | index=(unsigned short) (*p | (*(p+1) << 8)); | ||
| 41 | map.red[i]=(int) index; | ||
| 42 | - p+=(ptrdiff_t) 2; | ||
| 43 | + p+=(ptrdiff_t) info.bits_per_entry; | ||
| 44 | } | ||
| 45 | break; | ||
| 46 | } | ||
| 47 | @@ -3727,7 +3729,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 48 | else | ||
| 49 | index=(unsigned short) (*p | (*(p+1) << 8)); | ||
| 50 | map.green[i]=(int) index; | ||
| 51 | - p+=(ptrdiff_t) 2; | ||
| 52 | + p+=(ptrdiff_t) info.bits_per_entry; | ||
| 53 | } | ||
| 54 | break; | ||
| 55 | } | ||
| 56 | @@ -3759,10 +3761,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 57 | else | ||
| 58 | index=(unsigned short) (*p | (*(p+1) << 8)); | ||
| 59 | map.blue[i]=(int) index; | ||
| 60 | - p+=(ptrdiff_t) 2; | ||
| 61 | + p+=(ptrdiff_t) info.bits_per_entry; | ||
| 62 | } | ||
| 63 | break; | ||
| 64 | } | ||
| 65 | + case 0x3002: | ||
| 66 | + { | ||
| 67 | + /* | ||
| 68 | + Bytes per entry. | ||
| 69 | + */ | ||
| 70 | + info.bits_per_entry=(size_t) datum; | ||
| 71 | + if ((info.bits_per_entry == 0) || (info.bits_per_entry > 2)) | ||
| 72 | + ThrowDCMException(CorruptImageError,"ImproperImageHeader") | ||
| 73 | + break; | ||
| 74 | + } | ||
| 75 | default: | ||
| 76 | break; | ||
| 77 | } | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch new file mode 100644 index 0000000000..e2f2093ad1 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25985.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 7 Feb 2026 22:30:57 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84 | ||
| 5 | |||
| 6 | a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. | ||
| 7 | |||
| 8 | (cherry picked from commit 1a51eb9af00c36724660e294520878fd1f13e312) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25985 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/1a51eb9af00c36724660e294520878fd1f13e312 | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | MagickCore/draw.c | 16 ++++++++-------- | ||
| 19 | 1 file changed, 8 insertions(+), 8 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/MagickCore/draw.c b/MagickCore/draw.c | ||
| 22 | index d1c0651..2faa8f0 100644 | ||
| 23 | --- a/MagickCore/draw.c | ||
| 24 | +++ b/MagickCore/draw.c | ||
| 25 | @@ -2297,7 +2297,7 @@ static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info, | ||
| 26 | extent=(double) mvg_info->offset+pad+(PrimitiveExtentPad+1)*(double) quantum; | ||
| 27 | if (extent <= (double) *mvg_info->extent) | ||
| 28 | return(MagickTrue); | ||
| 29 | - if ((extent >= (double) MAGICK_SSIZE_MAX) || (IsNaN(extent) != 0)) | ||
| 30 | + if ((extent >= (double) GetMaxMemoryRequest()) || (IsNaN(extent) != 0)) | ||
| 31 | return(MagickFalse); | ||
| 32 | if (mvg_info->offset > 0) | ||
| 33 | { | ||
| 34 | @@ -6401,7 +6401,7 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info, | ||
| 35 | for (j=i+1; j < (ssize_t) number_coordinates; j++) | ||
| 36 | { | ||
| 37 | alpha=fabs(primitive_info[j].point.x-primitive_info[i].point.x); | ||
| 38 | - if (alpha > (double) MAGICK_SSIZE_MAX) | ||
| 39 | + if (alpha > (double) GetMaxMemoryRequest()) | ||
| 40 | { | ||
| 41 | (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), | ||
| 42 | ResourceLimitError,"MemoryAllocationFailed","`%s'",""); | ||
| 43 | @@ -6410,18 +6410,18 @@ static MagickBooleanType TraceBezier(MVGInfo *mvg_info, | ||
| 44 | if (alpha > (double) quantum) | ||
| 45 | quantum=(size_t) alpha; | ||
| 46 | alpha=fabs(primitive_info[j].point.y-primitive_info[i].point.y); | ||
| 47 | - if (alpha > (double) MAGICK_SSIZE_MAX) | ||
| 48 | - { | ||
| 49 | - (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), | ||
| 50 | - ResourceLimitError,"MemoryAllocationFailed","`%s'",""); | ||
| 51 | - return(MagickFalse); | ||
| 52 | - } | ||
| 53 | if (alpha > (double) quantum) | ||
| 54 | quantum=(size_t) alpha; | ||
| 55 | } | ||
| 56 | } | ||
| 57 | primitive_info=(*mvg_info->primitive_info)+mvg_info->offset; | ||
| 58 | quantum=MagickMin(quantum/number_coordinates,BezierQuantum); | ||
| 59 | + if (quantum > (double) GetMaxMemoryRequest()) | ||
| 60 | + { | ||
| 61 | + (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), | ||
| 62 | + ResourceLimitError,"MemoryAllocationFailed","`%s'",""); | ||
| 63 | + return(MagickFalse); | ||
| 64 | + } | ||
| 65 | coefficients=(double *) AcquireQuantumMemory(number_coordinates, | ||
| 66 | sizeof(*coefficients)); | ||
| 67 | points=(PointInfo *) AcquireQuantumMemory(quantum,number_coordinates* | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch new file mode 100644 index 0000000000..10be76cb90 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25986.patch | |||
| @@ -0,0 +1,42 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 7 Feb 2026 17:42:01 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 | ||
| 5 | |||
| 6 | A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. | ||
| 7 | |||
| 8 | (cherry picked from commit b9c80ad3ca802b6883da25f153c4fdf72c017eba) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25986 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/b9c80ad3ca802b6883da25f153c4fdf72c017eba] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/b9c80ad3ca802b6883da25f153c4fdf72c017eba | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mqfc-82jx-3mr2 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/yuv.c | 4 ++-- | ||
| 19 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/yuv.c b/coders/yuv.c | ||
| 22 | index 1817c43..21486fc 100644 | ||
| 23 | --- a/coders/yuv.c | ||
| 24 | +++ b/coders/yuv.c | ||
| 25 | @@ -261,7 +261,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 26 | chroma_image->columns,1,exception); | ||
| 27 | if (chroma_pixels == (Quantum *) NULL) | ||
| 28 | break; | ||
| 29 | - for (x=0; x < (ssize_t) image->columns; x+=2) | ||
| 30 | + for (x=0; x < (ssize_t) (image->columns-1); x+=2) | ||
| 31 | { | ||
| 32 | SetPixelRed(chroma_image,0,chroma_pixels); | ||
| 33 | if (quantum == 1) | ||
| 34 | @@ -740,7 +740,7 @@ static MagickBooleanType WriteYUVImage(const ImageInfo *image_info,Image *image, | ||
| 35 | exception); | ||
| 36 | if (s == (const Quantum *) NULL) | ||
| 37 | break; | ||
| 38 | - for (x=0; x < (ssize_t) yuv_image->columns; x+=2) | ||
| 39 | + for (x=0; x < (ssize_t) (yuv_image->columns-1); x+=2) | ||
| 40 | { | ||
| 41 | if (quantum == 1) | ||
| 42 | { | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch new file mode 100644 index 0000000000..b34f598761 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25987.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 7 Feb 2026 18:03:19 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 | ||
| 5 | |||
| 6 | a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding | ||
| 7 | |||
| 8 | (cherry picked from commit bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25987 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a] | ||
| 12 | |||
| 13 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/map.c | 6 ++++-- | ||
| 19 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/map.c b/coders/map.c | ||
| 22 | index 6b0f992..f5dbcdb 100644 | ||
| 23 | --- a/coders/map.c | ||
| 24 | +++ b/coders/map.c | ||
| 25 | @@ -160,6 +160,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 26 | if (status == MagickFalse) | ||
| 27 | ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); | ||
| 28 | depth=GetImageQuantumDepth(image,MagickTrue); | ||
| 29 | + if ((depth <= 8) && (image->colors > 256)) | ||
| 30 | + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); | ||
| 31 | packet_size=(size_t) (depth/8); | ||
| 32 | pixels=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size* | ||
| 33 | sizeof(*pixels)); | ||
| 34 | @@ -236,8 +238,8 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) | ||
| 35 | p++; | ||
| 36 | if (image->colors > 256) | ||
| 37 | { | ||
| 38 | - index=ConstrainColormapIndex(image,(ssize_t) (((size_t) index << 8)+ | ||
| 39 | - (size_t) (*p)),exception); | ||
| 40 | + index=(Quantum) ConstrainColormapIndex(image,(ssize_t) | ||
| 41 | + (((size_t) index << 8)+(size_t) (*p)),exception); | ||
| 42 | p++; | ||
| 43 | } | ||
| 44 | SetPixelIndex(image,index,q); | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch new file mode 100644 index 0000000000..f371140c3c --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25988.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Sat, 7 Feb 2026 17:53:18 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 | ||
| 5 | |||
| 6 | sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks | ||
| 7 | |||
| 8 | (cherry picked from commit 4354fc1d554ec2e6314aed13536efa7bde9593d2) | ||
| 9 | |||
| 10 | CVE: CVE-2026-25988 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2 | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/msl.c | 5 +++-- | ||
| 19 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/msl.c b/coders/msl.c | ||
| 22 | index e2ad95a..be45dbf 100644 | ||
| 23 | --- a/coders/msl.c | ||
| 24 | +++ b/coders/msl.c | ||
| 25 | @@ -240,7 +240,7 @@ static int IsPathDirectory(const char *path) | ||
| 26 | return(1); | ||
| 27 | } | ||
| 28 | |||
| 29 | -static void MSLPushImage(MSLInfo *msl_info,Image *image) | ||
| 30 | +static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image) | ||
| 31 | { | ||
| 32 | ssize_t | ||
| 33 | n; | ||
| 34 | @@ -274,6 +274,7 @@ static void MSLPushImage(MSLInfo *msl_info,Image *image) | ||
| 35 | ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed") | ||
| 36 | if (msl_info->number_groups != 0) | ||
| 37 | msl_info->group_info[msl_info->number_groups-1].numImages++; | ||
| 38 | + return(n); | ||
| 39 | } | ||
| 40 | |||
| 41 | static void MSLPopImage(MSLInfo *msl_info) | ||
| 42 | @@ -3071,7 +3072,7 @@ static void MSLStartElement(void *context,const xmlChar *tag, | ||
| 43 | { | ||
| 44 | if (LocaleCompare((const char *) tag,"image") == 0) | ||
| 45 | { | ||
| 46 | - MSLPushImage(msl_info,(Image *) NULL); | ||
| 47 | + n=MSLPushImage(msl_info,(Image *) NULL); | ||
| 48 | if (attributes == (const xmlChar **) NULL) | ||
| 49 | break; | ||
| 50 | for (i=0; (attributes[i] != (const xmlChar *) NULL); i++) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch new file mode 100644 index 0000000000..72cb4944bf --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26066.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Thu, 12 Feb 2026 07:49:05 +0100 | ||
| 3 | Subject: Fixed possible infinite loop (GHSA-v994-63cg-9wj3) | ||
| 4 | |||
| 5 | CVE: CVE-2026-26066 | ||
| 6 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/880057ce34f6da9dff2fe3b290bbbc45b743e613] | ||
| 7 | |||
| 8 | origin: https://github.com/ImageMagick/ImageMagick/commit/880057ce34f6da9dff2fe3b290bbbc45b743e613 | ||
| 9 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3 | ||
| 10 | |||
| 11 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 12 | --- | ||
| 13 | coders/meta.c | 8 ++++---- | ||
| 14 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 15 | |||
| 16 | diff --git a/coders/meta.c b/coders/meta.c | ||
| 17 | index c76bbd5..55a5888 100644 | ||
| 18 | --- a/coders/meta.c | ||
| 19 | +++ b/coders/meta.c | ||
| 20 | @@ -1904,7 +1904,7 @@ static int formatIPTC(Image *ifile, Image *ofile) | ||
| 21 | foundiptc = 0; /* found the IPTC-Header */ | ||
| 22 | tagsfound = 0; /* number of tags found */ | ||
| 23 | |||
| 24 | - c = ReadBlobByte(ifile); | ||
| 25 | + c=ReadBlobByte(ifile); | ||
| 26 | while (c != EOF) | ||
| 27 | { | ||
| 28 | if (c == 0x1c) | ||
| 29 | @@ -1915,17 +1915,17 @@ static int formatIPTC(Image *ifile, Image *ofile) | ||
| 30 | return(-1); | ||
| 31 | else | ||
| 32 | { | ||
| 33 | - c=0; | ||
| 34 | + c=ReadBlobByte(ifile); | ||
| 35 | continue; | ||
| 36 | } | ||
| 37 | } | ||
| 38 | |||
| 39 | /* we found the 0x1c tag and now grab the dataset and record number tags */ | ||
| 40 | - c = ReadBlobByte(ifile); | ||
| 41 | + c=ReadBlobByte(ifile); | ||
| 42 | if (c == EOF) | ||
| 43 | return(-1); | ||
| 44 | dataset = (unsigned char) c; | ||
| 45 | - c = ReadBlobByte(ifile); | ||
| 46 | + c=ReadBlobByte(ifile); | ||
| 47 | if (c == EOF) | ||
| 48 | return(-1); | ||
| 49 | recnum = (unsigned char) c; | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch new file mode 100644 index 0000000000..7888fc2c9b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26283.patch | |||
| @@ -0,0 +1,33 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Fri, 13 Feb 2026 18:57:09 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v | ||
| 5 | |||
| 6 | a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails | ||
| 7 | |||
| 8 | (cherry picked from commit c448c6920a985872072fc7be6034f678c087de9b) | ||
| 9 | |||
| 10 | CVE: CVE-2026-26283 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c448c6920a985872072fc7be6034f678c087de9b] | ||
| 12 | |||
| 13 | origin: https://github.com/ImageMagick/ImageMagick/commit/c448c6920a985872072fc7be6034f678c087de9b | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/jpeg.c | 2 +- | ||
| 19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 20 | |||
| 21 | diff --git a/coders/jpeg.c b/coders/jpeg.c | ||
| 22 | index 8cbfa27..7ead4e5 100644 | ||
| 23 | --- a/coders/jpeg.c | ||
| 24 | +++ b/coders/jpeg.c | ||
| 25 | @@ -2707,7 +2707,7 @@ static MagickBooleanType WriteJPEGImage_(const ImageInfo *image_info, | ||
| 26 | status=WriteJPEGImage(extent_info,jpeg_image,exception); | ||
| 27 | (void) RelinquishUniqueFileResource(jpeg_image->filename); | ||
| 28 | if (status == MagickFalse) | ||
| 29 | - continue; | ||
| 30 | + break; | ||
| 31 | if (GetBlobSize(jpeg_image) <= extent) | ||
| 32 | minimum=jpeg_image->quality+1; | ||
| 33 | else | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch new file mode 100644 index 0000000000..7d25bfa2f2 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26284.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From: Dirk Lemstra <dirk@lemstra.org> | ||
| 2 | Date: Tue, 27 Jan 2026 21:45:02 +0100 | ||
| 3 | Subject: Corrected loop initialization to prevent out of bounds read | ||
| 4 | (GHSA-wrhr-rf8j-r842) | ||
| 5 | |||
| 6 | (cherry picked from commit 0c9ffcf55763e5daf1b61dfed0deed1aa43e217f) | ||
| 7 | |||
| 8 | CVE: CVE-2026-26284 | ||
| 9 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/0c9ffcf55763e5daf1b61dfed0deed1aa43e217f] | ||
| 10 | |||
| 11 | Bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842 | ||
| 12 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0c9ffcf55763e5daf1b61dfed0deed1aa43e217f | ||
| 13 | |||
| 14 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 15 | --- | ||
| 16 | coders/pcd.c | 2 +- | ||
| 17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 18 | |||
| 19 | diff --git a/coders/pcd.c b/coders/pcd.c | ||
| 20 | index e6a361c..279c85f 100644 | ||
| 21 | --- a/coders/pcd.c | ||
| 22 | +++ b/coders/pcd.c | ||
| 23 | @@ -313,7 +313,7 @@ static MagickBooleanType DecodeImage(Image *image,unsigned char *luma, | ||
| 24 | Decode luminance or chrominance deltas. | ||
| 25 | */ | ||
| 26 | r=pcd_table[plane]; | ||
| 27 | - for (i=0; ((i < (ssize_t) length) && ((sum & r->mask) != r->sequence)); i++) | ||
| 28 | + for (i=1; ((i < pcd_length[plane]) && ((sum & r->mask) != r->sequence)); i++) | ||
| 29 | r++; | ||
| 30 | if ((row > image->rows) || (r == (PCDTable *) NULL)) | ||
| 31 | { | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch new file mode 100644 index 0000000000..72b5779a22 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-26983.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From: Cristy <urban-warrior@imagemagick.org> | ||
| 2 | Date: Mon, 16 Feb 2026 10:00:58 -0500 | ||
| 3 | Subject: | ||
| 4 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8 | ||
| 5 | |||
| 6 | the MSL interpreter crashes when processing a invalid `<map>` element that causes it to use an image after it has been freed | ||
| 7 | |||
| 8 | (cherry picked from commit 7cfae4da24a995fb05386d77364ff404a7cca7bc) | ||
| 9 | |||
| 10 | CVE: CVE-2026-26983 | ||
| 11 | Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/7cfae4da24a995fb05386d77364ff404a7cca7bc] | ||
| 12 | |||
| 13 | origin: backport, https://github.com/ImageMagick/ImageMagick/commit/7cfae4da24a995fb05386d77364ff404a7cca7bc | ||
| 14 | bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8 | ||
| 15 | |||
| 16 | Signed-off-by: Naman Jain <namanj1@kpit.com> | ||
| 17 | --- | ||
| 18 | coders/msl.c | 9 ++++++--- | ||
| 19 | 1 file changed, 6 insertions(+), 3 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/coders/msl.c b/coders/msl.c | ||
| 22 | index be45dbf..bee781e 100644 | ||
| 23 | --- a/coders/msl.c | ||
| 24 | +++ b/coders/msl.c | ||
| 25 | @@ -3390,10 +3390,13 @@ static void MSLStartElement(void *context,const xmlChar *tag, | ||
| 26 | quantize_info=AcquireQuantizeInfo(msl_info->image_info[n]); | ||
| 27 | quantize_info->dither_method=dither != MagickFalse ? | ||
| 28 | RiemersmaDitherMethod : NoDitherMethod; | ||
| 29 | - (void) RemapImages(quantize_info,msl_info->image[n], | ||
| 30 | - affinity_image,exception); | ||
| 31 | + if (affinity_image != (Image *) NULL) | ||
| 32 | + { | ||
| 33 | + (void) RemapImages(quantize_info,msl_info->image[n], | ||
| 34 | + affinity_image,exception); | ||
| 35 | + affinity_image=DestroyImage(affinity_image); | ||
| 36 | + } | ||
| 37 | quantize_info=DestroyQuantizeInfo(quantize_info); | ||
| 38 | - affinity_image=DestroyImage(affinity_image); | ||
| 39 | break; | ||
| 40 | } | ||
| 41 | if (LocaleCompare((const char *) tag,"matte-floodfill") == 0) | ||
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb index ffc26e7169..acb6a16b1a 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb | |||
| @@ -29,6 +29,34 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt | |||
| 29 | file://CVE-2025-68618.patch \ | 29 | file://CVE-2025-68618.patch \ |
| 30 | file://CVE-2025-68950.patch \ | 30 | file://CVE-2025-68950.patch \ |
| 31 | file://CVE-2025-69204.patch \ | 31 | file://CVE-2025-69204.patch \ |
| 32 | file://CVE-2026-24481.patch \ | ||
| 33 | file://CVE-2026-25638.patch \ | ||
| 34 | file://CVE-2026-25794.patch \ | ||
| 35 | file://CVE-2026-25795.patch \ | ||
| 36 | file://CVE-2026-25796.patch \ | ||
| 37 | file://CVE-2026-25797_1.patch \ | ||
| 38 | file://CVE-2026-25797_2.patch \ | ||
| 39 | file://CVE-2026-25798.patch \ | ||
| 40 | file://CVE-2026-25799.patch \ | ||
| 41 | file://CVE-2026-25897.patch \ | ||
| 42 | file://CVE-2026-25898_1.patch \ | ||
| 43 | file://CVE-2026-25898_2.patch \ | ||
| 44 | file://CVE-2026-25965.patch \ | ||
| 45 | file://CVE-2026-25966.patch \ | ||
| 46 | file://CVE-2026-25967.patch \ | ||
| 47 | file://CVE-2026-25968.patch \ | ||
| 48 | file://CVE-2026-25969.patch \ | ||
| 49 | file://CVE-2026-25970_pre1.patch \ | ||
| 50 | file://CVE-2026-25970.patch \ | ||
| 51 | file://CVE-2026-25982.patch \ | ||
| 52 | file://CVE-2026-25985.patch \ | ||
| 53 | file://CVE-2026-25986.patch \ | ||
| 54 | file://CVE-2026-25987.patch \ | ||
| 55 | file://CVE-2026-25988.patch \ | ||
| 56 | file://CVE-2026-26066.patch \ | ||
| 57 | file://CVE-2026-26283.patch \ | ||
| 58 | file://CVE-2026-26284.patch \ | ||
| 59 | file://CVE-2026-26983.patch \ | ||
| 32 | " | 60 | " |
| 33 | SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb" | 61 | SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb" |
| 34 | 62 | ||
