6 files changed, 247 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch
new file mode 100644
index 0000000000..0bdd67c30b
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch
@@ -0,0 +1,44 @@
+From 8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 15 Mar 2022 21:59:33 -0400
+Subject: [PATCH] Coders:
+ https://github.com/ImageMagick/ImageMagick/issues/4947
+CVE: CVE-2022-1114
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch]
+Comments: Refreshed the patch as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/dcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+diff --git a/coders/dcm.c b/coders/dcm.c
+index ce6cecbd68d..879d5694d2a 100644
+--- a/coders/dcm.c
+++ b/coders/dcm.c
+@@ -3239,18 +3239,17 @@ static Image *ReadDCMImage(const ImageIn
+           RelinquishMagickMemory(info_copy);
+         }
+ 
+-      /*
+-        If we're entering a sequence, push the current image parameters onto
+-        the stack, so we can restore them at the end of the sequence.
+-      */
+       if (strcmp(explicit_vr,"SQ") == 0)
+         {
+-          info_copy=(DCMInfo *) AcquireMagickMemory(sizeof(info));
+-          memcpy(info_copy,&info,sizeof(info));
+-          AppendValueToLinkedList(stack,info_copy);
+          /*
+            If we're entering a sequence, push the current image parameters
+            onto the stack, so we can restore them at the end of the sequence.
+          */
+          DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info));
+          (void) memcpy(clone_info,&info,sizeof(info));
+          AppendValueToLinkedList(stack,clone_info);
+           sequence_depth++;
+         }
+-
+       datum=0;
+       if (quantum == 4)
+         {
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch
new file mode 100644
index 0000000000..5f7cd8033f
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch
@@ -0,0 +1,114 @@
+From 9d3dd9192f6710ec8e10f5edda9b7bf67caeb232 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 14:14:36 -0500
+Subject: [PATCH] recursion detection framework
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9d3dd9192f6710ec8e10f5edda9b7bf67caeb232.patch]
+Comment: Hunk #2 and #3 for draw.c from orignal patch are excluded from this because
+these hunks remove the piece of code not present in imagemagick 7.0.10.
+Refreshed hunk2 of image.c, draw.h and draw.c
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/constitute.c | 12 ++++++++++++
+ MagickCore/draw.c       | 18 +++---------------
+ MagickCore/draw.h       |  3 +++
+ MagickCore/image.c      |  2 ++
+ MagickCore/image.h      |  3 +++
+ 5 files changed, 23 insertions(+), 15 deletions(-)
+diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c
+index aa1a0c2682b..5c84602da87 100644
+--- a/MagickCore/constitute.c
+++ b/MagickCore/constitute.c
+@@ -130,6 +130,11 @@
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
+/*
+  Define declarations.
+*/
+#define MaxReadRecursionDepth  100
+
+ MagickExport Image *ConstituteImage(const size_t columns,const size_t rows,
+   const char *map,const StorageType storage,const void *pixels,
+   ExceptionInfo *exception)
+@@ -558,9 +558,16 @@ MagickExport Image *ReadImage(const Imag
+       if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+         LockSemaphoreInfo(magick_info->semaphore);
+       status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
+      if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
+        {
+          (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
+            "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
+          status=MagickFalse;
+        }
+       image=(Image *) NULL;
+       if (status != MagickFalse)
+         image=decoder(read_info,exception);
+      ((ImageInfo *) image_info)->recursion_depth--;
+       if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+         UnlockSemaphoreInfo(magick_info->semaphore);
+     }
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
+index ff78d620afd..c875c07acc6 100644
+--- a/MagickCore/draw.c
++++ b/MagickCore/draw.c
+@@ -5916,7 +5916,8 @@ MagickExport void GetDrawInfo(const Imag
+   (void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
+   assert(draw_info != (DrawInfo *) NULL);
+   (void) memset(draw_info,0,sizeof(*draw_info));
+-  clone_info=CloneImageInfo(image_info);
+  draw_info->image_info=image_info;
+  clone_info=CloneImageInfo(draw_info->image_info);
+   GetAffineMatrix(&draw_info->affine);
+   exception=AcquireExceptionInfo();
+   (void) QueryColorCompliance("#000F",AllCompliance,&draw_info->fill,
+diff --git a/MagickCore/draw.h b/MagickCore/draw.h
+index 38a52e20361..69257fc02a1 100644
+--- a/MagickCore/draw.h
+++ b/MagickCore/draw.h
+@@ -340,6 +340,9 @@ typedef struct _DrawInfo
+ 
+   char
+     *id;
+
+  const ImageInfo
+    *image_info;  
+ } DrawInfo;
+ 
+ typedef struct _PrimitiveInfo
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 9bf47e6e01d..8289139bf6f 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -995,6 +995,7 @@ MagickExport ImageInfo *CloneImageInfo(c
+     MagickPathExtent);
+   clone_info->channel=image_info->channel;
+   (void) CloneImageOptions(clone_info,image_info);
+  clone_info->recursion_depth=image_info->recursion_depth;
+   clone_info->debug=IsEventLogging();
+   clone_info->signature=image_info->signature;
+   return(clone_info);
+@@ -1350,6 +1350,7 @@ MagickExport void GetImageInfo(ImageInfo
+   image_info->quality=UndefinedCompressionQuality;
+   image_info->antialias=MagickTrue;
+   image_info->dither=MagickTrue;
+  image_info->depth=0;
+   synchronize=GetEnvironmentValue("MAGICK_SYNCHRONIZE");
+   if (synchronize != (const char *) NULL)
+     {
+diff --git a/MagickCore/image.h b/MagickCore/image.h
+index b9d870a9271..df6bf9bd103 100644
+--- a/MagickCore/image.h
+++ b/MagickCore/image.h
+@@ -492,6 +492,9 @@ struct _ImageInfo
+ 
+   PixelInfo
+     matte_color;        /* matte (frame) color */
+
+  size_t
+    recursion_depth;  /* recursion detection */
+ };
+ 
+ extern MagickExport ChannelType
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch
new file mode 100644
index 0000000000..944754fb3d
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch
@@ -0,0 +1,21 @@
+From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 15:26:32 -0500
+Subject: [PATCH] erecursion detection
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4]
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+--- a/MagickCore/draw.c 2025-05-12 13:34:26.689655000 +0530
+++ b/MagickCore/draw.c 2025-05-12 13:45:30.136300211 +0530
+@@ -5526,6 +5526,7 @@ MagickExport MagickBooleanType DrawPrimi
+       if (primitive_info->text == (char *) NULL)
+         break;
+       clone_info=AcquireImageInfo();
+      clone_info->recursion_depth=draw_info->image_info->recursion_depth;      
+       composite_images=(Image *) NULL;
+       if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
+         composite_images=ReadInlineImage(clone_info,primitive_info->text,
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch
new file mode 100644
index 0000000000..e7b7783f47
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch
@@ -0,0 +1,35 @@
+From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 15 May 2023 14:22:11 -0400
+Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow
+ buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of
+ NSFOCUS Security Team)
+CVE: CVE-2023-34474
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0.patch]
+Comment: Remove hunk from MagickCore/profile.c. as it fixes as the vulnerable function
+ImageMagick's ReplaceXmpValue() that introduces CVE-2023-34475 is not present in 7.0.10 version
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/profile.c | 5 +++--
+ coders/tim2.c        | 4 +++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+diff --git a/coders/tim2.c b/coders/tim2.c
+index 0445985dcc0..d30afaf05d6 100644
+--- a/coders/tim2.c
+++ b/coders/tim2.c
+@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
+     /*
+       * ### Read CLUT Data ###
+       */
+-    clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size);
+    clut_data=(unsigned char *) AcquireQuantumMemory(2,
+      MagickMax(header->clut_size,image->colors));
+     if (clut_data == (unsigned char *) NULL)
+       ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+         image_info->filename);
+    (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors));
+     count=ReadBlob(image,header->clut_size,clut_data);
+     if (count != (ssize_t) (header->clut_size))
+       {
diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch
new file mode 100644
index 0000000000..e26dd61fba
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch
@@ -0,0 +1,28 @@
+From aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 24 Sep 2023 07:28:19 -0400
+Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of
+ Vehere (Dawn Treaders team)
+CVE: CVE-2023-5341
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1.patch]
+Comment: Refresh hunk as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/bmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 94ec6628fdf..7e36d4f481b 100644
+--- a/coders/bmp.c
+++ b/coders/bmp.c
+@@ -625,6 +625,9 @@ static Image *ReadBMPImage(const ImageIn
+     if (image->debug != MagickFalse)
+       (void) LogMagickEvent(CoderEvent,GetMagickModule(),"  BMP size: %u",
+         bmp_info.size);
+    if ((bmp_info.file_size != 0) &&
+        ((MagickSizeType) bmp_info.file_size > GetBlobSize(image)))
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     profile_data=0;
+     profile_size=0;
+     if (bmp_info.size == 12)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 6108dece27..ce5489bb3e 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -18,6 +18,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
    file://CVE-2022-0284.patch \
    file://fix-cipher-leak.patch \
    file://CVE-2022-2719.patch \
+    file://CVE-2022-1114.patch \
+    file://CVE-2023-1289-1.patch \
+    file://CVE-2023-1289.patch \
+    file://CVE-2023-34474.patch \
+    file://CVE-2023-5341.patch \
 "
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"

diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch new file mode 100644 index 0000000000..0bdd67c30b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch
@@ -0,0 +1,44 @@
		1	From 8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Tue, 15 Mar 2022 21:59:33 -0400
		4	Subject: [PATCH] Coders:
		5	https://github.com/ImageMagick/ImageMagick/issues/4947
		6
		7	CVE: CVE-2022-1114
		8	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch]
		9	Comments: Refreshed the patch as per codebase
		10	Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
		11	---
		12	coders/dcm.c \| 18 +++++++++---------
		13	1 file changed, 9 insertions(+), 9 deletions(-)
		14
		15	diff --git a/coders/dcm.c b/coders/dcm.c
		16	index ce6cecbd68d..879d5694d2a 100644
		17	--- a/coders/dcm.c
		18	+++ b/coders/dcm.c
		19	@@ -3239,18 +3239,17 @@ static Image *ReadDCMImage(const ImageIn
		20	RelinquishMagickMemory(info_copy);
		21	}
		22
		23	- /*
		24	- If we're entering a sequence, push the current image parameters onto
		25	- the stack, so we can restore them at the end of the sequence.
		26	- */
		27	if (strcmp(explicit_vr,"SQ") == 0)
		28	{
		29	- info_copy=(DCMInfo *) AcquireMagickMemory(sizeof(info));
		30	- memcpy(info_copy,&info,sizeof(info));
		31	- AppendValueToLinkedList(stack,info_copy);
		32	+ /*
		33	+ If we're entering a sequence, push the current image parameters
		34	+ onto the stack, so we can restore them at the end of the sequence.
		35	+ */
		36	+ DCMInfo clone_info = (DCMInfo ) AcquireMagickMemory(sizeof(info));
		37	+ (void) memcpy(clone_info,&info,sizeof(info));
		38	+ AppendValueToLinkedList(stack,clone_info);
		39	sequence_depth++;
		40	}
		41	-
		42	datum=0;
		43	if (quantum == 4)
		44	{


diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch new file mode 100644 index 0000000000..5f7cd8033f --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch
@@ -0,0 +1,114 @@
		1	From 9d3dd9192f6710ec8e10f5edda9b7bf67caeb232 Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Mon, 6 Mar 2023 14:14:36 -0500
		4	Subject: [PATCH] recursion detection framework
		5
		6	CVE: CVE-2023-1289
		7	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9d3dd9192f6710ec8e10f5edda9b7bf67caeb232.patch]
		8	Comment: Hunk #2 and #3 for draw.c from orignal patch are excluded from this because
		9	these hunks remove the piece of code not present in imagemagick 7.0.10.
		10	Refreshed hunk2 of image.c, draw.h and draw.c
		11	Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
		12	---
		13	MagickCore/constitute.c \| 12 ++++++++++++
		14	MagickCore/draw.c \| 18 +++---------------
		15	MagickCore/draw.h \| 3 +++
		16	MagickCore/image.c \| 2 ++
		17	MagickCore/image.h \| 3 +++
		18	5 files changed, 23 insertions(+), 15 deletions(-)
		19
		20	diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c
		21	index aa1a0c2682b..5c84602da87 100644
		22	--- a/MagickCore/constitute.c
		23	+++ b/MagickCore/constitute.c
		24	@@ -130,6 +130,11 @@
		25	% o exception: return any errors or warnings in this structure.
		26	%
		27	*/
		28	+/*
		29	+ Define declarations.
		30	+*/
		31	+#define MaxReadRecursionDepth 100
		32	+
		33	MagickExport Image *ConstituteImage(const size_t columns,const size_t rows,
		34	const char map,const StorageType storage,const void pixels,
		35	ExceptionInfo *exception)
		36	@@ -558,9 +558,16 @@ MagickExport Image *ReadImage(const Imag
		37	if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
		38	LockSemaphoreInfo(magick_info->semaphore);
		39	status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
		40	+ if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
		41	+ {
		42	+ (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
		43	+ "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
		44	+ status=MagickFalse;
		45	+ }
		46	image=(Image *) NULL;
		47	if (status != MagickFalse)
		48	image=decoder(read_info,exception);
		49	+ ((ImageInfo *) image_info)->recursion_depth--;
		50	if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
		51	UnlockSemaphoreInfo(magick_info->semaphore);
		52	}
		53	diff --git a/MagickCore/draw.c b/MagickCore/draw.c
		54	+index ff78d620afd..c875c07acc6 100644
		55	+--- a/MagickCore/draw.c
		56	++++ b/MagickCore/draw.c
		57	@@ -5916,7 +5916,8 @@ MagickExport void GetDrawInfo(const Imag
		58	(void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
		59	assert(draw_info != (DrawInfo *) NULL);
		60	(void) memset(draw_info,0,sizeof(*draw_info));
		61	- clone_info=CloneImageInfo(image_info);
		62	+ draw_info->image_info=image_info;
		63	+ clone_info=CloneImageInfo(draw_info->image_info);
		64	GetAffineMatrix(&draw_info->affine);
		65	exception=AcquireExceptionInfo();
		66	(void) QueryColorCompliance("#000F",AllCompliance,&draw_info->fill,
		67	diff --git a/MagickCore/draw.h b/MagickCore/draw.h
		68	index 38a52e20361..69257fc02a1 100644
		69	--- a/MagickCore/draw.h
		70	+++ b/MagickCore/draw.h
		71	@@ -340,6 +340,9 @@ typedef struct _DrawInfo
		72
		73	char
		74	*id;
		75	+
		76	+ const ImageInfo
		77	+ *image_info;
		78	} DrawInfo;
		79
		80	typedef struct _PrimitiveInfo
		81	diff --git a/MagickCore/image.c b/MagickCore/image.c
		82	index 9bf47e6e01d..8289139bf6f 100644
		83	--- a/MagickCore/image.c
		84	+++ b/MagickCore/image.c
		85	@@ -995,6 +995,7 @@ MagickExport ImageInfo *CloneImageInfo(c
		86	MagickPathExtent);
		87	clone_info->channel=image_info->channel;
		88	(void) CloneImageOptions(clone_info,image_info);
		89	+ clone_info->recursion_depth=image_info->recursion_depth;
		90	clone_info->debug=IsEventLogging();
		91	clone_info->signature=image_info->signature;
		92	return(clone_info);
		93	@@ -1350,6 +1350,7 @@ MagickExport void GetImageInfo(ImageInfo
		94	image_info->quality=UndefinedCompressionQuality;
		95	image_info->antialias=MagickTrue;
		96	image_info->dither=MagickTrue;
		97	+ image_info->depth=0;
		98	synchronize=GetEnvironmentValue("MAGICK_SYNCHRONIZE");
		99	if (synchronize != (const char *) NULL)
		100	{
		101	diff --git a/MagickCore/image.h b/MagickCore/image.h
		102	index b9d870a9271..df6bf9bd103 100644
		103	--- a/MagickCore/image.h
		104	+++ b/MagickCore/image.h
		105	@@ -492,6 +492,9 @@ struct _ImageInfo
		106
		107	PixelInfo
		108	matte_color; /* matte (frame) color */
		109	+
		110	+ size_t
		111	+ recursion_depth; /* recursion detection */
		112	};
		113
		114	extern MagickExport ChannelType


diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch new file mode 100644 index 0000000000..944754fb3d --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch
@@ -0,0 +1,21 @@
		1	From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Mon, 6 Mar 2023 15:26:32 -0500
		4	Subject: [PATCH] erecursion detection
		5	CVE: CVE-2023-1289
		6	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4]
		7	Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
		8	---
		9	MagickCore/draw.c \| 3 ++-
		10	1 file changed, 2 insertions(+), 1 deletion(-)
		11
		12	--- a/MagickCore/draw.c 2025-05-12 13:34:26.689655000 +0530
		13	+++ b/MagickCore/draw.c 2025-05-12 13:45:30.136300211 +0530
		14	@@ -5526,6 +5526,7 @@ MagickExport MagickBooleanType DrawPrimi
		15	if (primitive_info->text == (char *) NULL)
		16	break;
		17	clone_info=AcquireImageInfo();
		18	+ clone_info->recursion_depth=draw_info->image_info->recursion_depth;
		19	composite_images=(Image *) NULL;
		20	if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
		21	composite_images=ReadInlineImage(clone_info,primitive_info->text,


diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch new file mode 100644 index 0000000000..e7b7783f47 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch
@@ -0,0 +1,35 @@
		1	From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Mon, 15 May 2023 14:22:11 -0400
		4	Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow
		5	buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of
		6	NSFOCUS Security Team)
		7
		8	CVE: CVE-2023-34474
		9	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0.patch]
		10	Comment: Remove hunk from MagickCore/profile.c. as it fixes as the vulnerable function
		11	ImageMagick's ReplaceXmpValue() that introduces CVE-2023-34475 is not present in 7.0.10 version
		12	Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
		13	---
		14	MagickCore/profile.c \| 5 +++--
		15	coders/tim2.c \| 4 +++-
		16	2 files changed, 6 insertions(+), 3 deletions(-)
		17
		18	diff --git a/coders/tim2.c b/coders/tim2.c
		19	index 0445985dcc0..d30afaf05d6 100644
		20	--- a/coders/tim2.c
		21	+++ b/coders/tim2.c
		22	@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
		23	/*
		24	* ### Read CLUT Data ###
		25	*/
		26	- clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size);
		27	+ clut_data=(unsigned char *) AcquireQuantumMemory(2,
		28	+ MagickMax(header->clut_size,image->colors));
		29	if (clut_data == (unsigned char *) NULL)
		30	ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
		31	image_info->filename);
		32	+ (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors));
		33	count=ReadBlob(image,header->clut_size,clut_data);
		34	if (count != (ssize_t) (header->clut_size))
		35	{


diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch new file mode 100644 index 0000000000..e26dd61fba --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch
@@ -0,0 +1,28 @@
		1	From aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Mon Sep 17 00:00:00 2001
		2	From: Cristy <urban-warrior@imagemagick.org>
		3	Date: Sun, 24 Sep 2023 07:28:19 -0400
		4	Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of
		5	Vehere (Dawn Treaders team)
		6
		7	CVE: CVE-2023-5341
		8	Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1.patch]
		9	Comment: Refresh hunk as per codebase
		10	Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
		11	---
		12	coders/bmp.c \| 3 +++
		13	1 file changed, 3 insertions(+)
		14
		15	diff --git a/coders/bmp.c b/coders/bmp.c
		16	index 94ec6628fdf..7e36d4f481b 100644
		17	--- a/coders/bmp.c
		18	+++ b/coders/bmp.c
		19	@@ -625,6 +625,9 @@ static Image *ReadBMPImage(const ImageIn
		20	if (image->debug != MagickFalse)
		21	(void) LogMagickEvent(CoderEvent,GetMagickModule()," BMP size: %u",
		22	bmp_info.size);
		23	+ if ((bmp_info.file_size != 0) &&
		24	+ ((MagickSizeType) bmp_info.file_size > GetBlobSize(image)))
		25	+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
		26	profile_data=0;
		27	profile_size=0;
		28	if (bmp_info.size == 12)


diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb index 6108dece27..ce5489bb3e 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -18,6 +18,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
18	file://CVE-2022-0284.patch \	18	file://CVE-2022-0284.patch \
19	file://fix-cipher-leak.patch \	19	file://fix-cipher-leak.patch \
20	file://CVE-2022-2719.patch \	20	file://CVE-2022-2719.patch \
		21	file://CVE-2022-1114.patch \
		22	file://CVE-2023-1289-1.patch \
		23	file://CVE-2023-1289.patch \
		24	file://CVE-2023-34474.patch \
		25	file://CVE-2023-5341.patch \
21	"	26	"
22		27
23	SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"	28	SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"