summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-68618.patch109
-rw-r--r--meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb1
2 files changed, 110 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-68618.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-68618.patch
new file mode 100644
index 0000000000..e5dcc248a8
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2025-68618.patch
@@ -0,0 +1,109 @@
1From 68f99b5094315eb3b4020f01bf9fab9a7c5c40a1 Mon Sep 17 00:00:00 2001
2From: Cristy <urban-warrior@imagemagick.org>
3Date: Sun, 21 Dec 2025 12:43:08 -0500
4Subject: [PATCH]
5 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637
6
7CVE: CVE-2025-68618
8Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb]
9Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
10---
11 coders/msl.c | 24 ++++++++++++++++--------
12 coders/svg.c | 8 +++++++-
13 2 files changed, 23 insertions(+), 9 deletions(-)
14
15diff --git a/coders/msl.c b/coders/msl.c
16index dc7a8bfd8..80468b1ff 100644
17--- a/coders/msl.c
18+++ b/coders/msl.c
19@@ -120,6 +120,7 @@ typedef struct _MSLInfo
20 *exception;
21
22 ssize_t
23+ depth,
24 n,
25 number_groups;
26
27@@ -328,6 +329,10 @@ static void MSLStartElement(void *context,const xmlChar *tag,
28 RectangleInfo
29 geometry;
30
31+ size_t
32+ height,
33+ width;
34+
35 ssize_t
36 i,
37 j,
38@@ -336,11 +341,6 @@ static void MSLStartElement(void *context,const xmlChar *tag,
39 x,
40 y;
41
42-
43- size_t
44- height,
45- width;
46-
47 xmlParserCtxtPtr
48 parser;
49
50@@ -352,6 +352,13 @@ static void MSLStartElement(void *context,const xmlChar *tag,
51 exception=AcquireExceptionInfo();
52 parser=(xmlParserCtxtPtr) context;
53 msl_info=(MSLInfo *) parser->_private;
54+ if (msl_info->depth++ >= MagickMaxRecursionDepth)
55+ {
56+ (void) ThrowMagickException(msl_info->exception,GetMagickModule(),
57+ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",tag);
58+ xmlStopParser((xmlParserCtxtPtr) context);
59+ return;
60+ }
61 n=msl_info->n;
62 keyword=(const char *) NULL;
63 value=(char *) NULL;
64@@ -7057,15 +7064,15 @@ static void MSLStartElement(void *context,const xmlChar *tag,
65
66 static void MSLEndElement(void *context,const xmlChar *tag)
67 {
68- ssize_t
69- n;
70-
71 MSLInfo
72 *msl_info;
73
74 xmlParserCtxtPtr
75 parser;
76
77+ ssize_t
78+ n;
79+
80 /*
81 Called when the end of an element has been detected.
82 */
83@@ -7158,6 +7165,7 @@ static void MSLEndElement(void *context,const xmlChar *tag)
84 }
85 if (msl_info->content != (char *) NULL)
86 msl_info->content=DestroyString(msl_info->content);
87+ msl_info->depth--;
88 }
89
90 static void MSLCharacters(void *context,const xmlChar *c,int length)
91diff --git a/coders/svg.c b/coders/svg.c
92index b1ac0783d..6a069745f 100644
93--- a/coders/svg.c
94+++ b/coders/svg.c
95@@ -1249,7 +1249,13 @@ static void SVGStartElement(void *context,const xmlChar *name,
96 name);
97 parser=(xmlParserCtxtPtr) context;
98 svg_info=(SVGInfo *) parser->_private;
99- svg_info->n++;
100+ if (svg_info->n++ > MagickMaxRecursionDepth)
101+ {
102+ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
103+ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
104+ xmlStopParser((xmlParserCtxtPtr) context);
105+ return;
106+ }
107 svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
108 svg_info->n+1,sizeof(*svg_info->scale));
109 if (svg_info->scale == (double *) NULL)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index 40e57b7f1d..0e52519558 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
26 file://CVE-2025-62171.patch \ 26 file://CVE-2025-62171.patch \
27 file://CVE-2025-65955.patch \ 27 file://CVE-2025-65955.patch \
28 file://CVE-2025-66628.patch \ 28 file://CVE-2025-66628.patch \
29 file://CVE-2025-68618.patch \
29 " 30 "
30SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb" 31SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"
31 32