imagemagick: Fix CVE-2025-68950

From: Naman Jain <namanj1@kpit.com>

ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-12, Magick fails
to check for circular references between two MVGs, leading to a
stack overflow. This is a DoS vulnerability, and any situation that
allows reading the mvg file will be affected.
Version 7.1.2-12 fixes the issue.
This is a minimal patch required for this cve.

Signed-off-by: Naman Jain <namanj1@kpit.com>
---
 .../imagemagick/files/CVE-2025-68950.patch    | 24 +++++++++++++++++++
 .../imagemagick/imagemagick_7.0.10.bb         |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch

Just as a confirmation, you meant this for kirkstone, right?


On 4/27/26 08:33, Naman Jain via lists.openembedded.org wrote:
> From: Naman Jain <namanj1@kpit.com>
> 
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-12, Magick fails
> to check for circular references between two MVGs, leading to a
> stack overflow. This is a DoS vulnerability, and any situation that
> allows reading the mvg file will be affected.
> Version 7.1.2-12 fixes the issue.
> This is a minimal patch required for this cve.
> 
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---
>  .../imagemagick/files/CVE-2025-68950.patch    | 24 +++++++++++++++++++
>  .../imagemagick/imagemagick_7.0.10.bb         |  1 +
>  2 files changed, 25 insertions(+)
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> 
> diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> new file mode 100644
> index 0000000000..f839884994
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> @@ -0,0 +1,24 @@
> +From 204718c2211903949dcfc0df8e65ed066b008dec Mon Sep 17 00:00:00 2001
> +From: Cristy <urban-warrior@imagemagick.org>
> +Date: Fri, 26 Dec 2025 11:22:12 -0500
> +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
> +
> +Magick fails to check for circular references between two MVGs, leading to a stack overflow. 
> +
> +CVE: CVE-2025-68950
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec]
> +
> +Comment: Refreshed the orignal patch based on 7.0.10-62 version of imagemagick
> +
> +--- a/MagickCore/draw.c	2026-04-09 13:26:27.935293000 +0530
> ++++ b/MagickCore/draw.c	2026-04-16 11:52:23.007277997 +0530
> +@@ -5545,7 +5545,7 @@ MagickExport MagickBooleanType DrawPrimi
> +               clone_info->size=DestroyString(clone_info->size);
> +             if (clone_info->extract != (char *) NULL)
> +               clone_info->extract=DestroyString(clone_info->extract);
> +-            if (*clone_info->filename != '\0')
> ++            if ((*clone_info->filename != '\0') && (LocaleCompare(clone_info->magick,"mvg") != 0))
> +               composite_images=ReadImage(clone_info,exception);
> +           }
> +       clone_info=DestroyImageInfo(clone_info);
> diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> index 9bc857b715..1dc1005aa7 100644
> --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> @@ -54,6 +54,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
>      file://CVE-2026-22770.patch \
>      file://CVE-2026-23874.patch \
>      file://CVE-2026-23876.patch \
> +    file://CVE-2025-68950.patch \
>  "
>  
>  SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#126632): https://lists.openembedded.org/g/openembedded-devel/message/126632
> Mute This Topic: https://lists.openembedded.org/mt/119026610/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Hi,
Yes, this is for kirkstone

Thanks and regards,
Naman jain

On Mon, 27 Apr, 2026, 1:35 pm Gyorgy Sarvari, <skandigraun@gmail.com> wrote:

> Just as a confirmation, you meant this for kirkstone, right?
>
>
> On 4/27/26 08:33, Naman Jain via lists.openembedded.org wrote:
> > From: Naman Jain <namanj1@kpit.com>
> >
> > ImageMagick is free and open-source software used for editing and
> > manipulating digital images. Prior to version 7.1.2-12, Magick fails
> > to check for circular references between two MVGs, leading to a
> > stack overflow. This is a DoS vulnerability, and any situation that
> > allows reading the mvg file will be affected.
> > Version 7.1.2-12 fixes the issue.
> > This is a minimal patch required for this cve.
> >
> > Signed-off-by: Naman Jain <namanj1@kpit.com>
> > ---
> >  .../imagemagick/files/CVE-2025-68950.patch    | 24 +++++++++++++++++++
> >  .../imagemagick/imagemagick_7.0.10.bb         |  1 +
> >  2 files changed, 25 insertions(+)
> >  create mode 100644
> meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> >
> > diff --git
> a/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> b/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> > new file mode 100644
> > index 0000000000..f839884994
> > --- /dev/null
> > +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2025-68950.patch
> > @@ -0,0 +1,24 @@
> > +From 204718c2211903949dcfc0df8e65ed066b008dec Mon Sep 17 00:00:00 2001
> > +From: Cristy <urban-warrior@imagemagick.org>
> > +Date: Fri, 26 Dec 2025 11:22:12 -0500
> > +Subject: [PATCH]
> https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j
> > +
> > +Magick fails to check for circular references between two MVGs, leading
> to a stack overflow.
> > +
> > +CVE: CVE-2025-68950
> > +
> > +Upstream-Status: Backport [
> https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec
> ]
> > +
> > +Comment: Refreshed the orignal patch based on 7.0.10-62 version of
> imagemagick
> > +
> > +--- a/MagickCore/draw.c      2026-04-09 13:26:27.935293000 +0530
> > ++++ b/MagickCore/draw.c      2026-04-16 11:52:23.007277997 +0530
> > +@@ -5545,7 +5545,7 @@ MagickExport MagickBooleanType DrawPrimi
> > +               clone_info->size=DestroyString(clone_info->size);
> > +             if (clone_info->extract != (char *) NULL)
> > +               clone_info->extract=DestroyString(clone_info->extract);
> > +-            if (*clone_info->filename != '\0')
> > ++            if ((*clone_info->filename != '\0') &&
> (LocaleCompare(clone_info->magick,"mvg") != 0))
> > +               composite_images=ReadImage(clone_info,exception);
> > +           }
> > +       clone_info=DestroyImageInfo(clone_info);
> > diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> > index 9bc857b715..1dc1005aa7 100644
> > --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> > +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> > @@ -54,6 +54,7 @@ SRC_URI = "git://
> github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
> >      file://CVE-2026-22770.patch \
> >      file://CVE-2026-23874.patch \
> >      file://CVE-2026-23876.patch \
> > +    file://CVE-2025-68950.patch \
> >  "
> >
> >  SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
> >
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#126632):
> https://lists.openembedded.org/g/openembedded-devel/message/126632
> > Mute This Topic: https://lists.openembedded.org/mt/119026610/6084445
> > Group Owner: openembedded-devel+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [
> skandigraun@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>