new file mode 100644
@@ -0,0 +1,44 @@
+From 8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 15 Mar 2022 21:59:33 -0400
+Subject: [PATCH] Coders:
+ https://github.com/ImageMagick/ImageMagick/issues/4947
+
+CVE: CVE-2022-1114
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch]
+Comments: Refreshed the patch as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/dcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index ce6cecbd68d..879d5694d2a 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3239,18 +3239,17 @@ static Image *ReadDCMImage(const ImageIn
+ RelinquishMagickMemory(info_copy);
+ }
+
+- /*
+- If we're entering a sequence, push the current image parameters onto
+- the stack, so we can restore them at the end of the sequence.
+- */
+ if (strcmp(explicit_vr,"SQ") == 0)
+ {
+- info_copy=(DCMInfo *) AcquireMagickMemory(sizeof(info));
+- memcpy(info_copy,&info,sizeof(info));
+- AppendValueToLinkedList(stack,info_copy);
++ /*
++ If we're entering a sequence, push the current image parameters
++ onto the stack, so we can restore them at the end of the sequence.
++ */
++ DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info));
++ (void) memcpy(clone_info,&info,sizeof(info));
++ AppendValueToLinkedList(stack,clone_info);
+ sequence_depth++;
+ }
+-
+ datum=0;
+ if (quantum == 4)
+ {
new file mode 100644
@@ -0,0 +1,114 @@
+From 9d3dd9192f6710ec8e10f5edda9b7bf67caeb232 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 14:14:36 -0500
+Subject: [PATCH] recursion detection framework
+
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9d3dd9192f6710ec8e10f5edda9b7bf67caeb232.patch]
+Comment: Hunk #2 and #3 for draw.c from orignal patch are excluded from this because
+these hunks remove the piece of code not present in imagemagick 7.0.10.
+Refreshed hunk2 of image.c, draw.h and draw.c
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/constitute.c | 12 ++++++++++++
+ MagickCore/draw.c | 18 +++---------------
+ MagickCore/draw.h | 3 +++
+ MagickCore/image.c | 2 ++
+ MagickCore/image.h | 3 +++
+ 5 files changed, 23 insertions(+), 15 deletions(-)
+
+diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c
+index aa1a0c2682b..5c84602da87 100644
+--- a/MagickCore/constitute.c
++++ b/MagickCore/constitute.c
+@@ -130,6 +130,11 @@
+ % o exception: return any errors or warnings in this structure.
+ %
+ */
++/*
++ Define declarations.
++*/
++#define MaxReadRecursionDepth 100
++
+ MagickExport Image *ConstituteImage(const size_t columns,const size_t rows,
+ const char *map,const StorageType storage,const void *pixels,
+ ExceptionInfo *exception)
+@@ -558,9 +558,16 @@ MagickExport Image *ReadImage(const Imag
+ if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+ LockSemaphoreInfo(magick_info->semaphore);
+ status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception);
++ if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth)
++ {
++ (void) ThrowMagickException(exception,GetMagickModule(),CoderError,
++ "NumberOfImagesIsNotSupported","`%s'",read_info->magick);
++ status=MagickFalse;
++ }
+ image=(Image *) NULL;
+ if (status != MagickFalse)
+ image=decoder(read_info,exception);
++ ((ImageInfo *) image_info)->recursion_depth--;
+ if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse)
+ UnlockSemaphoreInfo(magick_info->semaphore);
+ }
+diff --git a/MagickCore/draw.c b/MagickCore/draw.c
++index ff78d620afd..c875c07acc6 100644
++--- a/MagickCore/draw.c
+++++ b/MagickCore/draw.c
+@@ -5916,7 +5916,8 @@ MagickExport void GetDrawInfo(const Imag
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"...");
+ assert(draw_info != (DrawInfo *) NULL);
+ (void) memset(draw_info,0,sizeof(*draw_info));
+- clone_info=CloneImageInfo(image_info);
++ draw_info->image_info=image_info;
++ clone_info=CloneImageInfo(draw_info->image_info);
+ GetAffineMatrix(&draw_info->affine);
+ exception=AcquireExceptionInfo();
+ (void) QueryColorCompliance("#000F",AllCompliance,&draw_info->fill,
+diff --git a/MagickCore/draw.h b/MagickCore/draw.h
+index 38a52e20361..69257fc02a1 100644
+--- a/MagickCore/draw.h
++++ b/MagickCore/draw.h
+@@ -340,6 +340,9 @@ typedef struct _DrawInfo
+
+ char
+ *id;
++
++ const ImageInfo
++ *image_info;
+ } DrawInfo;
+
+ typedef struct _PrimitiveInfo
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 9bf47e6e01d..8289139bf6f 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -995,6 +995,7 @@ MagickExport ImageInfo *CloneImageInfo(c
+ MagickPathExtent);
+ clone_info->channel=image_info->channel;
+ (void) CloneImageOptions(clone_info,image_info);
++ clone_info->recursion_depth=image_info->recursion_depth;
+ clone_info->debug=IsEventLogging();
+ clone_info->signature=image_info->signature;
+ return(clone_info);
+@@ -1350,6 +1350,7 @@ MagickExport void GetImageInfo(ImageInfo
+ image_info->quality=UndefinedCompressionQuality;
+ image_info->antialias=MagickTrue;
+ image_info->dither=MagickTrue;
++ image_info->depth=0;
+ synchronize=GetEnvironmentValue("MAGICK_SYNCHRONIZE");
+ if (synchronize != (const char *) NULL)
+ {
+diff --git a/MagickCore/image.h b/MagickCore/image.h
+index b9d870a9271..df6bf9bd103 100644
+--- a/MagickCore/image.h
++++ b/MagickCore/image.h
+@@ -492,6 +492,9 @@ struct _ImageInfo
+
+ PixelInfo
+ matte_color; /* matte (frame) color */
++
++ size_t
++ recursion_depth; /* recursion detection */
+ };
+
+ extern MagickExport ChannelType
new file mode 100644
@@ -0,0 +1,21 @@
+From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 6 Mar 2023 15:26:32 -0500
+Subject: [PATCH] erecursion detection
+CVE: CVE-2023-1289
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4]
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/draw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/MagickCore/draw.c 2025-05-12 13:34:26.689655000 +0530
++++ b/MagickCore/draw.c 2025-05-12 13:45:30.136300211 +0530
+@@ -5526,6 +5526,7 @@ MagickExport MagickBooleanType DrawPrimi
+ if (primitive_info->text == (char *) NULL)
+ break;
+ clone_info=AcquireImageInfo();
++ clone_info->recursion_depth=draw_info->image_info->recursion_depth;
+ composite_images=(Image *) NULL;
+ if (LocaleNCompare(primitive_info->text,"data:",5) == 0)
+ composite_images=ReadInlineImage(clone_info,primitive_info->text,
new file mode 100644
@@ -0,0 +1,35 @@
+From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 15 May 2023 14:22:11 -0400
+Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow
+ buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of
+ NSFOCUS Security Team)
+
+CVE: CVE-2023-34474
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0.patch]
+Comment: Remove hunk from MagickCore/profile.c. as it fixes as the vulnerable function
+ImageMagick's ReplaceXmpValue() that introduces CVE-2023-34475 is not present in 7.0.10 version
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ MagickCore/profile.c | 5 +++--
+ coders/tim2.c | 4 +++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/coders/tim2.c b/coders/tim2.c
+index 0445985dcc0..d30afaf05d6 100644
+--- a/coders/tim2.c
++++ b/coders/tim2.c
+@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
+ /*
+ * ### Read CLUT Data ###
+ */
+- clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size);
++ clut_data=(unsigned char *) AcquireQuantumMemory(2,
++ MagickMax(header->clut_size,image->colors));
+ if (clut_data == (unsigned char *) NULL)
+ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+ image_info->filename);
++ (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors));
+ count=ReadBlob(image,header->clut_size,clut_data);
+ if (count != (ssize_t) (header->clut_size))
+ {
new file mode 100644
@@ -0,0 +1,28 @@
+From aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 24 Sep 2023 07:28:19 -0400
+Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of
+ Vehere (Dawn Treaders team)
+
+CVE: CVE-2023-5341
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1.patch]
+Comment: Refresh hunk as per codebase
+Signed-off-by: Sana Kazi Sana.Kazi@kpit.com
+---
+ coders/bmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 94ec6628fdf..7e36d4f481b 100644
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -625,6 +625,9 @@ static Image *ReadBMPImage(const ImageIn
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule()," BMP size: %u",
+ bmp_info.size);
++ if ((bmp_info.file_size != 0) &&
++ ((MagickSizeType) bmp_info.file_size > GetBlobSize(image)))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ profile_data=0;
+ profile_size=0;
+ if (bmp_info.size == 12)
@@ -18,6 +18,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
file://CVE-2022-0284.patch \
file://fix-cipher-leak.patch \
file://CVE-2022-2719.patch \
+ file://CVE-2022-1114.patch \
+ file://CVE-2023-1289-1.patch \
+ file://CVE-2023-1289.patch \
+ file://CVE-2023-34474.patch \
+ file://CVE-2023-5341.patch \
"
SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
Fix following CVEs for imagemagick: CVE-2023-5341, CVE-2022-1114, CVE-2023-1289 and CVE-2023-34474 Signed-off-by: Sana Kazi <sanakazi720@gmail.com> --- .../imagemagick/files/CVE-2022-1114.patch | 44 +++++++ .../imagemagick/files/CVE-2023-1289-1.patch | 114 ++++++++++++++++++ .../imagemagick/files/CVE-2023-1289.patch | 21 ++++ .../imagemagick/files/CVE-2023-34474.patch | 35 ++++++ .../imagemagick/files/CVE-2023-5341.patch | 28 +++++ .../imagemagick/imagemagick_7.0.10.bb | 5 + 6 files changed, 247 insertions(+) create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch