[meta-oe,walnascar,04/11] imagemagick: patch CVE-2025-53101

Message ID	20251008205914.598660-4-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.218.48, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 04/11] imagemagick: patch CVE-2025-53101 Date: Wed, 8 Oct 2025 22:59:07 +0200 Message-ID: <20251008205914.598660-4-skandigraun@gmail.com> In-Reply-To: <20251008205914.598660-1-skandigraun@gmail.com> References: <20251008205914.598660-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 \| expand [meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 [meta-oe,walnascar,02/11] imagemagick: patch CVE-2025-53015 [meta-oe,walnascar,03/11] imagemagick: patch CVE-2025-53019 [meta-oe,walnascar,04/11] imagemagick: patch CVE-2025-53101 [meta-oe,walnascar,05/11] imagemagick: patch CVE-2025-55004 [meta-oe,walnascar,06/11] imagemagick: patch CVE-2025-55005 [meta-oe,walnascar,07/11] imagemagick: patch CVE-2025-55154 [meta-oe,walnascar,08/11] imagemagick: patch CVE-2025-55160 [meta-oe,walnascar,09/11] imagemagick: patch CVE-2025-55212 [meta-oe,walnascar,10/11] imagemagick: patch CVE-2025-57803 [meta-oe,walnascar,11/11] imagemagick: patch CVE-2025-57807

Message ID

20251008205914.598660-4-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][walnascar][PATCH 04/11] imagemagick: patch CVE-2025-53101
Date: Wed,  8 Oct 2025 22:59:07 +0200
Message-ID: <20251008205914.598660-4-skandigraun@gmail.com>
In-Reply-To: <20251008205914.598660-1-skandigraun@gmail.com>
References: <20251008205914.598660-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 | expand

Commit Message

Gyorgy Sarvari Oct. 8, 2025, 8:59 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101

Pick the patch mentioned in the details of the above link.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...-ImageMagick-ImageMagick-security-ad.patch | 52 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1-43.bb       |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch b/meta-oe/recipes-support/imagemagick/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch
new file mode 100644
index 0000000000..48c3fff35c
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch
@@ -0,0 +1,52 @@ 
+From 0afb803b504b572f3dc654ac4e39e5bd8df7ee03 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 27 Jun 2025 20:02:12 -0400
+Subject: [PATCH] 
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+
+CVE: CVE-2025-53101
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ MagickCore/image.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 03a5972d0..abca0a9ae 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     canonical;
+ 
+   ssize_t
+-    field_width,
+     offset;
+ 
+   canonical=MagickFalse;
+@@ -1681,21 +1680,21 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         p++;
+         continue;
+       }
+-    field_width=0;
+-    if (*q == '0')
+-      field_width=(ssize_t) strtol(q,&q,10);
+     switch (*q)
+     {
+       case 'd':
+       case 'o':
+       case 'x':
+       {
++        ssize_t count;
+         q++;
+         c=(*q);
+         *q='\0';
+-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+           (MagickPathExtent-(p-format-offset)),p,value);
+-        offset+=(4-field_width);
++        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++          return(0);
++        offset+=(ssize_t) ((q-p)-count);
+         *q=c;
+         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+         canonical=MagickTrue;
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
index 2f77a777a3..b4990fd5a3 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
@@ -17,6 +17,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://0001-Added-extra-checks-to-make-sure-we-don-t-get-stuck-i.patch \
            file://0002-Added-missing-return.patch \
            file://0001-Fixed-memory-leak-when-entering-StreamImage-multiple.patch \
+           file://0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch \
            "
 SRCREV = "a2d96f40e707ba54b57e7d98c3277d3ea6611ace"

[meta-oe,walnascar,04/11] imagemagick: patch CVE-2025-53101

Commit Message

Patch