[meta-oe,walnascar,05/11] imagemagick: patch CVE-2025-55004

Message ID	20251008205914.598660-5-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.218.48, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 05/11] imagemagick: patch CVE-2025-55004 Date: Wed, 8 Oct 2025 22:59:08 +0200 Message-ID: <20251008205914.598660-5-skandigraun@gmail.com> In-Reply-To: <20251008205914.598660-1-skandigraun@gmail.com> References: <20251008205914.598660-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 \| expand [meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 [meta-oe,walnascar,02/11] imagemagick: patch CVE-2025-53015 [meta-oe,walnascar,03/11] imagemagick: patch CVE-2025-53019 [meta-oe,walnascar,04/11] imagemagick: patch CVE-2025-53101 [meta-oe,walnascar,05/11] imagemagick: patch CVE-2025-55004 [meta-oe,walnascar,06/11] imagemagick: patch CVE-2025-55005 [meta-oe,walnascar,07/11] imagemagick: patch CVE-2025-55154 [meta-oe,walnascar,08/11] imagemagick: patch CVE-2025-55160 [meta-oe,walnascar,09/11] imagemagick: patch CVE-2025-55212 [meta-oe,walnascar,10/11] imagemagick: patch CVE-2025-57803 [meta-oe,walnascar,11/11] imagemagick: patch CVE-2025-57807

Message ID

20251008205914.598660-5-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][walnascar][PATCH 05/11] imagemagick: patch CVE-2025-55004
Date: Wed,  8 Oct 2025 22:59:08 +0200
Message-ID: <20251008205914.598660-5-skandigraun@gmail.com>
In-Reply-To: <20251008205914.598660-1-skandigraun@gmail.com>
References: <20251008205914.598660-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,walnascar,01/11] imagemagick: patch CVE-2025-53014 | expand

Commit Message

Gyorgy Sarvari Oct. 8, 2025, 8:59 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004

Pick the patch that mentions the relevant github advisory in its commit message.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../imagemagick/0001-CVE-2025-55004.patch     | 64 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1-43.bb       |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/0001-CVE-2025-55004.patch

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/0001-CVE-2025-55004.patch b/meta-oe/recipes-support/imagemagick/imagemagick/0001-CVE-2025-55004.patch
new file mode 100644
index 0000000000..8a326de900
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/0001-CVE-2025-55004.patch
@@ -0,0 +1,64 @@ 
+From 2c850f4136e8972244f21ba2eb2db9397784d479 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 7 Aug 2025 19:14:00 -0400
+Subject: [PATCH] CVE-2025-55004
+
+CVE: CVE-2025-55004
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/55d97055e00a7bc7ae2776c99824002fbb4a72aa]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ coders/png.c | 33 ++++++++++-----------------------
+ 1 file changed, 10 insertions(+), 23 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index ad756e8ed..9594623e3 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -4779,37 +4779,24 @@ static Image *ReadOneJNGImage(MngReadInfo *mng_info,
+       jng_image=ReadImage(alpha_image_info,exception);
+ 
+       if (jng_image != (Image *) NULL)
+-        for (y=0; y < (ssize_t) image->rows; y++)
+         {
+-          s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception);
+-          q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
+-          if ((s == (const Quantum *)  NULL) || (q == (Quantum *) NULL))
+-            break;
++          image->alpha_trait=BlendPixelTrait;
++          for (y=0; y < (ssize_t) image->rows; y++)
++          {
++            s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception);
++            q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
++            if ((s == (const Quantum *)  NULL) || (q == (Quantum *) NULL))
++              break;
+ 
+-          if (image->alpha_trait != UndefinedPixelTrait)
+             for (x=(ssize_t) image->columns; x != 0; x--)
+             {
+               SetPixelAlpha(image,GetPixelRed(jng_image,s),q);
+               q+=(ptrdiff_t) GetPixelChannels(image);
+               s+=(ptrdiff_t) GetPixelChannels(jng_image);
+             }
+-
+-          else
+-            for (x=(ssize_t) image->columns; x != 0; x--)
+-            {
+-              Quantum
+-                alpha;
+-
+-              alpha=GetPixelRed(jng_image,s);
+-              SetPixelAlpha(image,alpha,q);
+-              if (alpha != OpaqueAlpha)
+-                image->alpha_trait=BlendPixelTrait;
+-              q+=(ptrdiff_t) GetPixelChannels(image);
+-              s+=(ptrdiff_t) GetPixelChannels(jng_image);
+-            }
+-
+-          if (SyncAuthenticPixels(image,exception) == MagickFalse)
+-            break;
++            if (SyncAuthenticPixels(image,exception) == MagickFalse)
++              break;
++          }
+         }
+       (void) RelinquishUniqueFileResource(alpha_image->filename);
+       alpha_image=DestroyImageList(alpha_image);
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
index b4990fd5a3..570d162fd4 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1-43.bb
@@ -18,6 +18,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://0002-Added-missing-return.patch \
            file://0001-Fixed-memory-leak-when-entering-StreamImage-multiple.patch \
            file://0001-https-github.com-ImageMagick-ImageMagick-security-ad.patch \
+           file://0001-CVE-2025-55004.patch \
            "
 SRCREV = "a2d96f40e707ba54b57e7d98c3277d3ea6611ace"

[meta-oe,walnascar,05/11] imagemagick: patch CVE-2025-55004

Commit Message

Patch