[meta-oe,kirkstone,11/12] ImageMagick: Fix CVE-2025-55298

Message ID	20251120084959.51761-11-Divyanshu.Rathore@bmwtechworks.in
State	New
Headers	show Return-Path: <philip@balister.org> ip: 40.107.57.43, mailfrom: divyanshu.rathore@bmwtechworks.in) From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in> To: openembedded-devel@lists.openembedded.org CC: Sana.Kazi@bmwtechworks.in Subject: [meta-oe][kirkstone][PATCH 11/12] ImageMagick: Fix CVE-2025-55298 Date: Thu, 20 Nov 2025 14:19:58 +0530 Message-ID: <20251120084959.51761-11-Divyanshu.Rathore@bmwtechworks.in> In-Reply-To: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in> References: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Series	[meta-oe,kirkstone,01/12] ImageMagick: Fix CVE-2025-53014 \| expand [meta-oe,kirkstone,01/12] ImageMagick: Fix CVE-2025-53014 [meta-oe,kirkstone,02/12] ImageMagick: Fix CVE-2025-53101 [meta-oe,kirkstone,03/12] ImageMagick: Fix CVE-2025-55160 [meta-oe,kirkstone,04/12] ImageMagick: Fix CVE-2025-55005 [meta-oe,kirkstone,05/12] ImageMagick: Fix CVE-2025-53019 [meta-oe,kirkstone,06/12] ImageMagick: Fix CVE-2025-55004 [meta-oe,kirkstone,07/12] ImageMagick: Fix CVE-2025-57803 [meta-oe,kirkstone,08/12] ImageMagick: Fix CVE-2025-57807 [meta-oe,kirkstone,09/12] ImageMagick: Fix CVE-2023-34151 [meta-oe,kirkstone,10/12] ImageMagick: Fix CVE-2025-55154 [meta-oe,kirkstone,11/12] ImageMagick: Fix CVE-2025-55298 [meta-oe,kirkstone,12/12] ImageMagick: Fix CVE-2024-41817

Message ID

20251120084959.51761-11-Divyanshu.Rathore@bmwtechworks.in

State

New

Headers

From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
To: openembedded-devel@lists.openembedded.org
CC: Sana.Kazi@bmwtechworks.in
Subject: [meta-oe][kirkstone][PATCH 11/12] ImageMagick: Fix CVE-2025-55298
Date: Thu, 20 Nov 2025 14:19:58 +0530
Message-ID: <20251120084959.51761-11-Divyanshu.Rathore@bmwtechworks.in>
In-Reply-To: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in>
References: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 SLpMVtJMIu0cmHwnSZsIy4dD82FPwHcWbMby61ncXvr33h97EOrL0jsTkXZFi48gpE/lBO8f1URaRoa4BKvikwUC+AtaktyAGR1UbRico1BjYXPsQ28PBpaTbLwun9QomSXamH7Vl/0wAXstq34bv5k1VnBtkEb9ulSc7xQFwMu7El7M1BASOyov8AEItK+Uw70kuocuWdeM8HnC/XpCk5vY2U0ZCspWoOXUiSakHSn8fn6sL6HgaQ/bpP4y7HJeie83SuuYryg5cIK8Zj/yLPRWIfh3S9IK0yCuZiKr6o+ZooBXzfygbJm2OFfgJL9c+00a6RM6DDN5aSUlXNtAnD7FjgbPdEilk5HKVvvf7jD5x59V13MvwMAZfH9zAYv6AF55lY9xr6AtkFEIPNHYTIqkIqTQKV7xH9MC/GXrx+1hJScSsJS0GOz1BS/Te9vWvDQHM8e7M//znxmyaq559n59AXaFsSejAXvX3Ymx8xABk6iUtHtp84lv1Fe2OYcc8FpdSaK7CmOWz5jaWmn29CBl8+7pciAikzQrLucHf6MTvsxgIjdNYLaiDHpAXQByGwCLEV7f5lSzyqnl01F14vBLZPSBOkuwKxv1oKKglEM+CBcCdAOrMmBD6RgTxSn1j310Jj1kcg9/F+CeNTwrHx4Bon7nSrcOnA1NLukqCQLvelwLN+znAn66RE6JC18YiD8+FxcTXr4VwrZoS57Xp7q+2OOgqTrZIY9/jh4VOv++vUIHk/3lVAdLs5MBjK6rLUsuMOjZjymMeXstFpuC67bhNZc9OxifWgtVvUM3dny4ZtEM8I+cZCk4+WRqm6QjypSqL7f2xXYxRCCgHWm19Ms/FyskxY8CQWw+cdfbeN/4VBuJUAsS+7gKcuiQNgk2Ypd7pP0+Qk+t4KDB7Y5iaHvgXx4fbSwXxzAQGTBf7/FYCuDm+edXCNF2E8SzM+Zqg/JkM4nXgJAmNEF2Ro9Csdt0yR/q4Etwlb/Bm/jBJnL5mHPAGRYfG7tfz/7L4rcmNGyOTh4RTPsJH2382UZlh+5vrjbzIag3Kv2j2bnYRd3mwhle6iNOIEKj68/Ka4x/SHDgAAsJxhXCmzngEbIwHvtevCrqdEBAHPpYa3mDdn6EpNONWOM0DZ8t4h2cs2N4kADFtrZN2PeCaA1IS15K4b5IviJQ9KBZ1+mdwbrUAh/axcoq8GmPsgMBclwYzTd4CLOn2KtFKgIZYNDyC9TSoILbGzg0ljUR6RtKkA4IA+2r0chF8A46Ps5DLfGa3grxTiXany1Frj3KPTo6Eu8b20l8DH0Gak1z9eE7CxVUj98LvU7FHDgHjv88cvPOydsHcKq5aofTRN3QhRdhRh8o7OuybKr/v7LtVB+Er9vXwTwy67bA459aZDmdZjM6suCwRcZBifR1xAXlR/bPSyY/60mncpUAK6RUhTiGbY3KvL5I6P+ulxZVuSUtxjZTUZzKv6rp3NEyKzQpfgRAtfINGRXvUBDpKdQLB6lr1lfplk4D6I/mNNXDQgHUhjm+8gMbx8uBXcFYy4xuo6eJCA7UUTSST2oMAJOLHdp9JUXec/9pJi+pvH9WGt7QgjLfL1IPakXVO4gHvrZQV15xacqeDsi5R4YM7l5mEYK6h0sDeA2o7HhLwtto3TDf5nNQgP3rdIpmY7GLgmILwcWT4GFpzLptf3eTdA36G0te7J3M6dM=
X-OriginatorOrg: bmwtechworks.in
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 532b9fd9-c399-4679-7586-08de2811d64c
X-MS-Exchange-CrossTenant-AuthSource: MA0P287MB3378.INDP287.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Nov 2025 08:50:20.9568
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 970fa6fd-1031-4cc6-8c56-488f3c61cd05
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 hOg3RQwu5v/AizKQOviyEG0Jt/9aVbN85mbO+W7vPM0iNeaU5zBMqpPGOBBfB/RZGCyQSz9/q8HNd7/3+/2MgaHUn3+t+XG3R+PRN+iwglV0QzEZbW7eHj2Vq9weF3dZ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PN2P287MB1004
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 20 Nov 2025 15:26:36 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121947

Series

[meta-oe,kirkstone,01/12] ImageMagick: Fix CVE-2025-53014 | expand

Commit Message

Divyanshu Rathore Nov. 20, 2025, 8:49 a.m. UTC

Backport the fix for CVE-2025-55298

Add below patch to fix
0011-ImageMagick-Fix-CVE-2025-55298.patch

Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
 ...support-patch-1-to-fix-CVE-2025-5529.patch |  49 ++++
 ...support-patch-2-to-fix-CVE-2025-5529.patch |  58 ++++
 ...support-patch-3-to-fix-CVE-2025-5529.patch | 205 +++++++++++++
 ...support-patch-4-to-fix-CVE-2025-5529.patch | 103 +++++++
 ...011-ImageMagick-Fix-1-CVE-2025-55298.patch |  71 +++++
 ...011-ImageMagick-Fix-2-CVE-2025-55298.patch | 274 ++++++++++++++++++
 .../imagemagick/imagemagick_7.0.10.bb         |   6 +
 7 files changed, 766 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
 create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch

Comments

Gyorgy Sarvari Nov. 22, 2025, 12:48 p.m. UTC | #1

These patches fail to apply - could you please take a look at this? It
looks that this patch's content is already present.


ERROR: imagemagick-7.0.10-62-r0 do_patch: Applying patch
'0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch' on
target directory
'/cocto/kirkstone-next/build/tmp/work/core2-64-poky-linux/imagemagick/7.0.10-62-r0/git'
CmdError('quilt --quiltrc
/cocto/kirkstone-next/build/tmp/work/core2-64-poky-linux/imagemagick/7.0.10-62-r0/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch
0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
patching file MagickCore/image.c
Hunk #1 FAILED at 1650.
Hunk #2 FAILED at 1666.
2 out of 2 hunks FAILED -- rejects in file MagickCore/image.c
Patch 0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
can be reverse-applied


On 11/20/25 09:49, Divyanshu Rathore via lists.openembedded.org wrote:
> Backport the fix for CVE-2025-55298
>
> Add below patch to fix
> 0011-ImageMagick-Fix-CVE-2025-55298.patch
>
> Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> ---
>  ...support-patch-1-to-fix-CVE-2025-5529.patch |  49 ++++
>  ...support-patch-2-to-fix-CVE-2025-5529.patch |  58 ++++
>  ...support-patch-3-to-fix-CVE-2025-5529.patch | 205 +++++++++++++
>  ...support-patch-4-to-fix-CVE-2025-5529.patch | 103 +++++++
>  ...011-ImageMagick-Fix-1-CVE-2025-55298.patch |  71 +++++
>  ...011-ImageMagick-Fix-2-CVE-2025-55298.patch | 274 ++++++++++++++++++
>  .../imagemagick/imagemagick_7.0.10.bb         |   6 +
>  7 files changed, 766 insertions(+)
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
>  create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch
>
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
> new file mode 100644
> index 0000000000..d4bd7d6acb
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
> @@ -0,0 +1,49 @@
> +From 11f9e946dab3f2a4de68809bab9c01be2967bb08 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Tue, 11 Nov 2025 14:34:12 +0530
> +Subject: [PATCH 1/6] ImageMagick: Add support patch 1 to fix CVE-2025-55298
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 8 +++++---
> + 1 file changed, 5 insertions(+), 3 deletions(-)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index 34804e522..849a89931 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1640,15 +1640,15 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   char
> +     *q;
> + 
> ++  const char
> ++    *p;
> ++
> +   int
> +     c;
> + 
> +   MagickBooleanType
> +     canonical;
> + 
> +-  const char
> +-    *p;
> +-
> +   ssize_t
> +     field_width,
> +     offset;
> +@@ -1656,6 +1656,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   canonical=MagickFalse;
> +   offset=0;
> +   (void) CopyMagickString(filename,format,MagickPathExtent);
> ++  if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
> ++    return(strlen(filename));
> +   for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
> +   {
> +     q=(char *) p+1;
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
> new file mode 100644
> index 0000000000..3550a4abba
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
> @@ -0,0 +1,58 @@
> +From c02868456edccf0dd555c3d004efb491974c92c7 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Tue, 11 Nov 2025 15:17:32 +0530
> +Subject: [PATCH 2/6] ImageMagick: Add support patch-2 to fix CVE-2025-55298
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 13 +++++++------
> + 1 file changed, 7 insertions(+), 6 deletions(-)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index 849a89931..3437ed358 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1650,7 +1650,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +     canonical;
> + 
> +   ssize_t
> +-    field_width,
> +     offset;
> + 
> +   canonical=MagickFalse;
> +@@ -1666,21 +1665,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +         p=q+1;
> +         continue;
> +       }
> +-    field_width=0;
> +-    if (*q == '0')
> +-      field_width=(ssize_t) strtol(q,&q,10);
> +     switch (*q)
> +     {
> +       case 'd':
> +       case 'o':
> +       case 'x':
> +       {
> ++        ssize_t
> ++          count;
> ++
> +         q++;
> +         c=(*q);
> +         *q='\0';
> +-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
> ++        count=FormatLocaleString(filename+(p-format-offset),(size_t)
> +           (MagickPathExtent-(p-format-offset)),p,value);
> +-        offset+=(4-field_width);
> ++        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
> ++          return(0);
> ++        offset+=(ssize_t) ((q-p)-count);
> +         *q=c;
> +         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
> +         canonical=MagickTrue;
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
> new file mode 100644
> index 0000000000..63e88ebfd9
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
> @@ -0,0 +1,205 @@
> +From 19073f73f83c78a1fed8f040ed08b16ccfc817f5 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Tue, 11 Nov 2025 21:53:10 +0530
> +Subject: [PATCH 3/6] ImageMagick: Add support patch-3 to fix CVE-2025-55298
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 134 +++++++++++++++++++--------------------------
> + 1 file changed, 55 insertions(+), 79 deletions(-)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index 3437ed358..cd4de6df9 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   ExceptionInfo *exception)
> + {
> +   char
> +-    *q;
> ++    *p = filename,
> ++    pattern[MagickPathExtent];
> + 
> +   const char
> +-    *p;
> +-
> +-  int
> +-    c;
> +-
> +-  MagickBooleanType
> +-    canonical;
> +-
> +-  ssize_t
> +-    offset;
> ++    *cursor = format;
> + 
> +-  canonical=MagickFalse;
> +-  offset=0;
> ++  /*
> ++    Start with a copy of the format string.
> ++  */
> +   (void) CopyMagickString(filename,format,MagickPathExtent);
> +   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
> +     return(strlen(filename));
> +-  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
> ++  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
> +   {
> +-    q=(char *) p+1;
> +-    if (*q == '%')
> ++    const char
> ++      *q = cursor;
> ++
> ++    ssize_t
> ++      offset = (ssize_t) (cursor-format);
> ++
> ++    cursor++;  /* move past '%' */
> ++    if (*cursor == '%')
> +       {
> +-        p=q+1;
> ++        /*
> ++          Escaped %%.
> ++        */
> ++        cursor++;
> +         continue;
> +       }
> +-    switch (*q)
> ++    /*
> ++      Skip padding digits like %03d.
> ++    */
> ++    if (*cursor == '0')
> ++      (void) strtol(cursor,(char **) &cursor,10);
> ++    switch (*cursor)
> +     {
> +       case 'd':
> +       case 'o':
> +@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +         ssize_t
> +           count;
> + 
> +-        q++;
> +-        c=(*q);
> +-        *q='\0';
> +-        count=FormatLocaleString(filename+(p-format-offset),(size_t)
> +-          (MagickPathExtent-(p-format-offset)),p,value);
> +-        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
> ++        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
> ++        if ((count <= 0) || (count >= MagickPathExtent))
> +           return(0);
> +-        offset+=(ssize_t) ((q-p)-count);
> +-        *q=c;
> +-        (void) ConcatenateMagickString(filename,q,MagickPathExtent);
> +-        canonical=MagickTrue;
> +-        if (*(q-1) != '%')
> +-          break;
> +-        p++;
> ++        if ((offset+count) >= MagickPathExtent)
> ++          return(0);
> ++        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
> ++          offset));
> ++        cursor++;
> +         break;
> +       }
> +       case '[':
> +       {
> +-        char
> +-          pattern[MagickPathExtent];
> +-
> +         const char
> +-          *option;
> ++          *end = strchr(cursor,']'),
> ++          *option = (const char *) NULL;
> + 
> +-        char
> +-          *r;
> +-
> +-        ssize_t
> +-          i;
> +-
> +-        ssize_t
> +-          depth;
> ++        size_t
> ++          extent = (size_t) (end-cursor);
> + 
> +         /*
> +-          Image option.
> ++          Handle %[key:value];
> +         */
> +-        if (strchr(p,']') == (char *) NULL)
> ++        if (end == (const char *) NULL)
> +           break;
> +-        depth=1;
> +-        r=q+1;
> +-        for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
> +-        {
> +-          if (*r == '[')
> +-            depth++;
> +-          if (*r == ']')
> +-            depth--;
> +-          if (depth <= 0)
> +-            break;
> +-          pattern[i]=(*r++);
> +-        }
> +-        pattern[i]='\0';
> +-        if (LocaleNCompare(pattern,"filename:",9) != 0)
> ++        if (extent >= sizeof(pattern))
> +           break;
> +-        option=(const char *) NULL;
> ++        (void) CopyMagickString(pattern,cursor,extent);
> ++        pattern[extent]='\0';
> +         if (image != (Image *) NULL)
> +           option=GetImageProperty(image,pattern,exception);
> +-        if ((option == (const char *) NULL) && (image != (Image *) NULL))
> ++        if ((option == (const char *) NULL) && (image != (Image *)NULL))
> +           option=GetImageArtifact(image,pattern);
> +         if ((option == (const char *) NULL) &&
> +             (image_info != (ImageInfo *) NULL))
> +           option=GetImageOption(image_info,pattern);
> +         if (option == (const char *) NULL)
> +           break;
> +-        q--;
> +-        c=(*q);
> +-        *q='\0';
> +-        (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
> +-          (MagickPathExtent-(p-format-offset)));
> +-        offset+=strlen(pattern)-strlen(option)+3;
> +-        *q=c;
> +-        (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
> +-        canonical=MagickTrue;
> +-        if (*(q-1) != '%')
> +-          break;
> +-        p++;
> ++        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
> ++          offset));
> ++        cursor=end+1;
> +         break;
> +       }
> +       default:
> +         break;
> +     }
> +   }
> +-  if (canonical == MagickFalse)
> +-    (void) CopyMagickString(filename,format,MagickPathExtent);
> +-  else
> +-    for (q=filename; *q != '\0'; q++)
> +-      if ((*q == '%') && (*(q+1) == '%'))
> +-        (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
> ++  for (p=filename; *p != '\0'; )
> ++  {
> ++    /*
> ++      Replace "%%" with "%".
> ++    */
> ++    if ((*p == '%') && (*(p+1) == '%'))
> ++      (void) memmove(p,p+1,strlen(p));  /* shift left */
> ++    else
> ++      p++;
> ++  }
> +   return(strlen(filename));
> + }
> + 
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
> new file mode 100644
> index 0000000000..65739cbf44
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
> @@ -0,0 +1,103 @@
> +From 3b5f524f80851b819bcbfd40e30912af3710ef48 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Wed, 12 Nov 2025 11:35:37 +0530
> +Subject: [PATCH 4/6] ImageMagick: Add support patch-4 to fix CVE-2025-55298
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 31 +++++++++++++++++++++----------
> + 1 file changed, 21 insertions(+), 10 deletions(-)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index cd4de6df9..1acf8edbd 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   /*
> +     Start with a copy of the format string.
> +   */
> ++  assert(format != (const char *) NULL);
> ++  assert(filename != (char *) NULL);
> +   (void) CopyMagickString(filename,format,MagickPathExtent);
> +   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
> +     return(strlen(filename));
> +@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +     /*
> +       Skip padding digits like %03d.
> +     */
> +-    if (*cursor == '0')
> ++    if (isdigit((int) ((unsigned char) *cursor)) != 0)
> +       (void) strtol(cursor,(char **) &cursor,10);
> +     switch (*cursor)
> +     {
> +@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +           count;
> + 
> +         count=FormatLocaleString(pattern,sizeof(pattern),q,value);
> +-        if ((count <= 0) || (count >= MagickPathExtent))
> +-          return(0);
> +-        if ((offset+count) >= MagickPathExtent)
> ++        if ((count <= 0) || (count >= MagickPathExtent) ||
> ++            ((offset+count) >= MagickPathExtent))
> +           return(0);
> +         (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
> +           offset));
> +@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +           *option = (const char *) NULL;
> + 
> +         size_t
> +-          extent = (size_t) (end-cursor);
> ++          extent = (size_t) (end-cursor-1),
> ++          option_length,
> ++          tail_length;
> + 
> +         /*
> +           Handle %[key:value];
> +@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +           break;
> +         if (extent >= sizeof(pattern))
> +           break;
> +-        (void) CopyMagickString(pattern,cursor,extent);
> ++        (void) CopyMagickString(pattern,cursor+1,extent+1);
> +         pattern[extent]='\0';
> +         if (image != (Image *) NULL)
> +-          option=GetImageProperty(image,pattern,exception);
> +-        if ((option == (const char *) NULL) && (image != (Image *)NULL))
> +-          option=GetImageArtifact(image,pattern);
> ++          {
> ++            option=GetImageProperty(image,pattern,exception);
> ++            if (option == (const char *) NULL)
> ++              option=GetImageArtifact(image,pattern);
> ++          }
> +         if ((option == (const char *) NULL) &&
> +             (image_info != (ImageInfo *) NULL))
> +           option=GetImageOption(image_info,pattern);
> +         if (option == (const char *) NULL)
> +           break;
> ++        option_length=strlen(option);
> ++        tail_length=strlen(end+1);
> ++        if ((offset+option_length+tail_length+1) > MagickPathExtent)
> ++          return(0);
> +         (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
> +           offset));
> ++        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
> ++          MagickPathExtent-offset-option_length-tail_length-1));
> +         cursor=end+1;
> +         break;
> +       }
> +@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +       Replace "%%" with "%".
> +     */
> +     if ((*p == '%') && (*(p+1) == '%'))
> +-      (void) memmove(p,p+1,strlen(p));  /* shift left */
> ++      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
> +     else
> +       p++;
> +   }
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
> new file mode 100644
> index 0000000000..1a92b36755
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
> @@ -0,0 +1,71 @@
> +From bc530e782bcee75960dac57e9191ab7257842bd9 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Wed, 12 Nov 2025 11:52:00 +0530
> +Subject: [PATCH 5/6] ImageMagick: Fix CVE-2025-55298
> +
> +CVE: CVE-2025-55298
> +
> +This CVE fixed in two parts, this commit includes the first fix.
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++
> + 1 file changed, 32 insertions(+)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index 1acf8edbd..7a52236d8 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
> + %    o exception: return any errors or warnings in this structure.
> + %
> + */
> ++
> ++static inline MagickBooleanType PercentNInvalidOperation(char *filename)
> ++{
> ++  MagickBooleanType
> ++    match = MagickFalse;
> ++
> ++  size_t
> ++    length = strlen(filename);
> ++
> ++  ssize_t
> ++    i;
> ++
> ++  for (i=0; i < (ssize_t) length-1; i++)
> ++  {
> ++    if ((filename[i] == '%') &&
> ++        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
> ++      {
> ++        filename[i]='?';
> ++        filename[i+1]='\?';
> ++        match=MagickTrue;
> ++      }
> ++  }
> ++  return(match);
> ++}
> ++
> + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   Image *image,const char *format,int value,char *filename,
> +   ExceptionInfo *exception)
> +@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   (void) CopyMagickString(filename,format,MagickPathExtent);
> +   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
> +     return(strlen(filename));
> ++  if (PercentNInvalidOperation(filename) != MagickFalse)
> ++    {
> ++      errno=EPERM;
> ++      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
> ++        "InvalidArgument","`%s'",filename);
> ++      return(0);
> ++    }
> +   while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
> +   {
> +     const char
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch
> new file mode 100644
> index 0000000000..22fafbb4ff
> --- /dev/null
> +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch
> @@ -0,0 +1,274 @@
> +From 51bdbd8ba79cc29b5b8bd1cbe201612c4f1b6a14 Mon Sep 17 00:00:00 2001
> +From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +Date: Wed, 12 Nov 2025 13:05:40 +0530
> +Subject: [PATCH 6/6] ImageMagick: Fix CVE-2025-55298
> +
> +CVE: CVE-2025-55298
> +
> +This CVE fixed in two parts, this commit includes the second fix.
> +
> +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
> +
> +Comment: Refreshed hunk to match latest kirkstone
> +
> +Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
> +---
> + MagickCore/image.c | 182 ++++++++++++++++++++++++---------------------
> + 1 file changed, 96 insertions(+), 86 deletions(-)
> +
> +diff --git a/MagickCore/image.c b/MagickCore/image.c
> +index 7a52236d8..beaf69728 100644
> +--- a/MagickCore/image.c
> ++++ b/MagickCore/image.c
> +@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
> + %
> + %  A description of each parameter follows.
> + %
> +-%    o image_info: the image info..
> ++%    o image_info: the image info.
> + %
> + %    o image: the image.
> + %
> +@@ -1634,28 +1634,39 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
> + %
> + */
> + 
> +-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
> ++static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
> ++  const char *end)
> + {
> +-  MagickBooleanType
> +-    match = MagickFalse;
> ++  char
> ++    specifier = end[-1];
> + 
> +   size_t
> +-    length = strlen(filename);
> ++    length = end-start;
> + 
> +-  ssize_t
> +-    i;
> ++  /*
> ++    Is this a valid format specifier?
> ++  */
> ++  if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
> ++    return(MagickFalse);
> ++  if ((length == 1) && (*start == specifier))
> ++    return(MagickTrue);
> ++  if (length >= 2)
> ++    {
> ++      size_t
> ++        i = 0;
> + 
> +-  for (i=0; i < (ssize_t) length-1; i++)
> +-  {
> +-    if ((filename[i] == '%') &&
> +-        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
> +-      {
> +-        filename[i]='?';
> +-        filename[i+1]='\?';
> +-        match=MagickTrue;
> +-      }
> +-  }
> +-  return(match);
> ++      if (*start == '0')
> ++        {
> ++          if ((length >= 3) && (start[1] == '0'))
> ++            return(MagickFalse);
> ++          i=1;
> ++        }
> ++      for ( ; i < (length-1); i++)
> ++        if (isdigit((int) ((unsigned char) start[i])) == 0)
> ++          return(MagickFalse);
> ++      return(MagickTrue);
> ++    }
> ++  return(MagickFalse);
> + }
> + 
> + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +@@ -1669,82 +1680,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +   const char
> +     *cursor = format;
> + 
> +-  /*
> +-    Start with a copy of the format string.
> +-  */
> +   assert(format != (const char *) NULL);
> +   assert(filename != (char *) NULL);
> +-  (void) CopyMagickString(filename,format,MagickPathExtent);
> +   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
> +-    return(strlen(filename));
> +-  if (PercentNInvalidOperation(filename) != MagickFalse)
> +     {
> +-      errno=EPERM;
> +-      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
> +-        "InvalidArgument","`%s'",filename);
> +-      return(0);
> ++      (void) CopyMagickString(filename,format,MagickPathExtent);
> ++      return(strlen(filename));
> +     }
> +-  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
> ++  while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
> +   {
> +     const char
> +-      *q = cursor;
> +-
> +-    ssize_t
> +-      offset = (ssize_t) (cursor-format);
> ++      *specifier_start,
> ++      *start;
> + 
> +-    cursor++;  /* move past '%' */
> ++    if (*cursor != '%')
> ++      {
> ++        *p++=(*cursor++);
> ++        continue;
> ++      }
> ++    start=cursor++;  /* Skip '%' */
> +     if (*cursor == '%')
> +       {
> +-        /*
> +-          Escaped %%.
> +-        */
> ++        *p++='%';
> +         cursor++;
> +         continue;
> +       }
> +-    /*
> +-      Skip padding digits like %03d.
> +-    */
> +-    if (isdigit((int) ((unsigned char) *cursor)) != 0)
> +-      (void) strtol(cursor,(char **) &cursor,10);
> +-    switch (*cursor)
> +-    {
> +-      case 'd':
> +-      case 'o':
> +-      case 'x':
> ++    specifier_start=cursor;
> ++    while (isdigit((int) ((unsigned char) *cursor)) != 0)
> ++      cursor++;
> ++    if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
> +       {
> +-        ssize_t
> +-          count;
> ++        const char
> ++          *specifier_end = cursor+1;
> + 
> +-        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
> +-        if ((count <= 0) || (count >= MagickPathExtent) ||
> +-            ((offset+count) >= MagickPathExtent))
> +-          return(0);
> +-        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
> +-          offset));
> +-        cursor++;
> +-        break;
> ++        if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
> ++          {
> ++            char
> ++              format_specifier[MagickPathExtent];
> ++
> ++            size_t
> ++              length = cursor-specifier_start;
> ++
> ++            ssize_t
> ++              count;
> ++
> ++            (void) snprintf(format_specifier,sizeof(format_specifier),
> ++              "%%%.*s%c",(int) length,specifier_start,*cursor);
> ++            count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
> ++              value);
> ++            if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
> ++              return(0);
> ++            (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
> ++            p+=strlen(pattern);
> ++            cursor++;
> ++            continue;
> ++          }
> ++        else
> ++          {
> ++            /*
> ++              Invalid specifier — treat as literal.
> ++            */
> ++            cursor=start;
> ++            *p++=(*cursor++);
> ++            continue;
> ++          }
> +       }
> +-      case '[':
> ++    if (*cursor == '[')
> +       {
> +         const char
> +           *end = strchr(cursor,']'),
> +           *option = (const char *) NULL;
> + 
> +         size_t
> +-          extent = (size_t) (end-cursor-1),
> +-          option_length,
> +-          tail_length;
> ++          extent,
> ++          option_length;
> + 
> +-        /*
> +-          Handle %[key:value];
> +-        */
> +         if (end == (const char *) NULL)
> +-          break;
> ++          continue;
> ++        extent=(size_t) (end-cursor-1);
> +         if (extent >= sizeof(pattern))
> +-          break;
> ++          continue;
> +         (void) CopyMagickString(pattern,cursor+1,extent+1);
> +         pattern[extent]='\0';
> +-        if (image != (Image *) NULL)
> ++        if (image != NULL)
> +           {
> +             option=GetImageProperty(image,pattern,exception);
> +             if (option == (const char *) NULL)
> +@@ -1754,32 +1772,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
> +             (image_info != (ImageInfo *) NULL))
> +           option=GetImageOption(image_info,pattern);
> +         if (option == (const char *) NULL)
> +-          break;
> ++          continue;
> +         option_length=strlen(option);
> +-        tail_length=strlen(end+1);
> +-        if ((offset+option_length+tail_length+1) > MagickPathExtent)
> ++        if ((p-filename+option_length) >= MagickPathExtent)
> +           return(0);
> +-        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
> +-          offset));
> +-        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
> +-          MagickPathExtent-offset-option_length-tail_length-1));
> ++        (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
> ++        p+=option_length;
> +         cursor=end+1;
> +-        break;
> ++        continue;
> +       }
> +-      default:
> +-        break;
> +-    }
> +-  }
> +-  for (p=filename; *p != '\0'; )
> +-  {
> +     /*
> +-      Replace "%%" with "%".
> ++      Invalid or unsupported specifier — treat as literal.
> +     */
> +-    if ((*p == '%') && (*(p+1) == '%'))
> +-      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
> +-    else
> +-      p++;
> ++    cursor=start;
> ++    if ((p-filename+1) >= MagickPathExtent)
> ++      return(0);
> ++    *p++=(*cursor++);
> +   }
> ++  *p='\0';
> +   return(strlen(filename));
> + }
> + 
> +-- 
> +2.34.1
> +
> diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> index af0a3149e3..d929a220f1 100644
> --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
> @@ -33,6 +33,12 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
>      file://0008-ImageMagick-Fix-CVE-2025-57807.patch \
>      file://0009-ImageMagick-Fix-CVE-2023-34151.patch \
>      file://0010-ImageMagick-Fix-CVE-2025-55154.patch \
> +    file://0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \
> +    file://0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \
> +    file://0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \
> +    file://0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch \
> +    file://0011-ImageMagick-Fix-1-CVE-2025-55298.patch \
> +    file://0011-ImageMagick-Fix-2-CVE-2025-55298.patch \
>  "
>  
>  SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#121947): https://lists.openembedded.org/g/openembedded-devel/message/121947
> Mute This Topic: https://lists.openembedded.org/mt/116392327/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..d4bd7d6acb
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,49 @@ 
+From 11f9e946dab3f2a4de68809bab9c01be2967bb08 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 14:34:12 +0530
+Subject: [PATCH 1/6] ImageMagick: Add support patch 1 to fix CVE-2025-55298
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 34804e522..849a89931 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1640,15 +1640,15 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   char
+     *q;
+ 
++  const char
++    *p;
++
+   int
+     c;
+ 
+   MagickBooleanType
+     canonical;
+ 
+-  const char
+-    *p;
+-
+   ssize_t
+     field_width,
+     offset;
+@@ -1656,6 +1656,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   canonical=MagickFalse;
+   offset=0;
+   (void) CopyMagickString(filename,format,MagickPathExtent);
++  if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
++    return(strlen(filename));
+   for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+   {
+     q=(char *) p+1;
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..3550a4abba
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,58 @@ 
+From c02868456edccf0dd555c3d004efb491974c92c7 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 15:17:32 +0530
+Subject: [PATCH 2/6] ImageMagick: Add support patch-2 to fix CVE-2025-55298
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 849a89931..3437ed358 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1650,7 +1650,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     canonical;
+ 
+   ssize_t
+-    field_width,
+     offset;
+ 
+   canonical=MagickFalse;
+@@ -1666,21 +1665,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         p=q+1;
+         continue;
+       }
+-    field_width=0;
+-    if (*q == '0')
+-      field_width=(ssize_t) strtol(q,&q,10);
+     switch (*q)
+     {
+       case 'd':
+       case 'o':
+       case 'x':
+       {
++        ssize_t
++          count;
++
+         q++;
+         c=(*q);
+         *q='\0';
+-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+           (MagickPathExtent-(p-format-offset)),p,value);
+-        offset+=(4-field_width);
++        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++          return(0);
++        offset+=(ssize_t) ((q-p)-count);
+         *q=c;
+         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+         canonical=MagickTrue;
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..63e88ebfd9
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,205 @@ 
+From 19073f73f83c78a1fed8f040ed08b16ccfc817f5 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Tue, 11 Nov 2025 21:53:10 +0530
+Subject: [PATCH 3/6] ImageMagick: Add support patch-3 to fix CVE-2025-55298
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 134 +++++++++++++++++++--------------------------
+ 1 file changed, 55 insertions(+), 79 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 3437ed358..cd4de6df9 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   ExceptionInfo *exception)
+ {
+   char
+-    *q;
++    *p = filename,
++    pattern[MagickPathExtent];
+ 
+   const char
+-    *p;
+-
+-  int
+-    c;
+-
+-  MagickBooleanType
+-    canonical;
+-
+-  ssize_t
+-    offset;
++    *cursor = format;
+ 
+-  canonical=MagickFalse;
+-  offset=0;
++  /*
++    Start with a copy of the format string.
++  */
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+-  for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
++  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+   {
+-    q=(char *) p+1;
+-    if (*q == '%')
++    const char
++      *q = cursor;
++
++    ssize_t
++      offset = (ssize_t) (cursor-format);
++
++    cursor++;  /* move past '%' */
++    if (*cursor == '%')
+       {
+-        p=q+1;
++        /*
++          Escaped %%.
++        */
++        cursor++;
+         continue;
+       }
+-    switch (*q)
++    /*
++      Skip padding digits like %03d.
++    */
++    if (*cursor == '0')
++      (void) strtol(cursor,(char **) &cursor,10);
++    switch (*cursor)
+     {
+       case 'd':
+       case 'o':
+@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+         ssize_t
+           count;
+ 
+-        q++;
+-        c=(*q);
+-        *q='\0';
+-        count=FormatLocaleString(filename+(p-format-offset),(size_t)
+-          (MagickPathExtent-(p-format-offset)),p,value);
+-        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
++        if ((count <= 0) || (count >= MagickPathExtent))
+           return(0);
+-        offset+=(ssize_t) ((q-p)-count);
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
++        if ((offset+count) >= MagickPathExtent)
++          return(0);
++        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
++          offset));
++        cursor++;
+         break;
+       }
+       case '[':
+       {
+-        char
+-          pattern[MagickPathExtent];
+-
+         const char
+-          *option;
++          *end = strchr(cursor,']'),
++          *option = (const char *) NULL;
+ 
+-        char
+-          *r;
+-
+-        ssize_t
+-          i;
+-
+-        ssize_t
+-          depth;
++        size_t
++          extent = (size_t) (end-cursor);
+ 
+         /*
+-          Image option.
++          Handle %[key:value];
+         */
+-        if (strchr(p,']') == (char *) NULL)
++        if (end == (const char *) NULL)
+           break;
+-        depth=1;
+-        r=q+1;
+-        for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
+-        {
+-          if (*r == '[')
+-            depth++;
+-          if (*r == ']')
+-            depth--;
+-          if (depth <= 0)
+-            break;
+-          pattern[i]=(*r++);
+-        }
+-        pattern[i]='\0';
+-        if (LocaleNCompare(pattern,"filename:",9) != 0)
++        if (extent >= sizeof(pattern))
+           break;
+-        option=(const char *) NULL;
++        (void) CopyMagickString(pattern,cursor,extent);
++        pattern[extent]='\0';
+         if (image != (Image *) NULL)
+           option=GetImageProperty(image,pattern,exception);
+-        if ((option == (const char *) NULL) && (image != (Image *) NULL))
++        if ((option == (const char *) NULL) && (image != (Image *)NULL))
+           option=GetImageArtifact(image,pattern);
+         if ((option == (const char *) NULL) &&
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+           break;
+-        q--;
+-        c=(*q);
+-        *q='\0';
+-        (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
+-          (MagickPathExtent-(p-format-offset)));
+-        offset+=strlen(pattern)-strlen(option)+3;
+-        *q=c;
+-        (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
+-        canonical=MagickTrue;
+-        if (*(q-1) != '%')
+-          break;
+-        p++;
++        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
++          offset));
++        cursor=end+1;
+         break;
+       }
+       default:
+         break;
+     }
+   }
+-  if (canonical == MagickFalse)
+-    (void) CopyMagickString(filename,format,MagickPathExtent);
+-  else
+-    for (q=filename; *q != '\0'; q++)
+-      if ((*q == '%') && (*(q+1) == '%'))
+-        (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
++  for (p=filename; *p != '\0'; )
++  {
++    /*
++      Replace "%%" with "%".
++    */
++    if ((*p == '%') && (*(p+1) == '%'))
++      (void) memmove(p,p+1,strlen(p));  /* shift left */
++    else
++      p++;
++  }
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..65739cbf44
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,103 @@ 
+From 3b5f524f80851b819bcbfd40e30912af3710ef48 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 11:35:37 +0530
+Subject: [PATCH 4/6] ImageMagick: Add support patch-4 to fix CVE-2025-55298
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index cd4de6df9..1acf8edbd 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   /*
+     Start with a copy of the format string.
+   */
++  assert(format != (const char *) NULL);
++  assert(filename != (char *) NULL);
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
+@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     /*
+       Skip padding digits like %03d.
+     */
+-    if (*cursor == '0')
++    if (isdigit((int) ((unsigned char) *cursor)) != 0)
+       (void) strtol(cursor,(char **) &cursor,10);
+     switch (*cursor)
+     {
+@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           count;
+ 
+         count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+-        if ((count <= 0) || (count >= MagickPathExtent))
+-          return(0);
+-        if ((offset+count) >= MagickPathExtent)
++        if ((count <= 0) || (count >= MagickPathExtent) ||
++            ((offset+count) >= MagickPathExtent))
+           return(0);
+         (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+           offset));
+@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           *option = (const char *) NULL;
+ 
+         size_t
+-          extent = (size_t) (end-cursor);
++          extent = (size_t) (end-cursor-1),
++          option_length,
++          tail_length;
+ 
+         /*
+           Handle %[key:value];
+@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+           break;
+         if (extent >= sizeof(pattern))
+           break;
+-        (void) CopyMagickString(pattern,cursor,extent);
++        (void) CopyMagickString(pattern,cursor+1,extent+1);
+         pattern[extent]='\0';
+         if (image != (Image *) NULL)
+-          option=GetImageProperty(image,pattern,exception);
+-        if ((option == (const char *) NULL) && (image != (Image *)NULL))
+-          option=GetImageArtifact(image,pattern);
++          {
++            option=GetImageProperty(image,pattern,exception);
++            if (option == (const char *) NULL)
++              option=GetImageArtifact(image,pattern);
++          }
+         if ((option == (const char *) NULL) &&
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+           break;
++        option_length=strlen(option);
++        tail_length=strlen(end+1);
++        if ((offset+option_length+tail_length+1) > MagickPathExtent)
++          return(0);
+         (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+           offset));
++        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
++          MagickPathExtent-offset-option_length-tail_length-1));
+         cursor=end+1;
+         break;
+       }
+@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+       Replace "%%" with "%".
+     */
+     if ((*p == '%') && (*(p+1) == '%'))
+-      (void) memmove(p,p+1,strlen(p));  /* shift left */
++      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
+     else
+       p++;
+   }
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
new file mode 100644
index 0000000000..1a92b36755
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch
@@ -0,0 +1,71 @@ 
+From bc530e782bcee75960dac57e9191ab7257842bd9 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 11:52:00 +0530
+Subject: [PATCH 5/6] ImageMagick: Fix CVE-2025-55298
+
+CVE: CVE-2025-55298
+
+This CVE fixed in two parts, this commit includes the first fix.
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1acf8edbd..7a52236d8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %    o exception: return any errors or warnings in this structure.
+ %
+ */
++
++static inline MagickBooleanType PercentNInvalidOperation(char *filename)
++{
++  MagickBooleanType
++    match = MagickFalse;
++
++  size_t
++    length = strlen(filename);
++
++  ssize_t
++    i;
++
++  for (i=0; i < (ssize_t) length-1; i++)
++  {
++    if ((filename[i] == '%') &&
++        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
++      {
++        filename[i]='?';
++        filename[i+1]='\?';
++        match=MagickTrue;
++      }
++  }
++  return(match);
++}
++
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   Image *image,const char *format,int value,char *filename,
+   ExceptionInfo *exception)
+@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+     return(strlen(filename));
++  if (PercentNInvalidOperation(filename) != MagickFalse)
++    {
++      errno=EPERM;
++      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
++        "InvalidArgument","`%s'",filename);
++      return(0);
++    }
+   while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+   {
+     const char
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch
new file mode 100644
index 0000000000..22fafbb4ff
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch
@@ -0,0 +1,274 @@ 
+From 51bdbd8ba79cc29b5b8bd1cbe201612c4f1b6a14 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+Date: Wed, 12 Nov 2025 13:05:40 +0530
+Subject: [PATCH 6/6] ImageMagick: Fix CVE-2025-55298
+
+CVE: CVE-2025-55298
+
+This CVE fixed in two parts, this commit includes the second fix.
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
+---
+ MagickCore/image.c | 182 ++++++++++++++++++++++++---------------------
+ 1 file changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 7a52236d8..beaf69728 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ %  A description of each parameter follows.
+ %
+-%    o image_info: the image info..
++%    o image_info: the image info.
+ %
+ %    o image: the image.
+ %
+@@ -1634,28 +1634,39 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
+ %
+ */
+ 
+-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
++static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
++  const char *end)
+ {
+-  MagickBooleanType
+-    match = MagickFalse;
++  char
++    specifier = end[-1];
+ 
+   size_t
+-    length = strlen(filename);
++    length = end-start;
+ 
+-  ssize_t
+-    i;
++  /*
++    Is this a valid format specifier?
++  */
++  if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
++    return(MagickFalse);
++  if ((length == 1) && (*start == specifier))
++    return(MagickTrue);
++  if (length >= 2)
++    {
++      size_t
++        i = 0;
+ 
+-  for (i=0; i < (ssize_t) length-1; i++)
+-  {
+-    if ((filename[i] == '%') &&
+-        ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+-      {
+-        filename[i]='?';
+-        filename[i+1]='\?';
+-        match=MagickTrue;
+-      }
+-  }
+-  return(match);
++      if (*start == '0')
++        {
++          if ((length >= 3) && (start[1] == '0'))
++            return(MagickFalse);
++          i=1;
++        }
++      for ( ; i < (length-1); i++)
++        if (isdigit((int) ((unsigned char) start[i])) == 0)
++          return(MagickFalse);
++      return(MagickTrue);
++    }
++  return(MagickFalse);
+ }
+ 
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+@@ -1669,82 +1680,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+   const char
+     *cursor = format;
+ 
+-  /*
+-    Start with a copy of the format string.
+-  */
+   assert(format != (const char *) NULL);
+   assert(filename != (char *) NULL);
+-  (void) CopyMagickString(filename,format,MagickPathExtent);
+   if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+-    return(strlen(filename));
+-  if (PercentNInvalidOperation(filename) != MagickFalse)
+     {
+-      errno=EPERM;
+-      (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "InvalidArgument","`%s'",filename);
+-      return(0);
++      (void) CopyMagickString(filename,format,MagickPathExtent);
++      return(strlen(filename));
+     }
+-  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
++  while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
+   {
+     const char
+-      *q = cursor;
+-
+-    ssize_t
+-      offset = (ssize_t) (cursor-format);
++      *specifier_start,
++      *start;
+ 
+-    cursor++;  /* move past '%' */
++    if (*cursor != '%')
++      {
++        *p++=(*cursor++);
++        continue;
++      }
++    start=cursor++;  /* Skip '%' */
+     if (*cursor == '%')
+       {
+-        /*
+-          Escaped %%.
+-        */
++        *p++='%';
+         cursor++;
+         continue;
+       }
+-    /*
+-      Skip padding digits like %03d.
+-    */
+-    if (isdigit((int) ((unsigned char) *cursor)) != 0)
+-      (void) strtol(cursor,(char **) &cursor,10);
+-    switch (*cursor)
+-    {
+-      case 'd':
+-      case 'o':
+-      case 'x':
++    specifier_start=cursor;
++    while (isdigit((int) ((unsigned char) *cursor)) != 0)
++      cursor++;
++    if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
+       {
+-        ssize_t
+-          count;
++        const char
++          *specifier_end = cursor+1;
+ 
+-        count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+-        if ((count <= 0) || (count >= MagickPathExtent) ||
+-            ((offset+count) >= MagickPathExtent))
+-          return(0);
+-        (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+-          offset));
+-        cursor++;
+-        break;
++        if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
++          {
++            char
++              format_specifier[MagickPathExtent];
++
++            size_t
++              length = cursor-specifier_start;
++
++            ssize_t
++              count;
++
++            (void) snprintf(format_specifier,sizeof(format_specifier),
++              "%%%.*s%c",(int) length,specifier_start,*cursor);
++            count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
++              value);
++            if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
++              return(0);
++            (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
++            p+=strlen(pattern);
++            cursor++;
++            continue;
++          }
++        else
++          {
++            /*
++              Invalid specifier — treat as literal.
++            */
++            cursor=start;
++            *p++=(*cursor++);
++            continue;
++          }
+       }
+-      case '[':
++    if (*cursor == '[')
+       {
+         const char
+           *end = strchr(cursor,']'),
+           *option = (const char *) NULL;
+ 
+         size_t
+-          extent = (size_t) (end-cursor-1),
+-          option_length,
+-          tail_length;
++          extent,
++          option_length;
+ 
+-        /*
+-          Handle %[key:value];
+-        */
+         if (end == (const char *) NULL)
+-          break;
++          continue;
++        extent=(size_t) (end-cursor-1);
+         if (extent >= sizeof(pattern))
+-          break;
++          continue;
+         (void) CopyMagickString(pattern,cursor+1,extent+1);
+         pattern[extent]='\0';
+-        if (image != (Image *) NULL)
++        if (image != NULL)
+           {
+             option=GetImageProperty(image,pattern,exception);
+             if (option == (const char *) NULL)
+@@ -1754,32 +1772,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+             (image_info != (ImageInfo *) NULL))
+           option=GetImageOption(image_info,pattern);
+         if (option == (const char *) NULL)
+-          break;
++          continue;
+         option_length=strlen(option);
+-        tail_length=strlen(end+1);
+-        if ((offset+option_length+tail_length+1) > MagickPathExtent)
++        if ((p-filename+option_length) >= MagickPathExtent)
+           return(0);
+-        (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+-          offset));
+-        (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+-          MagickPathExtent-offset-option_length-tail_length-1));
++        (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
++        p+=option_length;
+         cursor=end+1;
+-        break;
++        continue;
+       }
+-      default:
+-        break;
+-    }
+-  }
+-  for (p=filename; *p != '\0'; )
+-  {
+     /*
+-      Replace "%%" with "%".
++      Invalid or unsupported specifier — treat as literal.
+     */
+-    if ((*p == '%') && (*(p+1) == '%'))
+-      (void) memmove(p,p+1,strlen(p+1)+1);  /* shift left */
+-    else
+-      p++;
++    cursor=start;
++    if ((p-filename+1) >= MagickPathExtent)
++      return(0);
++    *p++=(*cursor++);
+   }
++  *p='\0';
+   return(strlen(filename));
+ }
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index af0a3149e3..d929a220f1 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -33,6 +33,12 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
     file://0008-ImageMagick-Fix-CVE-2025-57807.patch \
     file://0009-ImageMagick-Fix-CVE-2023-34151.patch \
     file://0010-ImageMagick-Fix-CVE-2025-55154.patch \
+    file://0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \
+    file://0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \
+    file://0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \
+    file://0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch \
+    file://0011-ImageMagick-Fix-1-CVE-2025-55298.patch \
+    file://0011-ImageMagick-Fix-2-CVE-2025-55298.patch \
 "
 
 SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"