From patchwork Thu Nov 20 08:49:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Divyanshu Rathore X-Patchwork-Id: 75101 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AFED1CF8875 for ; Thu, 20 Nov 2025 15:26:36 +0000 (UTC) Received: from MA0PR01CU012.outbound.protection.outlook.com (MA0PR01CU012.outbound.protection.outlook.com [40.107.57.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.30427.1763629570098347010 for ; Thu, 20 Nov 2025 01:06:12 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@bmwtechworks.in header.s=selector1 header.b=fRXGemf1; spf=pass (domain: bmwtechworks.in, ip: 40.107.57.43, mailfrom: divyanshu.rathore@bmwtechworks.in) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=UwDb+EoZGQfomXiPy4AsDJg06QvSwHsxhyR6eX+F9U4BHq2WYVxjgkLXlvAlNswWtSp7GwRnG5Lef9uE7KW57TpyMNlYyqI1untcodSUfmwHJafRVlKnn5OsV7nSmodcC1RzxKr4om4llL26LYPI3SZ9mXxvCK56+506ARakMpR4YOU8AP5FB1a2mzwU0EXyy4FT4Bqodxy3Lc5wGA7g4ruGSxeMiR5ogGx67RHAOR8khBTVHmkfC8O/BZvT+1PRs5DWnG0s9ytKtmSig340Uqv4OJm8ManG/Gr5l1yNYHkJDUtreMqCFf1x4w2xsFQjEYGA5s/8rTipKh3l1txsKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=U1HErrmWz6LXOAokCOJl4GxUeCfc9cEjT3cK+A+k0uY=; b=W9PcZF2MmGzxCw5WFUJ999SHPdiNdg+3i/Em/mTXkNbyYYIFRe9KVOlqQx8No0RGEcS3qdpR9+cLjmN0/nOU6EJS6ia5dRAC+C/O+dC/t9Go9PlCCFd8fXpKiU1H7MTiMHYjCjAmeoLdys79cIw9S5sSBkfvJ7Q7AKpXwt8eMtFr7S6OkOLYHW9rhDV0raXpZz4RrHYRR5+dNtMd42Ll3U6KqEbi3SPDUjIUAL0mYceANAszjfsc1YCO5WKC3MbEHnsOP7ewNeWtjmcJeVEpDnD/czuydeuvvNS6M756xptFIX+MN0Conz4JVwsWwwJ7q9AC949+d0HrZUDBW8Fbfw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bmwtechworks.in; dmarc=pass action=none header.from=bmwtechworks.in; dkim=pass header.d=bmwtechworks.in; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bmwtechworks.in; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U1HErrmWz6LXOAokCOJl4GxUeCfc9cEjT3cK+A+k0uY=; b=fRXGemf11MMMi/G6zwwX6O8uoOnmUsnlFcivXCd8X2j5XcXJU4jzLFGUELhecJW7ONSyJ65Xk3AaZo+wEdytN9721hYBKO909OJ4mh3F4Rf3HRnvu1BreoIzJsH2v7gB73qED2NUHLuOQBEpSdzs1NCJg8YbJEKbJV6l++pGwyo7g9GOmXYEQUS/RnW5553PHGiAWF3ODJjSR9heDHonJ3WYukeopp8e2RW72C9wYOE7loL8ow33NPytOk+Ud/9Gf6gZZ9ieusiJiZnmlbV7bwNEP7n4NL2tGcbrPCpKL41JBY7VBMle0y9zElqhJdaeEvIwe++9PSuwN0BaWUGU8w== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=bmwtechworks.in; Received: from MA0P287MB3378.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:143::11) by PN2P287MB1004.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:134::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.10; Thu, 20 Nov 2025 08:50:21 +0000 Received: from MA0P287MB3378.INDP287.PROD.OUTLOOK.COM ([fe80::9a89:c69c:9878:e483]) by MA0P287MB3378.INDP287.PROD.OUTLOOK.COM ([fe80::9a89:c69c:9878:e483%6]) with mapi id 15.20.9343.009; Thu, 20 Nov 2025 08:50:21 +0000 From: Divyanshu Rathore To: openembedded-devel@lists.openembedded.org CC: Sana.Kazi@bmwtechworks.in Subject: [meta-oe][kirkstone][PATCH 11/12] ImageMagick: Fix CVE-2025-55298 Date: Thu, 20 Nov 2025 14:19:58 +0530 Message-ID: <20251120084959.51761-11-Divyanshu.Rathore@bmwtechworks.in> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in> References: <20251120084959.51761-1-Divyanshu.Rathore@bmwtechworks.in> X-ClientProxiedBy: MA5P287CA0130.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:1d2::12) To MA0P287MB3378.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:143::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: MA0P287MB3378:EE_|PN2P287MB1004:EE_ X-MS-Office365-Filtering-Correlation-Id: 532b9fd9-c399-4679-7586-08de2811d64c X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|376014|52116014|10070799003|1800799024; X-Microsoft-Antispam-Message-Info: anNBiMY1c1lC/mpeMXYOQoBUiseNmkObxlnjmSIxwEDcqj82qJJ3GdfoXX1x3b2nHTFd6LWLcGujHL7q5i2ZYgz7Z7DssIQZCoDd7sdavEEH/3IpQAYZ8i9tQK8/fMvkKNvTtJHSqBDKx6mZ1AEGIUvMxHi15uA2STgqXTsD9Cu5vBkws9ig698dMsZNTLg4vMmHV4jR+8qZnir+QRRXbk6KGCcNUKg15D4es58KfCsrDjI4X+kuluYi93kVIH4reNna0NCo74ZyOoiSHnbuy0vA5wOpb2BtEWqVC5Vz2J/lKXymEMpCPITwx+tuiaWSCp1pSfVqVosL77fV72FC5j/sZGc3B8NJ4HobT92SrnEpnC33VIeCkamnjizd2wbVGnqbTEzIXl6QntXPMkTyD7ohVxY9HnEHZBxVfL/CCWpQcXFZ+WKp/rx1sD536yGTIB+J3jXWYPCM6GcxYm2Fnv6uglZxopL1QUw5joud8fqvjZxoV8xnh2Ps43brnUa56Nfjx8zZCNSxW6hd3BlF50ake0I+bCPU+NWKibxj29U7LtnnFHqY/Rw6BzU8KZrQagBNi5lRSs2YzAm8LcSKIJJ6EjeLViFB5KCivWzQeA5PXypl0Y3JpahXz3BbM2fm2DF83BpWmYv9O76+zWSNyDeU20APgoJngdc9yKI0JBxawXx6A5VFLZ3dnrI1qRgESL2lbnwiErA/uLqYf3+rFfxTVotcbNjR6CYaD4io1tRBNHGIlJMuFItMAilCCYtWu1S2hQ4IYtfy82fwTa1eZ9NxueUmvMmARDR3TDN6ZMgBAqJd5TqAhDrI81jxiNg86U1lB4G8zDbUyVgCnJRZy6TOGaNZ0HUQfsPQ7Ti7Ia1ztvc25reE0820zMZRu3Y5pn3lKgqPqCSHALhjNdGWRH8CmIZPZc67CTdqd0dlwEm7a1umlXLP+JyiHftsnu+6hhejFhRwnxhrLPTSSveLWiWZ1sg1gH8M3X12KTTuGZfI5FX2uRqjy4BPULE5s9Rz+3Mr/FVybET9VA8xgGmOetp0+Rk1VGcgF9UbGUcin5ErNOZIqt09/H9czMSOxuw3CpJ7maP9weVIDgGSxmfEbBXtfgHGpx/r5/tchh2hEzLpfVx1C+wWZ4scC7JzvhGKxNm3DqECR1lx2OOZoul2EsTAZtIjkhtaR5YzPOj+WzOMmcepKRuuU7X1AWjg4sYXejPhNIzYP3L3vCg+9X9HItX80BPCUXnK0aKnKZnyCsdkuRFNfRMB3rCYYaWARt/GFvo3DWZccXdfMr9vL95cnbe43M5aaHhKyv+AlS+OGs6WjdHR8MkXd/k+dKplNmfF4ZL70+Ou5NSeKpyRGdqJDS1+fFRKDLFV3JDMoiVIbFqMTub4NZTqcBY+pYMsJYnoJTyiiSda1QSlXHS/QclRM/eA2huiVobOlBuag2KzuqIIFVrCGoI1+B3JG4GerKXR X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MA0P287MB3378.INDP287.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(52116014)(10070799003)(1800799024);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: SLpMVtJMIu0cmHwnSZsIy4dD82FPwHcWbMby61ncXvr33h97EOrL0jsTkXZFi48gpE/lBO8f1URaRoa4BKvikwUC+AtaktyAGR1UbRico1BjYXPsQ28PBpaTbLwun9QomSXamH7Vl/0wAXstq34bv5k1VnBtkEb9ulSc7xQFwMu7El7M1BASOyov8AEItK+Uw70kuocuWdeM8HnC/XpCk5vY2U0ZCspWoOXUiSakHSn8fn6sL6HgaQ/bpP4y7HJeie83SuuYryg5cIK8Zj/yLPRWIfh3S9IK0yCuZiKr6o+ZooBXzfygbJm2OFfgJL9c+00a6RM6DDN5aSUlXNtAnD7FjgbPdEilk5HKVvvf7jD5x59V13MvwMAZfH9zAYv6AF55lY9xr6AtkFEIPNHYTIqkIqTQKV7xH9MC/GXrx+1hJScSsJS0GOz1BS/Te9vWvDQHM8e7M//znxmyaq559n59AXaFsSejAXvX3Ymx8xABk6iUtHtp84lv1Fe2OYcc8FpdSaK7CmOWz5jaWmn29CBl8+7pciAikzQrLucHf6MTvsxgIjdNYLaiDHpAXQByGwCLEV7f5lSzyqnl01F14vBLZPSBOkuwKxv1oKKglEM+CBcCdAOrMmBD6RgTxSn1j310Jj1kcg9/F+CeNTwrHx4Bon7nSrcOnA1NLukqCQLvelwLN+znAn66RE6JC18YiD8+FxcTXr4VwrZoS57Xp7q+2OOgqTrZIY9/jh4VOv++vUIHk/3lVAdLs5MBjK6rLUsuMOjZjymMeXstFpuC67bhNZc9OxifWgtVvUM3dny4ZtEM8I+cZCk4+WRqm6QjypSqL7f2xXYxRCCgHWm19Ms/FyskxY8CQWw+cdfbeN/4VBuJUAsS+7gKcuiQNgk2Ypd7pP0+Qk+t4KDB7Y5iaHvgXx4fbSwXxzAQGTBf7/FYCuDm+edXCNF2E8SzM+Zqg/JkM4nXgJAmNEF2Ro9Csdt0yR/q4Etwlb/Bm/jBJnL5mHPAGRYfG7tfz/7L4rcmNGyOTh4RTPsJH2382UZlh+5vrjbzIag3Kv2j2bnYRd3mwhle6iNOIEKj68/Ka4x/SHDgAAsJxhXCmzngEbIwHvtevCrqdEBAHPpYa3mDdn6EpNONWOM0DZ8t4h2cs2N4kADFtrZN2PeCaA1IS15K4b5IviJQ9KBZ1+mdwbrUAh/axcoq8GmPsgMBclwYzTd4CLOn2KtFKgIZYNDyC9TSoILbGzg0ljUR6RtKkA4IA+2r0chF8A46Ps5DLfGa3grxTiXany1Frj3KPTo6Eu8b20l8DH0Gak1z9eE7CxVUj98LvU7FHDgHjv88cvPOydsHcKq5aofTRN3QhRdhRh8o7OuybKr/v7LtVB+Er9vXwTwy67bA459aZDmdZjM6suCwRcZBifR1xAXlR/bPSyY/60mncpUAK6RUhTiGbY3KvL5I6P+ulxZVuSUtxjZTUZzKv6rp3NEyKzQpfgRAtfINGRXvUBDpKdQLB6lr1lfplk4D6I/mNNXDQgHUhjm+8gMbx8uBXcFYy4xuo6eJCA7UUTSST2oMAJOLHdp9JUXec/9pJi+pvH9WGt7QgjLfL1IPakXVO4gHvrZQV15xacqeDsi5R4YM7l5mEYK6h0sDeA2o7HhLwtto3TDf5nNQgP3rdIpmY7GLgmILwcWT4GFpzLptf3eTdA36G0te7J3M6dM= X-OriginatorOrg: bmwtechworks.in X-MS-Exchange-CrossTenant-Network-Message-Id: 532b9fd9-c399-4679-7586-08de2811d64c X-MS-Exchange-CrossTenant-AuthSource: MA0P287MB3378.INDP287.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Nov 2025 08:50:20.9568 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 970fa6fd-1031-4cc6-8c56-488f3c61cd05 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: hOg3RQwu5v/AizKQOviyEG0Jt/9aVbN85mbO+W7vPM0iNeaU5zBMqpPGOBBfB/RZGCyQSz9/q8HNd7/3+/2MgaHUn3+t+XG3R+PRN+iwglV0QzEZbW7eHj2Vq9weF3dZ X-MS-Exchange-Transport-CrossTenantHeadersStamped: PN2P287MB1004 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Nov 2025 15:26:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121947 Backport the fix for CVE-2025-55298 Add below patch to fix 0011-ImageMagick-Fix-CVE-2025-55298.patch Signed-off-by: Divyanshu Rathore --- ...support-patch-1-to-fix-CVE-2025-5529.patch | 49 ++++ ...support-patch-2-to-fix-CVE-2025-5529.patch | 58 ++++ ...support-patch-3-to-fix-CVE-2025-5529.patch | 205 +++++++++++++ ...support-patch-4-to-fix-CVE-2025-5529.patch | 103 +++++++ ...011-ImageMagick-Fix-1-CVE-2025-55298.patch | 71 +++++ ...011-ImageMagick-Fix-2-CVE-2025-55298.patch | 274 ++++++++++++++++++ .../imagemagick/imagemagick_7.0.10.bb | 6 + 7 files changed, 766 insertions(+) create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch new file mode 100644 index 0000000000..d4bd7d6acb --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch @@ -0,0 +1,49 @@ +From 11f9e946dab3f2a4de68809bab9c01be2967bb08 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Tue, 11 Nov 2025 14:34:12 +0530 +Subject: [PATCH 1/6] ImageMagick: Add support patch 1 to fix CVE-2025-55298 + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 34804e522..849a89931 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1640,15 +1640,15 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + char + *q; + ++ const char ++ *p; ++ + int + c; + + MagickBooleanType + canonical; + +- const char +- *p; +- + ssize_t + field_width, + offset; +@@ -1656,6 +1656,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + canonical=MagickFalse; + offset=0; + (void) CopyMagickString(filename,format,MagickPathExtent); ++ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) ++ return(strlen(filename)); + for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) + { + q=(char *) p+1; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch new file mode 100644 index 0000000000..3550a4abba --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch @@ -0,0 +1,58 @@ +From c02868456edccf0dd555c3d004efb491974c92c7 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Tue, 11 Nov 2025 15:17:32 +0530 +Subject: [PATCH 2/6] ImageMagick: Add support patch-2 to fix CVE-2025-55298 + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 849a89931..3437ed358 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1650,7 +1650,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + canonical; + + ssize_t +- field_width, + offset; + + canonical=MagickFalse; +@@ -1666,21 +1665,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + p=q+1; + continue; + } +- field_width=0; +- if (*q == '0') +- field_width=(ssize_t) strtol(q,&q,10); + switch (*q) + { + case 'd': + case 'o': + case 'x': + { ++ ssize_t ++ count; ++ + q++; + c=(*q); + *q='\0'; +- (void) FormatLocaleString(filename+(p-format-offset),(size_t) ++ count=FormatLocaleString(filename+(p-format-offset),(size_t) + (MagickPathExtent-(p-format-offset)),p,value); +- offset+=(4-field_width); ++ if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ return(0); ++ offset+=(ssize_t) ((q-p)-count); + *q=c; + (void) ConcatenateMagickString(filename,q,MagickPathExtent); + canonical=MagickTrue; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch new file mode 100644 index 0000000000..63e88ebfd9 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch @@ -0,0 +1,205 @@ +From 19073f73f83c78a1fed8f040ed08b16ccfc817f5 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Tue, 11 Nov 2025 21:53:10 +0530 +Subject: [PATCH 3/6] ImageMagick: Add support patch-3 to fix CVE-2025-55298 + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 134 +++++++++++++++++++-------------------------- + 1 file changed, 55 insertions(+), 79 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 3437ed358..cd4de6df9 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + ExceptionInfo *exception) + { + char +- *q; ++ *p = filename, ++ pattern[MagickPathExtent]; + + const char +- *p; +- +- int +- c; +- +- MagickBooleanType +- canonical; +- +- ssize_t +- offset; ++ *cursor = format; + +- canonical=MagickFalse; +- offset=0; ++ /* ++ Start with a copy of the format string. ++ */ + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); +- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) ++ while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { +- q=(char *) p+1; +- if (*q == '%') ++ const char ++ *q = cursor; ++ ++ ssize_t ++ offset = (ssize_t) (cursor-format); ++ ++ cursor++; /* move past '%' */ ++ if (*cursor == '%') + { +- p=q+1; ++ /* ++ Escaped %%. ++ */ ++ cursor++; + continue; + } +- switch (*q) ++ /* ++ Skip padding digits like %03d. ++ */ ++ if (*cursor == '0') ++ (void) strtol(cursor,(char **) &cursor,10); ++ switch (*cursor) + { + case 'd': + case 'o': +@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + ssize_t + count; + +- q++; +- c=(*q); +- *q='\0'; +- count=FormatLocaleString(filename+(p-format-offset),(size_t) +- (MagickPathExtent-(p-format-offset)),p,value); +- if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset)))) ++ count=FormatLocaleString(pattern,sizeof(pattern),q,value); ++ if ((count <= 0) || (count >= MagickPathExtent)) + return(0); +- offset+=(ssize_t) ((q-p)-count); +- *q=c; +- (void) ConcatenateMagickString(filename,q,MagickPathExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') +- break; +- p++; ++ if ((offset+count) >= MagickPathExtent) ++ return(0); ++ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- ++ offset)); ++ cursor++; + break; + } + case '[': + { +- char +- pattern[MagickPathExtent]; +- + const char +- *option; ++ *end = strchr(cursor,']'), ++ *option = (const char *) NULL; + +- char +- *r; +- +- ssize_t +- i; +- +- ssize_t +- depth; ++ size_t ++ extent = (size_t) (end-cursor); + + /* +- Image option. ++ Handle %[key:value]; + */ +- if (strchr(p,']') == (char *) NULL) ++ if (end == (const char *) NULL) + break; +- depth=1; +- r=q+1; +- for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++) +- { +- if (*r == '[') +- depth++; +- if (*r == ']') +- depth--; +- if (depth <= 0) +- break; +- pattern[i]=(*r++); +- } +- pattern[i]='\0'; +- if (LocaleNCompare(pattern,"filename:",9) != 0) ++ if (extent >= sizeof(pattern)) + break; +- option=(const char *) NULL; ++ (void) CopyMagickString(pattern,cursor,extent); ++ pattern[extent]='\0'; + if (image != (Image *) NULL) + option=GetImageProperty(image,pattern,exception); +- if ((option == (const char *) NULL) && (image != (Image *) NULL)) ++ if ((option == (const char *) NULL) && (image != (Image *)NULL)) + option=GetImageArtifact(image,pattern); + if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) + break; +- q--; +- c=(*q); +- *q='\0'; +- (void) CopyMagickString(filename+(p-format-offset),option,(size_t) +- (MagickPathExtent-(p-format-offset))); +- offset+=strlen(pattern)-strlen(option)+3; +- *q=c; +- (void) ConcatenateMagickString(filename,r+1,MagickPathExtent); +- canonical=MagickTrue; +- if (*(q-1) != '%') +- break; +- p++; ++ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- ++ offset)); ++ cursor=end+1; + break; + } + default: + break; + } + } +- if (canonical == MagickFalse) +- (void) CopyMagickString(filename,format,MagickPathExtent); +- else +- for (q=filename; *q != '\0'; q++) +- if ((*q == '%') && (*(q+1) == '%')) +- (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename))); ++ for (p=filename; *p != '\0'; ) ++ { ++ /* ++ Replace "%%" with "%". ++ */ ++ if ((*p == '%') && (*(p+1) == '%')) ++ (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ else ++ p++; ++ } + return(strlen(filename)); + } + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch new file mode 100644 index 0000000000..65739cbf44 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch @@ -0,0 +1,103 @@ +From 3b5f524f80851b819bcbfd40e30912af3710ef48 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Wed, 12 Nov 2025 11:35:37 +0530 +Subject: [PATCH 4/6] ImageMagick: Add support patch-4 to fix CVE-2025-55298 + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index cd4de6df9..1acf8edbd 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + /* + Start with a copy of the format string. + */ ++ assert(format != (const char *) NULL); ++ assert(filename != (char *) NULL); + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); +@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + /* + Skip padding digits like %03d. + */ +- if (*cursor == '0') ++ if (isdigit((int) ((unsigned char) *cursor)) != 0) + (void) strtol(cursor,(char **) &cursor,10); + switch (*cursor) + { +@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + count; + + count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent)) +- return(0); +- if ((offset+count) >= MagickPathExtent) ++ if ((count <= 0) || (count >= MagickPathExtent) || ++ ((offset+count) >= MagickPathExtent)) + return(0); + (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- + offset)); +@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor); ++ extent = (size_t) (end-cursor-1), ++ option_length, ++ tail_length; + + /* + Handle %[key:value]; +@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + break; + if (extent >= sizeof(pattern)) + break; +- (void) CopyMagickString(pattern,cursor,extent); ++ (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; + if (image != (Image *) NULL) +- option=GetImageProperty(image,pattern,exception); +- if ((option == (const char *) NULL) && (image != (Image *)NULL)) +- option=GetImageArtifact(image,pattern); ++ { ++ option=GetImageProperty(image,pattern,exception); ++ if (option == (const char *) NULL) ++ option=GetImageArtifact(image,pattern); ++ } + if ((option == (const char *) NULL) && + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) + break; ++ option_length=strlen(option); ++ tail_length=strlen(end+1); ++ if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ return(0); + (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- + offset)); ++ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( ++ MagickPathExtent-offset-option_length-tail_length-1)); + cursor=end+1; + break; + } +@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + Replace "%%" with "%". + */ + if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p)); /* shift left */ ++ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ + else + p++; + } +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch new file mode 100644 index 0000000000..1a92b36755 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-1-CVE-2025-55298.patch @@ -0,0 +1,71 @@ +From bc530e782bcee75960dac57e9191ab7257842bd9 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Wed, 12 Nov 2025 11:52:00 +0530 +Subject: [PATCH 5/6] ImageMagick: Fix CVE-2025-55298 + +CVE: CVE-2025-55298 + +This CVE fixed in two parts, this commit includes the first fix. + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 1acf8edbd..7a52236d8 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % o exception: return any errors or warnings in this structure. + % + */ ++ ++static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++{ ++ MagickBooleanType ++ match = MagickFalse; ++ ++ size_t ++ length = strlen(filename); ++ ++ ssize_t ++ i; ++ ++ for (i=0; i < (ssize_t) length-1; i++) ++ { ++ if ((filename[i] == '%') && ++ ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) ++ { ++ filename[i]='?'; ++ filename[i+1]='\?'; ++ match=MagickTrue; ++ } ++ } ++ return(match); ++} ++ + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + Image *image,const char *format,int value,char *filename, + ExceptionInfo *exception) +@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) + return(strlen(filename)); ++ if (PercentNInvalidOperation(filename) != MagickFalse) ++ { ++ errno=EPERM; ++ (void) ThrowMagickException(exception,GetMagickModule(),OptionError, ++ "InvalidArgument","`%s'",filename); ++ return(0); ++ } + while ((cursor=strchr(cursor,'%')) != (const char *) NULL) + { + const char +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch new file mode 100644 index 0000000000..22fafbb4ff --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/0011-ImageMagick-Fix-2-CVE-2025-55298.patch @@ -0,0 +1,274 @@ +From 51bdbd8ba79cc29b5b8bd1cbe201612c4f1b6a14 Mon Sep 17 00:00:00 2001 +From: Divyanshu Rathore +Date: Wed, 12 Nov 2025 13:05:40 +0530 +Subject: [PATCH 6/6] ImageMagick: Fix CVE-2025-55298 + +CVE: CVE-2025-55298 + +This CVE fixed in two parts, this commit includes the second fix. + +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5] + +Comment: Refreshed hunk to match latest kirkstone + +Signed-off-by: Divyanshu Rathore +--- + MagickCore/image.c | 182 ++++++++++++++++++++++++--------------------- + 1 file changed, 96 insertions(+), 86 deletions(-) + +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 7a52236d8..beaf69728 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % + % A description of each parameter follows. + % +-% o image_info: the image info.. ++% o image_info: the image info. + % + % o image: the image. + % +@@ -1634,28 +1634,39 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image) + % + */ + +-static inline MagickBooleanType PercentNInvalidOperation(char *filename) ++static inline MagickBooleanType IsValidFormatSpecifier(const char *start, ++ const char *end) + { +- MagickBooleanType +- match = MagickFalse; ++ char ++ specifier = end[-1]; + + size_t +- length = strlen(filename); ++ length = end-start; + +- ssize_t +- i; ++ /* ++ Is this a valid format specifier? ++ */ ++ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o')) ++ return(MagickFalse); ++ if ((length == 1) && (*start == specifier)) ++ return(MagickTrue); ++ if (length >= 2) ++ { ++ size_t ++ i = 0; + +- for (i=0; i < (ssize_t) length-1; i++) +- { +- if ((filename[i] == '%') && +- ((filename[i+1] == 'n') || (filename[i+1] == 'N'))) +- { +- filename[i]='?'; +- filename[i+1]='\?'; +- match=MagickTrue; +- } +- } +- return(match); ++ if (*start == '0') ++ { ++ if ((length >= 3) && (start[1] == '0')) ++ return(MagickFalse); ++ i=1; ++ } ++ for ( ; i < (length-1); i++) ++ if (isdigit((int) ((unsigned char) start[i])) == 0) ++ return(MagickFalse); ++ return(MagickTrue); ++ } ++ return(MagickFalse); + } + + MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, +@@ -1669,82 +1680,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + const char + *cursor = format; + +- /* +- Start with a copy of the format string. +- */ + assert(format != (const char *) NULL); + assert(filename != (char *) NULL); +- (void) CopyMagickString(filename,format,MagickPathExtent); + if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse) +- return(strlen(filename)); +- if (PercentNInvalidOperation(filename) != MagickFalse) + { +- errno=EPERM; +- (void) ThrowMagickException(exception,GetMagickModule(),OptionError, +- "InvalidArgument","`%s'",filename); +- return(0); ++ (void) CopyMagickString(filename,format,MagickPathExtent); ++ return(strlen(filename)); + } +- while ((cursor=strchr(cursor,'%')) != (const char *) NULL) ++ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1))) + { + const char +- *q = cursor; +- +- ssize_t +- offset = (ssize_t) (cursor-format); ++ *specifier_start, ++ *start; + +- cursor++; /* move past '%' */ ++ if (*cursor != '%') ++ { ++ *p++=(*cursor++); ++ continue; ++ } ++ start=cursor++; /* Skip '%' */ + if (*cursor == '%') + { +- /* +- Escaped %%. +- */ ++ *p++='%'; + cursor++; + continue; + } +- /* +- Skip padding digits like %03d. +- */ +- if (isdigit((int) ((unsigned char) *cursor)) != 0) +- (void) strtol(cursor,(char **) &cursor,10); +- switch (*cursor) +- { +- case 'd': +- case 'o': +- case 'x': ++ specifier_start=cursor; ++ while (isdigit((int) ((unsigned char) *cursor)) != 0) ++ cursor++; ++ if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x')) + { +- ssize_t +- count; ++ const char ++ *specifier_end = cursor+1; + +- count=FormatLocaleString(pattern,sizeof(pattern),q,value); +- if ((count <= 0) || (count >= MagickPathExtent) || +- ((offset+count) >= MagickPathExtent)) +- return(0); +- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent- +- offset)); +- cursor++; +- break; ++ if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse) ++ { ++ char ++ format_specifier[MagickPathExtent]; ++ ++ size_t ++ length = cursor-specifier_start; ++ ++ ssize_t ++ count; ++ ++ (void) snprintf(format_specifier,sizeof(format_specifier), ++ "%%%.*s%c",(int) length,specifier_start,*cursor); ++ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier, ++ value); ++ if ((count <= 0) || ((p-filename+count) >= MagickPathExtent)) ++ return(0); ++ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename)); ++ p+=strlen(pattern); ++ cursor++; ++ continue; ++ } ++ else ++ { ++ /* ++ Invalid specifier — treat as literal. ++ */ ++ cursor=start; ++ *p++=(*cursor++); ++ continue; ++ } + } +- case '[': ++ if (*cursor == '[') + { + const char + *end = strchr(cursor,']'), + *option = (const char *) NULL; + + size_t +- extent = (size_t) (end-cursor-1), +- option_length, +- tail_length; ++ extent, ++ option_length; + +- /* +- Handle %[key:value]; +- */ + if (end == (const char *) NULL) +- break; ++ continue; ++ extent=(size_t) (end-cursor-1); + if (extent >= sizeof(pattern)) +- break; ++ continue; + (void) CopyMagickString(pattern,cursor+1,extent+1); + pattern[extent]='\0'; +- if (image != (Image *) NULL) ++ if (image != NULL) + { + option=GetImageProperty(image,pattern,exception); + if (option == (const char *) NULL) +@@ -1754,32 +1772,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, + (image_info != (ImageInfo *) NULL)) + option=GetImageOption(image_info,pattern); + if (option == (const char *) NULL) +- break; ++ continue; + option_length=strlen(option); +- tail_length=strlen(end+1); +- if ((offset+option_length+tail_length+1) > MagickPathExtent) ++ if ((p-filename+option_length) >= MagickPathExtent) + return(0); +- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent- +- offset)); +- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) ( +- MagickPathExtent-offset-option_length-tail_length-1)); ++ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename)); ++ p+=option_length; + cursor=end+1; +- break; ++ continue; + } +- default: +- break; +- } +- } +- for (p=filename; *p != '\0'; ) +- { + /* +- Replace "%%" with "%". ++ Invalid or unsupported specifier — treat as literal. + */ +- if ((*p == '%') && (*(p+1) == '%')) +- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */ +- else +- p++; ++ cursor=start; ++ if ((p-filename+1) >= MagickPathExtent) ++ return(0); ++ *p++=(*cursor++); + } ++ *p='\0'; + return(strlen(filename)); + } + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb index af0a3149e3..d929a220f1 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb @@ -33,6 +33,12 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://0008-ImageMagick-Fix-CVE-2025-57807.patch \ file://0009-ImageMagick-Fix-CVE-2023-34151.patch \ file://0010-ImageMagick-Fix-CVE-2025-55154.patch \ + file://0011-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \ + file://0011-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \ + file://0011-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \ + file://0011-ImageMagick-Add-support-patch-4-to-fix-CVE-2025-5529.patch \ + file://0011-ImageMagick-Fix-1-CVE-2025-55298.patch \ + file://0011-ImageMagick-Fix-2-CVE-2025-55298.patch \ " SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"