
[OE-core,scartgap,4/4] imagemagick: Fix CVE-2026-23952

Message ID 20260217065123.1001038-4-bhabu.bindu@kpit.com
State New
Series [OE-core,scartgap,1/4] imagemagick: Fix CVE-2026-22770 | expand

Commit Message

Bhabu Bindu Feb. 17, 2026, 6:51 a.m. UTC
Fix CVE-2026-23952 with the patch provided by Debian from the fixed version.

Link: https://security-tracker.debian.org/tracker/CVE-2026-23952

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
 .../imagemagick/CVE-2026-23952.patch          | 57 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1.bb          |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23952.patch

Patch

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23952.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23952.patch
new file mode 100644
index 0000000000..d8eb44b44d
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23952.patch
@@ -0,0 +1,57 @@ 
+From 1eefab41bc0ab1c6c2c1fd3e4a49e3ee1849751d Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 15 Jan 2026 17:34:46 -0500
+Subject: [PATCH] 
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8
+
+CVE: CVE-2026-23952
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1eefab41bc0ab1c6c2c1fd3e4a49e3ee1849751d]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ PerlMagick/quantum/quantum.pm |  2 +-
+ coders/msl.c                  | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/PerlMagick/quantum/quantum.pm b/PerlMagick/quantum/quantum.pm
+index 1dd5921fa8e..74cc8168f37 100644
+--- a/PerlMagick/quantum/quantum.pm
++++ b/PerlMagick/quantum/quantum.pm
+@@ -6,7 +6,7 @@ package Image::Magick::Q16HDRI;
+ #  You may not use this file except in compliance with the License.  You may
+ #  obtain a copy of the License at
+ #
+-#    https://imagemagick.org/script/license.php
++#    https://imagemagick.org/license/
+ #
+ #  Unless required by applicable law or agreed to in writing, software
+ #  distributed under the License is distributed on an "AS IS" BASIS,
+diff --git a/coders/msl.c b/coders/msl.c
+index fa29764563b..5b182b5922f 100644
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -7088,6 +7088,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+     {
+       if (LocaleCompare((const char *) tag,"comment") == 0 )
+         {
++          if (msl_info->image[n] == (Image *) NULL)
++            {
++              ThrowMSLException(OptionError,"NoImagesDefined",
++                (const char *) tag);
++              break;
++            }
+           (void) DeleteImageProperty(msl_info->image[n],"comment");
+           if (msl_info->content == (char *) NULL)
+             break;
+@@ -7137,6 +7143,12 @@ static void MSLEndElement(void *context,const xmlChar *tag)
+     {
+       if (LocaleCompare((const char *) tag,"label") == 0 )
+         {
++          if (msl_info->image[n] == (Image *) NULL)
++            {
++              ThrowMSLException(OptionError,"NoImagesDefined",
++                (const char *) tag);
++              break;
++            }
+           (void) DeleteImageProperty(msl_info->image[n],"label");
+           if (msl_info->content == (char *) NULL)
+             break;
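Review bot: The backported patch carries an unrelated file section: the `PerlMagick/quantum/quantum.pm` license-URL change is not part of the MSL fix, and it only adds a way for the patch to fail or need fuzz against the pinned SRCREV. I would drop that section and trim the embedded diffstat to `coders/msl.c | 12 ++++++++++++` and `1 file changed, 12 insertions(+)`, keeping the Upstream-Status line pointing at the same upstream commit. On the fix itself, the new `msl_info->image[n] == (Image *) NULL` guard is added only to the `comment` and `label` branches of MSLEndElement, whose body starts and ends outside the hunk. It is worth confirming at this recipe's SRCREV that no other end-tag branch passes `msl_info->image[n]` on without an equivalent check.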
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index abad1fe5d1..3917eed92e 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -28,6 +28,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://CVE-2026-22770.patch \
            file://CVE-2026-23874.patch \
            file://CVE-2026-23876.patch \
+           file://CVE-2026-23952.patch \
            "
 SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"