
[meta-oe,scarthgap,2/2] imagemagick: Fix CVE-2026-28494

Message ID 20260416053949.365300-2-bhabu.bindu@kpit.com
State New
Series [meta-oe,scarthgap,1/2] imagemagick: Fix CVE-2026-28493 | expand

Commit Message

Bhabu Bindu April 16, 2026, 5:39 a.m. UTC
From: Bindu Bhabu <bhabu.bindu@kpit.com>

Backport imagemagick commit [1] from version 7.1.2-16,
which fixes the vulnerability according to Debian [2].

[1] https://github.com/ImageMagick/ImageMagick/commit/a3f2f8680fa01cbce731191789322419efb5954a
[2] https://security-tracker.debian.org/tracker/CVE-2026-28494

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
 .../imagemagick/CVE-2026-28494.patch          | 61 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1.bb          |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-28494.patch

Patch

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-28494.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-28494.patch
new file mode 100644
index 0000000000..1f65d0131f
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-28494.patch
@@ -0,0 +1,61 @@ 
+From a3f2f8680fa01cbce731191789322419efb5954a Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 28 Feb 2026 11:31:15 +0100
+Subject: [PATCH] Added checks to avoid possible stack corruption
+ (GHSA-932h-jw47-73jm)
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/a3f2f8680fa01cbce731191789322419efb5954a]
+CVE: CVE-2026-28494
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ MagickCore/morphology.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c
+index 81bd2265438..727ac100180 100644
+--- a/MagickCore/morphology.c
++++ b/MagickCore/morphology.c
+@@ -234,6 +234,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
+   GeometryInfo
+     args;
+ 
++  size_t
++    length;
++
+   kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel));
+   if (kernel == (KernelInfo *) NULL)
+     return(kernel);
+@@ -261,8 +264,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
+   if ( p != (char *) NULL && p < end)
+     {
+       /* ParseGeometry() needs the geometry separated! -- Arrgghh */
+-      (void) memcpy(token, kernel_string, (size_t) (p-kernel_string));
+-      token[p-kernel_string] = '\0';
++      length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);
++      (void) memcpy(token, kernel_string, length);
++      token[length] = '\0';
+       SetGeometryInfo(&args);
+       flags = ParseGeometry(token, &args);
+ 
+@@ -388,6 +392,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
+   MagickStatusType
+     flags;
+ 
++  size_t
++    length;
++
+   ssize_t
+     type;
+ 
+@@ -406,8 +413,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
+     end = strchr(p, '\0');
+ 
+   /* ParseGeometry() needs the geometry separated! -- Arrgghh */
+-  (void) memcpy(token, p, (size_t) (end-p));
+-  token[end-p] = '\0';
++  length=MagickMin((size_t) (end-p),sizeof(token)-1);
++  (void) memcpy(token, p, length);
++  token[length] = '\0';
+   SetGeometryInfo(&args);
+   flags = ParseGeometry(token, &args);
+ 
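Review bot: The clamp added in both ParseKernelArray and ParseKernelName (`length=MagickMin(...,sizeof(token)-1);`) bounds the memcpy but silently truncates an over-long geometry prefix, so ParseGeometry then parses a shortened string instead of the input being rejected. That is memory-safe, but neither site records it; a comment such as `/* clamp to token[]: over-long geometry is truncated, not rejected */` above each `length=` line would make the intent explicit. The bound also depends on `token` being a fixed-size array, since `sizeof(token)` on a pointer would give the pointer size; its declaration is outside both inner hunks, so it is worth confirming against the 7.1.1 source this recipe builds. Both function bodies start and end outside the visible context.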
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index 09a56a1723..d85cdb27f3 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -32,6 +32,7 @@  SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://CVE-2026-28493-1.patch \
            file://CVE-2026-28493-2.patch \
            file://CVE-2026-28493-3.patch \
+           file://CVE-2026-28494.patch \
            "
 SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"