mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

ImageMagick: Fix CVE-2025-55298

Browse Source 
Backport the fix for CVE-2025-55298

Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
                          [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]

Add below patch to fix
0010-ImageMagick-Fix-CVE-2025-55298-1.patch
0010-ImageMagick-Fix-CVE-2025-55298-2.patch

Add below support patch to fix
0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch

Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Divyanshu Rathore
2025-12-12 20:29:46 +05:30
committed by Gyorgy Sarvari
parent a137e10750
commit 3a86962b26
6 changed files with 706 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
+48
View File
@@ -0,0 +1,48 @@
From 93bcbd44f4771227a9e637f69ddabb60e0e33b18 Mon Sep 17 00:00:00 2001
From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Date: Tue, 11 Nov 2025 14:34:12 +0530
Subject: [PATCH 10/18] ImageMagick: Add support patch 1 to fix CVE-2025-55298
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66]
Comment: Refreshed hunk to match latest kirkstone
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
MagickCore/image.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index 346285165..f64e83645 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1640,21 +1640,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
char
*q;
+ const char
+ *p;
+
int
c;
MagickBooleanType
canonical;
- const char
- *p;
-
ssize_t
offset;
canonical=MagickFalse;
offset=0;
(void) CopyMagickString(filename,format,MagickPathExtent);
+ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
+ return(strlen(filename));
for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
{
q=(char *) p+1;
--
2.34.1
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
+205
View File
@@ -0,0 +1,205 @@
From 18f573cbd4767d9b51b23cde5b58945ae4e57243 Mon Sep 17 00:00:00 2001
From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Date: Tue, 11 Nov 2025 21:53:10 +0530
Subject: [PATCH 11/18] ImageMagick: Add support patch-2 to fix CVE-2025-55298
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
Comment: Refreshed hunk to match latest kirkstone
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
MagickCore/image.c | 134 +++++++++++++++++++--------------------------
1 file changed, 55 insertions(+), 79 deletions(-)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index f64e83645..cd4de6df9 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
ExceptionInfo *exception)
{
char
- *q;
+ *p = filename,
+ pattern[MagickPathExtent];
const char
- *p;
-
- int
- c;
-
- MagickBooleanType
- canonical;
-
- ssize_t
- offset;
+ *cursor = format;
- canonical=MagickFalse;
- offset=0;
+ /*
+ Start with a copy of the format string.
+ */
(void) CopyMagickString(filename,format,MagickPathExtent);
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
return(strlen(filename));
- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+ while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
{
- q=(char *) p+1;
- if (*q == '%')
+ const char
+ *q = cursor;
+
+ ssize_t
+ offset = (ssize_t) (cursor-format);
+
+ cursor++; /* move past '%' */
+ if (*cursor == '%')
{
- p++;
+ /*
+ Escaped %%.
+ */
+ cursor++;
continue;
}
- switch (*q)
+ /*
+ Skip padding digits like %03d.
+ */
+ if (*cursor == '0')
+ (void) strtol(cursor,(char **) &cursor,10);
+ switch (*cursor)
{
case 'd':
case 'o':
@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
ssize_t
count;
- q++;
- c=(*q);
- *q='\0';
- count=FormatLocaleString(filename+(p-format-offset),(size_t)
- (MagickPathExtent-(p-format-offset)),p,value);
- if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
+ count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+ if ((count <= 0) || (count >= MagickPathExtent))
return(0);
- offset+=(ssize_t) ((q-p)-count);
- *q=c;
- (void) ConcatenateMagickString(filename,q,MagickPathExtent);
- canonical=MagickTrue;
- if (*(q-1) != '%')
- break;
- p++;
+ if ((offset+count) >= MagickPathExtent)
+ return(0);
+ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+ offset));
+ cursor++;
break;
}
case '[':
{
- char
- pattern[MagickPathExtent];
-
const char
- *option;
+ *end = strchr(cursor,']'),
+ *option = (const char *) NULL;
- char
- *r;
-
- ssize_t
- i;
-
- ssize_t
- depth;
+ size_t
+ extent = (size_t) (end-cursor);
/*
- Image option.
+ Handle %[key:value];
*/
- if (strchr(p,']') == (char *) NULL)
+ if (end == (const char *) NULL)
break;
- depth=1;
- r=q+1;
- for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
- {
- if (*r == '[')
- depth++;
- if (*r == ']')
- depth--;
- if (depth <= 0)
- break;
- pattern[i]=(*r++);
- }
- pattern[i]='\0';
- if (LocaleNCompare(pattern,"filename:",9) != 0)
+ if (extent >= sizeof(pattern))
break;
- option=(const char *) NULL;
+ (void) CopyMagickString(pattern,cursor,extent);
+ pattern[extent]='\0';
if (image != (Image *) NULL)
option=GetImageProperty(image,pattern,exception);
- if ((option == (const char *) NULL) && (image != (Image *) NULL))
+ if ((option == (const char *) NULL) && (image != (Image *)NULL))
option=GetImageArtifact(image,pattern);
if ((option == (const char *) NULL) &&
(image_info != (ImageInfo *) NULL))
option=GetImageOption(image_info,pattern);
if (option == (const char *) NULL)
break;
- q--;
- c=(*q);
- *q='\0';
- (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
- (MagickPathExtent-(p-format-offset)));
- offset+=strlen(pattern)-strlen(option)+3;
- *q=c;
- (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
- canonical=MagickTrue;
- if (*(q-1) != '%')
- break;
- p++;
+ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+ offset));
+ cursor=end+1;
break;
}
default:
break;
}
}
- if (canonical == MagickFalse)
- (void) CopyMagickString(filename,format,MagickPathExtent);
- else
- for (q=filename; *q != '\0'; q++)
- if ((*q == '%') && (*(q+1) == '%'))
- (void) CopyMagickString(q,q+1,(size_t) (MagickPathExtent-(q-filename)));
+ for (p=filename; *p != '\0'; )
+ {
+ /*
+ Replace "%%" with "%".
+ */
+ if ((*p == '%') && (*(p+1) == '%'))
+ (void) memmove(p,p+1,strlen(p)); /* shift left */
+ else
+ p++;
+ }
return(strlen(filename));
}
--
2.34.1
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
+103
View File
@@ -0,0 +1,103 @@
From abc0b89e166c993ff766d3ff62b6d2be82f478f3 Mon Sep 17 00:00:00 2001
From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Date: Wed, 12 Nov 2025 11:35:37 +0530
Subject: [PATCH 12/18] ImageMagick: Add support patch-3 to fix CVE-2025-55298
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e]
Comment: Refreshed hunk to match latest kirkstone
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
MagickCore/image.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index cd4de6df9..1acf8edbd 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
/*
Start with a copy of the format string.
*/
+ assert(format != (const char *) NULL);
+ assert(filename != (char *) NULL);
(void) CopyMagickString(filename,format,MagickPathExtent);
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
return(strlen(filename));
@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
/*
Skip padding digits like %03d.
*/
- if (*cursor == '0')
+ if (isdigit((int) ((unsigned char) *cursor)) != 0)
(void) strtol(cursor,(char **) &cursor,10);
switch (*cursor)
{
@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
count;
count=FormatLocaleString(pattern,sizeof(pattern),q,value);
- if ((count <= 0) || (count >= MagickPathExtent))
- return(0);
- if ((offset+count) >= MagickPathExtent)
+ if ((count <= 0) || (count >= MagickPathExtent) ||
+ ((offset+count) >= MagickPathExtent))
return(0);
(void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
offset));
@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
*option = (const char *) NULL;
size_t
- extent = (size_t) (end-cursor);
+ extent = (size_t) (end-cursor-1),
+ option_length,
+ tail_length;
/*
Handle %[key:value];
@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
break;
if (extent >= sizeof(pattern))
break;
- (void) CopyMagickString(pattern,cursor,extent);
+ (void) CopyMagickString(pattern,cursor+1,extent+1);
pattern[extent]='\0';
if (image != (Image *) NULL)
- option=GetImageProperty(image,pattern,exception);
- if ((option == (const char *) NULL) && (image != (Image *)NULL))
- option=GetImageArtifact(image,pattern);
+ {
+ option=GetImageProperty(image,pattern,exception);
+ if (option == (const char *) NULL)
+ option=GetImageArtifact(image,pattern);
+ }
if ((option == (const char *) NULL) &&
(image_info != (ImageInfo *) NULL))
option=GetImageOption(image_info,pattern);
if (option == (const char *) NULL)
break;
+ option_length=strlen(option);
+ tail_length=strlen(end+1);
+ if ((offset+option_length+tail_length+1) > MagickPathExtent)
+ return(0);
(void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
offset));
+ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+ MagickPathExtent-offset-option_length-tail_length-1));
cursor=end+1;
break;
}
@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
Replace "%%" with "%".
*/
if ((*p == '%') && (*(p+1) == '%'))
- (void) memmove(p,p+1,strlen(p)); /* shift left */
+ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
else
p++;
}
--
2.34.1
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
+71
View File
@@ -0,0 +1,71 @@
From 62f97a69edb936544604e669de25e4bf2a9e2f06 Mon Sep 17 00:00:00 2001
From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Date: Wed, 12 Nov 2025 11:52:00 +0530
Subject: [PATCH 13/18] ImageMagick: Fix CVE-2025-55298
CVE: CVE-2025-55298
This CVE fixed in two parts, this commit includes the first fix.
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
Comment: Refreshed hunk to match latest kirkstone
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index 1acf8edbd..7a52236d8 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
% o exception: return any errors or warnings in this structure.
%
*/
+
+static inline MagickBooleanType PercentNInvalidOperation(char *filename)
+{
+ MagickBooleanType
+ match = MagickFalse;
+
+ size_t
+ length = strlen(filename);
+
+ ssize_t
+ i;
+
+ for (i=0; i < (ssize_t) length-1; i++)
+ {
+ if ((filename[i] == '%') &&
+ ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+ {
+ filename[i]='?';
+ filename[i+1]='\?';
+ match=MagickTrue;
+ }
+ }
+ return(match);
+}
+
MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
Image *image,const char *format,int value,char *filename,
ExceptionInfo *exception)
@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
(void) CopyMagickString(filename,format,MagickPathExtent);
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
return(strlen(filename));
+ if (PercentNInvalidOperation(filename) != MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+ "InvalidArgument","`%s'",filename);
+ return(0);
+ }
while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
{
const char
--
2.34.1
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
+274
View File
@@ -0,0 +1,274 @@
From b7e445241e43e3e919667d7244ccb99573cf951a Mon Sep 17 00:00:00 2001
From: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Date: Wed, 12 Nov 2025 13:05:40 +0530
Subject: [PATCH 14/18] ImageMagick: Fix CVE-2025-55298
CVE: CVE-2025-55298
This CVE fixed in two parts, this commit includes the second fix.
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
Comment: Refreshed hunk to match latest kirkstone
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
---
MagickCore/image.c | 183 ++++++++++++++++++++++++---------------------
1 file changed, 96 insertions(+), 87 deletions(-)
diff --git a/MagickCore/image.c b/MagickCore/image.c
index 7a52236d8..3e6fdd114 100644
--- a/MagickCore/image.c
+++ b/MagickCore/image.c
@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
%
% A description of each parameter follows.
%
-% o image_info: the image info..
+% o image_info: the image info.
%
% o image: the image.
%
@@ -1634,28 +1634,38 @@ MagickExport VirtualPixelMethod GetImageVirtualPixelMethod(const Image *image)
%
*/
-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
+static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
+ const char *end)
{
- MagickBooleanType
- match = MagickFalse;
-
+ char
+ specifier = end[-1];
size_t
- length = strlen(filename);
+ length = end-start;
- ssize_t
- i;
+ /*
+ Is this a valid format specifier?
+ */
+ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
+ return(MagickFalse);
+ if ((length == 1) && (*start == specifier))
+ return(MagickTrue);
+ if (length >= 2)
+ {
+ size_t
+ i = 0;
- for (i=0; i < (ssize_t) length-1; i++)
- {
- if ((filename[i] == '%') &&
- ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
- {
- filename[i]='?';
- filename[i+1]='\?';
- match=MagickTrue;
- }
- }
- return(match);
+ if (*start == '0')
+ {
+ if ((length >= 3) && (start[1] == '0'))
+ return(MagickFalse);
+ i=1;
+ }
+ for ( ; i < (length-1); i++)
+ if (isdigit((int) ((unsigned char) start[i])) == 0)
+ return(MagickFalse);
+ return(MagickTrue);
+ }
+ return(MagickFalse);
}
MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
@@ -1669,82 +1679,89 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
const char
*cursor = format;
- /*
- Start with a copy of the format string.
- */
assert(format != (const char *) NULL);
assert(filename != (char *) NULL);
- (void) CopyMagickString(filename,format,MagickPathExtent);
if (IsStringTrue(GetImageOption(image_info,"filename:literal")) != MagickFalse)
- return(strlen(filename));
- if (PercentNInvalidOperation(filename) != MagickFalse)
{
- errno=EPERM;
- (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
- "InvalidArgument","`%s'",filename);
- return(0);
+ (void) CopyMagickString(filename,format,MagickPathExtent);
+ return(strlen(filename));
}
- while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
{
const char
- *q = cursor;
+ *specifier_start,
+ *start;
- ssize_t
- offset = (ssize_t) (cursor-format);
-
- cursor++; /* move past '%' */
+ if (*cursor != '%')
+ {
+ *p++=(*cursor++);
+ continue;
+ }
+ start=cursor++; /* Skip '%' */
if (*cursor == '%')
{
- /*
- Escaped %%.
- */
+ *p++='%';
cursor++;
continue;
}
- /*
- Skip padding digits like %03d.
- */
- if (isdigit((int) ((unsigned char) *cursor)) != 0)
- (void) strtol(cursor,(char **) &cursor,10);
- switch (*cursor)
- {
- case 'd':
- case 'o':
- case 'x':
+ specifier_start=cursor;
+ while (isdigit((int) ((unsigned char) *cursor)) != 0)
+ cursor++;
+ if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
{
- ssize_t
- count;
+ const char
+ *specifier_end = cursor+1;
- count=FormatLocaleString(pattern,sizeof(pattern),q,value);
- if ((count <= 0) || (count >= MagickPathExtent) ||
- ((offset+count) >= MagickPathExtent))
- return(0);
- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
- offset));
- cursor++;
- break;
+ if (IsValidFormatSpecifier(specifier_start,specifier_end) != MagickFalse)
+ {
+ char
+ format_specifier[MagickPathExtent];
+
+ size_t
+ length = cursor-specifier_start;
+
+ ssize_t
+ count;
+
+ (void) snprintf(format_specifier,sizeof(format_specifier),
+ "%%%.*s%c",(int) length,specifier_start,*cursor);
+ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
+ value);
+ if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
+ return(0);
+ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
+ p+=strlen(pattern);
+ cursor++;
+ continue;
+ }
+ else
+ {
+ /*
+ Invalid specifier — treat as literal.
+ */
+ cursor=start;
+ *p++=(*cursor++);
+ continue;
+ }
}
- case '[':
+ if (*cursor == '[')
{
const char
*end = strchr(cursor,']'),
*option = (const char *) NULL;
size_t
- extent = (size_t) (end-cursor-1),
- option_length,
- tail_length;
+ extent,
+ option_length;
- /*
- Handle %[key:value];
- */
if (end == (const char *) NULL)
- break;
+ continue;
+ extent=(size_t) (end-cursor-1);
if (extent >= sizeof(pattern))
- break;
+ continue;
(void) CopyMagickString(pattern,cursor+1,extent+1);
pattern[extent]='\0';
- if (image != (Image *) NULL)
+ if (image != NULL)
{
option=GetImageProperty(image,pattern,exception);
if (option == (const char *) NULL)
@@ -1754,32 +1771,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
(image_info != (ImageInfo *) NULL))
option=GetImageOption(image_info,pattern);
if (option == (const char *) NULL)
- break;
+ continue;
option_length=strlen(option);
- tail_length=strlen(end+1);
- if ((offset+option_length+tail_length+1) > MagickPathExtent)
+ if ((p-filename+option_length) >= MagickPathExtent)
return(0);
- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
- offset));
- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
- MagickPathExtent-offset-option_length-tail_length-1));
+ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
+ p+=option_length;
cursor=end+1;
- break;
+ continue;
}
- default:
- break;
- }
- }
- for (p=filename; *p != '\0'; )
- {
/*
- Replace "%%" with "%".
+ Invalid or unsupported specifier — treat as literal.
*/
- if ((*p == '%') && (*(p+1) == '%'))
- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
- else
- p++;
+ cursor=start;
+ if ((p-filename+1) >= MagickPathExtent)
+ return(0);
+ *p++=(*cursor++);
}
+ *p='\0';
return(strlen(filename));
}
--
2.34.1
meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+5
View File
@@ -36,6 +36,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
file://0008-ImageMagick-Fix-CVE-2025-57807.patch \
file://0009-ImageMagick-Fix-CVE-2025-55154.patch \
file://0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \
file://0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \
file://0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \
file://0010-ImageMagick-Fix-CVE-2025-55298-1.patch \
file://0010-ImageMagick-Fix-CVE-2025-55298-2.patch \
"
SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"