imagemagick: patch CVE-2025-53014

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014 Pick the commit that is mentioned as a solution at the bottom of the relevant Github advisory[1]. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-01-08 11:53:05 +01:00
parent 80175b4a47
commit e9916715c9
2 changed files with 28 additions and 1 deletions
@@ -0,0 +1,25 @@
+From ebf0f36974e2c9b47d9bb5bf31d19a19c0ce4e8e Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Thu, 26 Jun 2025 23:01:07 +0200
+Subject: [PATCH] Correct out of bounds read of a single byte.
+
+CVE: CVE-2025-53014
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ MagickCore/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 261d75003..1b242f828 100644
+--- a/MagickCore/image.c
+++ b/MagickCore/image.c
+@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+     q=(char *) p+1;
+     if (*q == '%')
+       {
+-        p=q+1;
+        p++;
+         continue;
+       }
+     field_width=0;
@@ -11,7 +11,9 @@ DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool"

 BASE_PV := "${PV}"
 PV .= "-47"
-SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https"
+SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https \
+           file://CVE-2025-53014.patch \
+           "
 SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"

 S = "${WORKDIR}/git"