Ankur Tyagi
7d35bbae28
gimp: patch CVE-2025-5473
...
Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-5473
Backport commit associated with the resolution of issue[1].
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/13910
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:15 +05:30
Ankur Tyagi
f11e20ad6e
gimp: ignore CVE-2025-48796
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-48796
The vulnerable function ani_load_image() was added[1] after the current
version of GIMP[2], we can ignore the CVE.
[1] https://gitlab.gnome.org/GNOME/gimp/-/commit/aa51b9e19ece8a8c54a513fe33b6d65abcb0fbfb
[2] https://gitlab.gnome.org/GNOME/gimp/-/commits/GIMP_2_10_38/plug-ins/file-ico/ico-load.c?ref_type=tags
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:14 +05:30
Ankur Tyagi
69cb161b5d
gimp: patch CVE-2025-14425
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425
Patch referenced by the nvd report is for the file "file-jp2.c" which was
renamed from "file-jp2-load.c" by commit[1] in the later versions.
[1] https://gitlab.gnome.org/GNOME/gimp/-/commit/19c57a9765ac3451c9cde94ccb06bec5ae06fbd8
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:14 +05:30
Ankur Tyagi
a7ef3041ba
gimp: patch CVE-2025-14422
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:14 +05:30
Peter Marko
7dfdfc0035
gimp: ignore CVE-2007-3741
...
NVD still tracks this CVE as version-less, so explicit ignore is needed.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:13 +05:30
Ankur Tyagi
97c3c5ee0b
gimp: upgrade 2.10.36 -> 2.10.38
...
Feature backport for Windows otherwise it is mostly a bug-fix release
https://gitlab.gnome.org/GNOME/gimp/-/blob/GIMP_2_10_38/NEWS
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-19 12:14:10 +05:30
Gyorgy Sarvari
2df869df1c
freerdp3: drop CVE-2025-68118 patch
...
The CVE is also ignored in the same recipe, because it is a Windows-
only vulnerability. Due to this, the patch isn't required.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-13 06:53:10 +05:30
Naman Jain
30dafc3958
unbound: Fix CVE-2025-5994
...
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been
discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is
also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND
configured to send ECS information along with queries to upstream name servers
CVE: CVE-2025-5994
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:27 +05:30
Gyorgy Sarvari
ed7365bfad
libao: ignore CVE-2017-11548
...
Both Suse[1] and Debian[2] dispute that this is a vulnerability in libao.
Based on their investigation while an issue exists, it is not in libao, however
higher in the audio-toolchain, most likely in libmad or mpg321. There seems to
be nothing to be fixed about this in libao - ignore this CVE due to this.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a993eb8b93)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:26 +05:30
Peter Marko
2ecd7e0156
id3lib: mark CVE-2007-4460 as fixed
...
This is fixed in id3lib3.8.3_3.8.3-16.2.debian.tar.xz patch included in
SRC_URI.
Version 3.8.3-7 contains patch for this CVE, we use 3.8.3-16.2.
This can be verified by checking the debian/changelog within this patch
or diffing [1] and [2] and verifying that this can be reverse-applied.
[1] https://snapshot.debian.org/archive/debian/20070819T000000Z/pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-6.diff.gz
[2] https://snapshot.debian.org/archive/debian/20070819T000000Z/pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.diff.gz
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9fff0040f1)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:26 +05:30
Wang Mingyu
5a5de39bbd
libvpx: upgrade 1.14.0 -> 1.14.1
...
libvpx-configure-support-blank-prefix.patch
refreshed for 1.14.1
Changelog:
============
- Improved the detection of compiler support for AArch64 extensions,
particularly SVE.
- Added vpx_codec_get_global_headers() support for VP9.
- Added buffer bounds checks to vpx_writer and vpx_write_bit_buffer.
- Fix to GetSegmentationData() crash in aq_mode=0 for RTC rate control.
- Fix to alloc for row_base_thresh_freq_fac.
- Free row mt memory before freeing cpi->tile_data.
- Fix to buffer alloc for vp9_bitstream_worker_data.
- Fix to VP8 race issue for multi-thread with pnsr_calc.
- Fix to uv width/height in vp9_scale_and_extend_frame_ssse3.
- Fix to integer division by zero and overflow in calc_pframe_target_size().
- Fix to integer overflow in vpx_img_alloc() & vpx_img_wrap()(CVE-2024-5197).
- Fix to UBSan error in vp9_rc_update_framerate().
- Fix to UBSan errors in vp8_new_framerate().
- Fix to integer overflow in vp8 encodeframe.c.
- Handle EINTR from sem_wait().
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 911023b521)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:25 +05:30
Peter Marko
29be38f0b1
synergy: patch CVE-2020-15117
...
Pick commit based on [1].
Note that the pick is done from deskflow, which is the open-source successor
of synergy.
If anyone uses this recipe, it should be switched.
[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit db283053d0)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:25 +05:30
Ankur Tyagi
c1075f0312
usb-modeswitch-data: upgrade 20191128 -> 20251207
...
20251207:
- Added device: [0bda:a192] MERCURY MW310UH (Wifi, based on RTL8192FU),
thanks to Zenm Chen for the report
https://www.draisberghof.de/usb_modeswitch/ChangeLogData
Also drop unnecessary SRC_URI md5sum
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:25 +05:30
Ankur Tyagi
5dffed1382
usb-modeswitch: upgrade 2.6.1 -> 2.6.2
...
2.6.2:
- Bug in C code (with gcc 1.5) fixed
https://www.draisberghof.de/usb_modeswitch/ChangeLog
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:24 +05:30
Peter Marko
b76d5a084b
networkmanager: upgrade 1.46.0 -> 1.46.6
...
Solves CVE-2024-6501 (in 1.46.4).
Release notes:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.46.6/NEWS?ref_type=tags
Switch SRC_URI for gnome Gitlab as gnome mirror no longer contains new
releases.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:24 +05:30
Peter Marko
0bca0e04c8
libsodium: patch CVE-2025-69277
...
Pick patch per [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69277
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:23 +05:30
Ankur Tyagi
e434c0b06a
libwebsockets: ignore CVE-2025-1866
...
Only affects Windows and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-1866
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:23 +05:30
Katariina Lounento
6a3a40c102
libtar: patch CVEs
...
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3c9b5b36c8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 505f2defdc)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:22 +05:30
Ankur Tyagi
5e650cf2e5
krb5: ignore CVE-2025-3576
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-3576
As mentioned[1], vulnerability is fixed since upstream 1.21
[1] https://security-tracker.debian.org/tracker/CVE-2025-3576
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:22 +05:30
Ankur Tyagi
a99dac1be4
influxdb: ignore CVE-2024-30896
...
As mentioned in the comment[1], vulnerability is in
/api/v2/authorizations API which only exists in 2.x, 1.x is not affected.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896
[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:21 +05:30
Ankur Tyagi
305fef50c7
freerdp3: ignore CVE-2025-68118
...
Only affects Windows and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:21 +05:30
Ankur Tyagi
3d4aef2b2d
opusfile: patch CVE-2022-47021
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47021
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:20 +05:30
Ankur Tyagi
23edbe268c
vlc: patch CVE-2024-46461
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-46461
Backport the patch mentioned in the news[1] that fixes this vulnerability.
[1] https://code.videolan.org/videolan/vlc/-/blob/3.0.21/NEWS?ref_type=tags#L44
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:20 +05:30
Peter Marko
774c7ed3fd
sox: extend CVE_PRODUCT
...
Add all relevant items from queries:
$ sqlite3 nvdcve_2-2.db
sqlite> select vendor, product, count(*) from products where product like '%sox%' group by vendor, product;
commugen|sox_365|1
libsox_project|libsox|1
sox|sox|3
sox_project|sox|10
sqlite> select vendor, product, count(*) from products where product like '%sound_exchange%' group by vendor, product;
sound_exchange_project|sound_exchange|16
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a68c3df41c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:19 +05:30
Ankur Tyagi
42b615f953
libde265: patch CVE-2023-47471
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-47471
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:19 +05:30
Ankur Tyagi
e83565b24a
libde265: patch CVE-2023-43887
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-43887
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:19 +05:30
Ankur Tyagi
c49bff1273
wolfssl: patch CVE-2025-7394
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394
Backport patches from the PR[1][2][3] mentioned in the changelog[4].
[1] https://github.com/wolfSSL/wolfssl/pull/8849
[2] https://github.com/wolfSSL/wolfssl/pull/8867
[3] https://github.com/wolfSSL/wolfssl/pull/8898
[4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:18 +05:30
Ankur Tyagi
df26bbaaba
tinyproxy: patch CVE-2025-63938
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 08:12:13 +05:30
Ankur Tyagi
e90c455347
znc: patch CVE-2024-39844
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844
Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1
[1] https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:52:00 +05:30
Ankur Tyagi
bfd8dda3ba
proftpd: patch CVE-2024-48651
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-48651
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:52:00 +05:30
Ankur Tyagi
bad750ad27
open62541: patch CVE-2024-53429
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429
Backport the patch mentioned in the comment[1] which fixed this CVE.
[1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:59 +05:30
Ankur Tyagi
c73fe4bd7e
mtr: patch CVE-2025-49809
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:59 +05:30
Ankur Tyagi
b45ac4e0ef
libcoap: patch CVE-2025-34468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:58 +05:30
Ankur Tyagi
c0c54373e9
frr: ignore CVE-2024-44070
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-44070
The PR[1] fixing this CVE was backported[2] to stable/9.1 and commit[3]
exists in the current version so we can ignore it.
$ git tag --contains 21cd931 | grep frr-9.1.3
frr-9.1.3
[1] https://github.com/FRRouting/frr/pull/16497
[2] https://github.com/FRRouting/frr/pull/16504
[3] https://github.com/FRRouting/frr/commit/21cd931a5f9303e12104c72ce31ca383c0c57514
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:58 +05:30
Khem Raj
7e4c89a25e
dante: Add _GNU_SOURCE for musl builds
...
This helps build fixes e.g. cpuset_t definitions etc.
glibc builds have _GNU_SOURCE defined inherently.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 848bac20ea)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:57 +05:30
Gyorgy Sarvari
f0fa984d16
dante: upgrade 1.4.3 -> 1.4.4
...
License-Update: copyright year bump
Changelog:
- Fix potential security issue CVE-2024-54662, related to "socksmethod"
use in client/hostid-rules.
- Add a missing call to setgroups(2).
- Patch to fix compilation with libminiupnp 2.2.8.
- Client connectchild optimizations.
- Client SIGIO handling improvements.
- Various configure/build fixes.
- Updated to support TCP_EXP1 version of TCP hostid format.
https://www.inet.no/dante/announce-1.4.4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:57 +05:30
Ankur Tyagi
2aa20b7141
cifs-utils: patch CVE-2025-2312
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
626bcb7f86
imagemagick: patch CVE-2025-65955
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-65955
Pick the patch that is mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
24e4caa837
imagemagick: patch CVE-2025-62171
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62171
Pick the patch that's mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
aeb80bb058
imagemagick: patch CVE-2025-57807
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57807
Backport the patch that's mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
9d92eeacdf
imagemagick: patch CVE-2025-57803
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57803
Backport the patch that is mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
29fa171a9d
imagemagick: patch CVE-2025-55212
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212
Backport the patch that is mentioned in the NVD advisory.
Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.
The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.
[1]: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
118df68d25
imagemagick: patch CVE-2025-55160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
dd13a60248
imagemagick: patch CVE-2025-55154
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
df19121bc6
imagemagick: patch CVE-2025-55005
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005
Pick the patch that mentions the related github advisory[1] in its
commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
b32dcf53ce
imagemagick: patch CVE-2025-55004
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004
Pick the patch that mentions the related github advisory[1] explicitly in
its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
2d4ca24273
imagemagick: patch CVE-2025-53101
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53101
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:52 +05:30
Gyorgy Sarvari
482f541705
imagemagick: patch CVE-2025-53019
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53019
Pick the commit that is marked as a fix at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
7c479d21cd
imagemagick: patch CVE-2025-53015
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53015
Backport the patches marked as a solution at the bottom of the relevant
github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:51 +05:30
Gyorgy Sarvari
e9916715c9
imagemagick: patch CVE-2025-53014
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53014
Pick the commit that is mentioned as a solution at the bottom of
the relevant Github advisory[1].
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-12 07:51:50 +05:30