Ankur Tyagi
964432f3af
libraw: ignore CVE-2026-5318
...
Vulnerability exists in the function which was added in version 0.22.0[1]
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-5318
[1] https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
6d5a42a5e0
freerdp3: fix CVE-2026-33984
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33984
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
262e656885
freerdp3: fix CVE-2026-31897
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31897
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
73ae0a8034
freerdp3: fix CVE-2026-31806
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-31806
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
7025c461c7
freerdp3: fix CVE-2026-29776
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29776
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
1bc75cd389
freerdp3: fix CVE-2026-29775
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29775
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
2d96f24f2d
freerdp3: fix CVE-2026-29774
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29774
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
53ab8b4a5a
freerdp3: fix CVE-2026-24683
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24683
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
2beb2f81e7
freerdp3: fix CVE-2026-24682
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24682
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
799cfe0cfa
freerdp3: fix CVE-2026-24681
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24681
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
b343c96d52
freerdp3: fix CVE-2026-24680 and CVE-2026-27950
...
There was only SDL2 client until commit[1] created SDL2 and SDL3 clients
from version 3.6.0 onwards.
[1] https://github.com/FreeRDP/FreeRDP/commit/8281186a6d9dad20e8345d85a1732e2974636555
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24680
https://nvd.nist.gov/vuln/detail/CVE-2026-27950
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
27ba3fb054
freerdp3: fix CVE-2026-24679
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24679
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
09cd8e482a
freerdp3: ignore CVE-2026-24677 and CVE-2026-24678
...
Both vulnerabilities exist in the functions which were added in
version 3.6.0[1]
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-24677
https://nvd.nist.gov/vuln/detail/CVE-2026-24678
[1] https://github.com/FreeRDP/FreeRDP/commit/a81d111ac4023d31e10ebf579fa34c93bf56bce5
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
8cc0cd3deb
freerdp3: fix CVE-2026-24676
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24676
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
4784f85b09
freerdp3: fix CVE-2026-24675
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24675
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
c9763be62b
freerdp3: fix CVE-2026-24491
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
a0221753e4
freerdp3: fix CVE-2026-23948
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
21af1f7e13
freerdp3: fix CVE-2026-33952
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33952
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Ankur Tyagi
421f659e20
freerdp3: fix CVE-2026-25941
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25941
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-13 12:40:21 +05:30
Vijay Anusuri
57fc94a42d
libssh: Fix CVE-2026-0966
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:47 +05:30
Vijay Anusuri
3b8e032dbc
libssh: Fix CVE-2026-0964
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:46 +05:30
Martin Jansa
0e43651ad3
freerdp: remove 0001-Fix-const-qualifier-error.patch
...
Instead of fixing the build with clang this is now breaking it after 2.11.8 commit:
https://github.com/FreeRDP/FreeRDP/commit/67818bddb31900cdf3acb26cb0b673cc90b71cc9
freerdp/2.11.8/git/client/Wayland/wlfreerdp.c:637:19: error: incompatible function pointer types assigning to 'OBJECT_NEW_FN' (aka 'void *(*)(const void *)') from 'void *(void *)' [-Wincompatible-function-pointer-types]
637 | obj->fnObjectNew = uwac_event_clone;
| ^ ~~~~~~~~~~~~~~~~
Signed-off-by: Martin Jansa <martin.jansa@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-04-03 15:00:40 +05:30
Sujeet Nayak
76abb03c21
libnice: make crypto library configurable via PACKAGECONFIG
...
Move gnutls from a hard dependency to a PACKAGECONFIG option defaulting
to gnutls. This allows users to select openssl as an alternative crypto
library by setting PACKAGECONFIG.
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com >
Signed-off-by: Sujeet Nayak <sujeetnayak1976@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:15 +05:30
Gyorgy Sarvari
b79eee49df
imagemagick: patch CVE-2025-69204
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69204
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:12 +05:30
Gyorgy Sarvari
1c317cf2c8
imagemagick: patch CVE-2025-68950
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68950
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:11 +05:30
Gyorgy Sarvari
8d896ff2ae
imagemagick: patch CVE-2025-68618
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68618
Backport the commit that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:11 +05:30
Gyorgy Sarvari
14bb7501b0
exiv2: patch CVE-2026-27631
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631
Backport the patches referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
Gyorgy Sarvari
3175de6547
exiv2: patch CVE-2026-27596
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27596
Backport the commits referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
Gyorgy Sarvari
7e66b15669
exiv2: patch CVE-2026-25884
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884
Backport the commits referenced by the NVD advisory.
One of the patches contains some binary data (for test data),
which needs to be applied with git PATCHTOOL.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:10 +05:30
Vijay Anusuri
59b94e41bf
libssh: Fix CVE-2026-3731
...
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-3731
[2] https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:09 +05:30
Peter Marko
ada8211493
sassc: ignore CVE-2022-43357
...
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
Its usual use case is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] https://github.com/sass/libsass/issues/3177
[3] https://github.com/sass/libsass/pull/3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 576b84263b )
Scarthgap has also the fixed libsass version (3.6.6), the CVE can
be considered fixed.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:52:05 +05:30
Gyorgy Sarvari
e7dcdee568
freerdp: upgrade 2.11.7 -> 2.11.8
...
Drop patch that is included in this release.
Changelog: https://github.com/FreeRDP/FreeRDP/releases/tag/2.11.8
Backported #12319 bugfixes from 3.x
Fix incompatible pointer type issues
X11: fix pointer/integer type mismatch
Warn backport
[core] eliminate rdpRdp::instance
X11 client: ignore grab related LeaveNotify events
[winpr,pubsub] add NULL parameter checks
fix: correct server port assignment logic
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-03-24 08:47:02 +05:30
Gyorgy Sarvari
a3aef9bbcc
raptor2: patch CVE-2024-57822 and CVE-2024-57823
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-57822
https://nvd.nist.gov/vuln/detail/CVE-2024-57823
Pick the patches mentioned in the github issue[1] mentioned
in the NVD advisories (both of them are covered by the same issue)
[1]: https://github.com/dajobe/raptor/issues/70
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit dc2c6a514e )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-12 13:38:12 +05:30
Gyorgy Sarvari
0923b77230
imagemagick: patch CVE-2025-66628
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66628
Pick the patch that refers to the relevant github advisory[1]
explicitly in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-09 09:35:55 +05:30
Gyorgy Sarvari
a0806bca0a
freerdp: ignore CVE-2025-68118
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
The vulnerability is specific to the usage of Microsoft specific sprintf
implementation. Because of this, ignore this vulnerability.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1b4b952b51 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-02-09 09:35:54 +05:30
Gyorgy Sarvari
2df869df1c
freerdp3: drop CVE-2025-68118 patch
...
The CVE is also ignored in the same recipe, because it is a Windows-
only vulnerability. Due to this, the patch isn't required.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-13 06:53:10 +05:30
Peter Marko
29be38f0b1
synergy: patch CVE-2020-15117
...
Pick commit based on [1].
Note that the pick is done from deskflow, which is open-source successor
of synergy.
If anyone uses this recipe, it should be switched.
[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp
Signed-off-by: Peter Marko <peter.marko@siemens.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit db283053d0 )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:25 +05:30
Ankur Tyagi
c1075f0312
usb-modeswitch-data: upgrade 20191128 -> 20251207
...
20251207:
- Added device: [0bda:a192] MERCURY MW310UH (Wifi, based on RTL8192FU),
thanks to Zenm Chen for the report
https://www.draisberghof.de/usb_modeswitch/ChangeLogData
Also drop unnecessary SRC_URI md5sum
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:25 +05:30
Ankur Tyagi
5dffed1382
usb-modeswitch: upgrade 2.6.1 -> 2.6.2
...
2.6.2:
- Bug in C code (with gcc 1.5) fixed
https://www.draisberghof.de/usb_modeswitch/ChangeLog
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:24 +05:30
Katariina Lounento
6a3a40c102
libtar: patch CVEs
...
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 3c9b5b36c8 )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
(cherry picked from commit 505f2defdc )
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:22 +05:30
Ankur Tyagi
305fef50c7
freerdp3: ignore CVE-2025-68118
...
Only affects Windows and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 08:12:21 +05:30
Gyorgy Sarvari
626bcb7f86
imagemagick: patch CVE-2025-65955
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-65955
Pick the patch that is mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
24e4caa837
imagemagick: patch CVE-2025-62171
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62171
Pick the patch that's mentioned by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:56 +05:30
Gyorgy Sarvari
aeb80bb058
imagemagick: patch CVE-2025-57807
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57807
Backport the patch that's mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
9d92eeacdf
imagemagick: patch CVE-2025-57803
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57803
Backport the patch that is mentioned in the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:55 +05:30
Gyorgy Sarvari
29fa171a9d
imagemagick: patch CVE-2025-55212
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55212
Backport the patch that is mentioned in the NVD advisory.
Notes about the backport:
The original patch deletes two extra lines compared to the backport:
those lines were a previous attempt[1] to solve the same vulnerability,
and the final patch reverted them. Since that patch wasn't part of the
recipe, those deletions were dropped from the backported patch.
The PerceptibleReciprocal function was renamed[2] to MagickSafeReciprocal
after the recipe's revision, but there were no functional changes
in the function's behavior.
[1]: https://github.com/ImageMagick/ImageMagick/commit/43d92bf855155e8e716ecbb50ed94c2ed41ff9f6
[2]: https://github.com/ImageMagick/ImageMagick/commit/7e5d87fe6e9
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
118df68d25
imagemagick: patch CVE-2025-55160
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55160
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:54 +05:30
Gyorgy Sarvari
dd13a60248
imagemagick: patch CVE-2025-55154
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55154
Pick the patch that mentions the related github advisory[1]
in its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
df19121bc6
imagemagick: patch CVE-2025-55005
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55005
Pick the patch that mentions the related github advisory[1] in its
commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:53 +05:30
Gyorgy Sarvari
b32dcf53ce
imagemagick: patch CVE-2025-55004
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55004
Pick the patch that mentions the related github advisory[1] explicitly in
its commit message.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com >
2026-01-12 07:51:52 +05:30