From 7076d624188a087c4a0c9724790bc46f9ad97312 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 29 Apr 2025 12:20:02 +0800
Subject: [PATCH] Fix CVE-2025-27795 and CVE-2025-32460
---
CVE-2025-27795.patch | 38 +++++++++++++++++++++++++++++++++
CVE-2025-32460.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
GraphicsMagick.spec | 13 +++++++++---
3 files changed, 98 insertions(+), 3 deletions(-)
create mode 100644 CVE-2025-27795.patch
create mode 100644 CVE-2025-32460.patch
diff --git a/CVE-2025-27795.patch b/CVE-2025-27795.patch
new file mode 100644
index 0000000..a9f4fa3
--- /dev/null
+++ b/CVE-2025-27795.patch
@@ -0,0 +1,38 @@
+From: Bob Friesenhahn
+Date: Mon, 9 Sep 2024 08:01:43 -0500
+Subject: ReadJXLImage(): Apply image dimension resource limits. Addresses
+ oss-fuzz Issue 69728
+
+Backported to Debian by Carlos Henrique Lima Melara
+
+Changes:
+ - Drop changes to changelog and version files.
+Origin: upstream, https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
+Bug-Debian: https://bugs.debian.org/1099955
+Last-Update: 2025-03-31
+---
+ coders/jxl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/coders/jxl.c b/coders/jxl.c
+index b8a85fd..8a370fe 100644
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -531,6 +531,7 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
+ basic_info.alpha_bits, basic_info.num_color_channels,
+ basic_info.have_animation == JXL_FALSE ? "False" : "True");
+ }
++
+ if (basic_info.num_extra_channels)
+ {
+ size_t index;
+@@ -579,6 +580,9 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
+
+ image->orientation=convert_orientation(basic_info.orientation);
+
++ if (CheckImagePixelLimits(image, exception) != MagickPass)
++ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
++
+ pixel_format.endianness=JXL_NATIVE_ENDIAN;
+ pixel_format.align=0;
+ if (basic_info.num_color_channels == 1)
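Review bot: In CVE-2025-27795.patch, the `CheckImagePixelLimits()` call added by the second coders/jxl.c hunk has no comment saying that it is the gate between the untrusted JXL header and everything later sized from it, so a future reorder of this block could move buffer sizing ahead of the limit check without anyone noticing. I would add above it `/* Apply the image dimension resource limits to the header values before any output buffer is sized from them. */`. The check only helps if `image->columns` and `image->rows` have already been filled from `basic_info` at this point; that assignment is outside the hunk, as is the rest of ReadJXLImage(), so it should be confirmed against the 1.3.41 tree this backport is applied to. The first coders/jxl.c hunk only inserts a blank line and could be dropped to keep the security backport minimal.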
diff --git a/CVE-2025-32460.patch b/CVE-2025-32460.patch
new file mode 100644
index 0000000..46d536e
--- /dev/null
+++ b/CVE-2025-32460.patch
@@ -0,0 +1,50 @@
+Description: ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale matte
+Origin: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-32460
+Forwarded: not-needed
+Author: Bob Friesenhahn
+
+--- a/coders/jxl.c
++++ b/coders/jxl.c
+@@ -600,7 +600,7 @@ static Image *ReadJXLImage(const ImageIn
+ ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+ }
+ grayscale=MagickTrue;
+- pixel_format.num_channels=1;
++ pixel_format.num_channels=image->matte ? 2 : 1;
+ pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
+ (basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
+ JXL_TYPE_FLOAT));
+@@ -765,10 +765,32 @@ static Image *ReadJXLImage(const ImageIn
+ size_t
+ out_len;
+
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "JxlPixelFormat:\n"
++ " num_channels: %u\n"
++ " data_type: %s\n"
++ " endianness: %s\n"
++ " align: %" MAGICK_SIZE_T_F "u",
++ pixel_format.num_channels,
++ pixel_format.data_type == JXL_TYPE_FLOAT ? "float" :
++ (pixel_format.data_type == JXL_TYPE_UINT8 ? "uint8" :
++ (pixel_format.data_type == JXL_TYPE_UINT16 ? "uint16" :
++ (pixel_format.data_type == JXL_TYPE_FLOAT16 ? "float16" :
++ "unknown"))) ,
++ pixel_format.endianness == JXL_NATIVE_ENDIAN ? "native" :
++ (pixel_format.endianness == JXL_LITTLE_ENDIAN ? "little" :
++ (pixel_format.endianness == JXL_BIG_ENDIAN ? "big" : "unknown")),
++ pixel_format.align);
++
+ status=JxlDecoderImageOutBufferSize(jxl_decoder,&pixel_format,&out_len);
+ if (status != JXL_DEC_SUCCESS)
+ break;
+
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "JxlDecoderImageOutBufferSize() returns %" MAGICK_SIZE_T_F "u",
++ (MAGICK_SIZE_T) out_len);
+ out_buf=MagickAllocateResourceLimitedArray(unsigned char *,out_len,sizeof(*out_buf));
+ if (out_buf == (unsigned char *) NULL)
+ ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 92da72d..727c759 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -26,7 +26,7 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick Version: 1.3.41 -Release: 1 +Release: 2 License: MIT Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@@ -35,7 +35,9 @@ Source1: urw-fonts-1.0.7pre44.tar.bz2 #S1 https://gitee.com/src-openeuler/urw-base35-fonts.git Url: http://www.graphicsmagick.org/ -Patch002: GraphicsMagick-1.3.31-perl_linkage.patch +Patch0: GraphicsMagick-1.3.31-perl_linkage.patch +Patch1: CVE-2025-27795.patch +Patch2: CVE-2025-32460.patch BuildRequires: bzip2-devel BuildRequires: freetype-devel
@@ -151,6 +153,8 @@ GraphicsMagick documentation and usage introduction. %prep %setup -q +%patch -P 1 -p1 +%patch -P 2 -p1 %if 0%{?urw_font_bundle} mkdir -p urw-fonts
@@ -158,7 +162,7 @@ tar --directory=urw-fonts/ -xf %{SOURCE1} rm -f urw-fonts/ChangeLog urw-fonts/README* urw-fonts/fonts* %endif -%patch002 -p1 -b .perl_linkage +%patch -P 0 -p1 -b .perl_linkage for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
@@ -338,6 +342,9 @@ exit 1 %{_mandir}/man3/* %changelog +* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1.3.41-2 +- Fix CVE-2025-27795 and CVE-2025-32460 + * Tue Aug 29 2023 xu_ping <707078654@qq.com> - 1.3.41-1 - Upgrade 1.3.41 to fix gm convert command failed. -- Gitee