From ae6c8ebc8bff9f2010db56554346def96173a5b5 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 29 Apr 2025 12:43:34 +0800
Subject: [PATCH] Fix CVE-2025-27795,CVE-2025-27796 and CVE-2025-32460
---
CVE-2025-27795.patch | 17 ++++++++++++++++
CVE-2025-27796.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
CVE-2025-32460.patch | 16 +++++++++++++++
GraphicsMagick.spec | 15 ++++++++++++---
4 files changed, 91 insertions(+), 3 deletions(-)
create mode 100644 CVE-2025-27795.patch
create mode 100644 CVE-2025-27796.patch
create mode 100644 CVE-2025-32460.patch
diff --git a/CVE-2025-27795.patch b/CVE-2025-27795.patch
new file mode 100644
index 0000000..57a3bce
--- /dev/null
+++ b/CVE-2025-27795.patch
@@ -0,0 +1,17 @@
+Origin:
+https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
+
+diff -r db3ff8d00c28 -r 9bbae7314e3c coders/jxl.c
+--- a/coders/jxl.c Sat Sep 07 10:14:51 2024 -0500
++++ b/coders/jxl.c Mon Sep 09 08:01:43 2024 -0500
+@@ -637,6 +638,9 @@
+
+ image->orientation=convert_orientation(basic_info.orientation);
+
++ if (CheckImagePixelLimits(image, exception) != MagickPass)
++ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
++
+ pixel_format.endianness=JXL_NATIVE_ENDIAN;
+ pixel_format.align=0;
+ if (basic_info.num_color_channels == 1)
+
diff --git a/CVE-2025-27796.patch b/CVE-2025-27796.patch
new file mode 100644
index 0000000..010b603
--- /dev/null
+++ b/CVE-2025-27796.patch
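Review bot: The embedded hunk header in CVE-2025-27795.patch, `@@ -637,6 +638,9 @@`, starts one line later on the new side than on the old, which suggests the upstream change to coders/jxl.c had an earlier one-line hunk that this backport does not carry. Please confirm against the Origin commit that nothing the new `CheckImagePixelLimits` call depends on was dropped, and say in the patch header which upstream hunks were omitted. The added `if` also invokes the `ThrowJXLReaderException` macro without braces; its definition is not visible here, so writing `{ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image); }` would keep the guard correct even if the macro expands to more than one statement. The enclosing function starts and ends outside the hunk.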
@@ -0,0 +1,46 @@
+Origin:
+https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+
+diff -r cf7cd5ebabb0 -r 883ebf8cae6d coders/wpg.c
+--- a/coders/wpg.c Mon Dec 16 10:50:23 2024 -0600
++++ b/coders/wpg.c Thu Dec 19 12:57:33 2024 -0600
+@@ -1704,28 +1704,23 @@
+ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+ }
+
+- if(pPalette!=NULL &&
+- PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
+- {
+- MagickFreeResourceLimitedMemory(pPalette);
+- PaletteAllocBytes = 0;
+- }
++ /* Assure that buffer is allocated and the current size */
++ if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
++ {
++ PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
++ MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
++ }
+ if(pPalette==NULL)
+- {
+- PaletteItems = WPG_Palette.NumOfEntries;
+- PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
+- if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
+- pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
+- if(pPalette==NULL)
+- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+- for(i=0; i<=255; i++)
++ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
++
++ PaletteItems = WPG_Palette.NumOfEntries;
++ for(i=0; i<=255; i++)
+ {
+ pPalette[4*i] = WPG1_Palette[i].Red;
+ pPalette[4*i+1] = WPG1_Palette[i].Green;
+ pPalette[4*i+2] = WPG1_Palette[i].Blue;
+ pPalette[4*i+3] = OpaqueOpacity;
+ }
+- }
+ if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
+ {
+ MagickFreeResourceLimitedMemory(pPalette);
+
diff --git a/CVE-2025-32460.patch b/CVE-2025-32460.patch
new file mode 100644
index 0000000..752c4d3
--- /dev/null
+++ b/CVE-2025-32460.patch
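Review bot: The required palette size in the coders/wpg.c hunk is spelled out twice as `Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256)`, once in the comparison and once in the assignment, so the two copies can drift apart and the width of the multiplication stays implicit. Computing it once into a local, `need = Max(...)` followed by `if (PaletteAllocBytes != need)`, would make the bound that the later `ReadBlob` into `pPalette+4*StartIndex` relies on easier to audit. The default-fill loop covers only entries 0..255, so if the `InvalidColormapIndex` check above the hunk (not fully visible) permits a `StartIndex` beyond 256, the bytes between entry 256 and `StartIndex` would keep whatever the reallocation returned; please confirm that the check rules this out. The existing comment would read more clearly as `/* (Re)allocate so the palette holds max(StartIndex+NumOfEntries, 256) four-byte entries */`.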
@@ -0,0 +1,16 @@
+Origin:
+https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
+
+Index: GraphicsMagick-1.3.45/coders/jxl.c
+===================================================================
+--- GraphicsMagick-1.3.45.orig/coders/jxl.c
++++ GraphicsMagick-1.3.45/coders/jxl.c
+@@ -657,7 +657,7 @@ static Image *ReadJXLImage(const ImageIn
+ ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+ }
+ grayscale=MagickTrue;
+- pixel_format.num_channels=1;
++ pixel_format.num_channels=image->matte ? 2 : 1;
+ pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
+ (basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
+ JXL_TYPE_FLOAT));
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 443bf8a..ddc5cfb 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -26,7 +26,7 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick Version: 1.3.45 -Release: 2 +Release: 3 License: MIT Source0: https://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@@ -35,7 +35,10 @@ Source1: urw-fonts-1.0.7pre44.tar.bz2 #S1 https://gitee.com/src-openeuler/urw-base35-fonts.git Url: https://www.graphicsmagick.org/ -Patch002: GraphicsMagick-1.3.31-perl_linkage.patch +Patch0: GraphicsMagick-1.3.31-perl_linkage.patch +Patch1: CVE-2025-27795.patch +Patch2: CVE-2025-27796.patch +Patch3: CVE-2025-32460.patch BuildRequires: bzip2-devel BuildRequires: freetype-devel
@@ -150,6 +153,9 @@ GraphicsMagick documentation and usage introduction. %prep %setup -q +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 %if 0%{?urw_font_bundle} mkdir -p urw-fonts
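Review bot: Setting `pixel_format.num_channels=image->matte ? 2 : 1;` in the grayscale branch of ReadJXLImage (CVE-2025-32460.patch) changes how many samples per pixel the decoder is asked to deliver, but the code that sizes the output buffer and the loop that unpacks gray pixels both lie outside this hunk. Please confirm on the 1.3.45 tree that both already handle the two-sample gray+alpha layout, since a consumer that still steps one sample per pixel would misread the buffer. A short comment on the changed line would record the intent, e.g. `/* gray+alpha: decoder emits two samples per pixel */`. The function body starts and ends outside the hunk.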
@@ -157,7 +163,7 @@ tar --directory=urw-fonts/ -xf %{SOURCE1} rm -f urw-fonts/ChangeLog urw-fonts/README* urw-fonts/fonts* %endif -%patch -P002 -p1 -b .perl_linkage +%patch -P 0 -p1 -b .perl_linkage for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
@@ -324,6 +330,9 @@ exit 1 %{_mandir}/man3/* %changelog +* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1.3.45-3 +- Fix CVE-2025-27795,CVE-2025-27796 and CVE-2025-32460 + * Thu Jan 16 2025 Funda Wang - 1.3.45-2 - cleanup spec -- Gitee