From 9a92ff56a7d9da582938479500e5a475eef484a9 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 29 Apr 2025 17:18:18 +0800 Subject: [PATCH] Fix CVE-2025-43965 and CVE-2025-46393 (cherry picked from commit 57f3c0315f4f11bbc2019fc71ccff2075f941386) --- CVE-2025-43965.patch | 22 ++++++++++++++++++++++ CVE-2025-46393.patch | 36 ++++++++++++++++++++++++++++++++++++ ImageMagick.spec | 7 ++++++- 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-43965.patch create mode 100644 CVE-2025-46393.patch diff --git a/CVE-2025-43965.patch b/CVE-2025-43965.patch new file mode 100644 index 0000000..7904768 --- /dev/null +++ b/CVE-2025-43965.patch @@ -0,0 +1,22 @@ +From bac413a26073923d3ffb258adaab07fb3fe8fdc9 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Sat, 8 Feb 2025 23:31:39 +0100 +Subject: [PATCH] Update the image depth after this has been changed by + SetQuantumFormat. + +--- + coders/miff.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/coders/miff.c b/coders/miff.c +index 66f8d3850bf..77e92500679 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + if (quantum_format != UndefinedQuantumFormat) + { + status=SetQuantumFormat(image,quantum_info,quantum_format); ++ image->depth=quantum_info->depth; + if (status == MagickFalse) + ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed"); + } diff --git a/CVE-2025-46393.patch b/CVE-2025-46393.patch new file mode 100644 index 0000000..acdcb8b --- /dev/null +++ b/CVE-2025-46393.patch @@ -0,0 +1,36 @@ +From 81ac8a0d2eb21739842ed18c48c7646b7eef65b8 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 7 Feb 2025 20:57:15 -0500 +Subject: [PATCH] multispectral MIFF images renders all channels in arbitrary + order + +--- + coders/miff.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/miff.c b/coders/miff.c +index 355455bc50e..398f66d0b66 100644 +--- a/coders/miff.c ++++ b/coders/miff.c +@@ -1347,10 +1347,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, + packet_size+=image->depth/8; + if (image->colorspace == CMYKColorspace) + packet_size+=image->depth/8; ++ if (image->number_meta_channels != 0) ++ packet_size=GetImageChannels(image)*image->depth/8; + if (image->compression == RLECompression) + packet_size++; +- if (image->number_meta_channels != 0) +- packet_size+=image->number_meta_channels*image->depth/8; + compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size* + image->columns),LZMAMaxExtent(packet_size*image->columns)), + ZipMaxExtent(packet_size*image->columns)); +@@ -2171,7 +2171,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, + if (compression == RLECompression) + packet_size++; + if (image->number_meta_channels != 0) +- packet_size+=image->number_meta_channels*image->depth/8; ++ packet_size=GetImageChannels(image)*image->depth/8; + length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent( + packet_size*image->columns)); + if ((compression == BZipCompression) || (compression == ZipCompression)) diff --git a/ImageMagick.spec b/ImageMagick.spec index 24a7d01..79d8376 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,12 +1,14 @@ Name: ImageMagick Epoch: 1 Version: 7.1.1.15 -Release: 1 +Release: 2 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-15.tar.gz Patch1: CVE-2023-5341.patch +Patch2: CVE-2025-43965.patch +Patch3: CVE-2025-46393.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -161,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick* %changelog +* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1:7.1.1.15-2 +- Fix CVE-2025-43965 and CVE-2025-46393 + * Mon Oct 23 2023 wulei - 1:7.1.1.15-1 - Update to 7.1.1.15 -- Gitee