diff --git a/CVE-2025-53014.patch b/CVE-2025-53014.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6af6308a11d9fc85d27572385e429ef3cf4619b7
--- /dev/null
+++ b/CVE-2025-53014.patch
@@ -0,0 +1,25 @@
+From: Dirk Lemstra
+Date: Thu, 26 Jun 2025 23:01:07 +0200
+Subject: Correct out of bounds read of a single byte.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53014
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 261d750..1b242f8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1678,7 +1678,7 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ q=(char *) p+1;
+ if (*q == '%')
+ {
+- p=q+1;
++ p++;
+ continue;
+ }
+ field_width=0;
diff --git a/CVE-2025-53015_1-pre.patch b/CVE-2025-53015_1-pre.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e29a266ca80c0ba755219cd8ea69a213b123b542
--- /dev/null
+++ b/CVE-2025-53015_1-pre.patch
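Review bot: The replacement line `p++;` in the `%%` branch of InterpretImageFilename (CVE-2025-53014.patch) carries no comment, and nothing on it says why advancing by one is right where `p=q+1` was not. The loop header is outside the hunk; presumably it advances `p` once more before the next search, which would be how the old code stepped one byte past the terminator when the format ended in `%%`. I would add `/* "%%": step onto the second '%' only; the loop's own advance moves past it */` so the one-byte step is not simplified back later.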
@@ -0,0 +1,194 @@
+From 3e4f327d44acc41538b86c1386048d8e489d9c7c Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 5 Aug 2023 22:52:40 -0400
+Subject: [PATCH] eliminate compiler warnings
+
+Origin: https://github.com/ImageMagick/ImageMagick/commit/3e4f327d44acc41538b86c1386048d8e489d9c7c
+
+---
+ MagickCore/cache.c | 52 ++++++++++++++++++++------------------
+ MagickCore/image-private.h | 2 +-
+ 2 files changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/MagickCore/cache.c b/MagickCore/cache.c
+index c0adc66389e..4dccc1dcf88 100644
+--- a/MagickCore/cache.c
++++ b/MagickCore/cache.c
+@@ -650,7 +650,7 @@ static MagickBooleanType ClonePixelCacheOnDisk(
+ number_bytes=write(clone_info->file,buffer,(size_t) count);
+ if (number_bytes != count)
+ break;
+- extent+=number_bytes;
++ extent+=(size_t) number_bytes;
+ }
+ buffer=(unsigned char *) RelinquishMagickMemory(buffer);
+ if (extent != cache_info->length)
+@@ -2789,14 +2789,14 @@ MagickPrivate const Quantum *GetVirtualPixelCacheNexus(const Image *image,
+ if (pixels == (Quantum *) NULL)
+ return((const Quantum *) NULL);
+ q=pixels;
+- offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
++ offset=nexus_info->region.y*(MagickOffsetType) cache_info->columns+
+ nexus_info->region.x;
+ length=(MagickSizeType) (nexus_info->region.height-1L)*cache_info->columns+
+ nexus_info->region.width-1L;
+ number_pixels=(MagickSizeType) cache_info->columns*cache_info->rows;
+ if ((offset >= 0) && (((MagickSizeType) offset+length) < number_pixels))
+- if ((x >= 0) && ((ssize_t) (x+columns-1) < (ssize_t) cache_info->columns) &&
+- (y >= 0) && ((ssize_t) (y+rows-1) < (ssize_t) cache_info->rows))
++ if ((x >= 0) && ((x+(ssize_t) columns-1) < (ssize_t) cache_info->columns) &&
++ (y >= 0) && ((y+(ssize_t) rows-1) < (ssize_t) cache_info->rows))
+ {
+ MagickBooleanType
+ status;
+@@ -2914,13 +2914,14 @@ MagickPrivate const Quantum *GetVirtualPixelCacheNexus(const Image *image,
+ if ((virtual_pixel_method == EdgeVirtualPixelMethod) ||
+ (virtual_pixel_method == UndefinedVirtualPixelMethod))
+ y_offset=EdgeY(y_offset,cache_info->rows);
+- for (u=0; u < (ssize_t) columns; u+=length)
++ for (u=0; u < (ssize_t) columns; u+=(ssize_t) length)
+ {
+ ssize_t
+ x_offset;
+
+ x_offset=x+u;
+- length=(MagickSizeType) MagickMin(cache_info->columns-x_offset,columns-u);
++ length=(MagickSizeType) MagickMin((ssize_t) cache_info->columns-
++ x_offset,(ssize_t) columns-u);
+ if (((x_offset < 0) || (x_offset >= (ssize_t) cache_info->columns)) ||
+ ((y_offset < 0) || (y_offset >= (ssize_t) cache_info->rows)) ||
+ (length == 0))
+@@ -3568,11 +3569,11 @@ static inline MagickOffsetType WritePixelCacheRegion(
+ for (i=0; i < (MagickOffsetType) length; i+=count)
+ {
+ #if !defined(MAGICKCORE_HAVE_PWRITE)
+- count=write(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
+- MAGICK_SSIZE_MAX));
++ count=write(cache_info->file,buffer+i,(size_t) MagickMin(length-
++ (MagickSizeType) i,MAGICK_SSIZE_MAX));
+ #else
+- count=pwrite(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
+- MAGICK_SSIZE_MAX),offset+i);
++ count=pwrite(cache_info->file,buffer+i,(size_t) MagickMin(length-
++ (MagickSizeType) i,MAGICK_SSIZE_MAX),offset+i);
+ #endif
+ if (count <= 0)
+ {
+@@ -4081,7 +4082,8 @@ MagickExport MagickBooleanType PersistPixelCache(Image *image,
+ cache_info->offset=(*offset);
+ if (OpenPixelCache(image,ReadMode,exception) == MagickFalse)
+ return(MagickFalse);
+- *offset+=cache_info->length+page_size-(cache_info->length % page_size);
++ *offset=(*offset+(MagickOffsetType) cache_info->length+page_size-
++ ((MagickOffsetType) cache_info->length % page_size));
+ return(MagickTrue);
+ }
+ /*
+@@ -4114,7 +4116,8 @@ MagickExport MagickBooleanType PersistPixelCache(Image *image,
+ status=OpenPixelCacheOnDisk(clone_info,WriteMode);
+ if (status != MagickFalse)
+ status=ClonePixelCacheRepository(clone_info,cache_info,exception);
+- *offset+=cache_info->length+page_size-(cache_info->length % page_size);
++ *offset=(*offset+(MagickOffsetType) cache_info->length+page_size-
++ ((MagickOffsetType) cache_info->length % page_size));
+ clone_info=(CacheInfo *) DestroyPixelCache(clone_info);
+ return(status);
+ }
+@@ -4191,11 +4194,12 @@ MagickPrivate Quantum *QueueAuthenticPixelCacheNexus(Image *image,
+ "PixelsAreNotAuthentic","`%s'",image->filename);
+ return((Quantum *) NULL);
+ }
+- offset=(MagickOffsetType) y*cache_info->columns+x;
++ offset=y*(MagickOffsetType) cache_info->columns+x;
+ if (offset < 0)
+ return((Quantum *) NULL);
+ number_pixels=(MagickSizeType) cache_info->columns*cache_info->rows;
+- offset+=(MagickOffsetType) (rows-1)*cache_info->columns+columns-1;
++ offset+=((MagickOffsetType) rows-1)*(MagickOffsetType) cache_info->columns+
++ (MagickOffsetType) columns-1;
+ if ((MagickSizeType) offset >= number_pixels)
+ return((Quantum *) NULL);
+ /*
+@@ -4398,11 +4402,11 @@ static inline MagickOffsetType ReadPixelCacheRegion(
+ for (i=0; i < (MagickOffsetType) length; i+=count)
+ {
+ #if !defined(MAGICKCORE_HAVE_PREAD)
+- count=read(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
+- MAGICK_SSIZE_MAX));
++ count=read(cache_info->file,buffer+i,(size_t) MagickMin(length-
++ (MagickSizeType) i,(size_t) MAGICK_SSIZE_MAX));
+ #else
+- count=pread(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
+- MAGICK_SSIZE_MAX),offset+i);
++ count=pread(cache_info->file,buffer+i,(size_t) MagickMin(length-
++ (MagickSizeType) i,(size_t) MAGICK_SSIZE_MAX),offset+i);
+ #endif
+ if (count <= 0)
+ {
+@@ -4439,7 +4443,7 @@ static MagickBooleanType ReadPixelCacheMetacontent(
+ return(MagickFalse);
+ if (nexus_info->authentic_pixel_cache != MagickFalse)
+ return(MagickTrue);
+- offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
++ offset=nexus_info->region.y*(MagickOffsetType) cache_info->columns+
+ nexus_info->region.x;
+ length=(MagickSizeType) nexus_info->region.width*
+ cache_info->metacontent_extent;
+@@ -4464,7 +4468,7 @@ static MagickBooleanType ReadPixelCacheMetacontent(
+ length=extent;
+ rows=1UL;
+ }
+- p=(unsigned char *) cache_info->metacontent+offset*
++ p=(unsigned char *) cache_info->metacontent+offset*(MagickOffsetType)
+ cache_info->metacontent_extent;
+ for (y=0; y < (ssize_t) rows; y++)
+ {
+@@ -4501,7 +4505,7 @@ static MagickBooleanType ReadPixelCacheMetacontent(
+ cache_info->metacontent_extent,length,(unsigned char *) q);
+ if (count != (MagickOffsetType) length)
+ break;
+- offset+=cache_info->columns;
++ offset+=(MagickOffsetType) cache_info->columns;
+ q+=cache_info->metacontent_extent*nexus_info->region.width;
+ }
+ if (IsFileDescriptorLimitExceeded() != MagickFalse)
+@@ -4675,7 +4679,7 @@ static MagickBooleanType ReadPixelCachePixels(
+ cache_info->number_channels*sizeof(*q),length,(unsigned char *) q);
+ if (count != (MagickOffsetType) length)
+ break;
+- offset+=cache_info->columns;
++ offset+=(MagickOffsetType) cache_info->columns;
+ q+=cache_info->number_channels*nexus_info->region.width;
+ }
+ if (IsFileDescriptorLimitExceeded() != MagickFalse)
+@@ -5701,7 +5705,7 @@ static MagickBooleanType WritePixelCacheMetacontent(CacheInfo *cache_info,
+ if (count != (MagickOffsetType) length)
+ break;
+ p+=cache_info->metacontent_extent*nexus_info->region.width;
+- offset+=cache_info->columns;
++ offset+=(MagickOffsetType) cache_info->columns;
+ }
+ if (IsFileDescriptorLimitExceeded() != MagickFalse)
+ (void) ClosePixelCacheOnDisk(cache_info);
+@@ -5868,7 +5872,7 @@ static MagickBooleanType WritePixelCachePixels(
+ if (count != (MagickOffsetType) length)
+ break;
+ p+=cache_info->number_channels*nexus_info->region.width;
+- offset+=cache_info->columns;
++ offset+=(MagickOffsetType) cache_info->columns;
+ }
+ if (IsFileDescriptorLimitExceeded() != MagickFalse)
+ (void) ClosePixelCacheOnDisk(cache_info);
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index c156cf0ee16..8ffcae53688 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -51,7 +51,7 @@ extern "C" {
+ #define MagickSQ2PI 2.50662827463100024161235523934010416269302368164062
+ #define MAGICK_SIZE_MAX (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX (SSIZE_MAX)
+-#define MAGICK_SSIZE_MIN (-(SSIZE_MAX)-1)
++#define MAGICK_SSIZE_MIN (-SSIZE_MAX-1)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\
+ ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
diff --git a/CVE-2025-53015_1.patch b/CVE-2025-53015_1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9dc5974cbe2a6a80722eb9590e3eaca95498e5e5
--- /dev/null
+++ b/CVE-2025-53015_1.patch
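Review bot: CVE-2025-53015_1-pre.patch brings 52 changed lines of offset and length arithmetic in MagickCore/cache.c into a security update, yet the only part the follow-up CVE-2025-53015_1.patch appears to depend on is the one-line `MAGICK_SSIZE_MIN` context in image-private.h. Rebasing that single context line in CVE-2025-53015_1.patch would keep the update from altering pixel-cache read and write paths it has no need to touch. If the prerequisite is kept, note that the new WritePixelCacheRegion lines pass `MAGICK_SSIZE_MAX` to MagickMin without the `(size_t)` cast that the ReadPixelCacheRegion lines keep, so that comparison mixes an unsigned length with a signed constant; `(size_t) MAGICK_SSIZE_MAX` in both places would match.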
@@ -0,0 +1,48 @@
+From: Dirk Lemstra
+Date: Fri, 2 May 2025 18:33:17 +0200
+Subject: [PATCH] Added extra checks to make sure we don't get stuck in the
+ while loop.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/image-private.h | 1 +
+ MagickCore/profile.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MagickCore/image-private.h b/MagickCore/image-private.h
+index 4ce71c3..11dca10 100644
+--- a/MagickCore/image-private.h
++++ b/MagickCore/image-private.h
+@@ -52,6 +52,7 @@ extern "C" {
+ #define MAGICK_SIZE_MAX (SIZE_MAX)
+ #define MAGICK_SSIZE_MAX (SSIZE_MAX)
+ #define MAGICK_SSIZE_MIN (-SSIZE_MAX-1)
++#define MAGICK_ULONG_MAX (ULONG_MAX)
+ #define MatteColor "#bdbdbd" /* gray */
+ #define MatteColorRGBA ScaleShortToQuantum(0xbdbd),\
+ ScaleShortToQuantum(0xbdbd),ScaleShortToQuantum(0xbdbd),OpaqueAlpha
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 7eea1d3..85c1801 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2571,6 +2571,17 @@ static void GetXmpNumeratorAndDenominator(double value,
+ *denominator=1;
+ if (value <= MagickEpsilon)
+ return;
++ if (value > (double) MAGICK_ULONG_MAX)
++ {
++ *numerator = MAGICK_ULONG_MAX;
++ *denominator = 1;
++ return;
++ }
++ if (floor(value) == value)
++ {
++ *numerator = (unsigned long) value;
++ *denominator = 1;
++ }
+ *numerator=1;
+ df=1.0;
+ while(fabs(df - value) > MagickEpsilon)
diff --git a/CVE-2025-53015_2.patch b/CVE-2025-53015_2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..956e91d9843edb314b9a2b5a30137867d680cdd1
--- /dev/null
+++ b/CVE-2025-53015_2.patch
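Review bot: The range guard `if (value > (double) MAGICK_ULONG_MAX)` in GetXmpNumeratorAndDenominator lets one out-of-range value through where unsigned long is 64 bits: `(double) ULONG_MAX` rounds up to 2^64, so a `value` of exactly 2^64 fails the `>` test, satisfies `floor(value) == value`, and reaches `(unsigned long) value`, a conversion that is undefined for a value the type cannot hold. Comparing with `>=` closes it: `if (value >= (double) MAGICK_ULONG_MAX)`. The integral branch in this patch also falls through to `*numerator=1;`; CVE-2025-53015_2.patch adds the `return`, so the two patches must always be applied together. The function body starts and ends outside the hunk.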
@@ -0,0 +1,24 @@
+From: Dirk Lemstra
+Date: Mon, 12 May 2025 22:23:48 +0200
+Subject: Added missing return.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2025-53015
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339
+---
+ MagickCore/profile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index 85c1801..a68e54f 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -2581,6 +2581,7 @@ static void GetXmpNumeratorAndDenominator(double value,
+ {
+ *numerator = (unsigned long) value;
+ *denominator = 1;
++ return;
+ }
+ *numerator=1;
+ df=1.0;
diff --git a/CVE-2025-53019.patch b/CVE-2025-53019.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e5798c545438b8feece7652e0c73c3a4df36ccb
--- /dev/null
+++ b/CVE-2025-53019.patch
@@ -0,0 +1,24 @@
+From: Dirk Lemstra
+Date: Fri, 27 Jun 2025 14:51:57 +0200
+Subject: Fixed memory leak when entering StreamImage multiple times.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
+---
+ MagickCore/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/MagickCore/stream.c b/MagickCore/stream.c
+index 786dabb..22a0c9e 100644
+--- a/MagickCore/stream.c
++++ b/MagickCore/stream.c
+@@ -1321,7 +1321,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info,
+ image_info->filename);
+ read_info=CloneImageInfo(image_info);
+ stream_info->image_info=image_info;
+- stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
++ if (stream_info->quantum_info == (QuantumInfo *) NULL)
++ stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL);
+ if (stream_info->quantum_info == (QuantumInfo *) NULL)
+ {
+ read_info=DestroyImageInfo(read_info);
diff --git a/CVE-2025-53101.patch b/CVE-2025-53101.patch
new file mode 100644
index 0000000000000000000000000000000000000000..36eded9a6d1d7762613a15cf0349bee9b90fe145
--- /dev/null
+++ b/CVE-2025-53101.patch
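Review bot: With the added `== (QuantumInfo *) NULL` guard, a second StreamImage call on the same `stream_info` keeps the QuantumInfo acquired for the first call's `image_info`, while `stream_info->image_info` on the line above is replaced with the new one. Whether AcquireQuantumInfo captures anything from `image_info` is not visible in this hunk, so please confirm the reused object cannot be stale when the two calls differ in settings. A comment such as `/* quantum_info outlives a single call; acquire it once and reuse it */` above the guard would also explain why the allocation is now conditional.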
@@ -0,0 +1,54 @@
+From: Cristy
+Date: Fri, 27 Jun 2025 20:02:12 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+
+origin: backport, https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774
+bug: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
+---
+ MagickCore/image.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1b242f8..63d6ef0 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1665,7 +1665,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ canonical;
+
+ ssize_t
+- field_width,
+ offset;
+
+ canonical=MagickFalse;
+@@ -1681,22 +1680,24 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ p++;
+ continue;
+ }
+- field_width=0;
+- if (*q == '0')
+- field_width=(ssize_t) strtol(q,&q,10);
+ switch (*q)
+ {
+ case 'd':
+ case 'o':
+ case 'x':
+ {
++ ssize_t
++ count;
++
+ q++;
+ c=(*q);
+ *q='\0';
+- (void) FormatLocaleString(filename+(p-format-offset),(size_t)
++ count=FormatLocaleString(filename+(p-format-offset),(size_t)
+ (MagickPathExtent-(p-format-offset)),p,value);
+- offset+=(4-field_width);
+- *q=c;
++ if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++ return(0);
++ offset+=(ssize_t) ((q-p)-count);
++ *q=(char) c;
+ (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+ canonical=MagickTrue;
+ if (*(q-1) != '%')
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 79d837644d7b8d9de2cb657d57546050e0c6ea7b..8e0ed3d59697f7abfae14baf5fc999e739805753 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@
 Name: ImageMagick
 Epoch: 1
 Version: 7.1.1.15
-Release: 2
+Release: 3
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
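Review bot: The new early exit `return(0);` in the `d`/`o`/`x` case of InterpretImageFilename (CVE-2025-53101.patch) runs while `*q` still holds the `'\0'` written two lines earlier, so the caller's `format` buffer is left truncated on the error path; restore it first, `{ *q=(char) c; return(0); }`. The backport also removes the `if (*q == '0')` width parse with no replacement in the hunk, so for a pattern such as `%03d` `q` would still point at `0` when `switch (*q)` runs; unless a case outside the hunk handles digits, zero-padded frame names stop expanding, which is worth a check in the package's test step. If FormatLocaleString returns the snprintf-style untruncated length, `count >` should be `count >=` so truncation by exactly one byte is also rejected. The function continues outside the hunk.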
@@ -9,6 +9,12 @@ Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1 Patch1: CVE-2023-5341.patch Patch2: CVE-2025-43965.patch Patch3: CVE-2025-46393.patch +Patch4: CVE-2025-53014.patch +Patch5: CVE-2025-53015_1-pre.patch +Patch6: CVE-2025-53015_1.patch +Patch7: CVE-2025-53015_2.patch +Patch8: CVE-2025-53101.patch +Patch9: CVE-2025-53019.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -163,6 +169,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick* %changelog +* Mon Jul 21 2025 wangkai <13474090681@163.com> - 1:7.1.1.15-3 +- Fix CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101 + * Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1:7.1.1.15-2 - Fix CVE-2025-43965 and CVE-2025-46393