From f844b088aa5ec53c2bf0e6e8320285afde171afb Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 15 Aug 2025 10:18:45 +0800
Subject: [PATCH] Fix CVE-2025-55004, CVE-2025-55005, CVE-2025-55154, CVE-2025-55160 (cherry picked from commit 25744cba2f3fbcd8b5d631314021c29b6bb86cd9)
---
 CVE-2025-55004.patch | 65 ++++++++++++++++++
 CVE-2025-55005.patch | 31 +++++++++
 CVE-2025-55154.patch | 76 +++++++++++++++++++++
 CVE-2025-55160.patch | 156 +++++++++++++++++++++++++++++++++++++++++++
 ImageMagick.spec | 9 ++-
 5 files changed, 336 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-55004.patch
 create mode 100644 CVE-2025-55005.patch
 create mode 100644 CVE-2025-55154.patch
 create mode 100644 CVE-2025-55160.patch
diff --git a/CVE-2025-55004.patch b/CVE-2025-55004.patch
new file mode 100644
index 0000000..9f40443
--- /dev/null
+++ b/CVE-2025-55004.patch
@@ -0,0 +1,65 @@
+From 55d97055e00a7bc7ae2776c99824002fbb4a72aa Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 7 Aug 2025 19:14:00 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
+
+---
+ coders/png.c | 33 ++++++++++-----------------------
+ 1 file changed, 10 insertions(+), 23 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index 5b7cda5..5d240a1 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -4802,37 +4802,24 @@ static Image *ReadOneJNGImage(MngReadInfo *mng_info,
+ jng_image=ReadImage(alpha_image_info,exception);
+
+ if (jng_image != (Image *) NULL)
+- for (y=0; y < (ssize_t) image->rows; y++)
+ {
+- s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception);
+- q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
+- if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL))
+- break;
++ image->alpha_trait=BlendPixelTrait;
++ for (y=0; y < (ssize_t) image->rows; y++)
++ {
++ s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception);
++ q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
++ if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL))
++ break;
+
+- if (image->alpha_trait != UndefinedPixelTrait)
+ for (x=(ssize_t) image->columns; x != 0; x--)
+ {
+ SetPixelAlpha(image,GetPixelRed(jng_image,s),q);
+ q+=GetPixelChannels(image);
+ s+=GetPixelChannels(jng_image);
+ }
+-
+- else
+- for (x=(ssize_t) image->columns; x != 0; x--)
+- {
+- Quantum
+- alpha;
+-
+- alpha=GetPixelRed(jng_image,s);
+- SetPixelAlpha(image,alpha,q);
+- if (alpha != OpaqueAlpha)
+- image->alpha_trait=BlendPixelTrait;
+- q+=GetPixelChannels(image);
+- s+=GetPixelChannels(jng_image);
+- }
+-
+- if (SyncAuthenticPixels(image,exception) == MagickFalse)
+- break;
++ if (SyncAuthenticPixels(image,exception) == MagickFalse)
++ break;
++ }
+ }
+ (void) RelinquishUniqueFileResource(alpha_image->filename);
+ alpha_image=DestroyImageList(alpha_image);
+--
+2.50.1
+
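Review bot: The unconditional `image->alpha_trait=BlendPixelTrait;` added ahead of the row loop in `ReadOneJNGImage` carries the whole fix, yet nothing in the code says why it has to come before the first `GetAuthenticPixels()` call. The removed branch switched the trait in the middle of the loop, on the first non-opaque sample, so rows fetched before and after that point were presumably laid out with different channel counts; a later cleanup could easily restore that ordering. I would add `/* enable alpha before any row is fetched so every row has the same channel layout */` above the assignment. A JNG whose alpha plane is fully opaque now ends up with an alpha channel, which the old code avoided, so a regression test with such a file is worth adding. The function body starts and ends outside the hunk.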
diff --git a/CVE-2025-55005.patch b/CVE-2025-55005.patch
new file mode 100644
index 0000000..4a5f5b8
--- /dev/null
+++ b/CVE-2025-55005.patch
@@ -0,0 +1,31 @@
+From b68bb6d3cfe472d5bd9329b4172e2e4f63d90a57 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 7 Aug 2025 22:05:10 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
+
+---
+ MagickCore/colorspace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/MagickCore/colorspace.c b/MagickCore/colorspace.c
+index 7ac78a683d8..4b4866a60e4 100644
+--- a/MagickCore/colorspace.c
++++ b/MagickCore/colorspace.c
+@@ -2420,10 +2420,16 @@ static MagickBooleanType TransformsRGBImage(Image *image,
+ value=GetImageProperty(image,"reference-black",exception);
+ if (value != (const char *) NULL)
+ reference_black=StringToDouble(value,(char **) NULL);
++ if (reference_black > 1024.0)
++ reference_black=1024.0;
+ reference_white=ReferenceWhite;
+ value=GetImageProperty(image,"reference-white",exception);
+ if (value != (const char *) NULL)
+ reference_white=StringToDouble(value,(char **) NULL);
++ if (reference_white > 1024.0)
++ reference_white=1024.0;
++ if (reference_black > reference_white)
++ reference_black=reference_white;
+ logmap=(Quantum *) AcquireQuantumMemory((size_t) MaxMap+1UL,
+ sizeof(*logmap));
+ if (logmap == (Quantum *) NULL)
diff --git a/CVE-2025-55154.patch b/CVE-2025-55154.patch
new file mode 100644
index 0000000..591a25c
--- /dev/null
+++ b/CVE-2025-55154.patch
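Review bot: The clamps added in `TransformsRGBImage` bound `reference_black` and `reference_white` only from above, so a negative or NaN value parsed from the `reference-black` / `reference-white` image properties still passes all three comparisons, since every ordered comparison with NaN is false. If these values later size or index `logmap` (that code is outside the hunk), the lower bound matters as much as the 1024.0 ceiling. I would add a guard written so that NaN fails it, `if (!(reference_black >= 0.0)) reference_black=0.0;` and the same for `reference_white`, and give the repeated `1024.0` a named constant. The function starts and ends outside the hunk.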
@@ -0,0 +1,76 @@
+From db986e4782e9f6cc42a0e50151dc4fe43641b337 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 9 Aug 2025 08:28:23 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
+
+---
+ coders/png.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index f7ae779b2fe..f6ea0bbde8d 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -6404,19 +6404,19 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
+ mng_info->magn_methy = 1;
+ if (mng_info->magn_methx == 1)
+ {
+- magnified_width=mng_info->magn_ml;
++ magnified_width=(size_t) mng_info->magn_ml;
+
+ if (image->columns > 1)
+ magnified_width += mng_info->magn_mr;
+
+ if (image->columns > 2)
+- magnified_width += (png_uint_32)
++ magnified_width += (size_t)
+ ((image->columns-2)*(mng_info->magn_mx));
+ }
+
+ else
+ {
+- magnified_width=(png_uint_32) image->columns;
++ magnified_width=(size_t) image->columns;
+
+ if (image->columns > 1)
+ magnified_width += mng_info->magn_ml-1;
+@@ -6425,25 +6425,25 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
+ magnified_width += mng_info->magn_mr-1;
+
+ if (image->columns > 3)
+- magnified_width += (png_uint_32)
++ magnified_width += (size_t)
+ ((image->columns-3)*(mng_info->magn_mx-1));
+ }
+
+ if (mng_info->magn_methy == 1)
+ {
+- magnified_height=mng_info->magn_mt;
++ magnified_height=(size_t) mng_info->magn_mt;
+
+ if (image->rows > 1)
+ magnified_height += mng_info->magn_mb;
+
+ if (image->rows > 2)
+- magnified_height += (png_uint_32)
++ magnified_height += (size_t)
+ ((image->rows-2)*(mng_info->magn_my));
+ }
+
+ else
+ {
+- magnified_height=(png_uint_32) image->rows;
++ magnified_height=(size_t) image->rows;
+
+ if (image->rows > 1)
+ magnified_height += mng_info->magn_mt-1;
+@@ -6452,7 +6452,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
+ magnified_height += mng_info->magn_mb-1;
+
+ if (image->rows > 3)
+- magnified_height += (png_uint_32)
++ magnified_height += (size_t)
+ ((image->rows-3)*(mng_info->magn_my-1));
+ }
+
diff --git a/CVE-2025-55160.patch b/CVE-2025-55160.patch
new file mode 100644
index 0000000..31fa927
--- /dev/null
+++ b/CVE-2025-55160.patch
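Review bot: Widening the casts from `png_uint_32` to `size_t` in `ReadOneMNGImage` only helps where `size_t` is 64 bits and where `magnified_width` and `magnified_height` are themselves declared `size_t`; neither declaration appears in these hunks, so the backport onto 7.1.1.15 should confirm both. On a build with a 32-bit `size_t` the product `(image->columns-2)*(mng_info->magn_mx)` can still wrap, and no bound on the result is visible here before it is used. I would reject the image ahead of each multiplication when the sum cannot be represented, for example when `(image->columns-2) > (SIZE_MAX-magnified_width)/mng_info->magn_mx` with `magn_mx` known to be non-zero, and do the same for the other three products in the patch. The function continues outside all three hunks.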
@@ -0,0 +1,156 @@
+From 63d8769dd6a8f32f4096c71be9e08a2c081e47da Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 10 Aug 2025 08:28:28 -0400
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
+
+---
+ MagickCore/artifact.c | 17 ++++++++++++++++-
+ MagickCore/option.c | 17 ++++++++++++++++-
+ MagickCore/profile.c | 19 ++++++++++++++++++-
+ MagickCore/property.c | 18 ++++++++++++++++--
+ 4 files changed, 66 insertions(+), 5 deletions(-)
+
+diff --git a/MagickCore/artifact.c b/MagickCore/artifact.c
+index dae6aaaf0b1..764ef75a44b 100644
+--- a/MagickCore/artifact.c
++++ b/MagickCore/artifact.c
+@@ -99,6 +99,21 @@
+ % o clone_image: the source image for artifacts to clone.
+ %
+ */
++
++typedef char
++ *(*CloneKeyFunc)(const char *),
++ *(*CloneValueFunc)(const char *);
++
++static inline void *CloneArtifactKey(void *key)
++{
++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key));
++}
++
++static inline void *CloneArtifactValue(void *value)
++{
++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value));
++}
++
+ MagickExport MagickBooleanType CloneImageArtifacts(Image *image,
+ const Image *clone_image)
+ {
+@@ -117,7 +132,7 @@ MagickExport MagickBooleanType CloneImageArtifacts(Image *image,
+ if (image->artifacts != (void *) NULL)
+ DestroyImageArtifacts(image);
+ image->artifacts=CloneSplayTree((SplayTreeInfo *) clone_image->artifacts,
+- (void *(*)(void *)) ConstantString,(void *(*)(void *)) ConstantString);
++ CloneArtifactKey,CloneArtifactValue);
+ }
+ return(MagickTrue);
+ }
+diff --git a/MagickCore/option.c b/MagickCore/option.c
+index 621b0f9b26d..f844f44d6af 100644
+--- a/MagickCore/option.c
++++ b/MagickCore/option.c
+@@ -2361,6 +2361,21 @@ static const OptionInfo
+ % o clone_info: the source image info for options to clone.
+ %
+ */
++
++typedef char
++ *(*CloneKeyFunc)(const char *),
++ *(*CloneValueFunc)(const char *);
++
++static inline void *CloneOptionKey(void *key)
++{
++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key));
++}
++
++static inline void *CloneOptionValue(void *value)
++{
++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value));
++}
++
+ MagickExport MagickBooleanType CloneImageOptions(ImageInfo *image_info,
+ const ImageInfo *clone_info)
+ {
+@@ -2376,7 +2391,7 @@ MagickExport MagickBooleanType CloneImageOptions(ImageInfo *image_info,
+ if (image_info->options != (void *) NULL)
+ DestroyImageOptions(image_info);
+ image_info->options=CloneSplayTree((SplayTreeInfo *) clone_info->options,
+- (void *(*)(void *)) ConstantString,(void *(*)(void *)) ConstantString);
++ CloneOptionKey,CloneOptionValue);
+ }
+ return(MagickTrue);
+ }
+diff --git a/MagickCore/profile.c b/MagickCore/profile.c
+index fac191845f1..8e38b301bb1 100644
+--- a/MagickCore/profile.c
++++ b/MagickCore/profile.c
+@@ -143,6 +143,23 @@ typedef struct _CMSExceptionInfo
+ % o clone_image: the clone image.
+ %
+ */
++
++typedef char
++ *(*CloneKeyFunc)(const char *);
++
++typedef StringInfo
++ *(*CloneValueFunc)(const StringInfo *);
++
++static inline void *CloneProfileKey(void *key)
++{
++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key));
++}
++
++static inline void *CloneProfileValue(void *value)
++{
++ return((void *) ((CloneValueFunc) CloneStringInfo)((const StringInfo *) value));
++}
++
+ MagickExport MagickBooleanType CloneImageProfiles(Image *image,
+ const Image *clone_image)
+ {
+@@ -157,7 +174,7 @@ MagickExport MagickBooleanType CloneImageProfiles(Image *image,
+ if (image->profiles != (void *) NULL)
+ DestroyImageProfiles(image);
+ image->profiles=CloneSplayTree((SplayTreeInfo *) clone_image->profiles,
+- (void *(*)(void *)) ConstantString,(void *(*)(void *)) CloneStringInfo);
++ CloneProfileKey,CloneProfileValue);
+ }
+ return(MagickTrue);
+ }
+diff --git a/MagickCore/property.c b/MagickCore/property.c
+index 09ae365dfa2..976ca34d70a 100644
+--- a/MagickCore/property.c
++++ b/MagickCore/property.c
+@@ -131,6 +131,21 @@
+ % o clone_image: the clone image.
+ %
+ */
++
++typedef char
++ *(*CloneKeyFunc)(const char *),
++ *(*CloneValueFunc)(const char *);
++
++static inline void *ClonePropertyKey(void *key)
++{
++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key));
++}
++
++static inline void *ClonePropertyValue(void *value)
++{
++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value));
++}
++
+ MagickExport MagickBooleanType CloneImageProperties(Image *image,
+ const Image *clone_image)
+ {
+@@ -195,8 +210,7 @@ MagickExport MagickBooleanType CloneImageProperties(Image *image,
+ if (image->properties != (void *) NULL)
+ DestroyImageProperties(image);
+ image->properties=CloneSplayTree((SplayTreeInfo *)
+- clone_image->properties,(void *(*)(void *)) ConstantString,
+- (void *(*)(void *)) ConstantString);
++ clone_image->properties,ClonePropertyKey,ClonePropertyValue);
+ }
+ return(MagickTrue);
+ }
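Review bot: The new wrappers such as `CloneArtifactKey` still call `ConstantString` through a cast, `((CloneKeyFunc) ConstantString)(...)`, which hides the real prototype from the compiler: if the typedef matches, the cast is redundant, and if the two ever diverge, the call is again made through a mismatched function type, the kind of call the patch removes at the `CloneSplayTree` call sites. Calling the function directly, `return((void *) ConstantString((const char *) key));` (and `CloneStringInfo((const StringInfo *) value)` in profile.c), lets the compiler check the signature. The same pattern is repeated in artifact.c, option.c, profile.c and property.c, with the `CloneKeyFunc`/`CloneValueFunc` typedefs duplicated per file. A one-line comment on each wrapper saying it exists to hand `CloneSplayTree` a callback of exactly `void *(*)(void *)` type would keep a later cleanup from folding the casts back into the call.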
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 8e0ed3d..5318582 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@
 Name: ImageMagick
 Epoch: 1
 Version: 7.1.1.15
-Release: 3
+Release: 4
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
@@ -15,6 +15,10 @@ Patch6: CVE-2025-53015_1.patch
 Patch7: CVE-2025-53015_2.patch
 Patch8: CVE-2025-53101.patch
 Patch9: CVE-2025-53019.patch
+Patch10: CVE-2025-55004.patch
+Patch11: CVE-2025-55005.patch
+Patch12: CVE-2025-55154.patch
+Patch13: CVE-2025-55160.patch
 BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -169,6 +173,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*
 %changelog
+* Fri Aug 15 2025 yaoxin <1024769339@qq.com> - 1:7.1.1.15-4
+- Fix CVE-2025-55004, CVE-2025-55005, CVE-2025-55154, CVE-2025-55160
+
 * Mon Jul 21 2025 wangkai <13474090681@163.com> - 1:7.1.1.15-3
 - Fix CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101
-- Gitee