Backport the fix for CVE-2025-55298
Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
[https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
Add below patch to fix
0010-ImageMagick-Fix-CVE-2025-55298-1.patch
0010-ImageMagick-Fix-CVE-2025-55298-2.patch
Add below support patch to fix
0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
Signed-off-by: Divyanshu Rathore <[email protected]>
---
...support-patch-1-to-fix-CVE-2025-5529.patch | 48 +++
...support-patch-2-to-fix-CVE-2025-5529.patch | 205 +++++++++++++
...support-patch-3-to-fix-CVE-2025-5529.patch | 103 +++++++
...010-ImageMagick-Fix-CVE-2025-55298-1.patch | 71 +++++
...010-ImageMagick-Fix-CVE-2025-55298-2.patch | 274 ++++++++++++++++++
.../imagemagick/imagemagick_7.0.10.bb | 5 +
6 files changed, 706 insertions(+)
create mode 100644
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
create mode 100644
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
create mode 100644
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
create mode 100644
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
create mode 100644
meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
diff --git
a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..9e95b294e3
--- /dev/null
+++
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,48 @@
+From 93bcbd44f4771227a9e637f69ddabb60e0e33b18 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <[email protected]>
+Date: Tue, 11 Nov 2025 14:34:12 +0530
+Subject: [PATCH 10/18] ImageMagick: Add support patch 1 to fix CVE-2025-55298
+
+Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/83caf59fce695fea0c5878e9f0d0b65e662cae66]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <[email protected]>
+---
+ MagickCore/image.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 346285165..f64e83645 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1640,21 +1640,23 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ char
+ *q;
+
++ const char
++ *p;
++
+ int
+ c;
+
+ MagickBooleanType
+ canonical;
+
+- const char
+- *p;
+-
+ ssize_t
+ offset;
+
+ canonical=MagickFalse;
+ offset=0;
+ (void) CopyMagickString(filename,format,MagickPathExtent);
++ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) !=
MagickFalse)
++ return(strlen(filename));
+ for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+ {
+ q=(char *) p+1;
+--
+2.34.1
+
diff --git
a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..a51bc1994b
--- /dev/null
+++
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,205 @@
+From 18f573cbd4767d9b51b23cde5b58945ae4e57243 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <[email protected]>
+Date: Tue, 11 Nov 2025 21:53:10 +0530
+Subject: [PATCH 11/18] ImageMagick: Add support patch-2 to fix CVE-2025-55298
+
+Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/82550750ec8f79393b381c3ed349dd495bbab8a7]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <[email protected]>
+---
+ MagickCore/image.c | 134 +++++++++++++++++++--------------------------
+ 1 file changed, 55 insertions(+), 79 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index f64e83645..cd4de6df9 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1638,34 +1638,41 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ ExceptionInfo *exception)
+ {
+ char
+- *q;
++ *p = filename,
++ pattern[MagickPathExtent];
+
+ const char
+- *p;
+-
+- int
+- c;
+-
+- MagickBooleanType
+- canonical;
+-
+- ssize_t
+- offset;
++ *cursor = format;
+
+- canonical=MagickFalse;
+- offset=0;
++ /*
++ Start with a copy of the format string.
++ */
+ (void) CopyMagickString(filename,format,MagickPathExtent);
+ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) !=
MagickFalse)
+ return(strlen(filename));
+- for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
++ while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+ {
+- q=(char *) p+1;
+- if (*q == '%')
++ const char
++ *q = cursor;
++
++ ssize_t
++ offset = (ssize_t) (cursor-format);
++
++ cursor++; /* move past '%' */
++ if (*cursor == '%')
+ {
+- p++;
++ /*
++ Escaped %%.
++ */
++ cursor++;
+ continue;
+ }
+- switch (*q)
++ /*
++ Skip padding digits like %03d.
++ */
++ if (*cursor == '0')
++ (void) strtol(cursor,(char **) &cursor,10);
++ switch (*cursor)
+ {
+ case 'd':
+ case 'o':
+@@ -1674,93 +1681,62 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ ssize_t
+ count;
+
+- q++;
+- c=(*q);
+- *q='\0';
+- count=FormatLocaleString(filename+(p-format-offset),(size_t)
+- (MagickPathExtent-(p-format-offset)),p,value);
+- if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
++ count=FormatLocaleString(pattern,sizeof(pattern),q,value);
++ if ((count <= 0) || (count >= MagickPathExtent))
+ return(0);
+- offset+=(ssize_t) ((q-p)-count);
+- *q=c;
+- (void) ConcatenateMagickString(filename,q,MagickPathExtent);
+- canonical=MagickTrue;
+- if (*(q-1) != '%')
+- break;
+- p++;
++ if ((offset+count) >= MagickPathExtent)
++ return(0);
++ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
++ offset));
++ cursor++;
+ break;
+ }
+ case '[':
+ {
+- char
+- pattern[MagickPathExtent];
+-
+ const char
+- *option;
++ *end = strchr(cursor,']'),
++ *option = (const char *) NULL;
+
+- char
+- *r;
+-
+- ssize_t
+- i;
+-
+- ssize_t
+- depth;
++ size_t
++ extent = (size_t) (end-cursor);
+
+ /*
+- Image option.
++ Handle %[key:value];
+ */
+- if (strchr(p,']') == (char *) NULL)
++ if (end == (const char *) NULL)
+ break;
+- depth=1;
+- r=q+1;
+- for (i=0; (i < (MagickPathExtent-1L)) && (*r != '\0'); i++)
+- {
+- if (*r == '[')
+- depth++;
+- if (*r == ']')
+- depth--;
+- if (depth <= 0)
+- break;
+- pattern[i]=(*r++);
+- }
+- pattern[i]='\0';
+- if (LocaleNCompare(pattern,"filename:",9) != 0)
++ if (extent >= sizeof(pattern))
+ break;
+- option=(const char *) NULL;
++ (void) CopyMagickString(pattern,cursor,extent);
++ pattern[extent]='\0';
+ if (image != (Image *) NULL)
+ option=GetImageProperty(image,pattern,exception);
+- if ((option == (const char *) NULL) && (image != (Image *) NULL))
++ if ((option == (const char *) NULL) && (image != (Image *)NULL))
+ option=GetImageArtifact(image,pattern);
+ if ((option == (const char *) NULL) &&
+ (image_info != (ImageInfo *) NULL))
+ option=GetImageOption(image_info,pattern);
+ if (option == (const char *) NULL)
+ break;
+- q--;
+- c=(*q);
+- *q='\0';
+- (void) CopyMagickString(filename+(p-format-offset),option,(size_t)
+- (MagickPathExtent-(p-format-offset)));
+- offset+=strlen(pattern)-strlen(option)+3;
+- *q=c;
+- (void) ConcatenateMagickString(filename,r+1,MagickPathExtent);
+- canonical=MagickTrue;
+- if (*(q-1) != '%')
+- break;
+- p++;
++ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
++ offset));
++ cursor=end+1;
+ break;
+ }
+ default:
+ break;
+ }
+ }
+- if (canonical == MagickFalse)
+- (void) CopyMagickString(filename,format,MagickPathExtent);
+- else
+- for (q=filename; *q != '\0'; q++)
+- if ((*q == '%') && (*(q+1) == '%'))
+- (void) CopyMagickString(q,q+1,(size_t)
(MagickPathExtent-(q-filename)));
++ for (p=filename; *p != '\0'; )
++ {
++ /*
++ Replace "%%" with "%".
++ */
++ if ((*p == '%') && (*(p+1) == '%'))
++ (void) memmove(p,p+1,strlen(p)); /* shift left */
++ else
++ p++;
++ }
+ return(strlen(filename));
+ }
+ �
+--
+2.34.1
+
diff --git
a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
new file mode 100644
index 0000000000..2f4e019132
--- /dev/null
+++
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch
@@ -0,0 +1,103 @@
+From abc0b89e166c993ff766d3ff62b6d2be82f478f3 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <[email protected]>
+Date: Wed, 12 Nov 2025 11:35:37 +0530
+Subject: [PATCH 12/18] ImageMagick: Add support patch-3 to fix CVE-2025-55298
+
+Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/6c7c8d5866b9c0ce6cc76a741e05b9482716101e]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <[email protected]>
+---
+ MagickCore/image.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index cd4de6df9..1acf8edbd 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1647,6 +1647,8 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ /*
+ Start with a copy of the format string.
+ */
++ assert(format != (const char *) NULL);
++ assert(filename != (char *) NULL);
+ (void) CopyMagickString(filename,format,MagickPathExtent);
+ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) !=
MagickFalse)
+ return(strlen(filename));
+@@ -1670,7 +1672,7 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ /*
+ Skip padding digits like %03d.
+ */
+- if (*cursor == '0')
++ if (isdigit((int) ((unsigned char) *cursor)) != 0)
+ (void) strtol(cursor,(char **) &cursor,10);
+ switch (*cursor)
+ {
+@@ -1682,9 +1684,8 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ count;
+
+ count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+- if ((count <= 0) || (count >= MagickPathExtent))
+- return(0);
+- if ((offset+count) >= MagickPathExtent)
++ if ((count <= 0) || (count >= MagickPathExtent) ||
++ ((offset+count) >= MagickPathExtent))
+ return(0);
+ (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+ offset));
+@@ -1698,7 +1699,9 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ *option = (const char *) NULL;
+
+ size_t
+- extent = (size_t) (end-cursor);
++ extent = (size_t) (end-cursor-1),
++ option_length,
++ tail_length;
+
+ /*
+ Handle %[key:value];
+@@ -1707,19 +1710,27 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ break;
+ if (extent >= sizeof(pattern))
+ break;
+- (void) CopyMagickString(pattern,cursor,extent);
++ (void) CopyMagickString(pattern,cursor+1,extent+1);
+ pattern[extent]='\0';
+ if (image != (Image *) NULL)
+- option=GetImageProperty(image,pattern,exception);
+- if ((option == (const char *) NULL) && (image != (Image *)NULL))
+- option=GetImageArtifact(image,pattern);
++ {
++ option=GetImageProperty(image,pattern,exception);
++ if (option == (const char *) NULL)
++ option=GetImageArtifact(image,pattern);
++ }
+ if ((option == (const char *) NULL) &&
+ (image_info != (ImageInfo *) NULL))
+ option=GetImageOption(image_info,pattern);
+ if (option == (const char *) NULL)
+ break;
++ option_length=strlen(option);
++ tail_length=strlen(end+1);
++ if ((offset+option_length+tail_length+1) > MagickPathExtent)
++ return(0);
+ (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+ offset));
++ (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
++ MagickPathExtent-offset-option_length-tail_length-1));
+ cursor=end+1;
+ break;
+ }
+@@ -1733,7 +1744,7 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ Replace "%%" with "%".
+ */
+ if ((*p == '%') && (*(p+1) == '%'))
+- (void) memmove(p,p+1,strlen(p)); /* shift left */
++ (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
+ else
+ p++;
+ }
+--
+2.34.1
+
diff --git
a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
new file mode 100644
index 0000000000..95dda55623
--- /dev/null
+++
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-1.patch
@@ -0,0 +1,71 @@
+From 62f97a69edb936544604e669de25e4bf2a9e2f06 Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <[email protected]>
+Date: Wed, 12 Nov 2025 11:52:00 +0530
+Subject: [PATCH 13/18] ImageMagick: Fix CVE-2025-55298
+
+CVE: CVE-2025-55298
+
+This CVE fixed in two parts, this commit includes the first fix.
+
+Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/1f93323df9d8c011c31bc4c6880390071f7fb895]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <[email protected]>
+---
+ MagickCore/image.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 1acf8edbd..7a52236d8 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1633,6 +1633,31 @@ MagickExport VirtualPixelMethod
GetImageVirtualPixelMethod(const Image *image)
+ % o exception: return any errors or warnings in this structure.
+ %
+ */
++
++static inline MagickBooleanType PercentNInvalidOperation(char *filename)
++{
++ MagickBooleanType
++ match = MagickFalse;
++
++ size_t
++ length = strlen(filename);
++
++ ssize_t
++ i;
++
++ for (i=0; i < (ssize_t) length-1; i++)
++ {
++ if ((filename[i] == '%') &&
++ ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
++ {
++ filename[i]='?';
++ filename[i+1]='\?';
++ match=MagickTrue;
++ }
++ }
++ return(match);
++}
++
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+ Image *image,const char *format,int value,char *filename,
+ ExceptionInfo *exception)
+@@ -1652,6 +1677,13 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ (void) CopyMagickString(filename,format,MagickPathExtent);
+ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) !=
MagickFalse)
+ return(strlen(filename));
++ if (PercentNInvalidOperation(filename) != MagickFalse)
++ {
++ errno=EPERM;
++ (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
++ "InvalidArgument","`%s'",filename);
++ return(0);
++ }
+ while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
+ {
+ const char
+--
+2.34.1
+
diff --git
a/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
new file mode 100644
index 0000000000..c9cbf95c4d
--- /dev/null
+++
b/meta-oe/recipes-support/imagemagick/files/0010-ImageMagick-Fix-CVE-2025-55298-2.patch
@@ -0,0 +1,274 @@
+From b7e445241e43e3e919667d7244ccb99573cf951a Mon Sep 17 00:00:00 2001
+From: Divyanshu Rathore <[email protected]>
+Date: Wed, 12 Nov 2025 13:05:40 +0530
+Subject: [PATCH 14/18] ImageMagick: Fix CVE-2025-55298
+
+CVE: CVE-2025-55298
+
+This CVE fixed in two parts, this commit includes the second fix.
+
+Upstream-Status: Backport
[https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5]
+
+Comment: Refreshed hunk to match latest kirkstone
+
+Signed-off-by: Divyanshu Rathore <[email protected]>
+---
+ MagickCore/image.c | 183 ++++++++++++++++++++++++---------------------
+ 1 file changed, 96 insertions(+), 87 deletions(-)
+
+diff --git a/MagickCore/image.c b/MagickCore/image.c
+index 7a52236d8..3e6fdd114 100644
+--- a/MagickCore/image.c
++++ b/MagickCore/image.c
+@@ -1619,7 +1619,7 @@ MagickExport VirtualPixelMethod
GetImageVirtualPixelMethod(const Image *image)
+ %
+ % A description of each parameter follows.
+ %
+-% o image_info: the image info..
++% o image_info: the image info.
+ %
+ % o image: the image.
+ %
+@@ -1634,28 +1634,38 @@ MagickExport VirtualPixelMethod
GetImageVirtualPixelMethod(const Image *image)
+ %
+ */
+
+-static inline MagickBooleanType PercentNInvalidOperation(char *filename)
++static inline MagickBooleanType IsValidFormatSpecifier(const char *start,
++ const char *end)
+ {
+- MagickBooleanType
+- match = MagickFalse;
+-
++ char
++ specifier = end[-1];
+ size_t
+- length = strlen(filename);
++ length = end-start;
+
+- ssize_t
+- i;
++ /*
++ Is this a valid format specifier?
++ */
++ if ((specifier != 'd') && (specifier != 'x') && (specifier != 'o'))
++ return(MagickFalse);
++ if ((length == 1) && (*start == specifier))
++ return(MagickTrue);
++ if (length >= 2)
++ {
++ size_t
++ i = 0;
+
+- for (i=0; i < (ssize_t) length-1; i++)
+- {
+- if ((filename[i] == '%') &&
+- ((filename[i+1] == 'n') || (filename[i+1] == 'N')))
+- {
+- filename[i]='?';
+- filename[i+1]='\?';
+- match=MagickTrue;
+- }
+- }
+- return(match);
++ if (*start == '0')
++ {
++ if ((length >= 3) && (start[1] == '0'))
++ return(MagickFalse);
++ i=1;
++ }
++ for ( ; i < (length-1); i++)
++ if (isdigit((int) ((unsigned char) start[i])) == 0)
++ return(MagickFalse);
++ return(MagickTrue);
++ }
++ return(MagickFalse);
+ }
+
+ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
+@@ -1669,82 +1679,89 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ const char
+ *cursor = format;
+
+- /*
+- Start with a copy of the format string.
+- */
+ assert(format != (const char *) NULL);
+ assert(filename != (char *) NULL);
+- (void) CopyMagickString(filename,format,MagickPathExtent);
+ if (IsStringTrue(GetImageOption(image_info,"filename:literal")) !=
MagickFalse)
+- return(strlen(filename));
+- if (PercentNInvalidOperation(filename) != MagickFalse)
+ {
+- errno=EPERM;
+- (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+- "InvalidArgument","`%s'",filename);
+- return(0);
++ (void) CopyMagickString(filename,format,MagickPathExtent);
++ return(strlen(filename));
+ }
+- while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
++ while ((*cursor != '\0') && ((p-filename) < ((ssize_t) MagickPathExtent-1)))
+ {
+ const char
+- *q = cursor;
++ *specifier_start,
++ *start;
+
+- ssize_t
+- offset = (ssize_t) (cursor-format);
+-
+- cursor++; /* move past '%' */
++ if (*cursor != '%')
++ {
++ *p++=(*cursor++);
++ continue;
++ }
++ start=cursor++; /* Skip '%' */
+ if (*cursor == '%')
+ {
+- /*
+- Escaped %%.
+- */
++ *p++='%';
+ cursor++;
+ continue;
+ }
+- /*
+- Skip padding digits like %03d.
+- */
+- if (isdigit((int) ((unsigned char) *cursor)) != 0)
+- (void) strtol(cursor,(char **) &cursor,10);
+- switch (*cursor)
+- {
+- case 'd':
+- case 'o':
+- case 'x':
++ specifier_start=cursor;
++ while (isdigit((int) ((unsigned char) *cursor)) != 0)
++ cursor++;
++ if ((*cursor == 'd') || (*cursor == 'o') || (*cursor == 'x'))
+ {
+- ssize_t
+- count;
++ const char
++ *specifier_end = cursor+1;
+
+- count=FormatLocaleString(pattern,sizeof(pattern),q,value);
+- if ((count <= 0) || (count >= MagickPathExtent) ||
+- ((offset+count) >= MagickPathExtent))
+- return(0);
+- (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-
+- offset));
+- cursor++;
+- break;
++ if (IsValidFormatSpecifier(specifier_start,specifier_end) !=
MagickFalse)
++ {
++ char
++ format_specifier[MagickPathExtent];
++
++ size_t
++ length = cursor-specifier_start;
++
++ ssize_t
++ count;
++
++ (void) snprintf(format_specifier,sizeof(format_specifier),
++ "%%%.*s%c",(int) length,specifier_start,*cursor);
++ count=FormatLocaleString(pattern,sizeof(pattern),format_specifier,
++ value);
++ if ((count <= 0) || ((p-filename+count) >= MagickPathExtent))
++ return(0);
++ (void) CopyMagickString(p,pattern,MagickPathExtent-(p-filename));
++ p+=strlen(pattern);
++ cursor++;
++ continue;
++ }
++ else
++ {
++ /*
++ Invalid specifier — treat as literal.
++ */
++ cursor=start;
++ *p++=(*cursor++);
++ continue;
++ }
+ }
+- case '[':
++ if (*cursor == '[')
+ {
+ const char
+ *end = strchr(cursor,']'),
+ *option = (const char *) NULL;
+
+ size_t
+- extent = (size_t) (end-cursor-1),
+- option_length,
+- tail_length;
++ extent,
++ option_length;
+
+- /*
+- Handle %[key:value];
+- */
+ if (end == (const char *) NULL)
+- break;
++ continue;
++ extent=(size_t) (end-cursor-1);
+ if (extent >= sizeof(pattern))
+- break;
++ continue;
+ (void) CopyMagickString(pattern,cursor+1,extent+1);
+ pattern[extent]='\0';
+- if (image != (Image *) NULL)
++ if (image != NULL)
+ {
+ option=GetImageProperty(image,pattern,exception);
+ if (option == (const char *) NULL)
+@@ -1754,32 +1771,24 @@ MagickExport size_t InterpretImageFilename(const
ImageInfo *image_info,
+ (image_info != (ImageInfo *) NULL))
+ option=GetImageOption(image_info,pattern);
+ if (option == (const char *) NULL)
+- break;
++ continue;
+ option_length=strlen(option);
+- tail_length=strlen(end+1);
+- if ((offset+option_length+tail_length+1) > MagickPathExtent)
++ if ((p-filename+option_length) >= MagickPathExtent)
+ return(0);
+- (void) CopyMagickString(p+offset,option,(size_t) (MagickPathExtent-
+- offset));
+- (void) ConcatenateMagickString(p+offset+option_length,end+1,(size_t) (
+- MagickPathExtent-offset-option_length-tail_length-1));
++ (void) CopyMagickString(p,option,MagickPathExtent-(p-filename));
++ p+=option_length;
+ cursor=end+1;
+- break;
++ continue;
+ }
+- default:
+- break;
+- }
+- }
+- for (p=filename; *p != '\0'; )
+- {
+ /*
+- Replace "%%" with "%".
++ Invalid or unsupported specifier — treat as literal.
+ */
+- if ((*p == '%') && (*(p+1) == '%'))
+- (void) memmove(p,p+1,strlen(p+1)+1); /* shift left */
+- else
+- p++;
++ cursor=start;
++ if ((p-filename+1) >= MagickPathExtent)
++ return(0);
++ *p++=(*cursor++);
+ }
++ *p='\0';
+ return(strlen(filename));
+ }
+ �
+--
+2.34.1
+
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
index 751186b361..ecd4d85b3a 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb
@@ -34,6 +34,11 @@ SRC_URI =
"git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
file://0007-ImageMagick-Fix-CVE-2025-57803.patch \
file://0008-ImageMagick-Fix-CVE-2025-57807.patch \
file://0009-ImageMagick-Fix-CVE-2025-55154.patch \
+ file://0010-ImageMagick-Add-support-patch-1-to-fix-CVE-2025-5529.patch \
+ file://0010-ImageMagick-Add-support-patch-2-to-fix-CVE-2025-5529.patch \
+ file://0010-ImageMagick-Add-support-patch-3-to-fix-CVE-2025-5529.patch \
+ file://0010-ImageMagick-Fix-CVE-2025-55298-1.patch \
+ file://0010-ImageMagick-Fix-CVE-2025-55298-2.patch \
"
SRCREV = "35b4991eb0939a327f3489988c366e21068b0178"
--
2.34.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#122624):
https://lists.openembedded.org/g/openembedded-devel/message/122624
Mute This Topic: https://lists.openembedded.org/mt/116753533/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
