Fix CVE-2026-23876 with patch provided by NVD advisory. Link: https://nvd.nist.gov/vuln/detail/CVE-2026-23876
Signed-off-by: Bhabu Bindu <[email protected]>
---
 .../imagemagick/CVE-2026-23876.patch | 67 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1.bb | 1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch
new file mode 100644
index 0000000000..d25038e513
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch
@@ -0,0 +1,67 @@
+From 2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <[email protected]>
+Date: Sun, 18 Jan 2026 17:54:12 +0100
+Subject: [PATCH] Added overflow checks to prevent an out of bounds write
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8)
+
+CVE: CVE-2026-23876
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8]
+Signed-off-by: Bhabu Bindu <[email protected]>
+---
+ coders/xbm.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index a7a798ea168..d6cd5780d44 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -197,6 +197,10 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ short int
+ hex_digits[256];
+
++ size_t
++ bytes_per_line,
++ length;
++
+ ssize_t
+ i,
+ x,
+@@ -209,8 +213,6 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ unsigned int
+ bit,
+ byte,
+- bytes_per_line,
+- length,
+ padding,
+ version;
+
+@@ -345,15 +347,15 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (((image->columns % 16) != 0) && ((image->columns % 16) < 9) &&
+ (version == 10))
+ padding=1;
+- bytes_per_line=(unsigned int) (image->columns+7)/8+padding;
+- length=(unsigned int) image->rows;
+- data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+- sizeof(*data));
++ bytes_per_line=(image->columns+7)/8+padding;
++ if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
+ if (data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ p=data;
+ if (version == 10)
+- for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
++ for (i=0; i < (ssize_t) length; i+=2)
+ {
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
+@@ -366,7 +368,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ *p++=(unsigned char) (c >> 8);
+ }
+ else
+- for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
++ for (i=0; i < (ssize_t) length; i++)
+ {
+ c=XBMInteger(image,hex_digits);
+ if (c < 0)
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index 0a1d34e313..abad1fe5d1 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -27,6 +27,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
 file://CVE-2025-65955.patch \
 file://CVE-2026-22770.patch \
 file://CVE-2026-23874.patch \
+ file://CVE-2026-23876.patch \
 "
 SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"
-- 
2.34.1
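Review bot: In the embedded coders/xbm.c hunk `@@ -345,15 +347,15 @@`, the added guard checks only the product of `bytes_per_line` and `image->rows`; the line before it, `bytes_per_line=(image->columns+7)/8+padding;`, is now evaluated in `size_t` without a range check of its own, so it depends on `image->columns` having been validated earlier in ReadXBMImage, whose body starts and ends outside these hunks. The rejecting branch is the non-`MagickFalse` return, which is easy to misread; a comment above the `if` such as `/* a non-MagickFalse result means the size was rejected by the overflow check */` would make the polarity explicit. Both loops then cast with `(ssize_t) length`, which presumably stays safe only because an allocation that large fails first, and that assumption deserves a short comment too. Since the backport adds no include, a build against the pinned SRCREV should confirm that `HeapOverflowSanityCheckGetSize` is already declared for this file.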
