Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25798
Backport the patch that mentions the related Github advisory[1] in its commit message. [1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4 Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../imagemagick/CVE-2026-25798.patch | 101 ++++++++++++++++++
 .../imagemagick/imagemagick_7.1.2-13.bb | 1 +
 2 files changed, 102 insertions(+)
 create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch
new file mode 100644
index 0000000000..73814f8e12
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25798.patch
@@ -0,0 +1,101 @@
+From a16b3ba623e773a35af509809f40bfa099d2da0c Mon Sep 17 00:00:00 2001
+From: Cristy <[email protected]>
+Date: Sun, 1 Feb 2026 14:56:14 -0500
+Subject: [PATCH]
+ https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
+
+CVE: CVE-2026-25798
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/16dd3158ce197c6f65e7798a7a5cc4538bb0303e]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ MagickCore/cache.c | 37 +++++++++++++++++++++++++++++++++----
+ coders/sixel.c | 4 ++--
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/MagickCore/cache.c b/MagickCore/cache.c
+index 5f44791bd..d0c63cebe 100644
+--- a/MagickCore/cache.c
++++ b/MagickCore/cache.c
+@@ -3561,6 +3561,25 @@ static MagickBooleanType MaskPixelCacheNexus(Image *image,NexusInfo *nexus_info,
+ %
+ */
+
++static inline MagickBooleanType CacheOverflowSanityCheckGetSize(
++ const MagickSizeType count,const size_t quantum,MagickSizeType *const extent)
++{
++ MagickSizeType
++ length;
++
++ if ((count == 0) || (quantum == 0))
++ return(MagickTrue);
++ length=count*quantum;
++ if (quantum != (length/count))
++ {
++ errno=ENOMEM;
++ return(MagickTrue);
++ }
++ if (extent != NULL)
++ *extent=length;
++ return(MagickFalse);
++}
++
+ static MagickBooleanType OpenPixelCacheOnDisk(CacheInfo *cache_info,
+ const MapMode mode)
+ {
+@@ -3711,7 +3730,7 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
+ status;
+
+ MagickSizeType
+- length,
++ length = 0,
+ number_pixels;
+
+ size_t
+@@ -3789,12 +3808,22 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
+ packet_size=MagickMax(cache_info->number_channels,1)*sizeof(Quantum);
+ if (image->metacontent_extent != 0)
+ packet_size+=cache_info->metacontent_extent;
+- length=number_pixels*packet_size;
++ if (CacheOverflowSanityCheckGetSize(number_pixels,packet_size,&length) != MagickFalse)
++ {
++ cache_info->storage_class=UndefinedClass;
++ cache_info->length=0;
++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
++ image->filename);
++ }
+ columns=(size_t) (length/cache_info->rows/packet_size);
+ if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) ||
+ ((ssize_t) cache_info->rows < 0))
+- ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+- image->filename);
++ {
++ cache_info->storage_class=UndefinedClass;
++ cache_info->length=0;
++ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
++ image->filename);
++ }
+ cache_info->length=length;
+ if (image->ping != MagickFalse)
+ {
+diff --git a/coders/sixel.c b/coders/sixel.c
+index a0ae4b8b7..e9d941300 100644
+--- a/coders/sixel.c
++++ b/coders/sixel.c
+@@ -545,7 +545,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
+ if (max_x < position_x)
+ max_x = position_x;
+ if (max_y < (position_y + i))
+- max_y = position_y + i;
++ max_y = (int) (position_y + i);
+ }
+ sixel_vertical_mask <<= 1;
+ }
+@@ -578,7 +578,7 @@ static MagickBooleanType sixel_decode(Image *image,unsigned char *p,
+ if (max_x < (position_x+repeat_count-1))
+ max_x = position_x+repeat_count-1;
+ if (max_y < (position_y+i+n-1))
+- max_y = position_y+i+n-1;
++ max_y = (int) (position_y+i+n-1);
+ i+=(n-1);
+ sixel_vertical_mask <<= (n-1);
+ }
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
index 2f6c8079cf..f4cceac88d 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
 file://CVE-2026-25795.patch \
 file://CVE-2026-25796.patch \
 file://CVE-2026-25797.patch \
+ file://CVE-2026-25798.patch \
 "
 SRCREV = "dd991e286b96918917a3392d6dc3ffc0e6907a4e"
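Review bot: In the embedded cache.c change, `CacheOverflowSanityCheckGetSize` returns `MagickTrue` to mean failure, and it does so for a zero `count` or `quantum` as well as for a wrapped product, yet only the overflow path sets `errno` and neither failure path writes `*extent`. Nothing in the helper documents that inverted convention, so a later caller could easily read `MagickTrue` as "size is valid" or use `length` after a failed call. A one-line comment above the helper would make the contract explicit, e.g. `/* Returns MagickTrue on failure (zero operand or count*quantum overflow); *extent is written only on success. */`. Since this is a backport, the comment is better proposed upstream than carried as a local delta. `OpenPixelCache` starts and ends outside the visible hunks, so whether a zero `number_pixels` can reach this call (and be reported as `PixelCacheAllocationFailed`) cannot be confirmed from here.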
