Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25794
Backport the patch that references the relevant Github advisory[1] in its commit message explicitly.
[1]: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
.../imagemagick/CVE-2026-25794.patch | 54 +++++++++++++++++++
.../imagemagick/imagemagick_7.1.2-13.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
new file mode 100644
index 0000000000..8eb9f14d57
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-25794.patch
@@ -0,0 +1,54 @@
+From c4f271dbcbe543b3395f83a1b5416927500c2aa4 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <[email protected]>
+Date: Fri, 6 Feb 2026 21:03:53 +0100
+Subject: [PATCH] Prevent out of bounds heap write in uhdr encoder
+ (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h)
+
+CVE: CVE-2026-25794
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/ffe589df5ff8ce1433daa4ccb0d2a9fadfbe30ed]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ coders/uhdr.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/coders/uhdr.c b/coders/uhdr.c
+index fc436595e..101d6a90f 100644
+--- a/coders/uhdr.c
++++ b/coders/uhdr.c
+@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
+ {
+ /* Classify image as hdr/sdr intent basing on depth */
+ int
+- bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
+-
+- int
+- aligned_width = image->columns + (image->columns & 1);
+-
+- int
+- aligned_height = image->rows + (image->rows & 1);
++ bpp;
+
+ ssize_t
+- picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
++ aligned_height,
++ aligned_width;
++
++ size_t
++ picSize;
+
+ void
+ *crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;
+
++ if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) ||
++ ((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0)))
++ {
++ (void) ThrowMagickException(exception,GetMagickModule(),ImageError,
++ "WidthOrHeightExceedsLimit","%s",image->filename);
++ goto next_image;
++ }
++ bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
++ aligned_width = image->columns + (image->columns & 1);
++ picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
+ if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace))
+ {
+ if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR)
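Review bot: `aligned_height` is read before it is ever assigned: the new declaration `ssize_t aligned_height, aligned_width;` has no initializer, and the added statements set only `bpp` and `aligned_width` before `picSize = aligned_width * aligned_height * bpp * 1.5`. The removed initializer `aligned_height = image->rows + (image->rows & 1);` has no counterpart among the added lines, so the buffer size that the new dimension check is meant to bound is computed from an indeterminate value, which is undefined behaviour and leaves the allocation size unrelated to the image. Add `aligned_height = image->rows + (image->rows & 1);` next to the `aligned_width` assignment, and check whether upstream carries a follow-up fix that should be backported together with this patch. WriteUHDRImage's body starts and ends outside the hunk, so this is judged from the visible lines only.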
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb index 4b5a7fbb14..ab73da952c 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-13.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://CVE-2026-25576.patch \ file://CVE-2026-25637.patch \ file://CVE-2026-25638.patch \ + file://CVE-2026-25794.patch \ " SRCREV = "dd991e286b96918917a3392d6dc3ffc0e6907a4e"
