From f73c3e4b7729798d3c90c9e568378f74c57fdd83 Mon Sep 17 00:00:00 2001 From: Sana Kazi Date: Thu, 3 Jul 2025 16:50:55 +0530 Subject: imagemagick: Fix CVE vulnerablities Fix following CVEs for imagemagick: CVE-2023-5341, CVE-2022-1114, CVE-2023-1289 and CVE-2023-34474 Signed-off-by: Sana Kazi Signed-off-by: Armin Kuster --- .../imagemagick/files/CVE-2022-1114.patch | 44 ++++++++ .../imagemagick/files/CVE-2023-1289-1.patch | 114 +++++++++++++++++++++ .../imagemagick/files/CVE-2023-1289.patch | 21 ++++ .../imagemagick/files/CVE-2023-34474.patch | 35 +++++++ .../imagemagick/files/CVE-2023-5341.patch | 28 +++++ .../imagemagick/imagemagick_7.0.10.bb | 5 + 6 files changed, 247 insertions(+) create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch create mode 100644 meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch new file mode 100644 index 0000000000..0bdd67c30b --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2022-1114.patch @@ -0,0 +1,44 @@ +From 8043433ba9ce0c550e09f2b3b6a3f5f62d802e6d Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 15 Mar 2022 21:59:33 -0400 +Subject: [PATCH] Coders: + https://github.com/ImageMagick/ImageMagick/issues/4947 + +CVE: CVE-2022-1114 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f.patch] +Comments: Refreshed the patch as per codebase +Signed-off-by: Sana Kazi Sana.Kazi@kpit.com +--- + coders/dcm.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/coders/dcm.c b/coders/dcm.c +index ce6cecbd68d..879d5694d2a 100644 +--- a/coders/dcm.c ++++ b/coders/dcm.c +@@ -3239,18 +3239,17 @@ static Image *ReadDCMImage(const ImageIn + RelinquishMagickMemory(info_copy); + } + +- /* +- If we're entering a sequence, push the current image parameters onto +- the stack, so we can restore them at the end of the sequence. +- */ + if (strcmp(explicit_vr,"SQ") == 0) + { +- info_copy=(DCMInfo *) AcquireMagickMemory(sizeof(info)); +- memcpy(info_copy,&info,sizeof(info)); +- AppendValueToLinkedList(stack,info_copy); ++ /* ++ If we're entering a sequence, push the current image parameters ++ onto the stack, so we can restore them at the end of the sequence. ++ */ ++ DCMInfo *clone_info = (DCMInfo *) AcquireMagickMemory(sizeof(info)); ++ (void) memcpy(clone_info,&info,sizeof(info)); ++ AppendValueToLinkedList(stack,clone_info); + sequence_depth++; + } +- + datum=0; + if (quantum == 4) + { diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch new file mode 100644 index 0000000000..5f7cd8033f --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289-1.patch @@ -0,0 +1,114 @@ +From 9d3dd9192f6710ec8e10f5edda9b7bf67caeb232 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 6 Mar 2023 14:14:36 -0500 +Subject: [PATCH] recursion detection framework + +CVE: CVE-2023-1289 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/9d3dd9192f6710ec8e10f5edda9b7bf67caeb232.patch] +Comment: Hunk #2 and #3 for draw.c from orignal patch are excluded from this because +these hunks remove the piece of code not present in imagemagick 7.0.10. +Refreshed hunk2 of image.c, draw.h and draw.c +Signed-off-by: Sana Kazi Sana.Kazi@kpit.com +--- + MagickCore/constitute.c | 12 ++++++++++++ + MagickCore/draw.c | 18 +++--------------- + MagickCore/draw.h | 3 +++ + MagickCore/image.c | 2 ++ + MagickCore/image.h | 3 +++ + 5 files changed, 23 insertions(+), 15 deletions(-) + +diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c +index aa1a0c2682b..5c84602da87 100644 +--- a/MagickCore/constitute.c ++++ b/MagickCore/constitute.c +@@ -130,6 +130,11 @@ + % o exception: return any errors or warnings in this structure. + % + */ ++/* ++ Define declarations. ++*/ ++#define MaxReadRecursionDepth 100 ++ + MagickExport Image *ConstituteImage(const size_t columns,const size_t rows, + const char *map,const StorageType storage,const void *pixels, + ExceptionInfo *exception) +@@ -558,9 +558,16 @@ MagickExport Image *ReadImage(const Imag + if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse) + LockSemaphoreInfo(magick_info->semaphore); + status=IsCoderAuthorized(read_info->magick,ReadPolicyRights,exception); ++ if (((ImageInfo *) image_info)->recursion_depth++ > MaxReadRecursionDepth) ++ { ++ (void) ThrowMagickException(exception,GetMagickModule(),CoderError, ++ "NumberOfImagesIsNotSupported","`%s'",read_info->magick); ++ status=MagickFalse; ++ } + image=(Image *) NULL; + if (status != MagickFalse) + image=decoder(read_info,exception); ++ ((ImageInfo *) image_info)->recursion_depth--; + if (GetMagickDecoderThreadSupport(magick_info) == MagickFalse) + UnlockSemaphoreInfo(magick_info->semaphore); + } +diff --git a/MagickCore/draw.c b/MagickCore/draw.c ++index ff78d620afd..c875c07acc6 100644 ++--- a/MagickCore/draw.c +++++ b/MagickCore/draw.c +@@ -5916,7 +5916,8 @@ MagickExport void GetDrawInfo(const Imag + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"..."); + assert(draw_info != (DrawInfo *) NULL); + (void) memset(draw_info,0,sizeof(*draw_info)); +- clone_info=CloneImageInfo(image_info); ++ draw_info->image_info=image_info; ++ clone_info=CloneImageInfo(draw_info->image_info); + GetAffineMatrix(&draw_info->affine); + exception=AcquireExceptionInfo(); + (void) QueryColorCompliance("#000F",AllCompliance,&draw_info->fill, +diff --git a/MagickCore/draw.h b/MagickCore/draw.h +index 38a52e20361..69257fc02a1 100644 +--- a/MagickCore/draw.h ++++ b/MagickCore/draw.h +@@ -340,6 +340,9 @@ typedef struct _DrawInfo + + char + *id; ++ ++ const ImageInfo ++ *image_info; + } DrawInfo; + + typedef struct _PrimitiveInfo +diff --git a/MagickCore/image.c b/MagickCore/image.c +index 9bf47e6e01d..8289139bf6f 100644 +--- a/MagickCore/image.c ++++ b/MagickCore/image.c +@@ -995,6 +995,7 @@ MagickExport ImageInfo *CloneImageInfo(c + MagickPathExtent); + clone_info->channel=image_info->channel; + (void) CloneImageOptions(clone_info,image_info); ++ clone_info->recursion_depth=image_info->recursion_depth; + clone_info->debug=IsEventLogging(); + clone_info->signature=image_info->signature; + return(clone_info); +@@ -1350,6 +1350,7 @@ MagickExport void GetImageInfo(ImageInfo + image_info->quality=UndefinedCompressionQuality; + image_info->antialias=MagickTrue; + image_info->dither=MagickTrue; ++ image_info->depth=0; + synchronize=GetEnvironmentValue("MAGICK_SYNCHRONIZE"); + if (synchronize != (const char *) NULL) + { +diff --git a/MagickCore/image.h b/MagickCore/image.h +index b9d870a9271..df6bf9bd103 100644 +--- a/MagickCore/image.h ++++ b/MagickCore/image.h +@@ -492,6 +492,9 @@ struct _ImageInfo + + PixelInfo + matte_color; /* matte (frame) color */ ++ ++ size_t ++ recursion_depth; /* recursion detection */ + }; + + extern MagickExport ChannelType diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch new file mode 100644 index 0000000000..944754fb3d --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-1289.patch @@ -0,0 +1,21 @@ +From c5b23cbf2119540725e6dc81f4deb25798ead6a4 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 6 Mar 2023 15:26:32 -0500 +Subject: [PATCH] erecursion detection +CVE: CVE-2023-1289 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4] +Signed-off-by: Sana Kazi Sana.Kazi@kpit.com +--- + MagickCore/draw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/MagickCore/draw.c 2025-05-12 13:34:26.689655000 +0530 ++++ b/MagickCore/draw.c 2025-05-12 13:45:30.136300211 +0530 +@@ -5526,6 +5526,7 @@ MagickExport MagickBooleanType DrawPrimi + if (primitive_info->text == (char *) NULL) + break; + clone_info=AcquireImageInfo(); ++ clone_info->recursion_depth=draw_info->image_info->recursion_depth; + composite_images=(Image *) NULL; + if (LocaleNCompare(primitive_info->text,"data:",5) == 0) + composite_images=ReadInlineImage(clone_info,primitive_info->text, diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch new file mode 100644 index 0000000000..e7b7783f47 --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-34474.patch @@ -0,0 +1,35 @@ +From 1061db7f80fdc9ef572ac60b55f408f7bab6e1b0 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 15 May 2023 14:22:11 -0400 +Subject: [PATCH] carefully crafted image files (TIM2, JPEG) no longer overflow + buffer nor use heap after free (thanks to Juzhi Lu, Zhen Zhou, Likang Luo of + NSFOCUS Security Team) + +CVE: CVE-2023-34474 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/1061db7f80fdc9ef572ac60b55f408f7bab6e1b0.patch] +Comment: Remove hunk from MagickCore/profile.c. as it fixes as the vulnerable function +ImageMagick's ReplaceXmpValue() that introduces CVE-2023-34475 is not present in 7.0.10 version +Signed-off-by: Sana Kazi Sana.Kazi@kpit.com +--- + MagickCore/profile.c | 5 +++-- + coders/tim2.c | 4 +++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/coders/tim2.c b/coders/tim2.c +index 0445985dcc0..d30afaf05d6 100644 +--- a/coders/tim2.c ++++ b/coders/tim2.c +@@ -517,10 +517,12 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info, + /* + * ### Read CLUT Data ### + */ +- clut_data=(unsigned char *) AcquireQuantumMemory(1,header->clut_size); ++ clut_data=(unsigned char *) AcquireQuantumMemory(2, ++ MagickMax(header->clut_size,image->colors)); + if (clut_data == (unsigned char *) NULL) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image_info->filename); ++ (void) memset(clut_data,0,2*MagickMax(header->clut_size,image->colors)); + count=ReadBlob(image,header->clut_size,clut_data); + if (count != (ssize_t) (header->clut_size)) + { diff --git a/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch new file mode 100644 index 0000000000..e26dd61fba --- /dev/null +++ b/meta-oe/recipes-support/imagemagick/files/CVE-2023-5341.patch @@ -0,0 +1,28 @@ +From aa673b2e4defc7cad5bec16c4fc8324f71e531f1 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 24 Sep 2023 07:28:19 -0400 +Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of + Vehere (Dawn Treaders team) + +CVE: CVE-2023-5341 +Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1.patch] +Comment: Refresh hunk as per codebase +Signed-off-by: Sana Kazi Sana.Kazi@kpit.com +--- + coders/bmp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/coders/bmp.c b/coders/bmp.c +index 94ec6628fdf..7e36d4f481b 100644 +--- a/coders/bmp.c ++++ b/coders/bmp.c +@@ -625,6 +625,9 @@ static Image *ReadBMPImage(const ImageIn + if (image->debug != MagickFalse) + (void) LogMagickEvent(CoderEvent,GetMagickModule()," BMP size: %u", + bmp_info.size); ++ if ((bmp_info.file_size != 0) && ++ ((MagickSizeType) bmp_info.file_size > GetBlobSize(image))) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + profile_data=0; + profile_size=0; + if (bmp_info.size == 12) diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb index 6108dece27..ce5489bb3e 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.10.bb @@ -18,6 +18,11 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://CVE-2022-0284.patch \ file://fix-cipher-leak.patch \ file://CVE-2022-2719.patch \ + file://CVE-2022-1114.patch \ + file://CVE-2023-1289-1.patch \ + file://CVE-2023-1289.patch \ + file://CVE-2023-34474.patch \ + file://CVE-2023-5341.patch \ " SRCREV = "35b4991eb0939a327f3489988c366e21068b0178" -- cgit v1.2.3-54-g00ecf