From e95928b2df2674e2b4dabe5e13df6aee0195b485 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Fri, 15 Aug 2025 10:04:11 +0800 Subject: [PATCH] Fix CVE-2025-55154 and CVE-2025-55160 --- CVE-2025-55154.patch | 85 +++++++++++++++++++++++ CVE-2025-55160.patch | 156 +++++++++++++++++++++++++++++++++++++++++++ ImageMagick.spec | 7 +- 3 files changed, 247 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-55154.patch create mode 100644 CVE-2025-55160.patch diff --git a/CVE-2025-55154.patch b/CVE-2025-55154.patch new file mode 100644 index 0000000..c0b51de --- /dev/null +++ b/CVE-2025-55154.patch @@ -0,0 +1,85 @@ +From 14234b2d3be45af1f71ffafd260532bbd8f81d39 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 9 Aug 2025 08:28:19 -0400 +Subject: [PATCH] + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82 + +--- + coders/png.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index a662fb38b..b3e690b32 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -6753,7 +6753,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) && + ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5))) + { +- png_uint_32 ++ size_t + magnified_height, + magnified_width; + +@@ -6767,19 +6767,19 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + mng_info->magn_methy = 1; + if (mng_info->magn_methx == 1) + { +- magnified_width=mng_info->magn_ml; ++ magnified_width=(size_t) mng_info->magn_ml; + + if (image->columns > 1) + magnified_width += mng_info->magn_mr; + + if (image->columns > 2) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-2)*(mng_info->magn_mx)); + } + + else + { +- magnified_width=(png_uint_32) image->columns; ++ magnified_width=(size_t) image->columns; + + if (image->columns > 1) + magnified_width += mng_info->magn_ml-1; +@@ -6788,25 +6788,25 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + magnified_width += mng_info->magn_mr-1; + + if (image->columns > 3) +- magnified_width += (png_uint_32) ++ magnified_width += (size_t) + ((image->columns-3)*(mng_info->magn_mx-1)); + } + + if (mng_info->magn_methy == 1) + { +- magnified_height=mng_info->magn_mt; ++ magnified_height=(size_t) mng_info->magn_mt; + + if (image->rows > 1) + magnified_height += mng_info->magn_mb; + + if (image->rows > 2) +- magnified_height += (png_uint_32) ++ magnified_height += (size_t) + ((image->rows-2)*(mng_info->magn_my)); + } + + else + { +- magnified_height=(png_uint_32) image->rows; ++ magnified_height=(size_t) image->rows; + + if (image->rows > 1) + magnified_height += mng_info->magn_mt-1; +@@ -6815,7 +6815,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info, + magnified_height += mng_info->magn_mb-1; + + if (image->rows > 3) +- magnified_height += (png_uint_32) ++ magnified_height += (size_t) + ((image->rows-3)*(mng_info->magn_my-1)); + } + diff --git a/CVE-2025-55160.patch b/CVE-2025-55160.patch new file mode 100644 index 0000000..d705870 --- /dev/null +++ b/CVE-2025-55160.patch @@ -0,0 +1,156 @@ +From 986bddf243da88768e8198ee07c758768c098108 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 10 Aug 2025 08:28:40 -0400 +Subject: [PATCH] + https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x + +--- + magick/artifact.c | 17 ++++++++++++++++- + magick/option.c | 17 ++++++++++++++++- + magick/profile.c | 19 ++++++++++++++++++- + magick/property.c | 18 ++++++++++++++++-- + 4 files changed, 66 insertions(+), 5 deletions(-) + +diff --git a/magick/artifact.c b/magick/artifact.c +index 67478ecf0..0de6e6007 100644 +--- a/magick/artifact.c ++++ b/magick/artifact.c +@@ -97,6 +97,21 @@ + % o clone_image: the clone image. + % + */ ++ ++typedef char ++ *(*CloneKeyFunc)(const char *), ++ *(*CloneValueFunc)(const char *); ++ ++static inline void *CloneArtifactKey(void *key) ++{ ++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key)); ++} ++ ++static inline void *CloneArtifactValue(void *value) ++{ ++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value)); ++} ++ + MagickExport MagickBooleanType CloneImageArtifacts(Image *image, + const Image *clone_image) + { +@@ -115,7 +130,7 @@ MagickExport MagickBooleanType CloneImageArtifacts(Image *image, + if (image->artifacts != (void *) NULL) + DestroyImageArtifacts(image); + image->artifacts=CloneSplayTree((SplayTreeInfo *) clone_image->artifacts, +- (void *(*)(void *)) ConstantString,(void *(*)(void *)) ConstantString); ++ CloneArtifactKey,CloneArtifactValue); + } + return(MagickTrue); + } +diff --git a/magick/option.c b/magick/option.c +index fef6f516f..927bdf92c 100644 +--- a/magick/option.c ++++ b/magick/option.c +@@ -1790,6 +1790,21 @@ static const OptionInfo + % o clone_info: the clone image info. + % + */ ++ ++typedef char ++ *(*CloneKeyFunc)(const char *), ++ *(*CloneValueFunc)(const char *); ++ ++static inline void *CloneOptionKey(void *key) ++{ ++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key)); ++} ++ ++static inline void *CloneOptionValue(void *value) ++{ ++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value)); ++} ++ + MagickExport MagickBooleanType CloneImageOptions(ImageInfo *image_info, + const ImageInfo *clone_info) + { +@@ -1805,7 +1820,7 @@ MagickExport MagickBooleanType CloneImageOptions(ImageInfo *image_info, + if (image_info->options != (void *) NULL) + DestroyImageOptions(image_info); + image_info->options=CloneSplayTree((SplayTreeInfo *) clone_info->options, +- (void *(*)(void *)) ConstantString,(void *(*)(void *)) ConstantString); ++ CloneOptionKey,CloneOptionValue); + } + return(MagickTrue); + } +diff --git a/magick/profile.c b/magick/profile.c +index 18dc280d6..985decf94 100644 +--- a/magick/profile.c ++++ b/magick/profile.c +@@ -115,6 +115,23 @@ static void + % o clone_image: the clone image. + % + */ ++ ++typedef char ++ *(*CloneKeyFunc)(const char *); ++ ++typedef StringInfo ++ *(*CloneValueFunc)(const StringInfo *); ++ ++static inline void *CloneProfileKey(void *key) ++{ ++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key)); ++} ++ ++static inline void *CloneProfileValue(void *value) ++{ ++ return((void *) ((CloneValueFunc) CloneStringInfo)((const StringInfo *) value)); ++} ++ + MagickExport MagickBooleanType CloneImageProfiles(Image *image, + const Image *clone_image) + { +@@ -133,7 +150,7 @@ MagickExport MagickBooleanType CloneImageProfiles(Image *image, + if (image->profiles != (void *) NULL) + DestroyImageProfiles(image); + image->profiles=CloneSplayTree((SplayTreeInfo *) clone_image->profiles, +- (void *(*)(void *)) ConstantString,(void *(*)(void *)) CloneStringInfo); ++ CloneProfileKey,CloneProfileValue); + } + return(MagickTrue); + } +diff --git a/magick/property.c b/magick/property.c +index c74688f6e..d37342cd0 100644 +--- a/magick/property.c ++++ b/magick/property.c +@@ -127,6 +127,21 @@ + % o clone_image: the clone image. + % + */ ++ ++typedef char ++ *(*CloneKeyFunc)(const char *), ++ *(*CloneValueFunc)(const char *); ++ ++static inline void *ClonePropertyKey(void *key) ++{ ++ return((void *) ((CloneKeyFunc) ConstantString)((const char *) key)); ++} ++ ++static inline void *ClonePropertyValue(void *value) ++{ ++ return((void *) ((CloneValueFunc) ConstantString)((const char *) value)); ++} ++ + MagickExport MagickBooleanType CloneImageProperties(Image *image, + const Image *clone_image) + { +@@ -192,8 +207,7 @@ MagickExport MagickBooleanType CloneImageProperties(Image *image, + if (image->properties != (void *) NULL) + DestroyImageProperties(image); + image->properties=CloneSplayTree((SplayTreeInfo *) +- clone_image->properties,(void *(*)(void *)) ConstantString, +- (void *(*)(void *)) ConstantString); ++ clone_image->properties,ClonePropertyKey,ClonePropertyValue); + } + return(MagickTrue); + } diff --git a/ImageMagick.spec b/ImageMagick.spec index 0425d36..193c36d 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.12.86 -Release: 7 +Release: 8 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ @@ -14,6 +14,8 @@ Patch4: CVE-2025-43965.patch Patch5: CVE-2025-53014.patch Patch6: CVE-2025-53019.patch Patch7: CVE-2025-53101.patch +Patch8: CVE-2025-55154.patch +Patch9: CVE-2025-55160.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -171,6 +173,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Fri Aug 15 2025 yaoxin <1024769339@qq.com> - 1:6.9.12.86-8 +- Fix CVE-2025-55154 and CVE-2025-55160 + * Mon Jul 21 2025 wangkai <13474090681@163.com> - 1:6.9.12.86-7 - Fix CVE-2025-53014, CVE-2025-53019, CVE-2025-53101 -- Gitee