* [Buildroot] [PATCH] package/imagemagick: security bump to v7.1.2-3
From: Titouan Christophe via buildroot @ 2025-09-03 12:43 UTC (permalink / raw)
To: buildroot
This fixes the following vulnerabilities:
- CVE-2023-5341:
A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
https://www.cve.org/CVERecord?id=CVE-2023-5341
- CVE-2025-55004:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
vulnerable to heap-buffer overflow read around the handling of images
with separate alpha channels when performing image magnification in
ReadOneMNGIMage. This can likely be used to leak subsequent memory
contents into the output image. This issue has been patched in version
7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55004
- CVE-2025-55005:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, when preparing
to transform from Log to sRGB colorspaces, the logmap construction
fails to handle cases where the reference-black or reference-white
value is larger than 1024. This leads to corrupting memory beyond the
end of the allocated logmap buffer. This issue has been patched in
version 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55005
- CVE-2025-55160:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
there is undefined behavior (function-type-mismatch) in splay tree
cloning callback. This results in a deterministic abort under UBSan
(DoS in sanitizer builds), with no crash in a non-sanitized build.
This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55160
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
package/imagemagick/imagemagick.hash | 2 +-
package/imagemagick/imagemagick.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
index 2983b511cc..f260a0e0fb 100644
--- a/package/imagemagick/imagemagick.hash
+++ b/package/imagemagick/imagemagick.hash
@@ -1,3 +1,3 @@
# Locally computed
-sha256 ceb972266b23dc7c1cfce0da5a7f0c9acfb4dc81f40eb542a49476fedbc2618f imagemagick-7.1.1-43.tar.gz
+sha256 b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d imagemagick-7.1.2-3.tar.gz
sha256 a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec LICENSE
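Review bot: the new digest on the `+sha256 ... imagemagick-7.1.2-3.tar.gz` line sits under `# Locally computed`, and the .mk fetches a GitHub archive via `$(call github,...)`, so nothing upstream independently confirms it; the commit log should say how the archive was obtained and checked (for example, a fresh download whose unpacked tree was compared against the upstream 7.1.2-3 tag) so that backporters can reproduce the digest. The unchanged `LICENSE` line is fine only if it was recomputed against the new archive rather than carried over from 7.1.1-43; a word on that in the log would help too.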
diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
index 6bbda40396..30cacc7f1a 100644
--- a/package/imagemagick/imagemagick.mk
+++ b/package/imagemagick/imagemagick.mk
@@ -4,7 +4,7 @@
#
################################################################################
-IMAGEMAGICK_VERSION = 7.1.1-43
+IMAGEMAGICK_VERSION = 7.1.2-3
IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
IMAGEMAGICK_LICENSE = Apache-2.0
IMAGEMAGICK_LICENSE_FILES = LICENSE
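Review bot: the bump crosses from the 7.1.1 series into 7.1.2 (`-IMAGEMAGICK_VERSION = 7.1.1-43` to `+IMAGEMAGICK_VERSION = 7.1.2-3`) while the commit message only cites fixes that landed in 7.1.2-1; a sentence on why 7.1.2-3 rather than the first fixed release was chosen, and whether the configure options elsewhere in the .mk (outside this hunk) were re-checked against the new series, would help reviewers and stable-branch maintainers. Since `IMAGEMAGICK_SITE` derives the download from `IMAGEMAGICK_VERSION`, the filename in the .hash hunk must match this value exactly, which it does here.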
--
2.51.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
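The patch above pairs a version change in the .mk with a new digest in the .hash file, and the two only protect the build together: a bumped version with a stale hash file fails the download check, and a recomputed hash with no provenance proves nothing. As an added example, not part of the patch or of Buildroot's own tooling, the following Python script parses the two fragments as they read after the patch, checks that the .hash file carries an entry for exactly the archive the new `IMAGEMAGICK_VERSION` will fetch, and verifies a constructed blob against a `.hash` line in the way a locally computed digest is meant to be checked. The archive naming `imagemagick-<version>.tar.gz` is assumed from the .hash line on the page; the sample bytes and the `STALE_HASH_FILE` fragment are constructed, and the real tarball is never downloaded.

```python
import hashlib
import hmac
import re

# Both fragments are copied from the patch as they read after it is applied.
HASH_FILE = """# Locally computed
sha256 b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d imagemagick-7.1.2-3.tar.gz
sha256 a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec LICENSE
"""

# Constructed from the `-` line of the hunk: the .hash file as it was before the
# patch, to show what a forgotten .hash update looks like to the checker.
STALE_HASH_FILE = """# Locally computed
sha256 ceb972266b23dc7c1cfce0da5a7f0c9acfb4dc81f40eb542a49476fedbc2618f imagemagick-7.1.1-43.tar.gz
sha256 a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec LICENSE
"""

MK_FILE = """IMAGEMAGICK_VERSION = 7.1.2-3
IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
IMAGEMAGICK_LICENSE = Apache-2.0
IMAGEMAGICK_LICENSE_FILES = LICENSE
"""


def parse_hash_file(text: str) -> dict[str, tuple[str, str]]:
    """Map filename -> (algorithm, hex digest) for a Buildroot .hash file.

    Entries are `<algo> <digest> <filename>`; lines starting with `#` are comments.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed .hash line: {raw!r}")
        algo, digest, filename = parts
        entries[filename] = (algo, digest.lower())
    return entries


def parse_mk_vars(text: str) -> dict[str, str]:
    """Collect simple `NAME = value` (also `?=` / `:=`) assignments from a .mk fragment."""
    assignments = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z0-9_]+)\s*[?:]?=\s*(.*?)\s*$", line)
        if m:
            assignments[m.group(1)] = m.group(2)
    return assignments


def expected_tarball(mk_vars: dict[str, str], pkg: str = "IMAGEMAGICK") -> str:
    # Assumption: the default Buildroot archive name <pkgname>-<version>.tar.gz,
    # which is the name the .hash line in the patch uses.
    return f"{pkg.lower()}-{mk_vars[pkg + '_VERSION']}.tar.gz"


def version_bump_is_consistent(mk_text: str, hash_text: str) -> bool:
    """True when the .hash file has an entry for the archive the .mk will download."""
    return expected_tarball(parse_mk_vars(mk_text)) in parse_hash_file(hash_text)


def verify_blob(data: bytes, filename: str, hash_text: str) -> bool:
    """Recompute the digest of `data` and compare it with its .hash entry in constant time."""
    entries = parse_hash_file(hash_text)
    if filename not in entries:
        raise KeyError(f"no .hash entry for {filename}")
    algo, expected = entries[filename]
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def hash_line(data: bytes, filename: str, algo: str = "sha256") -> str:
    """Produce the .hash line a maintainer would add for a freshly downloaded file."""
    return f"{algo} {hashlib.new(algo, data).hexdigest()} {filename}"


if __name__ == "__main__":
    print("bump consistent:", version_bump_is_consistent(MK_FILE, HASH_FILE))        # True
    print("stale .hash:    ", version_bump_is_consistent(MK_FILE, STALE_HASH_FILE))  # False
    # Constructed stand-in for a downloaded archive; nothing is fetched from the network.
    blob = b"constructed archive bytes, not the real ImageMagick tarball"
    local = "# Locally computed\n" + hash_line(blob, "example.tar.gz") + "\n"
    print("blob verifies:  ", verify_blob(blob, "example.tar.gz", local))            # True
    print("tampered blob:  ", verify_blob(blob + b"\x00", "example.tar.gz", local))  # False
```

The stale case is the one a reviewer of a version bump looks for: the .mk would try to download `imagemagick-7.1.2-3.tar.gz` while the .hash file only knows the 7.1.1-43 archive, so the fetch fails closed. `verify_blob` uses `hmac.compare_digest` so that a digest comparison in tooling does not leak timing, and `hash_line` is how the `# Locally computed` entry is regenerated from a fresh download rather than copied from another source.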
* Re: [Buildroot] [PATCH] package/imagemagick: security bump to v7.1.2-3
From: Peter Korsgaard @ 2025-09-03 16:15 UTC (permalink / raw)
To: Titouan Christophe via buildroot; +Cc: Titouan Christophe
>>>>> "Titouan" == Titouan Christophe via buildroot <buildroot@buildroot.org> writes:
> This fixes the following vulnerabilities:
> - CVE-2023-5341:
> A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
> https://www.cve.org/CVERecord?id=CVE-2023-5341
> - CVE-2025-55004:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
> vulnerable to heap-buffer overflow read around the handling of images
> with separate alpha channels when performing image magnification in
> ReadOneMNGIMage. This can likely be used to leak subsequent memory
> contents into the output image. This issue has been patched in version
> 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55004
> - CVE-2025-55005:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, when preparing
> to transform from Log to sRGB colorspaces, the logmap construction
> fails to handle cases where the reference-black or reference-white
> value is larger than 1024. This leads to corrupting memory beyond the
> end of the allocated logmap buffer. This issue has been patched in
> version 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55005
> - CVE-2025-55160:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
> there is undefined behavior (function-type-mismatch) in splay tree
> cloning callback. This results in a deterministic abort under UBSan
> (DoS in sanitizer builds), with no crash in a non-sanitized build.
> This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55160
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/imagemagick: security bump to v7.1.2-3
From: Thomas Perale via buildroot @ 2025-09-03 17:24 UTC (permalink / raw)
To: Titouan Christophe; +Cc: Thomas Perale, buildroot
Hi Titouan,
In reply to:
> This fixes the following vulnerabilities:
> - CVE-2023-5341:
> A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
> https://www.cve.org/CVERecord?id=CVE-2023-5341
Seems like the CVE-2023-5341 was a false positive. The fix [1] was already part
of 7.1.1-43.
[1] https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1
> - CVE-2025-55004:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
> vulnerable to heap-buffer overflow read around the handling of images
> with separate alpha channels when performing image magnification in
> ReadOneMNGIMage. This can likely be used to leak subsequent memory
> contents into the output image. This issue has been patched in version
> 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55004
>
> - CVE-2025-55005:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, when preparing
> to transform from Log to sRGB colorspaces, the logmap construction
> fails to handle cases where the reference-black or reference-white
> value is larger than 1024. This leads to corrupting memory beyond the
> end of the allocated logmap buffer. This issue has been patched in
> version 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55005
>
> - CVE-2025-55160:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
> there is undefined behavior (function-type-mismatch) in splay tree
> cloning callback. This results in a deterministic abort under UBSan
> (DoS in sanitizer builds), with no crash in a non-sanitized build.
> This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55160
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Regards,
Thomas
> ---
> package/imagemagick/imagemagick.hash | 2 +-
> package/imagemagick/imagemagick.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
> index 2983b511cc..f260a0e0fb 100644
> --- a/package/imagemagick/imagemagick.hash
> +++ b/package/imagemagick/imagemagick.hash
> @@ -1,3 +1,3 @@
> # Locally computed
> -sha256 ceb972266b23dc7c1cfce0da5a7f0c9acfb4dc81f40eb542a49476fedbc2618f imagemagick-7.1.1-43.tar.gz
> +sha256 b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d imagemagick-7.1.2-3.tar.gz
> sha256 a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec LICENSE
> diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
> index 6bbda40396..30cacc7f1a 100644
> --- a/package/imagemagick/imagemagick.mk
> +++ b/package/imagemagick/imagemagick.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -IMAGEMAGICK_VERSION = 7.1.1-43
> +IMAGEMAGICK_VERSION = 7.1.2-3
> IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
> IMAGEMAGICK_LICENSE = Apache-2.0
> IMAGEMAGICK_LICENSE_FILES = LICENSE
> --
> 2.51.0
>
* Re: [Buildroot] [PATCH] package/imagemagick: security bump to v7.1.2-3
From: Thomas Perale via buildroot @ 2025-09-11 19:23 UTC (permalink / raw)
To: Titouan Christophe; +Cc: Thomas Perale, buildroot
In reply to:
> This fixes the following vulnerabilities:
> - CVE-2023-5341:
> A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
> https://www.cve.org/CVERecord?id=CVE-2023-5341
>
> - CVE-2025-55004:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
> vulnerable to heap-buffer overflow read around the handling of images
> with separate alpha channels when performing image magnification in
> ReadOneMNGIMage. This can likely be used to leak subsequent memory
> contents into the output image. This issue has been patched in version
> 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55004
>
> - CVE-2025-55005:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to version 7.1.2-1, when preparing
> to transform from Log to sRGB colorspaces, the logmap construction
> fails to handle cases where the reference-black or reference-white
> value is larger than 1024. This leads to corrupting memory beyond the
> end of the allocated logmap buffer. This issue has been patched in
> version 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55005
>
> - CVE-2025-55160:
> ImageMagick is free and open-source software used for editing and
> manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
> there is undefined behavior (function-type-mismatch) in splay tree
> cloning callback. This results in a deterministic abort under UBSan
> (DoS in sanitizer builds), with no crash in a non-sanitized build.
> This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
> https://www.cve.org/CVERecord?id=CVE-2025-55160
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Applied to 2025.02.x & 2025.05.x. Thanks.
> ---
> package/imagemagick/imagemagick.hash | 2 +-
> package/imagemagick/imagemagick.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
> index 2983b511cc..f260a0e0fb 100644
> --- a/package/imagemagick/imagemagick.hash
> +++ b/package/imagemagick/imagemagick.hash
> @@ -1,3 +1,3 @@
> # Locally computed
> -sha256 ceb972266b23dc7c1cfce0da5a7f0c9acfb4dc81f40eb542a49476fedbc2618f imagemagick-7.1.1-43.tar.gz
> +sha256 b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d imagemagick-7.1.2-3.tar.gz
> sha256 a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec LICENSE
> diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
> index 6bbda40396..30cacc7f1a 100644
> --- a/package/imagemagick/imagemagick.mk
> +++ b/package/imagemagick/imagemagick.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -IMAGEMAGICK_VERSION = 7.1.1-43
> +IMAGEMAGICK_VERSION = 7.1.2-3
> IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
> IMAGEMAGICK_LICENSE = Apache-2.0
> IMAGEMAGICK_LICENSE_FILES = LICENSE
> --
> 2.51.0
>