public inbox for buildroot@busybox.net
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Grzegorz Blach <grzegorz@blach.pl>
Subject: [Buildroot] [PATCH 4/4] package/graphicsmagick: bump to v1.3.46
Date: Tue,  3 Mar 2026 09:13:23 +0100
Message-ID: <20260303081323.53405-4-thomas.perale@mind.be>
In-Reply-To: <20260303081323.53405-1-thomas.perale@mind.be>

For more information, see the release notes:

- http://www.graphicsmagick.org/NEWS.html#october-29-2025
- https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/compare/GraphicsMagick-1_3_45...GraphicsMagick-1_3_46

This release now includes upstream fixes for CVE-2025-27795,
CVE-2025-32460, CVE-2025-27796.

Copyright year updated in [1].

[1] https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/13454c83b42327a29796b2bf418e4f90f5fc9292

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...pply-image-dimension-resource-limits.patch | 33 ----------
 ...ixel_format-num_channels-needs-to-be.patch | 61 -------------------
 ...er-is-allocated-and-the-current-size.patch | 55 -----------------
 package/graphicsmagick/graphicsmagick.hash    |  4 +-
 package/graphicsmagick/graphicsmagick.mk      | 11 +---
 5 files changed, 3 insertions(+), 161 deletions(-)
 delete mode 100644 package/graphicsmagick/0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
 delete mode 100644 package/graphicsmagick/0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
 delete mode 100644 package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch

diff --git a/package/graphicsmagick/0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch b/package/graphicsmagick/0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
deleted file mode 100644
index 56122e466e..0000000000
--- a/package/graphicsmagick/0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1725886903 18000
-#      Mon Sep 09 08:01:43 2024 -0500
-# Node ID 9bbae7314e3c3b19b830591010ed90bb136b9c42
-# Parent  db3ff8d00c28c38895e1600a28706ce251dac570
-ReadJXLImage(): Apply image dimension resource limits. Addresses oss-fuzz Issue 69728
-
-CVE: CVE-2025-27795
-Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-[Peter: drop ChangeLog/version changes]
-diff --git a/coders/jxl.c b/coders/jxl.c
---- a/coders/jxl.c
-+++ b/coders/jxl.c
-@@ -571,6 +571,7 @@
-                                       basic_info.alpha_bits, basic_info.num_color_channels,
-                                       basic_info.have_animation == JXL_FALSE ? "False" : "True");
-               }
-+
-             if (basic_info.num_extra_channels)
-               {
-                 size_t index;
-@@ -637,6 +638,9 @@
- 
-             image->orientation=convert_orientation(basic_info.orientation);
- 
-+            if (CheckImagePixelLimits(image, exception) != MagickPass)
-+              ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
-+
-             pixel_format.endianness=JXL_NATIVE_ENDIAN;
-             pixel_format.align=0;
-             if (basic_info.num_color_channels == 1)
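Review bot: The commit log never says that the three local patches are being dropped, only that the release includes the upstream fixes, so the deletion of 0001 (and of 0002 and 0003 below) has to be inferred from the diffstat. Consider adding a line to the commit message that maps each removed file to its upstream commit, here 9bbae7314e3c for the CheckImagePixelLimits() call in ReadJXLImage(), so that someone auditing CVE-2025-27795 can confirm from the log alone that the fix is still present in 1.3.46.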
diff --git a/package/graphicsmagick/0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch b/package/graphicsmagick/0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
deleted file mode 100644
index 004594523c..0000000000
--- a/package/graphicsmagick/0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1743004970 18000
-#      Wed Mar 26 11:02:50 2025 -0500
-# Node ID 8e56520435df50f618a03f2721a39a70a515f1cb
-# Parent  036a1376a2a6dc9504c5148249cbd8feaef72de6
-ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale matte.
-
-CVE: CVE-2025-32460
-Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-[Peter: drop ChangeLog/version changes]
-
-diff --git a/coders/jxl.c b/coders/jxl.c
---- a/coders/jxl.c
-+++ b/coders/jxl.c
-@@ -658,7 +658,7 @@
-                       ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-                   }
-                 grayscale=MagickTrue;
--                pixel_format.num_channels=1;
-+                pixel_format.num_channels=image->matte ? 2 : 1;
-                 pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
-                                         (basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
-                                          JXL_TYPE_FLOAT));
-@@ -843,6 +843,24 @@
-             size_t
-               out_len;
- 
-+            if (image->logging)
-+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+                                    "JxlPixelFormat:\n"
-+                                    "    num_channels: %u\n"
-+                                    "    data_type: %s\n"
-+                                    "    endianness: %s\n"
-+                                    "    align: %" MAGICK_SIZE_T_F "u",
-+                                    pixel_format.num_channels,
-+                                    pixel_format.data_type == JXL_TYPE_FLOAT ? "float" :
-+                                    (pixel_format.data_type == JXL_TYPE_UINT8 ? "uint8" :
-+                                     (pixel_format.data_type == JXL_TYPE_UINT16 ? "uint16" :
-+                                      (pixel_format.data_type == JXL_TYPE_FLOAT16 ? "float16" :
-+                                       "unknown"))) ,
-+                                    pixel_format.endianness == JXL_NATIVE_ENDIAN ? "native" :
-+                                    (pixel_format.endianness == JXL_LITTLE_ENDIAN ? "little" :
-+                                     (pixel_format.endianness == JXL_BIG_ENDIAN ? "big" : "unknown")),
-+                                    pixel_format.align);
-+
-             status=JxlDecoderImageOutBufferSize(jxl_decoder,&pixel_format,&out_len);
-             if (status != JXL_DEC_SUCCESS)
-               {
-@@ -852,6 +870,10 @@
-                 break;
-               }
- 
-+            if (image->logging)
-+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+                                    "JxlDecoderImageOutBufferSize() returns %" MAGICK_SIZE_T_F "u",
-+                                    (MAGICK_SIZE_T) out_len);
-             out_buf=MagickAllocateResourceLimitedArray(unsigned char *,out_len,sizeof(*out_buf));
-             if (out_buf == (unsigned char *) NULL)
-               ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
diff --git a/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
deleted file mode 100644
index 8a98034833..0000000000
--- a/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1734634653 21600
-#      Thu Dec 19 12:57:33 2024 -0600
-# Node ID 883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
-# Parent  cf7cd5ebabb0ca40204de7539f4fb9ae02121958
-ReadWPGImage(): Assure that palette buffer is allocated and the current size.
-
-CVE: CVE-2025-27796
-Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
-[thomas: remove changelog and binary]
-Signed-off-by: Thomas Perale <thomas.perale@mind.be>
-
-diff --git a/coders/wpg.c b/coders/wpg.c
---- a/coders/wpg.c
-+++ b/coders/wpg.c
-@@ -1704,28 +1704,23 @@
-                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
-               }
- 
--              if(pPalette!=NULL &&
--                 PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
--              {
--                MagickFreeResourceLimitedMemory(pPalette);
--                PaletteAllocBytes = 0;
--              }
-+              /* Assure that buffer is allocated and the current size */
-+              if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
-+                {
-+                  PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
-+                  MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
-+                }
-               if(pPalette==NULL)
--              {
--                PaletteItems = WPG_Palette.NumOfEntries;
--                PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
--                if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
--                pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
--                if(pPalette==NULL)
--                    ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
--                for(i=0; i<=255; i++)
-+                ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-+
-+              PaletteItems = WPG_Palette.NumOfEntries;
-+              for(i=0; i<=255; i++)
-                 {
-                   pPalette[4*i] = WPG1_Palette[i].Red;
-                   pPalette[4*i+1] = WPG1_Palette[i].Green;
-                   pPalette[4*i+2] = WPG1_Palette[i].Blue;
-                   pPalette[4*i+3] = OpaqueOpacity;
-                 }
--              }
-               if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
-               {
-                 MagickFreeResourceLimitedMemory(pPalette);
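Review bot: This 0003 patch carries the submitter's own Signed-off-by and, according to the thread overview, is introduced by patch 3/4 of this same series, so it is added and then deleted one commit later. If the split exists so that 3/4 can be backported to maintenance branches without the version bump, say so in the commit message of 3/4 or here; otherwise squashing 3/4 into this bump would avoid carrying a file that never exists at the tip of the series.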
diff --git a/package/graphicsmagick/graphicsmagick.hash b/package/graphicsmagick/graphicsmagick.hash
index 044214c8fc..0a2e926c3f 100644
--- a/package/graphicsmagick/graphicsmagick.hash
+++ b/package/graphicsmagick/graphicsmagick.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  dcea5167414f7c805557de2d7a47a9b3147bcbf617b91f5f0f4afe5e6543026b  GraphicsMagick-1.3.45.tar.xz
-sha256  27d121f97ad71ff506ac5a6a9539e969154f3a66f3da24fd5b6f268acd106295  Copyright.txt
+sha256  c7c706a505e9c6c3764156bb94a0c9644d79131785df15a89c9f8721d1abd061  GraphicsMagick-1.3.46.tar.xz
+sha256  a610fd86484bf7c80b53f84f9644995c25c74f1dd711f16d2608bbe81176d18b  Copyright.txt
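Review bot: The new tarball hash stays under the "# Locally computed:" comment, which means the only integrity reference for GraphicsMagick-1.3.46.tar.xz is the submitter's own download. If upstream publishes a checksum or a signature for this release, cite it in the comment and state that the hash was checked against it. The Copyright.txt hash change is covered by reference [1] in the commit message, which is fine.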
diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
index e329e51b70..0b7875b5cc 100644
--- a/package/graphicsmagick/graphicsmagick.mk
+++ b/package/graphicsmagick/graphicsmagick.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GRAPHICSMAGICK_VERSION = 1.3.45
+GRAPHICSMAGICK_VERSION = 1.3.46
 GRAPHICSMAGICK_SOURCE = GraphicsMagick-$(GRAPHICSMAGICK_VERSION).tar.xz
 GRAPHICSMAGICK_SITE = https://downloads.sourceforge.net/project/graphicsmagick/graphicsmagick/$(GRAPHICSMAGICK_VERSION)
 GRAPHICSMAGICK_LICENSE = MIT
@@ -20,15 +20,6 @@ GRAPHICSMAGICK_IGNORE_CVES += CVE-2008-6621
 # https://bugzilla.redhat.com/show_bug.cgi?id=210921#c5
 GRAPHICSMAGICK_IGNORE_CVES += CVE-2007-0770
 
-# 0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
-GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
-
-# 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
-GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
-
-# 0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
-GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27796
-
 GRAPHICSMAGICK_INSTALL_STAGING = YES
 GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
 
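Review bot: Dropping the three GRAPHICSMAGICK_IGNORE_CVES entries means CVE-2025-27795, CVE-2025-32460 and CVE-2025-27796 are from now on matched purely on GRAPHICSMAGICK_VERSION = 1.3.46 against the affected version ranges in the CVE data. Please confirm with a pkg-stats run that none of the three is reported for 1.3.46 and mention the result in the commit message; if a CVE entry has an open-ended or wrong version range it would reappear as unpatched and would need its IGNORE_CVES line kept with a comment pointing at the upstream commit instead of the removed patch file.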
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Thread overview: 10+ messages
2026-03-03  8:13 [Buildroot] [PATCH 1/4] package/graphicsmagick: add CVE-2008-6621 to IGNORE_CVES Thomas Perale via buildroot
2026-03-03  8:13 ` [Buildroot] [PATCH 2/4] package/graphicsmagick: add CVE-2007-0770 " Thomas Perale via buildroot
2026-03-06 19:53   ` Thomas Perale via buildroot
2026-03-03  8:13 ` [Buildroot] [PATCH 3/4] package/graphicsmagick: add patch for CVE-2025-27796 Thomas Perale via buildroot
2026-03-06 19:53   ` Thomas Perale via buildroot
2026-03-03  8:13 ` Thomas Perale via buildroot [this message]
2026-03-03 17:38   ` [Buildroot] [PATCH 4/4] package/graphicsmagick: bump to v1.3.46 Julien Olivain via buildroot
2026-03-04 21:48     ` Julien Olivain via buildroot
2026-03-03 17:36 ` [Buildroot] [PATCH 1/4] package/graphicsmagick: add CVE-2008-6621 to IGNORE_CVES Julien Olivain via buildroot
2026-03-06 19:53 ` Thomas Perale via buildroot
