public inbox for buildroot@busybox.net
 help / color / mirror / Atom feed
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 3/4] package/graphicsmagick: add patch for CVE-2025-27796
Date: Fri,  6 Mar 2026 20:53:26 +0100	[thread overview]
Message-ID: <20260306195327.8533-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260303081323.53405-3-thomas.perale@mind.be>

In reply of:
> Fixes the following vulnerability:
> 
> - CVE-2025-27796:
>     ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette
>     buffer allocation, resulting in out-of-bounds access to heap memory in
>     ReadBlob.
> 
> For more information, see
>   - https://www.cve.org/CVERecord?id=CVE-2025-27796
>   - https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  ...er-is-allocated-and-the-current-size.patch | 55 +++++++++++++++++++
>  package/graphicsmagick/graphicsmagick.mk      |  3 +
>  2 files changed, 58 insertions(+)
>  create mode 100644 package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
> 
> diff --git a/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
> new file mode 100644
> index 0000000000..8a98034833
> --- /dev/null
> +++ b/package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
> @@ -0,0 +1,55 @@
> +# HG changeset patch
> +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
> +# Date 1734634653 21600
> +#      Thu Dec 19 12:57:33 2024 -0600
> +# Node ID 883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
> +# Parent  cf7cd5ebabb0ca40204de7539f4fb9ae02121958
> +ReadWPGImage(): Assure that palette buffer is allocated and the current size.
> +
> +CVE: CVE-2025-27796
> +Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
> +[thomas: remove changelog and binary]
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +
> +diff --git a/coders/wpg.c b/coders/wpg.c
> +--- a/coders/wpg.c
> ++++ b/coders/wpg.c
> +@@ -1704,28 +1704,23 @@
> +                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
> +               }
> + 
> +-              if(pPalette!=NULL &&
> +-                 PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
> +-              {
> +-                MagickFreeResourceLimitedMemory(pPalette);
> +-                PaletteAllocBytes = 0;
> +-              }
> ++              /* Assure that buffer is allocated and the current size */
> ++              if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
> ++                {
> ++                  PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
> ++                  MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
> ++                }
> +               if(pPalette==NULL)
> +-              {
> +-                PaletteItems = WPG_Palette.NumOfEntries;
> +-                PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
> +-                if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
> +-                pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
> +-                if(pPalette==NULL)
> +-                    ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
> +-                for(i=0; i<=255; i++)
> ++                ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
> ++
> ++              PaletteItems = WPG_Palette.NumOfEntries;
> ++              for(i=0; i<=255; i++)
> +                 {
> +                   pPalette[4*i] = WPG1_Palette[i].Red;
> +                   pPalette[4*i+1] = WPG1_Palette[i].Green;
> +                   pPalette[4*i+2] = WPG1_Palette[i].Blue;
> +                   pPalette[4*i+3] = OpaqueOpacity;
> +                 }
> +-              }
> +               if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
> +               {
> +                 MagickFreeResourceLimitedMemory(pPalette);
> diff --git a/package/graphicsmagick/graphicsmagick.mk b/package/graphicsmagick/graphicsmagick.mk
> index 6c2885b7d8..e329e51b70 100644
> --- a/package/graphicsmagick/graphicsmagick.mk
> +++ b/package/graphicsmagick/graphicsmagick.mk
> @@ -26,6 +26,9 @@ GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
>  # 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
>  GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
>  
> +# 0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
> +GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27796
> +
>  GRAPHICSMAGICK_INSTALL_STAGING = YES
>  GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
>  
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

  reply	other threads:[~2026-03-06 19:53 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-03  8:13 [Buildroot] [PATCH 1/4] package/graphicsmagick: add CVE-2008-6621 to IGNORE_CVES Thomas Perale via buildroot
2026-03-03  8:13 ` [Buildroot] [PATCH 2/4] package/graphicsmagick: add CVE-2007-0770 " Thomas Perale via buildroot
2026-03-06 19:53   ` Thomas Perale via buildroot
2026-03-03  8:13 ` [Buildroot] [PATCH 3/4] package/graphicsmagick: add patch for CVE-2025-27796 Thomas Perale via buildroot
2026-03-06 19:53   ` Thomas Perale via buildroot [this message]
2026-03-03  8:13 ` [Buildroot] [PATCH 4/4] package/graphicsmagick: bump to v1.3.46 Thomas Perale via buildroot
2026-03-03 17:38   ` Julien Olivain via buildroot
2026-03-04 21:48     ` Julien Olivain via buildroot
2026-03-03 17:36 ` [Buildroot] [PATCH 1/4] package/graphicsmagick: add CVE-2008-6621 to IGNORE_CVES Julien Olivain via buildroot
2026-03-06 19:53 ` Thomas Perale via buildroot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260306195327.8533-1-thomas.perale@mind.be \
    --to=buildroot@buildroot.org \
    --cc=thomas.perale@mind.be \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox