Fix CVE-2025-27795 and CVE-2025-32460

(cherry picked from commit 7076d624188a087c4a0c9724790bc46f9ad97312)
starlet-dx 2025-04-29 12:20:02 +08:00 committed by openeuler-sync-bot
parent 54d35b3952
commit 41cef0daf4
3 changed files with 98 additions and 3 deletions

38
CVE-2025-27795.patch Normal file

@ -0,0 +1,38 @@
From: Bob Friesenhahn <bfriesen@GraphicsMagick.org>
Date: Mon, 9 Sep 2024 08:01:43 -0500
Subject: ReadJXLImage(): Apply image dimension resource limits. Addresses
oss-fuzz Issue 69728
Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>
Changes:
- Drop changes to changelog and version files.
Origin: upstream, https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
Bug-Debian: https://bugs.debian.org/1099955
Last-Update: 2025-03-31
---
coders/jxl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/coders/jxl.c b/coders/jxl.c
index b8a85fd..8a370fe 100644
--- a/coders/jxl.c
+++ b/coders/jxl.c
@@ -531,6 +531,7 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
basic_info.alpha_bits, basic_info.num_color_channels,
basic_info.have_animation == JXL_FALSE ? "False" : "True");
}
+
if (basic_info.num_extra_channels)
{
size_t index;
@@ -579,6 +580,9 @@ static Image *ReadJXLImage(const ImageInfo *image_info,
image->orientation=convert_orientation(basic_info.orientation);
+ if (CheckImagePixelLimits(image, exception) != MagickPass)
+ ThrowJXLReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
+
pixel_format.endianness=JXL_NATIVE_ENDIAN;
pixel_format.align=0;
if (basic_info.num_color_channels == 1)
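Review bot: The `CheckImagePixelLimits()` guard added in the second coders/jxl.c hunk has no comment recording that it must stay ahead of every buffer sized from the header-supplied dimensions, so a later reorder could silently undo the fix. I would add `/* Enforce resource limits on header-supplied dimensions before any buffer is sized from them */` directly above the `if`. The lines that copy the decoded width and height into `image` are outside the hunk, as is the rest of ReadJXLImage(), so I am assuming they run before this check; that should be confirmed against the patched file. The guard is also only as strict as the limits configured at run time, so it is worth checking that the packaged defaults are finite.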

50
CVE-2025-32460.patch Normal file

@ -0,0 +1,50 @@
Description: ReadJXLImage(): pixel_format.num_channels needs to be 2 for grayscale matte
Origin: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-32460
Forwarded: not-needed
Author: Bob Friesenhahn <bfriesen@GraphicsMagick.org>
--- a/coders/jxl.c
+++ b/coders/jxl.c
@@ -600,7 +600,7 @@ static Image *ReadJXLImage(const ImageIn
ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
}
grayscale=MagickTrue;
- pixel_format.num_channels=1;
+ pixel_format.num_channels=image->matte ? 2 : 1;
pixel_format.data_type=(basic_info.bits_per_sample <= 8 ? JXL_TYPE_UINT8 :
(basic_info.bits_per_sample <= 16 ? JXL_TYPE_UINT16 :
JXL_TYPE_FLOAT));
@@ -765,10 +765,32 @@ static Image *ReadJXLImage(const ImageIn
size_t
out_len;
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "JxlPixelFormat:\n"
+ " num_channels: %u\n"
+ " data_type: %s\n"
+ " endianness: %s\n"
+ " align: %" MAGICK_SIZE_T_F "u",
+ pixel_format.num_channels,
+ pixel_format.data_type == JXL_TYPE_FLOAT ? "float" :
+ (pixel_format.data_type == JXL_TYPE_UINT8 ? "uint8" :
+ (pixel_format.data_type == JXL_TYPE_UINT16 ? "uint16" :
+ (pixel_format.data_type == JXL_TYPE_FLOAT16 ? "float16" :
+ "unknown"))) ,
+ pixel_format.endianness == JXL_NATIVE_ENDIAN ? "native" :
+ (pixel_format.endianness == JXL_LITTLE_ENDIAN ? "little" :
+ (pixel_format.endianness == JXL_BIG_ENDIAN ? "big" : "unknown")),
+ pixel_format.align);
+
status=JxlDecoderImageOutBufferSize(jxl_decoder,&pixel_format,&out_len);
if (status != JXL_DEC_SUCCESS)
break;
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "JxlDecoderImageOutBufferSize() returns %" MAGICK_SIZE_T_F "u",
+ (MAGICK_SIZE_T) out_len);
out_buf=MagickAllocateResourceLimitedArray(unsigned char *,out_len,sizeof(*out_buf));
if (out_buf == (unsigned char *) NULL)
ThrowJXLReaderException(ResourceLimitError,MemoryAllocationFailed,image);
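Review bot: In the new `JxlPixelFormat` log call, `pixel_format.align` is passed to the `%" MAGICK_SIZE_T_F "u` conversion without a cast, while the `out_len` log a few lines later casts its argument to `MAGICK_SIZE_T`. If `MAGICK_SIZE_T` is not the same type as `size_t` on a build target, the first call has a format/argument mismatch, so the last argument should read `(MAGICK_SIZE_T) pixel_format.align);`. Separately, the `image->matte ? 2 : 1` change in the first hunk is only correct if `image->matte` is already final at that point and the code that later unpacks `out_buf` reads the same number of samples per pixel. Both of those are outside the hunks shown and should be confirmed in the patched ReadJXLImage().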


@ -26,7 +26,7 @@
Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick
Version: 1.3.41
Release: 1
Release: 2
License: MIT
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@ -35,7 +35,9 @@ Source1: urw-fonts-1.0.7pre44.tar.bz2
#S1 https://gitee.com/src-openeuler/urw-base35-fonts.git
Url: http://www.graphicsmagick.org/
Patch002: GraphicsMagick-1.3.31-perl_linkage.patch
Patch0: GraphicsMagick-1.3.31-perl_linkage.patch
Patch1: CVE-2025-27795.patch
Patch2: CVE-2025-32460.patch
BuildRequires: bzip2-devel
BuildRequires: freetype-devel
@ -151,6 +153,8 @@ GraphicsMagick documentation and usage introduction.
%prep
%setup -q
%patch -P 1 -p1
%patch -P 2 -p1
%if 0%{?urw_font_bundle}
mkdir -p urw-fonts
@ -158,7 +162,7 @@ tar --directory=urw-fonts/ -xf %{SOURCE1}
rm -f urw-fonts/ChangeLog urw-fonts/README* urw-fonts/fonts*
%endif
%patch002 -p1 -b .perl_linkage
%patch -P 0 -p1 -b .perl_linkage
for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do
iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
@ -338,6 +342,9 @@ exit 1
%{_mandir}/man3/*
%changelog
* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1.3.41-2
- Fix CVE-2025-27795 and CVE-2025-32460
* Tue Aug 29 2023 xu_ping <707078654@qq.com> - 1.3.41-1
- Upgrade 1.3.41 to fix gm convert command failed.