Fix CVE-2025-43965 and CVE-2025-46393

(cherry picked from commit 57f3c0315f4f11bbc2019fc71ccff2075f941386)
2025-04-29 17:18:18 +08:00 · 2025-04-29 17:18:18 +08:00 · 9a92ff56a7
commit 9a92ff56a7
parent a8c2434369
3 changed files with 64 additions and 1 deletions
--- a/CVE-2025-43965.patch
+++ b/CVE-2025-43965.patch
@ -0,0 +1,22 @@
 From bac413a26073923d3ffb258adaab07fb3fe8fdc9 Mon Sep 17 00:00:00 2001
 From: Dirk Lemstra <dirk@lemstra.org>
 Date: Sat, 8 Feb 2025 23:31:39 +0100
 Subject: [PATCH] Update the image depth after this has been changed by
 SetQuantumFormat.
 ---
 coders/miff.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/coders/miff.c b/coders/miff.c
 index 66f8d3850bf..77e92500679 100644
 --- a/coders/miff.c
 +++ b/coders/miff.c
@@ -1335,6 +1335,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
     if (quantum_format != UndefinedQuantumFormat)
       {
         status=SetQuantumFormat(image,quantum_info,quantum_format);
 +        image->depth=quantum_info->depth;
         if (status == MagickFalse)
           ThrowMIFFException(ResourceLimitError,"MemoryAllocationFailed");
       }
--- a/CVE-2025-46393.patch
+++ b/CVE-2025-46393.patch
@ -0,0 +1,36 @@
 From 81ac8a0d2eb21739842ed18c48c7646b7eef65b8 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Fri, 7 Feb 2025 20:57:15 -0500
 Subject: [PATCH] multispectral MIFF images renders all channels in arbitrary
 order
 ---
 coders/miff.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/coders/miff.c b/coders/miff.c
 index 355455bc50e..398f66d0b66 100644
 --- a/coders/miff.c
 +++ b/coders/miff.c
@@ -1347,10 +1347,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
       packet_size+=image->depth/8;
     if (image->colorspace == CMYKColorspace)
       packet_size+=image->depth/8;
 +    if (image->number_meta_channels != 0)
 +      packet_size=GetImageChannels(image)*image->depth/8;
     if (image->compression == RLECompression)
       packet_size++;
 -    if (image->number_meta_channels != 0)
 -      packet_size+=image->number_meta_channels*image->depth/8;
     compress_extent=MagickMax(MagickMax(BZipMaxExtent(packet_size*
       image->columns),LZMAMaxExtent(packet_size*image->columns)),
       ZipMaxExtent(packet_size*image->columns));
@@ -2171,7 +2171,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
     if (compression == RLECompression)
       packet_size++;
     if (image->number_meta_channels != 0)
 -      packet_size+=image->number_meta_channels*image->depth/8;
 +      packet_size=GetImageChannels(image)*image->depth/8;
     length=MagickMax(BZipMaxExtent(packet_size*image->columns),ZipMaxExtent(
       packet_size*image->columns));
     if ((compression == BZipCompression) || (compression == ZipCompression))
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,12 +1,14 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        7.1.1.15
-Release:        1
+Release:        2
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
 Source0:        https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-15.tar.gz
 Patch1:         CVE-2023-5341.patch
 Patch2:         CVE-2025-43965.patch
 Patch3:         CVE-2025-46393.patch
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -161,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*
 %changelog
 * Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1:7.1.1.15-2
 - Fix CVE-2025-43965 and CVE-2025-46393
 * Mon Oct 23 2023 wulei <wu_lei@hoperun.com> - 1:7.1.1.15-1
 - Update to 7.1.1.15