[Buildroot] [PATCH] package/imagemagick: security bump to v7.1.2-3

Thomas Perale thomas.perale at mind.be
Wed Sep 3 17:24:21 UTC 2025


Hi Titouan,

In reply to:
> This fixes the following vulnerabilities:
> - CVE-2023-5341:
>     A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
>     https://www.cve.org/CVERecord?id=CVE-2023-5341

Seems like CVE-2023-5341 was a false positive. The fix [1] was already part
of 7.1.1-43.

[1] https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1

> - CVE-2025-55004:
>     ImageMagick is free and open-source software used for editing and
>     manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
>     vulnerable to heap-buffer overflow read around the handling of images
>     with separate alpha channels when performing image magnification in
>     ReadOneMNGIMage. This can likely be used to leak subsequent memory
>     contents into the output image. This issue has been patched in version
>     7.1.2-1.
>     https://www.cve.org/CVERecord?id=CVE-2025-55004
> 
> - CVE-2025-55005:
>     ImageMagick is free and open-source software used for editing and
>     manipulating digital images. Prior to version 7.1.2-1, when preparing
>     to transform from Log to sRGB colorspaces, the logmap construction
>     fails to handle cases where the reference-black or reference-white
>     value is larger than 1024. This leads to corrupting memory beyond the
>     end of the allocated logmap buffer. This issue has been patched in
>     version 7.1.2-1.
>     https://www.cve.org/CVERecord?id=CVE-2025-55005
> 
> - CVE-2025-55160:
>     ImageMagick is free and open-source software used for editing and
>     manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
>     there is undefined behavior (function-type-mismatch) in splay tree
>     cloning callback. This results in a deterministic abort under UBSan
>     (DoS in sanitizer builds), with no crash in a non-sanitized build.
>     This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
>     https://www.cve.org/CVERecord?id=CVE-2025-55160
> 
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>


Regards,
Thomas

> ---
>  package/imagemagick/imagemagick.hash | 2 +-
>  package/imagemagick/imagemagick.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
> index 2983b511cc..f260a0e0fb 100644
> --- a/package/imagemagick/imagemagick.hash
> +++ b/package/imagemagick/imagemagick.hash
> @@ -1,3 +1,3 @@
>  # Locally computed
> -sha256  ceb972266b23dc7c1cfce0da5a7f0c9acfb4dc81f40eb542a49476fedbc2618f  imagemagick-7.1.1-43.tar.gz
> +sha256  b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d  imagemagick-7.1.2-3.tar.gz
>  sha256  a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec  LICENSE
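Review bot: the new tarball hash on the `+sha256` line sits under the existing `# Locally computed` comment, so there is no upstream-published value a reader can cross-check it against; the commit message should state how the hash was obtained (for instance that the 7.1.2-3 GitHub tarball was downloaded and its sha256 computed locally) so reviewers can reproduce it. The LICENSE hash is unchanged, which is consistent with the `.mk` hunk still declaring Apache-2.0 and the same `LICENSE` file.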
> diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
> index 6bbda40396..30cacc7f1a 100644
> --- a/package/imagemagick/imagemagick.mk
> +++ b/package/imagemagick/imagemagick.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -IMAGEMAGICK_VERSION = 7.1.1-43
> +IMAGEMAGICK_VERSION = 7.1.2-3
>  IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
>  IMAGEMAGICK_LICENSE = Apache-2.0
>  IMAGEMAGICK_LICENSE_FILES = LICENSE
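Review bot: the commit message accompanying this `IMAGEMAGICK_VERSION` bump lists CVE-2023-5341 as fixed, but as noted above the referenced upstream fix is already contained in the 7.1.1-43 baseline being replaced, so that entry should be dropped from the message before the patch is applied. The remaining three entries (CVE-2025-55004, CVE-2025-55005, CVE-2025-55160) are each described as patched in 7.1.2-1, which the jump to 7.1.2-3 covers; since the bump goes past 7.1.2-1, it would help to say briefly why 7.1.2-3 rather than 7.1.2-1 was chosen (e.g. latest release at the time).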
> -- 
> 2.51.0
> 
