Bug- and security-fix release. Shortlog:
https://github.com/ImageMagick/ImageMagick/compare/7.1.2-17...7.1.2-18
Also remove the obsolete CVE_STATUS assignments - all of these have been corrected
at NVD, and they are tracked with a version/CPE that mirrors the real vulnerability
state of the recipe.
While at it, also corrected the reason for the remaining CVE_STATUS assignments.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changelog:
===========
* client: Fix use-after-free when creating async proxy failed
* daemon: Fix race on subscribers list when on thread
* ftp: Validate fe_size when parsing symlink target
* ftp: Check localtime() return value before use
* CVE-2026-28295: ftp: Use control connection address for PASV data
* CVE-2026-28296: ftp: Reject paths containing CR/LF characters
* gphoto2: Use g_try_realloc() instead of g_realloc()
* cdda: Reject path traversal in mount URI host
* client: Fail when URI has invalid UTF-8 chars
* Some other fixes
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The logic used is:
- We check if the required tools are present or not
- We used magick to create a raw RGB file
- The created RGB is then converted to PNG using convert
- We regenerate RGB from PNG and compare the original and regenerated RGB
- Enabled the ptest in ptest-packagelists-meta-oe.inc as
suggested by Gyorgy Sarvari and incorporated logging suggestion
- This was done as standard imagemagick tests like drawtest require manual
intervention to verify the file
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The ImageMagick 7 suite installs multiple tool symlinks (animate, convert,
identify, etc.) each implemented by their corresponding *.im7 binaries.
The main 'magick' CLI wrapper binary was not included in the ALTERNATIVE list.
This leaves '/usr/bin/magick' missing in the image, causing scripts and ptests
that rely on the primary 'magick' CLI to fail.
Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This release contains fixes for the following vulnerabilities:
CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101,
CVE-2025-55004, CVE-2025-55005, CVE-2025-55154, CVE-2025-55160,
CVE-2025-55212, CVE-2025-55298, CVE-2025-57803, CVE-2025-57807
Also remove jp2 PACKAGECONFIG: it was superseded by openjpeg
PACKAGECONFIG, which also provides jpeg 2000 support.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When PACKAGECONFIG options like 'cxx', 'webp' and 'xml' are disabled,
certain files such as Magick++-config.im7, configure.xml, or
delegates.xml are not installed. Unconditionally running sed
on these files results in errors during do_install.
Error:
sed: can't read .../image/usr/bin/Magick++-config.im7: No such file or directory
Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This CVE is fixed by
aa673b2e4d
It is tracked as 'fixed in next version' - 7.1.2 (which does not exist)
in NVD DB.
.../tmp/work/core2-64-poky-linux/imagemagick/7.1.1-43/git$ git describe aa673b2e4defc7cad5bec16c4fc8324f71e531f1 --tags
7.1.1-18-4-gaa673b2e4d
.../tmp/work/core2-64-poky-linux/imagemagick/7.1.1-43/git$ git tag --contains aa673b2e4defc7cad5bec16c4fc8324f71e531f1 | head -n1
7.1.1-19
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* move version part after dash to PV
* set git tag regex
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update status for:
CVE-2016-7534, CVE-2016-7535, CVE-2016-7536, CVE-2016-7537, CVE-2016-7538, CVE-2017-5506, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511, CVE-2007-1667
CPE is incorrect, the current version (7.1.1) is not affected.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These allow the use of imagemagick in SDKs where it is useful to perform
image analysis such as on the autobuilder for screenshot processing
during QA testing.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is detected during configure due to AC_SYS_LARGEFILE autoconf macro
which is set to 64 if off_t is 64bit and then assigned to
-D_FILE_OFFSET_BITS=${ac_cv_sys_file_offset_bits} and system expects it
to be a number not a string.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a new PACKAGECONFIG switch for building C++ bindings for
imagemagick.
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
master branch on the repository has been renamed in upstream to main.
Signed-off-by: Kartikey Rameshbhai Parmar <kartikey.rameshbhai.parmar@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The ImageMagick license requires that attribution notices contained in
the NOTICE file are distributed along with a derivative work. Thus it makes
sense to collect the NOTICE file in the deploy/licenses directory.
Signed-off-by: Mark Jonas <toertel@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Only the copyright date for the LICENSE file changed.
Add PACKAGECONFIG to enable use of tcmalloc.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The LICENSE file checksum updated due to two trivial changes:
- Copyright year updates
- the URL for a web version of the license terms moved.
Add libtool dependencies to avoid:
configure: error: libltdl is required for modules and OpenCL builds
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade imagemagick from 7.0.5 patchset 6 to 7.0.9 patchset 9.
* update SRC_URI. Replace tarball with git repo, since only the
latest tarball is kept on www.imagemagick.org
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
LICENSE changes are due to copyright year increments and
a URL changing from http to https.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Although it does not have an obvious name (gvc), Graphviz is an
optional library configurable via configure.ac.
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>