Conversation

@martincostello

Updates

  • Affected products

Comments
These NuGet packages are not affected by the vulnerability: dlemstra/Magick.NET#1937 (comment)

@github

github commented Dec 4, 2025

Hi there @dlemstra! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings December 4, 2025 12:17
@github-actions github-actions bot changed the base branch from main to martincostello/advisory-improvement-6499 December 4, 2025 12:18
Copilot finished reviewing on behalf of martincostello December 4, 2025 12:19
@dlemstra

dlemstra commented Dec 4, 2025

Please make this change.

Copilot AI left a comment

Pull request overview

This PR attempts to update a GitHub security advisory (GHSA-q3hc-j9x5-mp9m) for an ImageMagick vulnerability (CVE-2025-65955) to reflect that NuGet packages are not affected. However, the implementation creates invalid advisory data by leaving an affected package entry with an empty package name and an incomplete version range.

Key Changes

  • Updated the modification timestamp by 2 seconds
  • Changed the package name from "Magick.NET-Q16-AnyCPU" to an empty string
  • Removed all additional NuGet package variants and their version constraints while leaving a malformed affected entry

"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
"name": ""
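Review bot: Replacing the package name with `""` while keeping `"ecosystem": "NuGet"` leaves an affected-product object that names no package, so it neither tells Magick.NET consumers they are unaffected nor drops the NuGet coverage cleanly; the whole object in the `affected` array should be deleted rather than blanked.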

Copilot AI Dec 4, 2025

The package name is set to an empty string. If these NuGet packages are not affected by the vulnerability, this entire affected package entry should be removed instead of leaving an empty package name, which creates invalid advisory data. Consider removing the entire package object (lines 18-33) from the "affected" array.

Author

Artifact from unremovable auto-added package entry in the form. All the entries should just have been removed. I can't edit the file here though to remove it.

"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
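Review bot: Dropping `last_affected` while keeping `"introduced": "0"` does not make the range empty; in OSV-style range semantics a range whose events contain only an `introduced` point is open-ended, so this entry would now claim that every version from 0 onward is affected, the opposite of what the PR intends. Remove the range together with its parent `affected` object.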

Copilot AI Dec 4, 2025

The "last_affected" field is removed but "introduced": "0" remains. This creates an incomplete range specification with only an introduction point but no end boundary. If the packages are not affected, the entire affected entry should be removed rather than leaving a malformed range.

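The two review comments above describe the shape problems this kind of edit leaves behind in advisory data: an affected entry with an empty package name, and a range whose events carry an `introduced` point but no `fixed` or `last_affected` end. The checker below is an added example, not part of the advisory database tooling or of this PR; it runs over a constructed JSON fragment that mirrors the malformed entry and reports both defects, which is the kind of lint a maintainer can run before submitting a community contribution.

```python
import json

# Constructed sample (not the advisory's real file): the affected entry as
# this PR would have left it, with an empty name and an open-ended range.
SAMPLE_ADVISORY = json.loads("""
{
  "affected": [
    {
      "package": {"ecosystem": "NuGet", "name": ""},
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}
      ]
    }
  ]
}
""")

# Constructed well-formed counterpart: a named package and a bounded range.
WELL_FORMED_ADVISORY = json.loads("""
{
  "affected": [
    {
      "package": {"ecosystem": "NuGet", "name": "example-package"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"last_affected": "1.2.3"}]}
      ]
    }
  ]
}
""")


def check_affected_entry(entry):
    """Return a list of problems found in one 'affected' object."""
    problems = []
    pkg = entry.get("package", {})
    if not pkg.get("name"):
        # An ecosystem with no package name matches nothing and is invalid.
        problems.append("empty package name for ecosystem %r"
                        % pkg.get("ecosystem"))
    for idx, rng in enumerate(entry.get("ranges", [])):
        events = rng.get("events", [])
        has_introduced = any("introduced" in ev for ev in events)
        has_end = any("fixed" in ev or "last_affected" in ev for ev in events)
        if has_introduced and not has_end:
            # Only an 'introduced' point: every later version reads as affected.
            problems.append("range %d is open-ended (introduced but no "
                            "fixed/last_affected)" % idx)
        if not events:
            problems.append("range %d has no events" % idx)
    return problems


def check_advisory(advisory):
    """Map each affected-entry index to its list of problems."""
    return {i: check_affected_entry(entry)
            for i, entry in enumerate(advisory.get("affected", []))}


if __name__ == "__main__":
    for name, adv in (("malformed", SAMPLE_ADVISORY),
                      ("well-formed", WELL_FORMED_ADVISORY)):
        print(name, json.dumps(check_advisory(adv), indent=2))
```

The checker flags the open-ended range separately from the empty name because the two have different consequences: the empty name stops the entry from matching any real package, while the unbounded range, if it did match, would mark every version as affected. The right fix for an advisory that no longer covers an ecosystem is to delete the whole `affected` object, which makes both findings disappear.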
@yhidad31

yhidad31 commented Dec 5, 2025

Hello @martincostello, the advisory has been submitted for withdrawal. Thank you for contributing to the GitHub Advisory Database and your effort to help the community stay secure!

@yhidad31 yhidad31 closed this Dec 5, 2025
@github-actions github-actions bot deleted the martincostello-GHSA-q3hc-j9x5-mp9m branch December 5, 2025 23:55
@dlemstra

dlemstra commented Dec 6, 2025

The advisory should not be withdrawn? Only the part where it mentions the Magick.NET libraries should be removed @yhidad31?
