
[SECURITY] [DLA 4297-1] imagemagick security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4297-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
September 10, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.11.60+dfsg-1.3+deb11u6
CVE ID         : CVE-2025-53014 CVE-2025-53019 CVE-2025-53101 CVE-2025-55154 
                 CVE-2025-55212 CVE-2025-55298 CVE-2025-57803 CVE-2025-57807
Debian Bug     : 1109339 1111103 1111586 1111587 1112469 1114520

Multiple vulnerabilities were fixed in imagemagick, an image manipulation
software suite.

CVE-2025-53014

    A heap buffer overflow was found in the `InterpretImageFilename`
    function. The issue stems from an off-by-one error that causes
    out-of-bounds memory access when processing format strings
    containing consecutive percent signs (`%%`).

CVE-2025-53019

    In ImageMagick's `magick stream` command, specifying multiple
    consecutive `%d` format specifiers in a filename template
    caused a memory leak.

CVE-2025-53101

    In ImageMagick's `magick mogrify` command, specifying
    multiple consecutive `%d` format specifiers in a filename
    template caused internal pointer arithmetic to generate
    an address below the beginning of the stack buffer,
    resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154

    The magnified size calculations in ReadOneMNGImage
    (in coders/png.c) are unsafe and can overflow,
    leading to memory corruption.

CVE-2025-55212

    Passing a geometry string containing only a colon (":")
    to montage -geometry leads GetGeometry() to set width/height
    to 0. Later, ThumbnailImage() divides by these zero dimensions,
    triggering a crash (SIGFPE/abort).
    
CVE-2025-55298

    A format string vulnerability exists in the InterpretImageFilename
    function, where user input is directly passed to FormatLocaleString
    without proper sanitization. An attacker can overwrite arbitrary
    memory regions, enabling a wide range of attacks from heap
    overflow to remote code execution.
    
CVE-2025-57803

    A 32-bit integer overflow in the BMP encoder's scanline-stride
    computation collapses bytes_per_line (stride) to a tiny
    value while the per-row writer still emits 3 × width bytes
    for 24-bpp images. The row base pointer advances using the
    (overflowed) stride, so the first row immediately writes
    past its slot and into adjacent heap memory with
    attacker-controlled bytes.
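
    The arithmetic behind this bug class, as an added example that is not
    ImageMagick's code: it uses the standard BMP rule that rows are padded
    to 4 bytes, and the function names and the sample width are constructed
    for illustration. It only computes sizes and never writes pixel data.

```c
#include <stdint.h>
#include <stdio.h>

/* Stride computed entirely in 32-bit arithmetic: width * bpp wraps
   modulo 2^32 for large widths (models the defect, hypothetical name). */
static uint32_t stride_unchecked32(uint32_t width, uint32_t bpp)
{
    return 4u * ((width * bpp + 31u) / 32u);
}

/* Bytes the per-row writer emits for a 24-bpp row (3 x width). */
static uint64_t row_payload24(uint32_t width)
{
    return 3ull * width;
}

/* Hardened form: widen before multiplying, then reject any stride that
   does not fit the 32-bit field. Returns 0 on success, -1 on rejection. */
static int stride_checked(uint32_t width, uint32_t bpp, uint32_t *stride)
{
    uint64_t bits, bytes;

    if (width == 0 || bpp == 0 || bpp > 32)
        return -1;
    bits = (uint64_t)width * bpp;          /* at most ~2^37, cannot wrap */
    bytes = 4u * ((bits + 31u) / 32u);     /* pad row to 4-byte boundary */
    if (bytes > UINT32_MAX)
        return -1;
    *stride = (uint32_t)bytes;
    return 0;
}

int main(void)
{
    /* Constructed sample: smallest width where width * 24 exceeds 2^32. */
    uint32_t width = 178956971u, safe = 0;

    printf("unchecked stride : %u bytes\n", stride_unchecked32(width, 24u));
    printf("row payload      : %llu bytes\n",
           (unsigned long long)row_payload24(width));
    if (stride_checked(width, 24u, &safe) == 0)
        printf("checked stride   : %u bytes\n", safe);
    if (stride_checked(UINT32_MAX, 24u, &safe) != 0)
        printf("width %u rejected: stride exceeds 32 bits\n", UINT32_MAX);
    return 0;
}
```

    A buffer sized from the unchecked stride is far smaller than the row
    payload, which is the mismatch the advisory describes.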

CVE-2025-57807

    A security problem was found in SeekBlob(), which permits
    advancing the stream offset beyond the current end without
    increasing capacity, and WriteBlob(), which then expands by
    quantum + length (amortized) instead of offset + length,
    and copies to data + offset. When offset ≫ extent, the
    copy targets memory beyond the allocation, producing a
    deterministic heap write on 64-bit builds. No 2⁶⁴
    arithmetic wrap, external delegates, or policy settings
    are required.

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u6.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS