On Sunday, 19 October 2025, 21:02:54 Central European Summer Time, Salvatore Bonaccorso wrote:
> CVE-2025-53014, CVE-2025-53019 and CVE-2025-53101.
>
I do not understand:
imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4) bookworm-security; urgency=medium

  * Fix CVE-2025-53014:
    A heap buffer overflow was found in the `InterpretImageFilename`
    function. The issue stems from an off-by-one error that causes
    out-of-bounds memory access when processing format strings
    containing consecutive percent signs (`%%`).
    (Closes: #1109339)
  * Fix CVE-2025-53019:
    ImageMagick's `magick stream` command, specifying multiple
    consecutive `%d` format specifiers in a filename template
    causes a memory leak
  * Fix CVE-2025-53101:
    ImageMagick's `magick mogrify` command, specifying
    multiple consecutive `%d` format specifiers in a filename
    template causes internal pointer arithmetic to generate
    an address below the beginning of the stack buffer,
    resulting in a stack overflow through `vsnprintf()`.
  * Fix CVE-2025-55154:
    the magnified size calculations in ReadOneMNGIMage
    (in coders/png.c) are unsafe and can overflow,
    leading to memory corruption.
    (Closes: #1111103)
  * Fix CVE-2025-55212:
    passing a geometry string containing only a colon (":")
    to montage -geometry leads GetGeometry() to set width/height
    to 0. Later, ThumbnailImage() divides by these zero dimensions,
    triggering a crash (SIGFPE/abort)
    (Closes: #1111587)
  * Fix CVE-2025-55298:
    A format string bug vulnerability exists in InterpretImageFilename
    function where user input is directly passed to FormatLocaleString
    without proper sanitization. An attacker can overwrite arbitrary
    memory regions, enabling a wide range of attacks from heap
    overflow to remote code execution.
    (Closes: #1111586)
  * Fix CVE-2025-57803:
    A 32-bit integer overflow in the BMP encoder's scanline-stride
    computation collapses bytes_per_line (stride) to a tiny
    value while the per-row writer still emits 3 × width bytes
    for 24-bpp images. The row base pointer advances using the
    (overflowed) stride, so the first row immediately writes
    past its slot and into adjacent heap memory with
    attacker-controlled bytes.
    (Closes: #1112469)
  * Fix CVE-2025-57807:
    A security problem was found in SeekBlob(), which permits
    advancing the stream offset beyond the current end without
    increasing capacity, and WriteBlob(), which then expands by
    quantum + length (amortized) instead of offset + length,
    and copies to data + offset. When offset ≫ extent, the
    copy targets memory beyond the allocation, producing a
    deterministic heap write on 64-bit builds. No 2⁶⁴
    arithmetic wrap, external delegates, or policy settings
    are required.
    (Closes: #1114520)
rouca
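The growth mistake described in the CVE-2025-57807 entry above (WriteBlob() growing by quantum + length while copying to data + offset), shown as an added C example that is not part of the message and not ImageMagick's code: a simplified blob model where `buggy_new_extent()` reproduces the described capacity arithmetic as a number only, and `blob_write()` applies the check that covers offset + length and refuses size_t overflow. `Blob`, `blob_seek`, `blob_write`, `buggy_new_extent` and `required_extent` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical growable blob; not ImageMagick's structure. */
typedef struct {
    unsigned char *data;
    size_t length;  /* bytes logically written so far (end of stream) */
    size_t extent;  /* bytes allocated */
    size_t offset;  /* stream position; may exceed length after a seek */
    size_t quantum; /* growth step */
} Blob;

/* Capacity the changelog says the buggy WriteBlob() reserved: grow from the
   old extent by quantum + length, ignoring how far the offset was seeked.
   Computed only, never used to allocate here. */
size_t buggy_new_extent(const Blob *b, size_t length) {
    return b->extent + b->quantum + length;
}

/* Capacity that actually covers a write at the current offset.
   Returns 0 on size_t overflow so the caller refuses the write. */
size_t required_extent(const Blob *b, size_t length) {
    size_t need;
    if (length > SIZE_MAX - b->offset) return 0;
    need = b->offset + length;
    if (need <= b->extent) return b->extent;
    if (b->quantum > SIZE_MAX - need) return 0;
    return need + b->quantum;
}

/* Seek is allowed to move past the end without allocating, as on the page. */
void blob_seek(Blob *b, size_t offset) { b->offset = offset; }

/* Hardened write: grow to cover offset + length, zero-fill the gap a seek
   left between length and offset, then copy at data + offset.
   Returns bytes written, 0 on refusal or allocation failure. */
size_t blob_write(Blob *b, const unsigned char *src, size_t length) {
    size_t need = required_extent(b, length);
    if (need == 0) return 0;
    if (need > b->extent) {
        unsigned char *p = realloc(b->data, need);
        if (p == NULL) return 0;
        b->data = p;
        b->extent = need;
    }
    if (b->offset > b->length)
        memset(b->data + b->length, 0, b->offset - b->length);
    memcpy(b->data + b->offset, src, length);
    b->offset += length;
    if (b->offset > b->length) b->length = b->offset;
    return length;
}
```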