
Bug#1118414: bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u5



Hi,

On Sun, Oct 19, 2025 at 09:33:54PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Oct 19, 2025 at 09:04:40PM +0200, Bastien Roucaries wrote:
> > On Sunday, 19 October 2025, 21:02:54 Central European Summer Time,
> > Salvatore Bonaccorso wrote:
> > > CVE-2025-53014, CVE-2025-53019 and CVE-2025-53101.
> > > 
> > I do not understand: imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4)
> > bookworm-security; urgency=medium
> > 
> >   * Fix CVE-2025-53014:
> >     A heap buffer overflow was found in the `InterpretImageFilename`
> >     function. The issue stems from an off-by-one error that causes
> >     out-of-bounds memory access when processing format strings
> >     containing consecutive percent signs (`%%`).
> >     (Closes: #1109339)
> >   * Fix CVE-2025-53019:
> >     ImageMagick's `magick stream` command, specifying multiple
> >     consecutive `%d` format specifiers in a filename template
> >     causes a memory leak
> >   * Fix CVE-2025-53101:
> >     ImageMagick's `magick mogrify` command, specifying
> >     multiple consecutive `%d` format specifiers in a filename
> >     template causes internal pointer arithmetic to generate
> >     an address below the beginning of the stack buffer,
> >     resulting in a stack overflow through `vsnprintf()`.
> >   * Fix CVE-2025-55154:
> >     the magnified size calculations in ReadOneMNGIMage
> >     (in coders/png.c) are unsafe and can overflow,
> >     leading to memory corruption.
> >     (Closes: #1111103)
> >   * Fix CVE-2025-55212:
> >     passing a geometry string containing only a colon (":")
> >     to montage -geometry leads GetGeometry() to set width/height
> >     to 0. Later, ThumbnailImage() divides by these zero dimensions,
> >     triggering a crash (SIGFPE/abort)
> >     (Closes: #1111587)
> >   * Fix CVE-2025-55298:
> >     A format string bug vulnerability exists in InterpretImageFilename
> >     function where user input is directly passed to FormatLocaleString
> >     without proper sanitization. An attacker can overwrite arbitrary
> >     memory regions, enabling a wide range of attacks from heap
> >     overflow to remote code execution.
> >     (Closes: #1111586)
> >   * Fix CVE-2025-57803:
> >     A 32-bit integer overflow in the BMP encoder’s scanline-stride
> >     computation collapses bytes_per_line (stride) to a tiny
> >     value while the per-row writer still emits 3 × width bytes
> >     for 24-bpp images. The row base pointer advances using the
> >     (overflowed) stride, so the first row immediately writes
> >     past its slot and into adjacent heap memory with
> >     attacker-controlled bytes.
> >     (Closes: #1112469)
> >   * Fix CVE-2025-57807:
> >     A security problem was found in SeekBlob(), which permits
> >     advancing the stream offset beyond the current end without
> >     increasing capacity, and WriteBlob(), which then expands by
> >     quantum + length (amortized) instead of offset + length,
> >     and copies to data + offset. When offset ≫ extent, the
> >     copy targets memory beyond the allocation, producing a
> >     deterministic heap write on 64-bit builds. No 2⁶⁴
> >     arithmetic wrap, external delegates, or policy settings
> >     are required.
> >     (Closes: #1114520)
> 
> That is weird, I will double check what happened back then with the
> released DSA for 8:6.9.11.60+dfsg-1.6+deb12u4. Maybe then it is just
> wrong tracking.

Indeed, I double-checked the debdiff as well and it looks good. I have
just updated the security-tracker accordingly, as the DSA did not have
an overlapping set of CVEs fixed in bookworm and trixie.

Regards,
Salvatore
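As an added illustration, not part of this thread and not ImageMagick's code, the two mechanisms described in the quoted changelog entries for CVE-2025-57803 and CVE-2025-57807 (a scanline stride computed in 32-bit arithmetic that wraps, and a blob whose write path grows from its current extent rather than from the write offset) are modelled below in C. Every type and function name is hypothetical, the width and offsets are constructed, and the "hardened" variants show the checks a practitioner would expect, not the upstream fix itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration written for this page; NOT ImageMagick's code.
 * All names are hypothetical and all inputs are constructed. */

/* --- CVE-2025-57803 class: stride computed in 32-bit arithmetic --- */

/* Vulnerable shape: BMP rows are padded to 4 bytes, but every intermediate
 * is 32-bit, so width * 24 wraps for width >= 2^27 and the stride comes out
 * smaller than the 3 * width bytes a 24-bpp row actually needs. */
static uint32_t stride_24bpp_u32(uint32_t width) {
    return ((width * 24u + 31u) / 32u) * 4u;
}

/* Hardened shape: widen before multiplying, then verify the stride can hold
 * one row and fits in size_t.  Returns 0 on any failure (0 is never valid). */
static size_t stride_24bpp_checked(uint32_t width) {
    uint64_t bits = (uint64_t)width * 24u;
    uint64_t stride = ((bits + 31u) / 32u) * 4u;
    if (width == 0 || stride < (uint64_t)width * 3u || stride > (uint64_t)SIZE_MAX)
        return 0;
    return (size_t)stride;
}

/* --- CVE-2025-57807 class: seek past the end, then grow by the wrong amount --- */

typedef struct {
    unsigned char *data;
    size_t capacity;  /* bytes allocated */
    size_t length;    /* logical end of stream (bytes written so far) */
    size_t offset;    /* stream position; a seek may put it beyond length */
    size_t quantum;   /* growth granularity */
} Blob;

/* The growth rule the changelog describes: grow from the current extent by
 * max(quantum, length), ignoring where the write actually lands. */
static size_t buggy_capacity_after_write(size_t extent, size_t quantum, size_t length) {
    return extent + (length > quantum ? length : quantum);
}

static void blob_init(Blob *b, size_t quantum) {
    memset(b, 0, sizeof *b);
    b->quantum = quantum ? quantum : 1;
}

/* Seeking beyond the current end is a legitimate sparse write; the write
 * path, not the seek, has to account for it. */
static void blob_seek(Blob *b, size_t offset) {
    b->offset = offset;
}

/* Hardened write: required size is offset + length (overflow-checked), not
 * extent + length, and the hole opened by the seek is zero-filled. */
static int blob_write(Blob *b, const unsigned char *src, size_t length) {
    if (length > SIZE_MAX - b->offset) return -1;            /* offset + length wraps */
    size_t need = b->offset + length;
    if (need > b->capacity) {
        size_t cap = need;
        if (cap <= SIZE_MAX - b->quantum) cap += b->quantum;  /* amortise, safely */
        unsigned char *p = realloc(b->data, cap);
        if (!p) return -1;
        memset(p + b->capacity, 0, cap - b->capacity);
        b->data = p;
        b->capacity = cap;
    }
    memcpy(b->data + b->offset, src, length);
    b->offset += length;
    if (b->offset > b->length) b->length = b->offset;
    return 0;
}

static void blob_free(Blob *b) { free(b->data); memset(b, 0, sizeof *b); }

/* Scenario from the changelog: empty blob, seek far past its end, then write.
 * Returns 1 if the hardened path placed the bytes correctly and the buggy
 * policy would have allocated less than offset + length. */
static int seek_then_write_scenario(void) {
    static const unsigned char payload[] = "ABCDEFGH";   /* constructed input */
    Blob b;
    blob_init(&b, 16);
    size_t buggy = buggy_capacity_after_write(b.capacity, b.quantum, sizeof payload);
    blob_seek(&b, 4096);
    int ok = blob_write(&b, payload, sizeof payload) == 0
          && b.capacity >= 4096 + sizeof payload
          && b.length == 4096 + sizeof payload
          && memcmp(b.data + 4096, payload, sizeof payload) == 0
          && b.data[0] == 0 && b.data[4095] == 0
          && buggy < 4096 + sizeof payload;
    blob_free(&b);
    return ok;
}

int main(void) {
    uint32_t w = 268435456u;  /* 2^28: width * 24 exceeds 32 bits */
    printf("u32 stride %u vs needed %u, checked stride %zu\n",
           stride_24bpp_u32(w), 3u * w, stride_24bpp_checked(w));
    printf("seek-then-write scenario: %s\n", seek_then_write_scenario() ? "ok" : "FAIL");
    return 0;
}
```

For the constructed width 2^28 the 32-bit stride collapses to 2^28 bytes while a 24-bpp row needs 3 * 2^28, which is the mismatch the changelog describes; the checked version returns the full 805306368. In the blob scenario the buggy policy would grow an empty blob to 16 bytes for a write at offset 4096, whereas the hardened path sizes the allocation from the offset.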
