[Pkg-gmagick-im-team] Bug#1109339: imagemagick: CVE-2025-53014 CVE-2025-53015 CVE-2025-53019 CVE-2025-53101
Moritz Mühlenhoff
jmm at inutil.org
Tue Jul 15 13:34:55 BST 2025
Package: imagemagick
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for imagemagick.
CVE-2025-53014[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26
| have a heap buffer overflow in the `InterpretImageFilename`
| function. The issue stems from an off-by-one error that causes out-
| of-bounds memory access when processing format strings containing
| consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix
| the issue.
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
CVE-2025-53015[1]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0, infinite
| lines occur when writing during a specific XMP file conversion
| command. Version 7.1.2-0 fixes the issue.
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g
CVE-2025-53019[2]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0 and
| 6.9.13-26, in ImageMagick's `magick stream` command, specifying
| multiple consecutive `%d` format specifiers in a filename template
| causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc
CVE-2025-53101[3]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0 and
| 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying
| multiple consecutive `%d` format specifiers in a filename template
| causes internal pointer arithmetic to generate an address below the
| beginning of the stack buffer, resulting in a stack overflow through
| `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue.
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 (7.1.2-0)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53014
https://www.cve.org/CVERecord?id=CVE-2025-53014
[1] https://security-tracker.debian.org/tracker/CVE-2025-53015
https://www.cve.org/CVERecord?id=CVE-2025-53015
[2] https://security-tracker.debian.org/tracker/CVE-2025-53019
https://www.cve.org/CVERecord?id=CVE-2025-53019
[3] https://security-tracker.debian.org/tracker/CVE-2025-53101
https://www.cve.org/CVERecord?id=CVE-2025-53101
Please adjust the affected versions in the BTS as needed.
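All four advisories above concern the same code path: expanding a filename template that may contain `%%` and repeated `%d` specifiers. The following is an added example, not ImageMagick's `InterpretImageFilename` or any code from the advisories or the fix commit; it is a minimal, bounds-checked template expander written for illustration. It assumes a simplified grammar (only `%%` and `%d` are recognised; a scene number stands in for ImageMagick's richer format) and shows the two checks that the described defect classes call for: never reading past the terminating NUL when a `%` is the last character, and never writing past the caller's buffer, including when several consecutive `%d` expansions add up to more than the buffer holds. The helper `template_check` is also an assumption of this example, added so the behaviour can be asserted.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not ImageMagick code. Expands a filename template into
 * `out` (capacity `out_len`, including the NUL). Recognises `%%` as a literal
 * percent and `%d` as the decimal scene number. Returns the number of bytes
 * written (excluding NUL), or -1 when the result would not fit or the
 * template is malformed (dangling `%`, unsupported specifier). */
static long expand_filename_template(const char *tmpl, unsigned long scene,
                                     char *out, size_t out_len)
{
    size_t o = 0;
    if (tmpl == NULL || out == NULL || out_len == 0)
        return -1;

    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%') {
            if (o + 1 >= out_len)          /* keep one byte for the NUL */
                return -1;
            out[o++] = *p;
            continue;
        }
        /* We are at a '%'. p[1] is at most the terminating NUL, so this read
         * is always in bounds; a NUL here means a dangling '%'. */
        char spec = p[1];
        if (spec == '%') {
            if (o + 1 >= out_len)
                return -1;
            out[o++] = '%';
            p++;                           /* consume both chars of "%%" */
        } else if (spec == 'd') {
            /* snprintf is given exactly the space that remains; a return
             * value >= remaining space means the number was truncated, which
             * we treat as an error instead of silently continuing. */
            size_t remaining = out_len - o;
            int n = snprintf(out + o, remaining, "%lu", scene);
            if (n < 0 || (size_t)n >= remaining)
                return -1;
            o += (size_t)n;
            p++;                           /* consume the 'd' */
        } else {
            return -1;                     /* unsupported or dangling specifier */
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Test helper (assumption of this example): with `expected` non-NULL,
 * returns 1 iff expansion into a `cap`-byte buffer succeeds and equals
 * `expected`; with `expected` NULL, returns 1 iff expansion is rejected. */
static int template_check(const char *tmpl, unsigned long scene, size_t cap,
                          const char *expected)
{
    char buf[256];
    if (cap > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);          /* canary fill: detect stray writes */
    long n = expand_filename_template(tmpl, scene, buf, cap);
    if (expected == NULL)
        return n == -1;
    if (n < 0 || strlen(expected) != (size_t)n)
        return 0;
    if (strcmp(buf, expected) != 0)
        return 0;
    /* Nothing beyond the NUL inside `cap` may have been touched past the
     * written region, and nothing at all beyond `cap`. */
    for (size_t i = cap; i < sizeof buf; i++)
        if (buf[i] != 'X')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed templates mirroring the cases the advisories mention. */
    const char *cases[] = { "frame-%d.png", "100%%.png", "%d%d%d", "abc%" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[32];
        long n = expand_filename_template(cases[i], 7, buf, sizeof buf);
        if (n < 0)
            printf("%-14s -> rejected\n", cases[i]);
        else
            printf("%-14s -> \"%s\" (%ld bytes)\n", cases[i], buf, n);
    }
    return 0;
}
```

The design point is that every write is preceded by a check against the remaining capacity, and `%d` is expanded with `snprintf` bounded by that same remaining capacity rather than by an assumption about how many digits will appear; repeated `%d` specifiers therefore fail cleanly instead of accumulating past the buffer.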