[Pkg-gmagick-im-team] imagemagick_7.1.2.3+dfsg1-1_source.changes ACCEPTED into unstable
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Sep 6 23:36:45 BST 2025
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Sep 2025 01:44:14 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.2.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Closes: 1111586 1111587 1112469 1114520
Changes:
 imagemagick (8:7.1.2.3+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version.
   * Fix CVE-2025-55212:
     Passing a geometry string containing only a colon (":") to montage
     -geometry leads GetGeometry() to set width/height to 0. Later,
     ThumbnailImage() divides by these zero dimensions, triggering
     a crash (SIGFPE/abort), resulting in a denial of service
     (Closes: #1111587)
   * Fix CVE-2025-55298:
     A format string bug vulnerability exists in InterpretImageFilename
     function where user input is directly passed to FormatLocaleString
     without proper sanitization. An attacker can overwrite arbitrary
     memory regions, enabling a wide range of attacks from heap overflow
     to remote code execution.
     (Closes: #1111586)
   * Fix CVE-2025-57803:
     A 32-bit integer overflow in the BMP encoder’s scanline-stride
     computation collapses bytes_per_line (stride) to a tiny value while
     the per-row writer still emits 3 × width bytes for 24-bpp images.
     The row base pointer advances using the (overflowed) stride,
     so the first row immediately writes past its slot
     and into adjacent heap memory with attacker-controlled bytes.
     (Closes: #1112469)
   * Fix CVE-2025-57807:
     ImageMagick versions include insecure functions: SeekBlob(),
     which permits advancing the stream offset beyond the current end without
     increasing capacity, and WriteBlob(), which then expands by
     quantum + length (amortized) instead of offset + length, and copies
     to data + offset. When offset ≫ extent, the copy targets memory
     beyond the allocation, producing a deterministic heap write
     on 64-bit builds
     (Closes: #1114520)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
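
The CVE-2025-57803 entry above describes a scanline stride that wraps in 32-bit arithmetic. The following is an added example, not ImageMagick's code or the upstream patch: it uses the standard BMP stride formula, and the function names and the sample width are constructed for illustration. It puts the wrapping computation beside a checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Weak pattern (hypothetical helper): BMP rows are padded to 4 bytes, but
   width * bpp is evaluated in 32 bits and can wrap before the division. */
static uint32_t stride_unchecked32(uint32_t width, uint32_t bpp)
{
    return 4U * ((width * bpp + 31U) / 32U);
}

/* True when the 32-bit stride is smaller than the bytes one row needs,
   i.e. the condition under which a row writer would overrun its slot. */
static bool stride_collapsed(uint32_t width, uint32_t bpp)
{
    uint64_t payload = ((uint64_t)width * bpp + 7U) / 8U;
    return stride_unchecked32(width, bpp) < payload;
}

/* Hardened form (hypothetical helper): do the arithmetic in 64 bits and
   refuse any stride that does not fit the format's 32-bit size fields. */
static bool stride_checked(uint32_t width, uint32_t bpp, size_t *stride_out)
{
    if (width == 0 || bpp == 0 || bpp > 32)
        return false;
    uint64_t bits = (uint64_t)width * bpp;        /* < 2^37, cannot wrap */
    uint64_t stride = 4U * ((bits + 31U) / 32U);
    if (stride > UINT32_MAX)
        return false;
    *stride_out = (size_t)stride;
    return true;
}

int main(void)
{
    /* Constructed widths: one ordinary, one where width * 24 exceeds 2^32. */
    const uint32_t widths[] = { 100U, 178956971U };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        size_t good = 0;
        bool ok = stride_checked(widths[i], 24U, &good);
        printf("width=%u 32-bit stride=%u collapsed=%d checked=%s (%zu)\n",
               (unsigned)widths[i],
               (unsigned)stride_unchecked32(widths[i], 24U),
               (int)stride_collapsed(widths[i], 24U),
               ok ? "ok" : "rejected", good);
    }
    return 0;
}
```

A caller still has to bound stride × height before allocating; the checked stride only guarantees that one row fits the slot it is given.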