Thank you for your contribution to Debian.
Mapping oldstable-security to oldstable-proposed-updates.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Sep 2025 23:54:25 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Closes: 1109339 1111103 1111586 1111587 1112469 1114520
Changes:
imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4) bookworm-security; urgency=medium
.
* Fix CVE-2025-53014:
A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).
(Closes: #1109339)
* Fix CVE-2025-53019:
ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
causes a memory leak
* Fix CVE-2025-53101:
ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template causes internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.
* Fix CVE-2025-55154:
the magnified size calculations in ReadOneMNGIMage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.
(Closes: #1111103)
* Fix CVE-2025-55212:
passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort)
(Closes: #1111587)
* Fix CVE-2025-55298:
A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.
(Closes: #1111586)
* Fix CVE-2025-57803:
A 32-bit integer overflow in the BMP encoder’s scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 × width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.
(Closes: #1112469)
* Fix CVE-2025-57807:
A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset ≫ extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2⁶⁴
arithmetic wrap, external delegates, or policy settings
are required.
(Closes: #1114520)
Checksums-Sha1:
79d5b02adec86c1503fd0db2ac8df8a191a0c0d5 5131 imagemagick_6.9.11.60+dfsg-1.6+deb12u4.dsc
824a63dce5e54bd8b78077d671d8ab06300a8848 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
70c71068c5c82ad582e9a523c935256fae4ee3b6 275684 imagemagick_6.9.11.60+dfsg-1.6+deb12u4.debian.tar.xz
7cf8d6c36d053800677eec088ae28c9c2943e29b 8034 imagemagick_6.9.11.60+dfsg-1.6+deb12u4_source.buildinfo
Checksums-Sha256:
520ab1f2e2310d89018595597b4e922291725aea14d5f835b042ba657a0a5190 5131 imagemagick_6.9.11.60+dfsg-1.6+deb12u4.dsc
472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
6d627be6acec16282946f038acb765e8dd0475fc681d17298e84dd0c9593d133 275684 imagemagick_6.9.11.60+dfsg-1.6+deb12u4.debian.tar.xz
ba5ada3a3363e5dc02d0b16a49dfe97ca9a2dc942101c7e5f73d9288ed954155 8034 imagemagick_6.9.11.60+dfsg-1.6+deb12u4_source.buildinfo
Files:
ee9e4cbe88f6e0756a5b9cc1ff64ff69 5131 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u4.dsc
8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional imagemagick_6.9.11.60+dfsg.orig.tar.xz
e2f4a6d8aceaae5796b7dfcf69c69d37 275684 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u4.debian.tar.xz
b69db9c5cafe177d98a6c59f5a71f7b1 8034 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmi+lOARHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF9m1Q/8DzO2RNbgP1Zv9usHCyBsG7wfKga9y9Hi
6dDFx5E6cKbIjx85/4mUAj4DMgenw6WKCc8t81q/5f3HcgV82uv9O8MhqrJBZooH
fEpeKHm4+M8ACc5ZRVHa5bvAT1j3WDfYH2jL/OFlsyrGA17q2NV1NSeHPgJVPxtE
1gKe8++oeHB+TNhAg4WJ6UzHUzMpERSwqaJ//AEIzXYV1ww9djFCUY7/1ynrNjU7
G31M5ZiBInDQFk+5XcpnWZgX2k4Iz8uIrmPh1MR5JKGgkYM7BKwlwJSUBi4e6+Yd
MjD65hEkzY7CHlzlYswYESG+MTrKPZZ/brpuiN4GbzIkIA0P0M5Zca8wVKkq6L/1
kC+JcTsBJzUpP5pBkv0wfFGMk8iW+MBH9YVkW8KlbI+BZiuUQ4OB0ul+iFYKKV6d
B+dgAueAEFkC5oyDTCoF9+IKUrPr5nqy/OKQM5XUNwmHpLMNWEbhX0SF+TtEQ5YC
TfX2BA23zw6MX7DBdTeHzXzX7PCLW5neW6qOkisvx46p/ubKNydoF8BHGC+hlSEk
7IHmGyGE7AvtHK963pKemu+qa+6O+LVIoXSA5ET2fAj9ttPZEDG55xuAdAhtETAj
KViv3wX3OjEwbOOovuAmMqD99Zn9Q1ByG+CpJcRPrhGtqGjM6NO2WO0WSg67qZFR
OTM+OikhAPg=
=CjgP
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20250911/06119d7d/attachment.sig>