Package: imagemagick
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for imagemagick.

CVE-2025-53014[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26
| have a heap buffer overflow in the `InterpretImageFilename`
| function. The issue stems from an off-by-one error that causes
| out-of-bounds memory access when processing format strings containing
| consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix
| the issue.

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f

CVE-2025-53015[1]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0, infinite
| lines occur when writing during a specific XMP file conversion
| command. Version 7.1.2-0 fixes the issue.

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g

CVE-2025-53019[2]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0 and
| 6.9.13-26, in ImageMagick's `magick stream` command, specifying
| multiple consecutive `%d` format specifiers in a filename template
| causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc

CVE-2025-53101[3]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. In versions prior to 7.1.2-0 and
| 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying
| multiple consecutive `%d` format specifiers in a filename template
| causes internal pointer arithmetic to generate an address below the
| beginning of the stack buffer, resulting in a stack overflow through
| `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9
https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 (7.1.2-0)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53014
    https://www.cve.org/CVERecord?id=CVE-2025-53014
[1] https://security-tracker.debian.org/tracker/CVE-2025-53015
    https://www.cve.org/CVERecord?id=CVE-2025-53015
[2] https://security-tracker.debian.org/tracker/CVE-2025-53019
    https://www.cve.org/CVERecord?id=CVE-2025-53019
[3] https://security-tracker.debian.org/tracker/CVE-2025-53101
    https://www.cve.org/CVERecord?id=CVE-2025-53101

Please adjust the affected versions in the BTS as needed.
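As an added triage helper (my own code, not ImageMagick's and not part of the advisories): it parses the upstream version string as printed by `magick -version` or `convert -version`, compares it against the fixed releases named above (7.1.2-0 and 6.9.13-26), and flags filename templates that contain the two patterns the advisories name, adjacent `%d%d` and `%%`, so a service that still runs an unfixed build can refuse such templates before they reach `magick stream` or `magick mogrify`. It assumes the version format `major.minor.patch-release` and deliberately checks only the patterns quoted above, nothing about ImageMagick's real template parser.

```python
import re

# Fixed upstream releases per the advisories: 7.1.2-0 for the 7.x series,
# 6.9.13-26 for the 6.x series. Anything earlier in its series is affected.
FIXED_BY_MAJOR = {7: (7, 1, 2, 0), 6: (6, 9, 13, 26)}

# Patterns named in the advisories (narrow on purpose, mirrors their wording):
# adjacent '%d' specifiers (CVE-2025-53019 / CVE-2025-53101) and '%%' (CVE-2025-53014).
RISKY_PATTERNS = [
    ("consecutive %d", re.compile(r"(?:%d){2,}")),
    ("consecutive %%", re.compile(r"%%")),
]


def parse_version(text):
    """Extract 'major.minor.patch-release' from a version string such as
    'ImageMagick 7.1.1-47 Q16-HDRI x86_64' and return it as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ImageMagick version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the build predates the fix for its major series."""
    version = parse_version(text)
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is None:
        raise ValueError(f"no advisory data for major version {version[0]}")
    return version < fixed  # tuple comparison: major, minor, patch, release


def risky_specifiers(template):
    """Return the names of advisory patterns present in a filename template."""
    return [name for name, rx in RISKY_PATTERNS if rx.search(template)]


def should_reject(version_text, template):
    """Pre-filter verdict: refuse a template that hits a named pattern on an unfixed build."""
    return is_affected(version_text) and bool(risky_specifiers(template))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for ver in ("ImageMagick 7.1.1-47 Q16 x86_64", "ImageMagick 7.1.2-0 Q16", "6.9.13-25"):
        for tmpl in ("frame-%d.png", "frame-%d%d.png", "frame-%%d.png"):
            print(f"{ver!r:40} {tmpl:16} reject={should_reject(ver, tmpl)}")
```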

