Source: imagemagick Version: 8:7.1.2.1+dfsg1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for imagemagick. CVE-2025-57803[0]: | ImageMagick is free and open-source software used for editing and | manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 | for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP | encoder’s scanline-stride computation collapses bytes_per_line | (stride) to a tiny value while the per-row writer still emits 3 × | width bytes for 24-bpp images. The row base pointer advances using | the (overflowed) stride, so the first row immediately writes past | its slot and into adjacent heap memory with attacker-controlled | bytes. This is a classic, powerful primitive for heap corruption in | common auto-convert pipelines. This issue has been patched in | versions 6.9.13-28 and 7.1.2-2. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-57803 https://www.cve.org/CVERecord?id=CVE-2025-57803 [1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm [2] https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
