Hi,
On Sun, Oct 19, 2025 at 09:04:40PM +0200, Bastien Roucaries wrote:
> On Sunday, 19 October 2025 at 21:02:54 Central European Summer Time,
> Salvatore Bonaccorso wrote:
> > CVE-2025-53014, CVE-2025-53019 and CVE-2025-53101.
> >
> I do not understand: imagemagick (8:6.9.11.60+dfsg-1.6+deb12u4)
> bookworm-security; urgency=medium
>
>   * Fix CVE-2025-53014:
>     A heap buffer overflow was found in the `InterpretImageFilename`
>     function. The issue stems from an off-by-one error that causes
>     out-of-bounds memory access when processing format strings
>     containing consecutive percent signs (`%%`).
>     (Closes: #1109339)
>   * Fix CVE-2025-53019:
>     In ImageMagick's `magick stream` command, specifying multiple
>     consecutive `%d` format specifiers in a filename template
>     causes a memory leak.
>   * Fix CVE-2025-53101:
>     In ImageMagick's `magick mogrify` command, specifying
>     multiple consecutive `%d` format specifiers in a filename
>     template causes internal pointer arithmetic to generate
>     an address below the beginning of the stack buffer,
>     resulting in a stack overflow through `vsnprintf()`.
>   * Fix CVE-2025-55154:
>     The magnified size calculations in ReadOneMNGImage
>     (in coders/png.c) are unsafe and can overflow,
>     leading to memory corruption.
>     (Closes: #1111103)
>   * Fix CVE-2025-55212:
>     Passing a geometry string containing only a colon (":")
>     to montage -geometry leads GetGeometry() to set width/height
>     to 0. Later, ThumbnailImage() divides by these zero dimensions,
>     triggering a crash (SIGFPE/abort).
>     (Closes: #1111587)
>   * Fix CVE-2025-55298:
>     A format string vulnerability exists in the InterpretImageFilename
>     function, where user input is directly passed to FormatLocaleString
>     without proper sanitization. An attacker can overwrite arbitrary
>     memory regions, enabling a wide range of attacks from heap
>     overflow to remote code execution.
>     (Closes: #1111586)
>   * Fix CVE-2025-57803:
>     A 32-bit integer overflow in the BMP encoder's scanline-stride
>     computation collapses bytes_per_line (stride) to a tiny
>     value while the per-row writer still emits 3 × width bytes
>     for 24-bpp images. The row base pointer advances using the
>     (overflowed) stride, so the first row immediately writes
>     past its slot and into adjacent heap memory with
>     attacker-controlled bytes.
>     (Closes: #1112469)
>   * Fix CVE-2025-57807:
>     A security problem was found in SeekBlob(), which permits
>     advancing the stream offset beyond the current end without
>     increasing capacity, and in WriteBlob(), which then expands by
>     quantum + length (amortized) instead of offset + length,
>     and copies to data + offset. When offset ≫ extent, the
>     copy targets memory beyond the allocation, producing a
>     deterministic heap write on 64-bit builds. No 2⁶⁴
>     arithmetic wrap, external delegates, or policy settings
>     are required.
>     (Closes: #1114520)
That is weird; I will double-check what happened back then with the
released DSA for 8:6.9.11.60+dfsg-1.6+deb12u4. Maybe it is then just
wrong tracking.
Regards,
Salvatore
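As an added illustration of the CVE-2025-57803 entry quoted above (constructed C, not ImageMagick's code and not the fix shipped in the upload): the usual BMP scanline-stride formula evaluated in 32-bit arithmetic wraps for a large width and collapses to 0, while a 24-bpp row writer still emits 3 × width bytes; beside it, a widened, range-checked variant refuses widths it cannot represent. The per-row limit is an assumed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug: BMP rows are padded to a 4-byte boundary,
 * and width * bpp is evaluated in 32 bits, so it can wrap silently. */
static uint32_t stride_32bit(uint32_t width, uint32_t bpp)
{
    return ((width * bpp + 31) / 32) * 4;   /* width * bpp may wrap */
}

/* Bytes a 24-bpp row writer really emits: 3 bytes per pixel. */
static uint64_t row_bytes_24bpp(uint64_t width)
{
    return 3 * width;
}

/* True when the wrapped stride is smaller than one row's bytes, i.e. the
 * first row would already run past its slot in the scanline buffer. */
static bool row_overruns_stride(uint32_t width)
{
    return (uint64_t)stride_32bit(width, 24) < row_bytes_24bpp(width);
}

/* Hardened variant: compute in 64 bits, refuse widths above an assumed
 * per-row limit so the multiplication cannot wrap, and re-check the
 * invariant the row writer relies on (stride >= bytes written). */
static bool stride_checked(uint64_t width, uint32_t bpp, size_t *stride)
{
    const uint64_t limit = 0x7FFFFFFFu;     /* assumed row limit, not IM's */
    if (width == 0 || width > limit || bpp == 0 || bpp > 32) return false;
    uint64_t s = ((width * bpp + 31) / 32) * 4;   /* exact: no wrap below */
    if (s > limit) return false;
    if (bpp == 24 && s < row_bytes_24bpp(width)) return false;
    *stride = (size_t)s;
    return true;
}

int main(void)
{
    uint32_t width = 536870912u;            /* 2^29: 2^29 * 24 wraps to 0 */
    size_t s = 0;
    printf("32-bit stride=%u, row needs %llu bytes, overrun=%d\n",
           stride_32bit(width, 24), (unsigned long long)row_bytes_24bpp(width),
           row_overruns_stride(width));
    printf("checked: ok=%d stride=%zu\n", stride_checked(width, 24, &s), s);
    return 0;
}
```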