| Package | imagemagick |
|---|---|
| Version | 8:6.9.7.4+dfsg-11+deb9u23 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u12 (buster) |
| Related CVEs | CVE-2025-62171 |
An integer overflow vulnerability was discovered in the ReadBMP() function of the BMP decoder within ImageMagick.
Although CVE-2025-57803 was issued to address this flaw, the proposed fix is incomplete and fails to prevent exploitation in certain scenarios. Specifically, the patch introduces a BMPOverflowCheck() function in one code path, but it is invoked only after the overflow has already occurred, which makes the check ineffective in some cases.
This oversight allows a specially crafted 58-byte BMP file to trigger crashes reported by AddressSanitizer, potentially leading to denial-of-service (DoS) conditions.
This new issue was assigned CVE-2025-62171.
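The defect class described above, an overflow check that runs only after the multiplication has already wrapped, is easy to reproduce in isolation. The following C program is an added illustration and is not ImageMagick's ReadBMP() or BMPOverflowCheck() code: the two helper functions, the 256 MiB limit and the sample dimensions are all constructed for this example. Both helpers compute a pixel-buffer size from width, height and bytes per pixel; the first checks the product after computing it and therefore accepts wrapped results, the second validates each factor before multiplying and rejects them.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this example: the largest pixel buffer we accept. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

/* Ineffective pattern (hypothetical, mirrors the advisory's description):
 * the 32-bit product is formed first, so it has already wrapped modulo 2^32
 * by the time the range check looks at it. Returns the computed size, or -1
 * if the check rejects it. */
static long long pixel_bytes_check_after(uint32_t width, uint32_t height,
                                         uint32_t bytes_per_pixel)
{
    uint32_t size = width * height * bytes_per_pixel; /* may wrap silently */
    if (size > MAX_PIXEL_BYTES)
        return -1;
    return (long long)size; /* a wrapped, undersized value passes here */
}

/* Correct pattern: prove that each multiplication cannot overflow before
 * performing it, using portable division-based bounds. Zero dimensions are
 * rejected as well, since an empty image has no pixel data to decode. */
static long long pixel_bytes_check_before(uint32_t width, uint32_t height,
                                          uint32_t bytes_per_pixel)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    if (width > UINT32_MAX / height)           /* width * height would wrap */
        return -1;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bytes_per_pixel)   /* area * bpp would wrap */
        return -1;
    uint32_t size = area * bytes_per_pixel;
    if (size > MAX_PIXEL_BYTES)
        return -1;
    return (long long)size;
}

int main(void)
{
    /* Constructed header values: one ordinary image and one whose
     * width * height is exactly 2^32 and wraps to zero in 32-bit arithmetic. */
    struct { uint32_t w, h, bpp; } samples[] = {
        { 640u,   480u,   3u },
        { 65536u, 65536u, 1u },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%ux%ux%u: check-after=%lld check-before=%lld\n",
               samples[i].w, samples[i].h, samples[i].bpp,
               pixel_bytes_check_after(samples[i].w, samples[i].h, samples[i].bpp),
               pixel_bytes_check_before(samples[i].w, samples[i].h, samples[i].bpp));
    }
    return 0;
}
```

For the 65536x65536 sample the check-after variant returns 0 and would hand the caller a zero-length buffer that later pixel writes overrun, while the check-before variant returns -1. The fix for this bug class is therefore about ordering, not about the presence of a check: every bound must be verified on the operands, or computed in a wider type, before the product is formed.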
For Debian 10 buster, these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u12.
For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u23.
We recommend that you upgrade your imagemagick packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.