Package | imagemagick |
---|---|
Version | 8:6.9.10.23+dfsg-2.1+deb10u11 (buster) |
Related CVEs | CVE-2025-53014 CVE-2025-53019 CVE-2025-53101 CVE-2025-55154 CVE-2025-55212 CVE-2025-55298 CVE-2025-57803 CVE-2025-57807 |
Multiple vulnerabilities were fixed in imagemagick, an image manipulation software suite.
CVE-2025-53014
A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).
CVE-2025-53019
In ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak.
CVE-2025-53101
In ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.
CVE-2025-55154
The magnified size calculations in ReadOneMNGImage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.
CVE-2025-55212
Passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort).
CVE-2025-55298
A format string vulnerability exists in the InterpretImageFilename
function, where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.
CVE-2025-57803
A 32-bit integer overflow in the BMP encoder's scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 × width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.
CVE-2025-57807
A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset ≫ extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2⁶⁴
arithmetic wrap, external delegates, or policy settings
are required.
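The capacity rule described for CVE-2025-57807, as an added example that is not ImageMagick's or Debian's code: a hypothetical minimal blob (the names `Blob`, `blob_seek`, `blob_write` and `flawed_extent` are assumptions made here) whose write sizes the buffer by offset + length and rejects wrap-around. The quantum + length rule is only computed for comparison, never written through.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical blob model (not ImageMagick's BlobInfo): extent = capacity,
   offset = stream position, quantum = amortized growth step. */
typedef struct { unsigned char *data; size_t extent, offset, quantum; } Blob;

static void blob_seek(Blob *b, size_t offset) { b->offset = offset; } /* may pass the end */

/* Growth by quantum + length, ignoring offset. Computed for comparison only. */
static size_t flawed_extent(const Blob *b, size_t len) { return b->extent + b->quantum + len; }

/* Hardened write: capacity must cover offset + len. Returns 0, or -1 on error. */
static int blob_write(Blob *b, const void *src, size_t len) {
    if (len > SIZE_MAX - b->offset) return -1;            /* offset + len would wrap */
    size_t need = b->offset + len;
    if (need > b->extent) {
        size_t grow = need <= SIZE_MAX - b->quantum ? need + b->quantum : need;
        unsigned char *p = realloc(b->data, grow);
        if (p == NULL) return -1;
        memset(p + b->extent, 0, grow - b->extent);       /* zero the seek gap */
        b->data = p;
        b->extent = grow;
    }
    if (len != 0) memcpy(b->data + b->offset, src, len);
    b->offset = need;
    return 0;
}

/* Constructed scenario: small blob, seek to 4096, then write 4 bytes. */
static int demo(size_t *flawed, size_t *hardened) {
    Blob b = { NULL, 0, 0, 16 };
    if (blob_write(&b, "head", 4) != 0) return -1;
    blob_seek(&b, 4096);
    *flawed = flawed_extent(&b, 4);      /* 20 + 16 + 4 = 40, short of the 4100 needed */
    int rc = blob_write(&b, "tail", 4);
    *hardened = b.extent;                /* 4100 + 16 = 4116 */
    if (rc == 0 && memcmp(b.data + 4096, "tail", 4) != 0) rc = -1;
    free(b.data);
    return rc;
}

int main(void) {
    size_t f = 0, h = 0;
    int rc = demo(&f, &h);
    printf("rc=%d flawed_extent=%zu hardened_extent=%zu\n", rc, f, h);
    return rc != 0;
}
```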
For Debian 10 buster, these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u11.
We recommend that you upgrade your imagemagick packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.