New Debian imagemagick 8:6.9.11.60+dfsg-1.6+deb12u4 fixes:

This update addresses the following issues:

* ImageMagick: Incorrect Handling of Image Depth in MIFF Processing in ImageMagick (CVE-2025-43965)

8:6.9.11.60+dfsg-1.6+deb12u4 (Sun, 07 Sep 2025 23:54:25 +0200)

* Fix CVE-2025-53014: A heap buffer overflow was found in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`).
* Fix CVE-2025-53019: In ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak.
* Fix CVE-2025-53101: In ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`.
* Fix CVE-2025-55154: The magnified size calculations in ReadOneMNGImage (in coders/png.c) are unsafe and can overflow, leading to memory corruption.
* Fix CVE-2025-55212: Passing a geometry string containing only a colon (":") to `montage -geometry` leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort).
* Fix CVE-2025-55298: A format string vulnerability exists in the InterpretImageFilename function, where user input is passed directly to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution.
* Fix CVE-2025-57803: A 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes.
* Fix CVE-2025-57807: A security problem was found in SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and in WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.
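The stride collapse behind CVE-2025-57803 is easy to reproduce in isolation. The following is an added, constructed illustration (not ImageMagick's BMP coder, and the function names are hypothetical): the unchecked 32-bit stride computation beside a hardened version that widens the arithmetic, verifies that a row's 3 × width bytes fit in its slot, and guards the stride × height allocation size against size_t overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not ImageMagick's own code.  A 24-bpp BMP row
 * stride is 3*width rounded up to a multiple of 4.  Computed in 32-bit
 * arithmetic the product wraps for large widths, so the stride collapses
 * to a few bytes while a row still carries 3*width bytes. */

/* Unchecked 32-bit stride, the bug class described for CVE-2025-57803. */
uint32_t stride_unchecked(uint32_t width)
{
    uint32_t bits = width * 24u;          /* wraps once width*24 >= 2^32 */
    return ((bits + 31u) / 32u) * 4u;     /* round up to a 4-byte boundary */
}

/* Does a row of 3*width bytes fit in a slot of `stride` bytes?  Evaluated
 * in 64-bit so the comparison itself cannot wrap. */
bool row_fits_stride(uint32_t width, uint64_t stride)
{
    return stride >= (uint64_t)width * 3u;
}

/* Hardened stride: widened arithmetic plus an explicit fit check, so a
 * computed stride is never smaller than the bytes a row writes. */
bool stride_checked(uint32_t width, uint64_t *stride_out)
{
    uint64_t bits = (uint64_t)width * 24u;          /* below 2^38, cannot wrap */
    uint64_t stride = ((bits + 31u) / 32u) * 4u;
    if (!row_fits_stride(width, stride))
        return false;
    *stride_out = stride;
    return true;
}

/* Hardened pixel-buffer size: stride * height guarded against size_t
 * overflow, so the allocation is never smaller than what gets written. */
bool bmp_pixel_bytes_checked(uint32_t width, uint32_t height, size_t *bytes_out)
{
    uint64_t stride;
    if (!stride_checked(width, &stride))
        return false;
    if (height != 0 && stride > SIZE_MAX / height)    /* product would overflow */
        return false;
    *bytes_out = (size_t)(stride * height);
    return true;
}

int main(void)
{
    /* constructed: the smallest width at which width*24 wraps in 32 bits */
    uint32_t w = 178956971u;
    uint64_t s = 0;
    size_t n = 0;
    printf("width %u: unchecked stride %u bytes, row needs %llu bytes\n",
           (unsigned)w, (unsigned)stride_unchecked(w), (unsigned long long)w * 3u);
    if (stride_checked(w, &s))
        printf("checked stride: %llu bytes\n", (unsigned long long)s);
    printf("UINT32_MAX x UINT32_MAX accepted: %s\n",
           bmp_pixel_bytes_checked(UINT32_MAX, UINT32_MAX, &n) ? "yes" : "no");
    return 0;
}
```

With the constructed width the unchecked stride is 4 bytes while a row carries 536870913 bytes, which is exactly the "first row writes past its slot" condition; the checked path yields 536870916 and refuses dimensions whose pixel buffer would not fit in size_t.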
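The SeekBlob()/WriteBlob() interaction described for CVE-2025-57807 comes down to which quantity the writer sizes its buffer from. The block below is an added, constructed toy stream buffer (hypothetical names, not ImageMagick's BlobInfo or its blob functions): a pure-arithmetic model of the flawed "grow by quantum + length" rule that reports whether a write would land outside the allocation, beside a checked writer that sizes capacity from offset + length and zero-fills the gap a far seek opens up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy stream buffer (hypothetical names; not ImageMagick's
 * BlobInfo).  It models the sequence named for CVE-2025-57807: a seek that
 * moves the offset past the current end without growing capacity, then a
 * write that must not trust that offset. */
typedef struct {
    unsigned char *data;  /* heap allocation of `extent` bytes, always initialised */
    size_t extent;        /* allocated capacity */
    size_t length;        /* logical end: highest byte ever written + 1 */
    size_t offset;        /* current stream position */
    size_t quantum;       /* amortised growth step */
} toy_blob_t;

bool toy_blob_init(toy_blob_t *b, size_t quantum)
{
    b->data = calloc(quantum, 1);
    if (b->data == NULL) return false;
    b->extent = quantum; b->length = 0; b->offset = 0; b->quantum = quantum;
    return true;
}

void toy_blob_free(toy_blob_t *b) { free(b->data); b->data = NULL; b->extent = 0; }

/* Seek as the page describes it: the offset may move beyond the end and
 * capacity is left alone.  That is only safe if every later write sizes
 * the buffer from the offset, which is what toy_blob_write does. */
void toy_blob_seek(toy_blob_t *b, size_t offset) { b->offset = offset; }

/* Arithmetic model of the flawed growth rule (no memory is touched): the
 * buffer grows by quantum + nbytes from its current extent instead of to
 * offset + nbytes, so a copy to data + offset lands outside the allocation
 * whenever the offset is far past the extent. */
bool flawed_growth_leaves_write_oob(size_t extent, size_t offset,
                                    size_t quantum, size_t nbytes)
{
    if (offset > SIZE_MAX - nbytes) return true;       /* offset + nbytes itself wraps */
    size_t needed = offset + nbytes;
    size_t new_extent = extent;
    if (needed > extent) {                              /* grow only when the write passes the end */
        if (quantum > SIZE_MAX - nbytes || extent > SIZE_MAX - quantum - nbytes) return true;
        new_extent = extent + quantum + nbytes;         /* flawed: ignores how far offset is */
    }
    return needed > new_extent;
}

/* Hardened write: capacity is derived from offset + nbytes, the amortised
 * quantum is added on top, and newly exposed bytes are zeroed. */
bool toy_blob_write(toy_blob_t *b, const void *src, size_t nbytes)
{
    if (b->offset > SIZE_MAX - nbytes) return false;
    size_t needed = b->offset + nbytes;
    if (needed > b->extent) {
        size_t new_extent = needed;
        if (b->quantum <= SIZE_MAX - new_extent) new_extent += b->quantum;
        unsigned char *p = realloc(b->data, new_extent);
        if (p == NULL) return false;
        memset(p + b->extent, 0, new_extent - b->extent);   /* no stale bytes in the gap */
        b->data = p;
        b->extent = new_extent;
    }
    memcpy(b->data + b->offset, src, nbytes);
    b->offset += nbytes;
    if (b->offset > b->length) b->length = b->offset;
    return true;
}

/* Scenario: 4 constructed header bytes, a seek far beyond the 16-byte
 * buffer, then another write.  Returns the logical length on success and 0
 * if anything failed or the gap was not zero-filled. */
size_t demo_seek_far_then_write(void)
{
    static const unsigned char hdr[4] = { 'M', 'I', 'F', 'F' };   /* constructed */
    toy_blob_t b;
    size_t result = 0;
    if (!toy_blob_init(&b, 16)) return 0;
    if (toy_blob_write(&b, hdr, sizeof hdr)) {
        toy_blob_seek(&b, 100000);                   /* offset >> extent */
        if (toy_blob_write(&b, hdr, sizeof hdr) &&
            b.data[100000] == 'M' && b.data[50000] == 0)
            result = b.length;                       /* 100004 */
    }
    toy_blob_free(&b);
    return result;
}

int main(void)
{
    printf("flawed growth, seek to 100000 then 4-byte write: %s\n",
           flawed_growth_leaves_write_oob(16, 100000, 16, 4) ? "out of bounds" : "in bounds");
    printf("checked write, same sequence: logical length %zu\n", demo_seek_far_then_write());
    return 0;
}
```

The flawed rule is modelled rather than executed because performing the copy would be undefined behaviour; the condition it evaluates is the same one the advisory states (offset ≫ extent), and a sequential write at the old end stays in bounds under both rules, which is why the bug only shows once a seek has moved the offset.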
--- mirror/ftp/pool/main/i/imagemagick/imagemagick_6.9.11.60+dfsg-1.6+deb12u3.dsc +++ apt/ucs_5.2-0-errata5.2-3/source/imagemagick_6.9.11.60+dfsg-1.6+deb12u4.dsc 
@@ -1,3 +1,60 @@ +8:6.9.11.60+dfsg-1.6+deb12u4 [Sun, 07 Sep 2025 23:54:25 +0200] Bastien Roucariès <rouca@debian.org>: + + * Fix CVE-2025-53014: + A heap buffer overflow was found in the `InterpretImageFilename` + function. The issue stems from an off-by-one error that causes + out-of-bounds memory access when processing format strings + containing consecutive percent signs (`%%`). + (Closes: #1109339) + * Fix CVE-2025-53019: + ImageMagick's `magick stream` command, specifying multiple + consecutive `%d` format specifiers in a filename template + causes a memory leak + * Fix CVE-2025-53101: + ImageMagick's `magick mogrify` command, specifying + multiple consecutive `%d` format specifiers in a filename + template causes internal pointer arithmetic to generate + an address below the beginning of the stack buffer, + resulting in a stack overflow through `vsnprintf()`. + * Fix CVE-2025-55154: + the magnified size calculations in ReadOneMNGIMage + (in coders/png.c) are unsafe and can overflow, + leading to memory corruption. + (Closes: #1111103) + * Fix CVE-2025-55212: + passing a geometry string containing only a colon (":") + to montage -geometry leads GetGeometry() to set width/height + to 0. Later, ThumbnailImage() divides by these zero dimensions, + triggering a crash (SIGFPE/abort) + (Closes: #1111587) + * Fix CVE-2025-55298: + A format string bug vulnerability exists in InterpretImageFilename + function where user input is directly passed to FormatLocaleString + without proper sanitization. An attacker can overwrite arbitrary + memory regions, enabling a wide range of attacks from heap + overflow to remote code execution. + (Closes: #1111586) + * Fix CVE-2025-57803: + A 32-bit integer overflow in the BMP encoder’s scanline-stride + computation collapses bytes_per_line (stride) to a tiny + value while the per-row writer still emits 3 × width bytes + for 24-bpp images. 
The row base pointer advances using the + (overflowed) stride, so the first row immediately writes + past its slot and into adjacent heap memory with + attacker-controlled bytes. + (Closes: #1112469) + * Fix CVE-2025-57807: + A security problem was found in SeekBlob(), which permits + advancing the stream offset beyond the current end without + increasing capacity, and WriteBlob(), which then expands by + quantum + length (amortized) instead of offset + length, + and copies to data + offset. When offset ≫ extent, the + copy targets memory beyond the allocation, producing a + deterministic heap write on 64-bit builds. No 2⁶⁴ + arithmetic wrap, external delegates, or policy settings + are required. + (Closes: #1114520) + 8:6.9.11.60+dfsg-1.6+deb12u3 [Sat, 26 Apr 2025 20:26:11 +0300] Adrian Bunk <bunk@debian.org>: * Non-maintainer upload. <http://piuparts.knut.univention.de/5.2-3/#2286657578619091234>
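Review bot: two of the eight changelog entries lack the `(Closes: #NNNN)` reference the others carry; CVE-2025-53019 and CVE-2025-53101 cite no Debian bug, so the tracker cannot link this upload to a bug report for them; add the bug numbers if they exist or state that none apply. In the CVE-2025-55154 entry the function is spelled `ReadOneMNGIMage`; the reader in coders/png.c is `ReadOneMNGImage`, so correct the capitalisation. Minor: the CVE-2025-53019 entry ends without a full stop, and `magick stream` / `magick mogrify` are ImageMagick 7 invocations, while this 6.9.11.60 package ships the commands as `stream` and `mogrify`; naming them as shipped avoids confusion for bookworm users.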
OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts manual test OK

[5.2-3] 3f2f0aad64 Bug #58639: imagemagick 8:6.9.11.60+dfsg-1.6+deb12u4
 doc/errata/staging/imagemagick.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x193>