[ubuntu/questing-proposed] imagemagick 8:7.1.2.3+dfsg1-1 (Accepted)
Jeremy Bícha
jbicha at ubuntu.com
Sun Sep 7 14:55:31 UTC 2025
imagemagick (8:7.1.2.3+dfsg1-1) unstable; urgency=medium

  * New upstream version.
  * Fix CVE-2025-55212:
    Passing a geometry string containing only a colon (":") to montage
    -geometry leads GetGeometry() to set width/height to 0. Later,
    ThumbnailImage() divides by these zero dimensions, triggering
    a crash (SIGFPE/abort), resulting in a denial of service
    (Closes: #1111587)
  * Fix CVE-2025-55298:
    A format string bug vulnerability exists in InterpretImageFilename
    function where user input is directly passed to FormatLocaleString
    without proper sanitization. An attacker can overwrite arbitrary
    memory regions, enabling a wide range of attacks from heap overflow
    to remote code execution.
    (Closes: #1111586)
  * Fix CVE-2025-57803:
    A 32-bit integer overflow in the BMP encoder’s scanline-stride
    computation collapses bytes_per_line (stride) to a tiny value while
    the per-row writer still emits 3 × width bytes for 24-bpp images.
    The row base pointer advances using the (overflowed) stride,
    so the first row immediately writes past its slot
    and into adjacent heap memory with attacker-controlled bytes.
    (Closes: #1112469)
  * Fix CVE-2025-57807:
    ImageMagick versions include insecure functions: SeekBlob(),
    which permits advancing the stream offset beyond the current end without
    increasing capacity, and WriteBlob(), which then expands by
    quantum + length (amortized) instead of offset + length, and copies
    to data + offset. When offset ≫ extent, the copy targets memory
    beyond the allocation, producing a deterministic heap write
    on 64-bit builds
    (Closes: #1114520)

Date: 2025-09-07 04:30:32.741393+00:00
Signed-By: Jeremy Bícha <jbicha at ubuntu.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:7.1.2.3+dfsg1-1
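
The stride arithmetic behind the CVE-2025-57803 entry above, as an added example that is not ImageMagick's code or part of the original changelog: it compares a 32-bit stride computation with a checked 64-bit layout calculation. The function names, the conventional 4-byte-aligned stride formula and the sample width are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 24 * 178956971 = 2^32 + 8, so the bit count wraps to 8. */
#define SAMPLE_WIDTH 178956971u

/* Conventional BMP stride (rows padded to 4 bytes), computed in 32 bits.
   Assumed formula for illustration; not copied from ImageMagick. */
static uint32_t stride_u32(uint32_t width, uint32_t bpp)
{
    return 4u * ((width * bpp + 31u) / 32u);   /* width * bpp may wrap */
}

/* Hardened layout (hypothetical helper): 64-bit arithmetic, and reject any
   result that does not fit the 32-bit image-size field of the BMP header. */
static bool bmp_layout(uint32_t width, uint32_t rows, uint32_t bpp,
                       uint64_t *stride, uint64_t *image_size)
{
    if (width == 0 || rows == 0 || bpp == 0 || bpp > 32)
        return false;
    uint64_t bits = (uint64_t)width * bpp;     /* below 2^37, cannot wrap */
    uint64_t s = 4u * ((bits + 31u) / 32u);
    if (s > UINT32_MAX)
        return false;
    uint64_t total = s * rows;                 /* both below 2^32, fits in 64 bits */
    if (total > UINT32_MAX)
        return false;
    *stride = s;
    *image_size = total;
    return true;
}

int main(void)
{
    uint64_t s = 0, n = 0;
    printf("32-bit stride: %u bytes, row writer emits: %llu bytes\n",
           (unsigned)stride_u32(SAMPLE_WIDTH, 24),
           (unsigned long long)(3ull * SAMPLE_WIDTH));
    if (bmp_layout(SAMPLE_WIDTH, 1, 24, &s, &n))
        printf("checked stride: %llu bytes\n", (unsigned long long)s);
    printf("8 rows accepted: %d\n", bmp_layout(SAMPLE_WIDTH, 8, 24, &s, &n));
    return 0;
}
```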