Debian alert DLA-4339-1 (imagemagick)
| From: | rouca@debian.org | |
| To: | <debian-lts-announce@lists.debian.org> | |
| Subject: | [SECURITY] [DLA 4339-1] imagemagick security update | |
| Date: | Sun, 19 Oct 2025 21:40:00 +0200 | |
| Message-ID: | <6b5766e5716a73418ccd62867669c16c@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4339-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Bastien Roucariès October 19, 2025 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : imagemagick Version : 8:6.9.11.60+dfsg-1.3+deb11u7 CVE ID : CVE-2025-62171 Debian Bug : 1118340 An Integer Overflow was found in BMP Decoder (ReadBMP). CVE-2025-57803 fix claims to patch this problem, but the fix is incomplete and ineffective in some cases. The patch added BMPOverflowCheck() but placed it after the overflow occurs. A malicious 58-byte BMP file can trigger AddressSanitizer crashes and DoS. This new issue was affected CVE-2025-62171. For Debian 11 bullseye, these problems have been fixed in version 8:6.9.11.60+dfsg-1.3+deb11u7. We recommend that you upgrade your imagemagick packages. For the detailed security status of imagemagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/imagemagick Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmj1PpAACgkQADoaLapB CF+cRhAAkbaf2UvAp2b1778Kh6IgCo2e1xhrZvoaOk6GhW4Rvl4aBln0HBIUSw25 Z8ZTNwaVH9jx7Pkn1hAAs+og+/SAdUiBoQR1dmBHAEjvloEnoH7v/dISJHj0vLEa F2s8Ky4jj/oPrQDFYl7Wz8+kUy9XrbJJOC0Qi9J551LT1B5TD3iIGLCr58SjdPvg EXhutu8fghfxP0wDUSdikrUfbiMdkYV36t8YgaXgAGrZQdZEGNSFIKAYZhj4UUVb a2Wor65oMWNf1hjdcf2GAGSWHFPJCo9mzA7yMhTdv7dnwGtYevbrvsUxQTCJCBiW C7KHF2j/U6DQ+j+8SXbJcvtnnKrczKNFRc5Hew7HingVAhuzU3YdhMmj34pX+LTi 5E+ol02LXq0G4Dkgy88tZODxn7iEkBgLPcNeDBZUJ0aKb5Bm7IxsCypuxM3/lyW5 33GNvgfVw5qctkd0+ypx5sJdIWzZNCijBPPb9SgYvDOi1tEU1krHeSB9wc3gspkO BCbvbgHNIJy+3Z6G3pO0nryhLD0vaCC9biIZFl2wEEc7/CAuj+oKzGlvmCSu2iXj Bv4Sanyv4193RV4NdJXfwyvzL1wVXTUsgDNtJsAWHdJg48GJx6CgP4J8Ho7M3A8P 8HNCHz967vGtX3QCI+S++6xiYR/CKkm4TjE7JzIe5NASJE3/wNI= =MAcY -----END PGP SIGNATURE-----