#1112469 imagemagick: CVE-2025-57803

Package:
src:imagemagick
Source:
src:imagemagick
Submitter:
Salvatore Bonaccorso
Date:
2025-09-06 22:39:03 UTC
Severity:
normal
Tags:
#1112469#5
Date:
2025-08-29 19:08:20 UTC
Hi,

The following vulnerability was published for imagemagick.

CVE-2025-57803[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2
| for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP
| encoder’s scanline-stride computation collapses bytes_per_line
| (stride) to a tiny value while the per-row writer still emits 3 ×
| width bytes for 24-bpp images. The row base pointer advances using
| the (overflowed) stride, so the first row immediately writes past
| its slot and into adjacent heap memory with attacker-controlled
| bytes. This is a classic, powerful primitive for heap corruption in
| common auto-convert pipelines. This issue has been patched in
| versions 6.9.13-28 and 7.1.2-2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57803
https://www.cve.org/CVERecord?id=CVE-2025-57803
[1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm
[2] https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
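The advisory above describes a stride computation that wraps in 32-bit arithmetic while the row writer still emits 3 × width bytes. The following C model, added here for illustration and not taken from ImageMagick's source, shows the standard BMP stride formula (rows padded to a 4-byte boundary, i.e. floor((bpp × width + 31) / 32) × 4, an assumption about the encoder's exact expression) evaluated both in 32 bits, where it collapses for large widths, and in a hardened form that computes in 64 bits and refuses any geometry whose stride would not cover the bytes written per row or whose total size exceeds a caller-supplied budget. All function names and the sample widths are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Illustrative model of a BMP scanline-stride computation (constructed for
 * this example; not ImageMagick's code). A BMP row is padded to a 4-byte
 * boundary, so the stride is floor((bits_per_pixel * width + 31) / 32) * 4.
 */

/* Bytes the per-row writer actually emits for one row (3 * width at 24 bpp),
 * computed in 64 bits so it cannot wrap. */
static uint64_t bmp_row_bytes(uint32_t width, uint32_t bits_per_pixel)
{
    uint64_t bits = (uint64_t)width * bits_per_pixel;
    return (bits + 7) / 8;
}

/* The failure mode from the advisory: the same formula evaluated in 32-bit
 * unsigned arithmetic. For a large width the product wraps modulo 2^32 and
 * the stride "collapses" to a value far smaller than the row being written. */
static uint32_t bmp_stride_unchecked32(uint32_t width, uint32_t bits_per_pixel)
{
    uint32_t bits = width * bits_per_pixel;   /* wraps when width * bpp >= 2^32 */
    return ((bits + 31) / 32) * 4;
}

/* Hardened version: evaluate in 64 bits, then require that
 *  (a) the stride covers every byte the row writer will emit, and
 *  (b) the whole image (stride * height) fits within max_bytes.
 * Returns the stride, or 0 when the geometry must be rejected
 * (a zero stride is never valid for a non-empty image). */
static uint64_t bmp_stride_checked(uint32_t width, uint32_t height,
                                   uint32_t bits_per_pixel, uint64_t max_bytes)
{
    uint64_t bits, stride;

    if (width == 0 || height == 0 || bits_per_pixel == 0)
        return 0;
    bits = (uint64_t)width * bits_per_pixel;   /* both < 2^32, so no wrap */
    stride = ((bits + 31) / 32) * 4;
    if (stride < bmp_row_bytes(width, bits_per_pixel))
        return 0;                               /* (a): a row would overrun its slot */
    if (stride > max_bytes / height)
        return 0;                               /* (b): total allocation too large */
    return stride;
}

/* True when the 32-bit computation yields a stride smaller than one row,
 * i.e. the condition under which the first row writes past its slot. */
static bool bmp_stride32_is_inconsistent(uint32_t width, uint32_t bits_per_pixel)
{
    return (uint64_t)bmp_stride_unchecked32(width, bits_per_pixel)
           < bmp_row_bytes(width, bits_per_pixel);
}
```

A width of 1431655766 at 24 bpp is a convenient constructed test value: 24 × 1431655766 = 0x800000010, which is 16 modulo 2^32, so the 32-bit stride becomes 4 bytes while the row writer would emit 4294967298 bytes; the 64-bit version computes the true stride (4294967300) and then rejects it against any sane memory budget.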

#1112469#12
Date:
2025-09-06 22:36:46 UTC
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1112469@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 06 Sep 2025 01:44:14 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.2.3+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1111586 1111587 1112469 1114520
Changes:
 imagemagick (8:7.1.2.3+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version.
   * Fix CVE-2025-55212:
     Passing a geometry string containing only a colon (":") to montage
     -geometry leads GetGeometry() to set width/height to 0. Later,
     ThumbnailImage() divides by these zero dimensions, triggering
     a crash (SIGFPE/abort), resulting in a denial of service
     (Closes: #1111587)
   * Fix CVE-2025-55298:
     A format string bug vulnerability exists in InterpretImageFilename
     function where user input is directly passed to FormatLocaleString
     without proper sanitization. An attacker can overwrite arbitrary
     memory regions, enabling a wide range of attacks from heap overflow
     to remote code execution.
     (Closes: #1111586)
   * Fix CVE-2025-57803:
     A 32-bit integer overflow in the BMP encoder’s scanline-stride
     computation collapses bytes_per_line (stride) to a tiny value while
     the per-row writer still emits 3 × width bytes for 24-bpp images.
     The row base pointer advances using the (overflowed) stride,
     so the first row immediately writes past its slot
     and into adjacent heap memory with attacker-controlled bytes.
     (Closes: #1112469)
   * Fix CVE-2025-57807:
     ImageMagick versions include insecure functions: SeekBlob(),
     which permits advancing the stream offset beyond the current end without
     increasing capacity, and WriteBlob(), which then expands by
     quantum + length (amortized) instead of offset + length, and copies
     to data + offset. When offset ≫ extent, the copy targets memory
     beyond the allocation, producing a deterministic heap write
     on 64-bit builds
     (Closes: #1114520)
Checksums-Sha1:
 db60f121d8bbe2612efaa9f002691061def71713 5122 imagemagick_7.1.2.3+dfsg1-1.dsc
 d36475c8766d8495cdf1a6b3b486ed3646330cad 10520388 imagemagick_7.1.2.3+dfsg1.orig.tar.xz
 9b695bdf3345a21c20b23ba10268c4d7f0eb2032 268272 imagemagick_7.1.2.3+dfsg1-1.debian.tar.xz
 64f2e9763ef0abdb4af943e7733429163b83778f 8019 imagemagick_7.1.2.3+dfsg1-1_source.buildinfo
Checksums-Sha256:
 e46658e8f8ce95ce236efb60bc6893ad13ffa654006917566d4e1bace23de24d 5122 imagemagick_7.1.2.3+dfsg1-1.dsc
 854fc7b7642f47178c3bc2d4464856c0df2cce4778d5948e136b2dd996e8afe8 10520388 imagemagick_7.1.2.3+dfsg1.orig.tar.xz
 b89d5cc39aada0315780607899e15b8c2eb57aa1e975f499550316879a19536f 268272 imagemagick_7.1.2.3+dfsg1-1.debian.tar.xz
 f2ff6f70ed94ea53e7e4a3b92838e936500fbe4b0aa73fc7931bb717fe04d1c8 8019 imagemagick_7.1.2.3+dfsg1-1_source.buildinfo
Files:
 13e798b6f786f48c03cff465e777680a 5122 graphics optional imagemagick_7.1.2.3+dfsg1-1.dsc
 fb0a7e4860da03303b5be68a75b68eeb 10520388 graphics optional imagemagick_7.1.2.3+dfsg1.orig.tar.xz
 8850bf6f65617e268491bbbad06d6566 268272 graphics optional imagemagick_7.1.2.3+dfsg1-1.debian.tar.xz
 dbc57c99765a0dbd41d69e43497019d8 8019 graphics optional imagemagick_7.1.2.3+dfsg1-1_source.buildinfo
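The CVE-2025-57807 entry in the changelog above describes a seek that may move the write position past the current end without allocating, followed by a write that sizes the buffer from the existing extent rather than from the write position. The following C model is added here as an illustration of the correct invariant and is not ImageMagick's BlobInfo code; the structure, the function names and the growth policy (reserve offset + length, plus an amortization quantum) are all assumptions made for this example, and the sample bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Minimal growable in-memory blob (constructed for this example; not
 * ImageMagick's BlobInfo). Seeking past the end is allowed and does not
 * allocate, as a file-like API would; the write path is therefore
 * responsible for sizing the buffer from the write position, not from
 * the current extent.
 */
typedef struct {
    unsigned char *data;
    size_t capacity;  /* bytes allocated behind data */
    size_t extent;    /* logical length: highest byte ever written + 1 */
    size_t offset;    /* current position; may exceed extent after a seek */
    size_t quantum;   /* amortization granularity for growth */
} Blob;

static void blob_init(Blob *b, size_t quantum)
{
    b->data = NULL;
    b->capacity = b->extent = b->offset = 0;
    b->quantum = quantum ? quantum : 4096;
}

static void blob_free(Blob *b)
{
    free(b->data);
    b->data = NULL;
    b->capacity = b->extent = b->offset = 0;
}

/* Sparse seek: moves the position only. Nothing is allocated here. */
static void blob_seek(Blob *b, size_t offset)
{
    b->offset = offset;
}

/* Grow so that `need` bytes are addressable. Newly exposed bytes are zeroed
 * so a later read of the gap left by a seek never exposes stale heap data. */
static bool blob_reserve(Blob *b, size_t need)
{
    size_t new_capacity;
    unsigned char *p;

    if (need <= b->capacity)
        return true;
    if (b->quantum > SIZE_MAX - need)          /* need + quantum would wrap */
        return false;
    new_capacity = need + b->quantum;
    p = realloc(b->data, new_capacity);
    if (p == NULL)
        return false;
    memset(p + b->capacity, 0, new_capacity - b->capacity);
    b->data = p;
    b->capacity = new_capacity;
    return true;
}

/* The hardened write: the copy targets data + offset, so the buffer must
 * hold offset + length bytes. Sizing it from extent + length (or from
 * quantum + length) is wrong whenever offset > extent. */
static bool blob_write(Blob *b, const void *src, size_t length)
{
    if (length > SIZE_MAX - b->offset)          /* offset + length would wrap */
        return false;
    if (!blob_reserve(b, b->offset + length))
        return false;
    memcpy(b->data + b->offset, src, length);
    b->offset += length;
    if (b->offset > b->extent)
        b->extent = b->offset;
    return true;
}

/* Demonstration: seek past the end of an empty blob, then write four bytes.
 * Returns the resulting extent, or 0 on any failure, so a caller can verify
 * that the buffer was sized from the write position and the gap zeroed. */
static size_t blob_demo_sparse_write(size_t seek_to)
{
    Blob b;
    static const unsigned char sample[4] = { 'B', 'M', 'P', '!' }; /* constructed */
    size_t extent = 0;

    blob_init(&b, 64);
    blob_seek(&b, seek_to);
    if (blob_write(&b, sample, sizeof sample)
        && b.capacity >= b.extent
        && b.data[seek_to] == 'B'
        && (seek_to == 0 || b.data[0] == 0))   /* gap was zero-filled */
        extent = b.extent;
    blob_free(&b);
    return extent;
}
```

The two checks worth carrying into any reviewer's reading of a blob writer are visible in blob_write: the offset + length addition is guarded against wrapping before it is used, and the reservation is driven by that sum rather than by the current extent, so a seek far beyond the end cannot produce a copy outside the allocation.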