Search for packages
| purl | pkg:deb/debian/imagemagick@8:6.9.11.60%2Bdfsg-1.3%2Bdeb11u8?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2gw3-qfan-jygd | ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack Using Magick to read a malicious SVG file resulted in a DoS attack. |
CVE-2025-68618
GHSA-p27m-hp98-6637 |
| VCID-7t1t-1spz-gfee | ImageMagick has a heap-buffer-overflow ### Summary While Processing a crafted TIFF file, imagemagick crashes. ### Details Following is the imagemagick version: ``` imagemagick_git/build_26jun23/bin/magick --version Version: ImageMagick 7.1.1-13 (Beta) Q16-HDRI x86_64 56f478940:20230625 https://imagemagick.org Copyright: (C) 1999 ImageMagick Studio LLC License: https://imagemagick.org/script/license.php Features: Cipher DPC HDRI Delegates (built-in): fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff webp x xml zlib Compiler: gcc (4.2) ``` ### PoC issue can be replicated with following command with provided POC file(sent over email): ```bash magick poc.tiff /dev/null ``` ### Impact This can lead to application crash. ### Credits Please give credits to Hardik shah of Vehere (Dawn Treaders team) |
CVE-2025-68469
GHSA-fff3-4rp7-px97 |
| VCID-b43n-3d1g-u3fe | ImageMagick's failure to limit MVG mutual causes Stack Overflow Magick fails to check for circular references between two MVGs, leading to a stack overflow. |
CVE-2025-68950
GHSA-7rvh-xqp3-pr8j |
| VCID-g9xf-han8-6qgs | ImageMagick: ImageMagick: Denial of Service via integer overflow in SVG image processing |
CVE-2025-69204
|
| VCID-spch-fffg-4yc5 | Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family ## Withdrawn Advisory This advisory has been withdrawn because it does not affect the ImageMagick project's NuGet packages. ### Original Description We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when `Options::fontFamily` is invoked with an empty string. **Vulnerability Details** - Clearing a font family calls `RelinquishMagickMemory` on `_drawInfo->font`, freeing the font string but leaving `_drawInfo->font` pointing to freed memory while `_drawInfo->family` is set to that (now-invalid) pointer. Any later cleanup or reuse of `_drawInfo->font` re-frees or dereferences dangling memory. - `DestroyDrawInfo` and other setters (`Options::font`, `Image::font`) assume `_drawInfo->font` remains valid, so destruction or subsequent updates trigger crashes or heap corruption. ```cpp if (family_.length() == 0) { _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font); DestroyString(RemoveImageOption(imageInfo(),"family")); } ``` - **CWE-416 (Use After Free):** `_drawInfo->font` is left dangling yet still reachable through the Options object. - **CWE-415 (Double Free):** DrawInfo teardown frees `_drawInfo->font` again, provoking allocator aborts. **Affected Versions** - Introduced by commit `6409f34d637a34a1c643632aa849371ec8b3b5a8` (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313). - Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without `fontFamily` are unaffected. **Command Line Triggerability** This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the `Options::fontFamily()` method. The command-line utilities (such as `convert`, `magick`, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call `Options::fontFamily()` with an empty string in a way that would trigger the use-after-free condition. **Proposed Fix** ```diff diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp @@ void Magick::Options::fontFamily(const std::string &family_) - _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font); + _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family); ``` This frees only the actual family string, leaving `_drawInfo->font` untouched. Optionally nulling `_drawInfo->font` when clearing `font()` itself maintains allocator hygiene. |
CVE-2025-65955
GHSA-q3hc-j9x5-mp9m |
| VCID-x8c1-btup-4ygu | ImageMagick is vulnerable to an integer Overflow in TIM decoder leading to out of bounds read (32-bit only) The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. |
CVE-2025-66628
GHSA-6hjr-v6g4-3fm8 |