Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03150-1 Final 1 1 2025-09-10T17:58:50Z current 2025-09-10T17:58:50Z 2025-09-10T17:58:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: - CVE-2025-55005: Fixed heap buffer overflow when transforming from Log to sRGB colorspaces (bsc#1248077). - CVE-2025-55154: Fixed integer overflow when performing magnified size calculations in ReadOneMNGIMage (bsc#1248078). - CVE-2025-55160: Fixed undefined behavior due to function-type-mismatch in CloneSplayTree (bsc#1248079). - CVE-2025-55212: Fixed division-by-zero in ThumbnailImage() when passing a geometry string containing only a colon to `montage -geometry` (bsc#1248767). - CVE-2025-55298: Fixed heap overflow due to format string bug vulnerability (bsc#1248780). - CVE-2025-57803: Fixed heap out-of-bounds (OOB) write due to 32-bit integer overflow (bsc#1248784). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3150,SUSE-SLE-SERVER-12-SP5-LTSS-2025-3150,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3150 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ Link for SUSE-SU-2025:03150-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041608.html E-Mail link for SUSE-SU-2025:03150-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248077 SUSE Bug 1248077 https://bugzilla.suse.com/1248078 SUSE Bug 1248078 https://bugzilla.suse.com/1248079 SUSE Bug 1248079 https://bugzilla.suse.com/1248767 SUSE Bug 1248767 https://bugzilla.suse.com/1248780 SUSE Bug 1248780 https://bugzilla.suse.com/1248784 SUSE Bug 1248784 https://www.suse.com/security/cve/CVE-2025-55005/ SUSE CVE CVE-2025-55005 page https://www.suse.com/security/cve/CVE-2025-55154/ SUSE CVE CVE-2025-55154 page https://www.suse.com/security/cve/CVE-2025-55160/ SUSE CVE CVE-2025-55160 page https://www.suse.com/security/cve/CVE-2025-55212/ SUSE CVE CVE-2025-55212 page https://www.suse.com/security/cve/CVE-2025-55298/ SUSE CVE CVE-2025-55298 page https://www.suse.com/security/cve/CVE-2025-57803/ SUSE CVE CVE-2025-57803 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-6.8.8.1-71.212.1 ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 ImageMagick-config-6-upstream-6.8.8.1-71.212.1 ImageMagick-devel-6.8.8.1-71.212.1 ImageMagick-devel-32bit-6.8.8.1-71.212.1 ImageMagick-devel-64bit-6.8.8.1-71.212.1 ImageMagick-doc-6.8.8.1-71.212.1 ImageMagick-extra-6.8.8.1-71.212.1 libMagick++-6_Q16-3-6.8.8.1-71.212.1 libMagick++-6_Q16-3-32bit-6.8.8.1-71.212.1 libMagick++-6_Q16-3-64bit-6.8.8.1-71.212.1 libMagick++-devel-6.8.8.1-71.212.1 libMagick++-devel-32bit-6.8.8.1-71.212.1 libMagick++-devel-64bit-6.8.8.1-71.212.1 libMagickCore-6_Q16-1-6.8.8.1-71.212.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.212.1 libMagickCore-6_Q16-1-64bit-6.8.8.1-71.212.1 libMagickWand-6_Q16-1-6.8.8.1-71.212.1 libMagickWand-6_Q16-1-32bit-6.8.8.1-71.212.1 libMagickWand-6_Q16-1-64bit-6.8.8.1-71.212.1 perl-PerlMagick-6.8.8.1-71.212.1 ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-config-6-upstream-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-devel-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagick++-devel-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagickCore-6_Q16-1-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagickWand-6_Q16-1-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-config-6-upstream-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-devel-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagick++-devel-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagickCore-6_Q16-1-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagickWand-6_Q16-1-6.8.8.1-71.212.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, when preparing to transform from Log to sRGB colorspaces, the logmap construction fails to handle cases where the reference-black or reference-white value is larger than 1024. This leads to corrupting memory beyond the end of the allocated logmap buffer. This issue has been patched in version 7.1.2-1. CVE-2025-55005 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-55005.html CVE-2025-55005 https://bugzilla.suse.com/1248077 SUSE Bug 1248077 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. CVE-2025-55154 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-55154.html CVE-2025-55154 https://bugzilla.suse.com/1248078 SUSE Bug 1248078 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay tree cloning callback. This results in a deterministic abort under UBSan (DoS in sanitizer builds), with no crash in a non-sanitized build. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. CVE-2025-55160 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-55160.html CVE-2025-55160 https://bugzilla.suse.com/1248079 SUSE Bug 1248079 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. CVE-2025-55212 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-55212.html CVE-2025-55212 https://bugzilla.suse.com/1248767 SUSE Bug 1248767 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. CVE-2025-55298 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-55298.html CVE-2025-55298 https://bugzilla.suse.com/1248780 SUSE Bug 1248780 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder's scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. CVE-2025-57803 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.212.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.212.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503150-1/ https://www.suse.com/security/cve/CVE-2025-57803.html CVE-2025-57803 https://bugzilla.suse.com/1248784 SUSE Bug 1248784