
Debian GNU/Linux 10 (Buster) Extended LTS has received two security updates. The imagemagick package has been updated to fix multiple security vulnerabilities, including heap buffer overflows, memory leaks, and format string bugs. The vulnerabilities (CVEs) listed include issues with processing format strings containing consecutive percent signs (%%), memory corruption due to unsafe size calculations, and arbitrary memory region overwrites. These updates address various commands within ImageMagick, such as magick stream, magick mogrify, and montage, which were found to be vulnerable to these security issues. Additionally, the ca-certificates-java package requires an upgrade to resolve a circular dependency between Java packages and system certificates.

ELA-1515-1 imagemagick security update
ELA-1514-1 ca-certificates-java bugfix update




ELA-1515-1 imagemagick security update


Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u11 (buster)

Related CVEs :
CVE-2025-53014
CVE-2025-53019
CVE-2025-53101
CVE-2025-55154
CVE-2025-55212
CVE-2025-55298
CVE-2025-57803
CVE-2025-57807

Multiple vulnerabilities were fixed in imagemagick, an image manipulation
software suite.

CVE-2025-53014
A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019
In ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak.

CVE-2025-53101
In ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154
The magnified size calculations in ReadOneMNGImage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212
Passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort).

CVE-2025-55298
A format string vulnerability exists in the InterpretImageFilename
function, where user input is passed directly to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803
A 32-bit integer overflow in the BMP encoder's scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 × width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.

CVE-2025-57807
A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset ≫ extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2⁶⁴
arithmetic wrap, external delegates, or policy settings
are required.
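
A minimal model of the growth rule described for CVE-2025-57807, added here as an illustration; it is not ImageMagick's code, and `Stream`, `flawed_extent`, `safe_extent`, `stream_seek` and `stream_write` are hypothetical names. It contrasts sizing the buffer by `quantum + length` with sizing it by `offset + length`, and only ever performs the checked write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable in-memory stream (hypothetical model, not ImageMagick's blob type). */
typedef struct {
  unsigned char *data;
  size_t extent;   /* bytes allocated */
  size_t length;   /* bytes holding valid data */
  size_t offset;   /* current position; a seek may move it past extent */
  size_t quantum;  /* amortised growth step */
} Stream;

/* Growth rule as the advisory describes it: the offset is ignored. */
size_t flawed_extent(const Stream *s, size_t n) {
  return s->extent + s->quantum + n;
}

/* Growth rule that covers the write: at least offset + n, overflow-checked.
   Returns 0 if the request cannot be represented in size_t. */
size_t safe_extent(const Stream *s, size_t n) {
  if (n > SIZE_MAX - s->offset) return 0;
  size_t need = s->offset + n;
  if (need <= s->extent) return s->extent;
  if (s->quantum > SIZE_MAX - need) return 0;
  return need + s->quantum;
}

/* Seek only records the position; it never allocates. */
void stream_seek(Stream *s, size_t pos) { s->offset = pos; }

/* Write n bytes at the current offset; returns bytes written, or 0 on failure. */
size_t stream_write(Stream *s, const void *src, size_t n) {
  size_t want = safe_extent(s, n);
  if (n == 0 || want == 0) return 0;
  if (want > s->extent) {
    unsigned char *p = realloc(s->data, want);
    if (p == NULL) return 0;
    s->data = p;
    s->extent = want;
  }
  if (s->offset > s->length)  /* zero the hole left by a seek past the end */
    memset(s->data + s->length, 0, s->offset - s->length);
  memcpy(s->data + s->offset, src, n);
  s->offset += n;
  if (s->offset > s->length) s->length = s->offset;
  return n;
}
```

With a 68-byte buffer and a seek to offset 1 MiB, the flawed rule yields 136 bytes for a 4-byte write, far short of the 1 MiB + 4 the copy needs.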





ELA-1514-1 ca-certificates-java bugfix update


Package : ca-certificates-java
Version : 20230710~deb12u1~deb11u1~deb10u1 (buster)

The ca-certificates-java package needs to be upgraded to resolve a circular
dependency between Java packages and ca-certificates,
which would otherwise prevent the system certificates from being updated.

