
A security update has been issued for the ImageMagick package to address an integer overflow in its BMP decoder (ReadBMP). The vulnerability, tracked as CVE-2025-62171, can be triggered by a malicious 58-byte BMP file and results in a denial of service (DoS). The earlier fix, for CVE-2025-57803, claimed to resolve the issue but proved incomplete and ineffective in some cases. Users are recommended to upgrade their ImageMagick packages to version 8:6.9.11.60+dfsg-1.3+deb11u7 on Debian GNU/Linux 11 (Bullseye) LTS.

[SECURITY] [DLA 4339-1] imagemagick security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4339-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
October 19, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u7
CVE ID : CVE-2025-62171
Debian Bug : 1118340

An integer overflow was found in the BMP decoder (ReadBMP).

The fix for CVE-2025-57803 claims to patch this problem, but that fix
is incomplete and ineffective in some cases.

The patch added BMPOverflowCheck() but placed it after the overflow
occurs. A malicious 58-byte BMP file can trigger AddressSanitizer
crashes and a denial of service.

This new issue was assigned CVE-2025-62171.
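The ordering flaw the advisory describes (an overflow check that only runs after the multiplication has already wrapped) is shown below as a constructed C example. This is not ImageMagick's code or the actual patch; the function names, the size bound and the header values are hypothetical, chosen so the flawed path accepts a wrapped size while the hardened path rejects it.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on a decoded pixel buffer (constructed value). */
#define MAX_IMAGE_BYTES (256u << 20)   /* 256 MiB */

/*
 * Flawed pattern: the multiplications run first in 32-bit unsigned
 * arithmetic, which silently wraps, and the bound check only ever sees
 * the wrapped result. Returns the accepted size, or -1 if rejected.
 */
int64_t compute_size_flawed(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t row_bytes = width * bpp;     /* may wrap to a small value */
    uint32_t total = row_bytes * height;  /* may wrap again */
    if (total > MAX_IMAGE_BYTES)          /* check runs after the overflow */
        return -1;
    return (int64_t)total;
}

/*
 * Hardened pattern: each multiplication is validated before it is
 * performed (portable a > MAX / b test), so a wrapped value never exists.
 * __builtin_mul_overflow() gives the same guarantee on GCC and Clang.
 */
int64_t compute_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > UINT32_MAX / bpp)         /* width * bpp would overflow */
        return -1;
    uint32_t row_bytes = width * bpp;
    if (row_bytes > UINT32_MAX / height)  /* row_bytes * height would overflow */
        return -1;
    uint32_t total = row_bytes * height;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    return (int64_t)total;
}

int main(void)
{
    /* Constructed header values: 2^30 pixels wide, 4 bytes per pixel, 1 row. */
    uint32_t w = 1u << 30, h = 1, bpp = 4;
    printf("flawed  : %lld\n", (long long)compute_size_flawed(w, h, bpp));  /* 0, accepted */
    printf("checked : %lld\n", (long long)compute_size_checked(w, h, bpp)); /* -1, rejected */
    return 0;
}
```

The flawed variant returns 0 for the oversized header because 2^30 * 4 wraps to zero before the check, whereas the hardened variant rejects it and still accepts ordinary dimensions such as 640x480x4.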

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u7.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS