Hi,

On Sat, Oct 18, 2025 at 11:42:48AM +0200, Bastien Roucaries wrote:
> On Saturday, 18 October 2025, 09:18:42 Central European Summer Time,
> Salvatore Bonaccorso wrote:
> > Source: imagemagick
> > Version: 8:7.1.2.3+dfsg1-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for imagemagick.
> >
> > CVE-2025-62171[0]:
> > | ImageMagick is an open source software suite for displaying,
> > | converting, and editing raster image files. In ImageMagick versions
> > | prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability
> > | exists in the BMP decoder on 32-bit systems. The vulnerability
> > | occurs in coders/bmp.c when calculating the extent value by
> > | multiplying image columns by bits per pixel. On 32-bit systems with
> > | size_t of 4 bytes, a malicious BMP file with specific dimensions can
> > | cause this multiplication to overflow and wrap to zero. The overflow
> > | check added to address CVE-2025-57803 is placed after the overflow
> > | occurs, making it ineffective. A specially crafted 58-byte BMP file
> > | with width set to 536,870,912 and 32 bits per pixel can trigger this
> > | overflow, causing the bytes_per_line calculation to become zero.
> > | This vulnerability only affects 32-bit builds of ImageMagick where
> > | default resource limits for width, height, and area have been
> > | manually increased beyond their defaults. 64-bit systems with size_t
> > | of 8 bytes are not vulnerable, and systems using default ImageMagick
> > | resource limits are not vulnerable. The vulnerability is fixed in
> > | versions 7.1.2-7 and 6.9.13-32.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For me it is a no-dsa one due to policy.xml forbidding such a big file.

Agreed that this is no-dsa, I just marked it as such.

> So I would like to downgrade to minor and will make a point release.

Yes, if you feel strongly, you can downgrade. A point release update is in
any case enough.

Regards,
Salvatore
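Added worked example (not part of the bug report, and not ImageMagick's own code): the check-ordering problem the CVE text describes, reproduced with uint32_t standing in for a 4-byte size_t so the wrap shows on any host. The function names, the shape of the late bound check, and the bits-to-bytes step are assumptions; the width and bits-per-pixel values are the ones from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of CVE-2025-62171's ordering bug. Affected
   builds have a 4-byte size_t, so uint32_t is used for the arithmetic.
   Function names and check shapes are assumed, not taken from bmp.c. */

/* Ineffective ordering: multiply first, then bound-check the product.
   A wrapped product is small, so the bound check has nothing to reject.
   Returns true when the extent is accepted. */
bool extent_check_after_multiply(uint32_t columns, uint32_t bpp,
                                 uint32_t *extent)
{
    uint32_t product = columns * bpp;   /* wraps modulo 2^32 */
    if (product > UINT32_MAX - 31)      /* assumed bound check: too late */
        return false;
    *extent = product;
    return true;
}

/* Hardened ordering: prove the multiplication cannot overflow before
   performing it. columns * bpp overflows iff columns > UINT32_MAX / bpp. */
bool extent_check_before_multiply(uint32_t columns, uint32_t bpp,
                                  uint32_t *extent)
{
    if (bpp == 0 || columns == 0 || columns > UINT32_MAX / bpp)
        return false;                   /* would wrap: reject the image */
    *extent = columns * bpp;
    return true;
}

/* Bits per row to bytes per row, as the decoder would do next (assumed). */
uint32_t bytes_per_line(uint32_t extent) { return extent / 8; }

int main(void)
{
    const uint32_t width = 536870912u;  /* 2^29, width from the advisory */
    const uint32_t bpp = 32u;           /* 2^5: 2^34 wraps to 0 in 32 bits */
    uint32_t extent = 1;
    bool ok = extent_check_after_multiply(width, bpp, &extent);
    printf("check-after : accepted=%d extent=%u bytes_per_line=%u\n",
           ok, extent, bytes_per_line(extent));
    ok = extent_check_before_multiply(width, bpp, &extent);
    printf("check-before: accepted=%d\n", ok);
    return 0;
}
```

With the advisory's dimensions the late check accepts an extent of 0 and a bytes_per_line of 0, while the early check rejects the file; this is also why the default width/height/area limits in policy.xml keep such a file from reaching the multiplication at all.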

