ISN 2025-42: ImageMagick Vulnerabilities
First published 2 October 2025
CVSS:3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple security vulnerabilities have been found in ImageMagick, an open-source image processor used in IGEL OS. This affects the following product versions:
IGEL OS 12
IGEL OS 11
Details
A format string vulnerability exists in the InterpretImageFilename function, where user input is passed directly to FormatLocaleString without proper sanitization. An attacker can use this to overwrite arbitrary memory regions, enabling attacks ranging from heap overflow to remote code execution (CVE-2025-55298, high).
Apart from that, the magnified size calculations in ReadOneMNGImage are unsafe and can overflow, leading to memory corruption (CVE-2025-55154, high). Finally, a possible division by zero via the montage command can crash the program (CVE-2025-55212, high).
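The following is an added example, not ImageMagick's or IGEL's code, showing the defect class behind the format string finding above: untrusted text must reach the formatting routine only as an argument to a fixed "%s" format, never as the format itself, and a boundary check can reject names that carry conversion directives. The function names, the buffer sizes and the sample name "cover%s%x" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Count printf-style conversion directives in an untrusted string.
 * A doubled "%%" is a literal percent sign and is not counted. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;                 /* '%' followed by anything else (or end) */
    }
    return n;
}

/* Hardened expansion. The untrusted name is an argument to a fixed
 * format, so any '%' it contains is copied literally. The vulnerable
 * shape this replaces is snprintf(out, outsize, untrusted), i.e. the
 * untrusted text itself used as the format string.
 * Returns 0 on success, -1 if the result would not fit in out. */
int expand_filename_safe(char *out, size_t outsize,
                         const char *untrusted, int frame)
{
    int written = snprintf(out, outsize, "%s-%d.png", untrusted, frame);
    if (written < 0 || (size_t)written >= outsize)
        return -1;
    return 0;
}

/* Boundary check: accept a name only if it carries no directives.
 * Returns 1 when acceptable, 0 otherwise. */
int filename_is_acceptable(const char *name)
{
    return count_format_directives(name) == 0;
}

/* Expand into a buffer of the given size and compare with the expected
 * text. Returns 1 on match, 0 if it did not fit or differs. */
int expands_to(size_t outsize, const char *untrusted, int frame,
               const char *expected)
{
    char buf[256];
    if (outsize > sizeof buf)
        return 0;
    if (expand_filename_safe(buf, outsize, untrusted, frame) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```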
Update Instructions
OS 12: Update to the IGEL OS base system app in version 12.7.4 or newer when available from the IGEL App Portal.
OS 11: Update to IGEL OS version 11.11.100 when available.
References
Debian Security Advisory DSA-5997-1: https://lists.debian.org/debian-security-announce/2025/msg00161.html