ALAS2-2025-2952

Amazon Linux 2 Security Advisory: ALAS2-2025-2952
Advisory Released Date: 2025-08-04
Advisory Updated Date: 2025-08-04

Severity: Medium

References: CVE-2025-53014 CVE-2025-53019 CVE-2025-53101
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue. (CVE-2025-53014)

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Affects ImageMagick < 7.1.2-0, < 6.9.13-26 (CVE-2025-53019)

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue. (CVE-2025-53101)

Affected Packages:

ImageMagick

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ImageMagick or yum update --advisory ALAS2-2025-2952 to update your system.

New Packages:

aarch64:
    ImageMagick-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.14.aarch64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.14.aarch64

i686:
    ImageMagick-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-devel-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-doc-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-perl-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-c++-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.14.i686
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.14.i686

src:
    ImageMagick-6.9.10.97-1.amzn2.0.14.src

x86_64:
    ImageMagick-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.14.x86_64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.14.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-53014, CVE-2025-53019, CVE-2025-53101

Mitre: CVE-2025-53014, CVE-2025-53019, CVE-2025-53101