ALAS2-2025-3000

Amazon Linux 2 Security Advisory: ALAS2-2025-3000
Advisory Released Date: 2025-09-16
Advisory Updated Date: 2025-09-16

Severity: Important

References: CVE-2025-55004 CVE-2025-55005 CVE-2025-55160 CVE-2025-55298
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, ImageMagick is vulnerable to heap-buffer overflow read around the handling of images with separate alpha channels when performing image magnification in ReadOneMNGIMage. This can likely be used to leak subsequent memory contents into the output image. This issue has been patched in version 7.1.2-1. (CVE-2025-55004)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, when preparing to transform from Log to sRGB colorspaces, the logmap construction fails to handle cases where the reference-black or reference-white value is larger than 1024. This leads to corrupting memory beyond the end of the allocated logmap buffer. This issue has been patched in version 7.1.2-1. (CVE-2025-55005)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay tree cloning callback. This results in a deterministic abort under UBSan (DoS in sanitizer builds), with no crash in a non-sanitized build. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. (CVE-2025-55160)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. (CVE-2025-55298)

Affected Packages:

ImageMagick

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ImageMagick or yum update --advisory ALAS2-2025-3000 to update your system.

New Packages:

aarch64:
    ImageMagick-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.16.aarch64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.16.aarch64

i686:
    ImageMagick-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-devel-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-doc-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-perl-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-c++-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.16.i686
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.16.i686

src:
    ImageMagick-6.9.10.97-1.amzn2.0.16.src

x86_64:
    ImageMagick-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-devel-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-doc-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-perl-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-c++-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-c++-devel-6.9.10.97-1.amzn2.0.16.x86_64
    ImageMagick-debuginfo-6.9.10.97-1.amzn2.0.16.x86_64

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2025-55004, CVE-2025-55005, CVE-2025-55160, CVE-2025-55298

Mitre: CVE-2025-55004, CVE-2025-55005, CVE-2025-55160, CVE-2025-55298