ALAS2GRAPHICSMAGICK1.3-2025-004

Amazon Linux 2 Security Advisory: ALAS2GRAPHICSMAGICK1.3-2025-004
Advisory Released Date: 2025-09-29
Advisory Updated Date: 2025-09-29
Severity: Medium
Issue Overview:

ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits. (CVE-2025-27795)

ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette buffer allocation, resulting in out-of-bounds access to heap memory in ReadBlob. (CVE-2025-27796)

GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call. (CVE-2025-32460)


Affected Packages:

GraphicsMagick


Note:

This advisory is applicable to Amazon Linux 2 - Graphicsmagick1.3 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update GraphicsMagick or yum update --advisory ALAS2GRAPHICSMAGICK1.3-2025-004 to update your system.

New Packages:
aarch64:
    GraphicsMagick-1.3.45-1.amzn2.0.1.aarch64
    GraphicsMagick-devel-1.3.45-1.amzn2.0.1.aarch64
    GraphicsMagick-perl-1.3.45-1.amzn2.0.1.aarch64
    GraphicsMagick-c++-1.3.45-1.amzn2.0.1.aarch64
    GraphicsMagick-c++-devel-1.3.45-1.amzn2.0.1.aarch64
    GraphicsMagick-debuginfo-1.3.45-1.amzn2.0.1.aarch64

noarch:
    GraphicsMagick-doc-1.3.45-1.amzn2.0.1.noarch

src:
    GraphicsMagick-1.3.45-1.amzn2.0.1.src

x86_64:
    GraphicsMagick-1.3.45-1.amzn2.0.1.x86_64
    GraphicsMagick-devel-1.3.45-1.amzn2.0.1.x86_64
    GraphicsMagick-perl-1.3.45-1.amzn2.0.1.x86_64
    GraphicsMagick-c++-1.3.45-1.amzn2.0.1.x86_64
    GraphicsMagick-c++-devel-1.3.45-1.amzn2.0.1.x86_64
    GraphicsMagick-debuginfo-1.3.45-1.amzn2.0.1.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2025-27795, CVE-2025-27796, CVE-2025-32460

Mitre: CVE-2025-27795, CVE-2025-27796, CVE-2025-32460