ALAS2023-2025-1126

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1126
Advisory Released Date: 2025-08-08
Advisory Updated Date: 2025-08-08
Severity: Medium
Issue Overview:

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue. (CVE-2025-53014)

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Affects ImageMagick < 7.1.2-0, < 6.9.13-26 (CVE-2025-53019)

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue. (CVE-2025-53101)


Affected Packages:

ImageMagick


Issue Correction:
Run dnf update ImageMagick --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1126 --releasever 2023.8.20250808 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    ImageMagick-perl-debuginfo-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-c++-debuginfo-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-doc-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-debuginfo-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-c++-devel-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-c++-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-devel-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-debugsource-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-perl-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-libs-debuginfo-6.9.12.82-1.amzn2023.0.9.aarch64
    ImageMagick-libs-6.9.12.82-1.amzn2023.0.9.aarch64

src:
    ImageMagick-6.9.12.82-1.amzn2023.0.9.src

x86_64:
    ImageMagick-c++-devel-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-perl-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-c++-debuginfo-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-perl-debuginfo-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-debuginfo-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-devel-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-debugsource-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-doc-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-c++-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-libs-debuginfo-6.9.12.82-1.amzn2023.0.9.x86_64
    ImageMagick-libs-6.9.12.82-1.amzn2023.0.9.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-53014, CVE-2025-53019, CVE-2025-53101

Mitre: CVE-2025-53014, CVE-2025-53019, CVE-2025-53101