ALAS2023-2025-1206

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1206
Advisory Released Date: 2025-09-29
Advisory Updated Date: 2025-09-29

Severity: Medium

References: CVE-2025-55212 CVE-2025-57807
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. (CVE-2025-55212)

ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset [?] extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 264 arithmetic wrap, external delegates, or policy settings are required. This is fixed in version 14.8.2. (CVE-2025-57807)

Affected Packages:

ImageMagick

Issue Correction:
Run dnf update ImageMagick --releasever 2023.9.20250929 or dnf update --advisory ALAS2023-2025-1206 --releasever 2023.9.20250929 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    ImageMagick-c++-debuginfo-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-perl-debuginfo-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-devel-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-c++-devel-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-debuginfo-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-perl-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-c++-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-doc-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-debugsource-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-libs-debuginfo-6.9.13.29-1.amzn2023.0.1.aarch64
    ImageMagick-libs-6.9.13.29-1.amzn2023.0.1.aarch64

src:
    ImageMagick-6.9.13.29-1.amzn2023.0.1.src

x86_64:
    ImageMagick-c++-devel-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-c++-debuginfo-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-devel-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-perl-debuginfo-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-debuginfo-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-perl-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-doc-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-c++-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-debugsource-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-libs-debuginfo-6.9.13.29-1.amzn2023.0.1.x86_64
    ImageMagick-libs-6.9.13.29-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-55212, CVE-2025-57807

Mitre: CVE-2025-55212, CVE-2025-57807