Your message dated Sat, 6 Dec 2025 09:41:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#1121845: imagemagick: CVE-2025-65955
has caused the Debian Bug report #1121845,
regarding imagemagick: CVE-2025-65955
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121845
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: imagemagick
Version: 8:7.1.2.8+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for imagemagick.
CVE-2025-65955[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there
| is a vulnerability in ImageMagick’s Magick++ layer that manifests
| when Options::fontFamily is invoked with an empty string. Clearing a
| font family calls RelinquishMagickMemory on _drawInfo->font, freeing
| the font string but leaving _drawInfo->font pointing to freed memory
| while _drawInfo->family is set to that (now-invalid) pointer. Any
| later cleanup or reuse of _drawInfo->font re-frees or dereferences
| dangling memory. DestroyDrawInfo and other setters (Options::font,
| Image::font) assume _drawInfo->font remains valid, so destruction or
| subsequent updates trigger crashes or heap corruption. This
| vulnerability is fixed in 7.1.2-9 and 6.9.13-34.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-65955
    https://www.cve.org/CVERecord?id=CVE-2025-65955
[1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m
[2] https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8
[3] https://github.com/ImageMagick/ImageMagick6/commit/7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi,
On Wed, Dec 03, 2025 at 05:10:31PM +0100, Salvatore Bonaccorso wrote:
> Source: imagemagick
> Version: 8:7.1.2.8+dfsg1-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for imagemagick.
>
> CVE-2025-65955[0]:
> | ImageMagick is free and open-source software used for editing and
> | manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there
> | is a vulnerability in ImageMagick’s Magick++ layer that manifests
> | when Options::fontFamily is invoked with an empty string. Clearing a
> | font family calls RelinquishMagickMemory on _drawInfo->font, freeing
> | the font string but leaving _drawInfo->font pointing to freed memory
> | while _drawInfo->family is set to that (now-invalid) pointer. Any
> | later cleanup or reuse of _drawInfo->font re-frees or dereferences
> | dangling memory. DestroyDrawInfo and other setters (Options::font,
> | Image::font) assume _drawInfo->font remains valid, so destruction or
> | subsequent updates trigger crashes or heap corruption. This
> | vulnerability is fixed in 7.1.2-9 and 6.9.13-34.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-65955
>     https://www.cve.org/CVERecord?id=CVE-2025-65955
> [1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m
> [2] https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8
> [3] https://github.com/ImageMagick/ImageMagick6/commit/7d4c27fd4cb2a716a9c1d3346a5e79a692cfe6d8
>
> Please adjust the affected versions in the BTS as needed.
This CVE has been rejected as further investigation showed it is not a
security issue.
Regards,
Salvatore
--- End Message ---