Source: imagemagick Version: 8:7.1.2.8+dfsg1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for imagemagick. CVE-2025-65955[0]: | ImageMagick is free and open-source software used for editing and | manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there | is a vulnerability in ImageMagick’s Magick++ layer that manifests | when Options::fontFamily is invoked with an empty string. Clearing a | font family calls RelinquishMagickMemory on _drawInfo->font, freeing | the font string but leaving _drawInfo->font pointing to freed memory | while _drawInfo->family is set to that (now-invalid) pointer. Any | later cleanup or reuse of _drawInfo->font re-frees or dereferences | dangling memory. DestroyDrawInfo and other setters (Options::font, | Image::font) assume _drawInfo->font remains valid, so destruction or | subsequent updates trigger crashes or heap corruption. This | vulnerability is fixed in 7.1.2-9 and 6.9.13-34. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-65955 https://www.cve.org/CVERecord?id=CVE-2025-65955 [1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m Please adjust the affected versions in the BTS as needed. Regards, Salvatore
