1. 漏洞描述

Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.

Security Fix(es):

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.(CVE-2025-55154)

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay tree cloning callback. This results in a deterministic abort under UBSan (DoS in sanitizer builds), with no crash in a non-sanitized build. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.(CVE-2025-55160)

A vulnerability classified as problematic was found in ImageMagick up to 6.9.13-27/7.1.2-1 (Image Processing Software).The manipulation of the argument width/height with an unknown input leads to a unknown weakness. The CWE definition for the vulnerability is CWE-369. The product divides a value by zero.As an impact it is known to affect availability.Upgrading to version 6.9.13-28 or 7.1.2-2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 5f0bcf986b8b5e90567750d31a37af502b73f2af is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-55212)

A vulnerability was found in ImageMagick up to 6.9.13-27/7.1.2-1 (Image Processing Software). It has been classified as critical.CWE is classifying the issue as CWE-123. Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 6.9.13-28 or 7.1.2-2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 439b362b93c074eea6c3f834d84982b43ef057d5 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-55298)

A vulnerability was found in ImageMagick up to 6.9.13-27/7.1.2-1 on 32-bit (Image Processing Software). It has been rated as critical.Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Impacted is confidentiality, integrity, and availability.Upgrading to version 6.9.13-28 or 7.1.2-2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 2c55221f4d38193adcb51056c14cf238fbcc35d7 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.(CVE-2025-57803)

2. 影响范围

3. 影响组件

4. 修复版本

5. 修复方法

方法一：下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存，如 xxx.rpm
2、通过rpm命令升级，如 rpm -Uvh xxx.rpm

方法二：通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包，如 yum install 包名

6. 下载链接

KY3.4-5A:

x86_64:

     ImageMagick   

     ImageMagick-c++   

     ImageMagick-c++-devel   

     ImageMagick-devel   

     ImageMagick-help   

     ImageMagick-perl   

aarch64:

     ImageMagick   

     ImageMagick-c++   

     ImageMagick-c++-devel   

     ImageMagick-devel   

     ImageMagick-help   

     ImageMagick-perl