Alpine: multiple imagemagick packages: security update to 7.1.2.8-r0

critical Tenable Cloud Security Plugin ID 436079

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- ImageMagick is free and open-source software used for editing and manipulating digital images. Versions
prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The
issue stems from an off-by-one error that causes out-of-bounds memory access when processing format
strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue.
(CVE-2025-53014)

- ImageMagick is an open source software suite for displaying, converting, and editing raster image files.
In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the
BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value
by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP
file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow
check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A
specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this
overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit
builds of ImageMagick where default resource limits for width, height, and area have been manually
increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems
using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions
7.1.2-7 and 6.9.13-32. (CVE-2025-62171)

- ImageMagick is a software suite to create, edit, compose, or convert bitmap images. ImageMagick versions
prior to 7.1.2-8 are vulnerable to denial-of-service due to unsigned integer underflow and division-by-
zero in the CLAHEImage function. When tile width or height is zero, unsigned underflow occurs in pointer
arithmetic, leading to out-of-bounds memory access, and division-by-zero causes immediate crashes. This
issue has been patched in version 7.1.2-8. (CVE-2025-62594)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-53014

https://security.alpinelinux.org/vuln/CVE-2025-62171

https://security.alpinelinux.org/vuln/CVE-2025-62594

Plugin Details

Severity: Critical

ID: 436079

Version: Revision 1.3

Type: Local

Published: 11/16/2025

Updated: 2/28/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.75

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53014

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/14/2025

Reference Information

CVE: CVE-2025-53014, CVE-2025-62171, CVE-2025-62594

IAVB: 2025-B-0117-S, 2025-B-0178-S