Alpine: multiple imagemagick packages: security update to 7.1.2.12-r0

medium Tenable Self-Hosted Container Security Plugin ID 436708

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9
and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its
ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header
and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where
size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping
around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later
operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version
7.1.2-10. (CVE-2025-66628)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the
issue. (CVE-2025-68469)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12
fixes the issue. (CVE-2025-68618)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack
overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be
affected. Version 7.1.2-12 fixes the issue. (CVE-2025-68950)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused
an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12
fixes the issue. (CVE-2025-69204)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-66628

https://security.alpinelinux.org/vuln/CVE-2025-68469

https://security.alpinelinux.org/vuln/CVE-2025-68618

https://security.alpinelinux.org/vuln/CVE-2025-68950

https://security.alpinelinux.org/vuln/CVE-2025-69204

Plugin Details

Severity: Medium

ID: 436708

Version: Revision 1.5

Type: Local

Published: 1/13/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-69204

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-68469

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/25/2025

Reference Information

CVE: CVE-2025-66628, CVE-2025-68469, CVE-2025-68618, CVE-2025-68950, CVE-2025-69204

IAVB: 2025-B-0205-S, 2026-B-0004-S