[From nobody Sun May  3 21:07:10 2026
Received: (at submit) by bugs.debian.org; 22 Apr 2026 11:29:21 +0000
Return-path: <james_montgomery@disroot.org>
Received: from layka.disroot.org ([178.21.23.139]:52438)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <james_montgomery@disroot.org>)
 id 1wFVlf-009sNO-2B for submit@bugs.debian.org;
 Wed, 22 Apr 2026 11:29:21 +0000
Received: from mail01.disroot.lan (localhost [127.0.0.1])
 by disroot.org (Postfix) with ESMTP id 45A2A26E7C
 for <submit@bugs.debian.org>; Wed, 22 Apr 2026 13:29:15 +0200 (CEST)
X-Virus-Scanned: SPAM Filter at disroot.org
Received: from layka.disroot.org ([127.0.0.1])
 by localhost (disroot.org [127.0.0.1]) (amavis, port 10024) with ESMTP
 id IrNcpKjd5jo5 for <submit@bugs.debian.org>;
 Wed, 22 Apr 2026 13:29:14 +0200 (CEST)
Date: Wed, 22 Apr 2026 11:28:46 +0000
Message-ID: <093f0159fa7d9fcd6a207049b48768e4@disroot.org>
From: James Montgomery <james_montgomery@disroot.org>
To: submit@bugs.debian.org
Subject: imagemagick: CVE-2026-40310 and CVE-2026-40311 affect stable suites
Delivered-To: submit@bugs.debian.org

Package: src:imagemagick
Version: 8:7.1.1.43+dfsg1-1+deb13u7
Severity: important
Tags: security upstream
X-Debbugs-Cc: team@security.debian.org

Dear Maintainer,

The tracker records CVE-2026-40310 and CVE-2026-40311 as fixed in
unstable by 8:7.1.2.19+dfsg1-1, but the fixes do not appear to be
present in the current stable, oldstable, or oldoldstable source
packages.

CVE-2026-40310:

  A heap out-of-bounds write in the JP2 encoder when a user specifies an
  invalid sampling index.

  Upstream advisory:
  https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh

  IM7 fix:
  https://github.com/ImageMagick/ImageMagick/commit/3d653bea2df085c728a1c8f775808e1e9249dff9

  IM6 fix:
  https://github.com/ImageMagick/ImageMagick6/commit/4c782c770894fc19029d4408a4de37cc491c7c25

  The fix bounds parsed sampling factors with MagickMax(..., 1.0).
  Source inspection:
  - sid 8:7.1.2.19+dfsg1-1 has the fixed MagickMax guard in coders/jp2.c.
  - trixie 8:7.1.1.43+dfsg1-1+deb13u7 still assigns geometry_info.rho
    directly in coders/jp2.c.
  - bookworm 8:6.9.11.60+dfsg-1.6+deb12u8 and bullseye
    8:6.9.11.60+dfsg-1.3+deb11u11 still parse sampling_factor directly
    with sscanf into parameters->subsampling_dx/subsampling_dy.

CVE-2026-40311:

  A heap use-after-free vulnerability that can cause a crash when reading
  and printing values from an invalid XMP profile.

  Upstream advisory:
  https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7

  IM7 fix:
  https://github.com/ImageMagick/ImageMagick/commit/5facfecf1abb3fed46a08f614dcc43d1e548e20d

  IM6 fix:
  https://github.com/ImageMagick/ImageMagick6/commit/ccf3cffe819616b39374594a7b5389fc2d49260d

  The fix avoids adding wildcard XMP namespace properties ending in ":*".
  Source inspection:
  - sid 8:7.1.2.19+dfsg1-1 has the xmp_namespace_length guard in
    MagickCore/property.c.
  - trixie 8:7.1.1.43+dfsg1-1+deb13u7 does not have that guard in
    MagickCore/property.c.
  - bookworm 8:6.9.11.60+dfsg-1.6+deb12u8 and bullseye
    8:6.9.11.60+dfsg-1.3+deb11u11 do not have that guard in
    magick/property.c.

I did not find an existing exact BTS bug for either CVE in my package
bug context checks, but please merge or close this if these are already
tracked elsewhere.

Regards,
James
]
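
The source inspection described in the report above, as an added example that is not part of the original message and not Debian or ImageMagick tooling: it greps an unpacked source tree for the two markers the report names (the `MagickMax(..., 1.0)` bound in `coders/jp2.c` and `xmp_namespace_length` in `property.c`). The function names are hypothetical, using the markers as grep patterns is an assumption, and the sample files are constructed stand-ins, not upstream code.

```shell
#!/bin/sh
# Marker-based triage of an unpacked ImageMagick source tree.
# A hit or a miss is only a hint; confirm it by reading the code.

# has_jp2_guard TREE: exit 0 if coders/jp2.c has a MagickMax(..., 1.0) bound.
has_jp2_guard() {
  f="$1/coders/jp2.c"
  [ -f "$f" ] && grep -Eq 'MagickMax\(.*,[[:space:]]*1\.0\)' "$f"
}

# has_xmp_guard TREE: exit 0 if property.c mentions xmp_namespace_length.
# Checks the IM7 path (MagickCore/) and the IM6 path (magick/).
has_xmp_guard() {
  for f in "$1/MagickCore/property.c" "$1/magick/property.c"; do
    [ -f "$f" ] && grep -q 'xmp_namespace_length' "$f" && return 0
  done
  return 1
}

# report TREE: print one status line per CVE.
report() {
  if has_jp2_guard "$1"; then s=present; else s=missing; fi
  echo "CVE-2026-40310 jp2 sampling bound: $s"
  if has_xmp_guard "$1"; then s=present; else s=missing; fi
  echo "CVE-2026-40311 xmp namespace guard: $s"
}

# make_sample_trees DIR: constructed stand-ins for a patched IM7 tree and an
# unpatched IM6 tree, so the check can be exercised offline.
make_sample_trees() {
  mkdir -p "$1/fixed/coders" "$1/fixed/MagickCore" \
           "$1/old/coders" "$1/old/magick"
  printf '%s\n' 'dx=(int) MagickMax(geometry_info.rho,1.0); /* constructed */' \
    > "$1/fixed/coders/jp2.c"
  printf '%s\n' '/* constructed */ size_t xmp_namespace_length;' \
    > "$1/fixed/MagickCore/property.c"
  printf '%s\n' 'dx=(int) geometry_info.rho; /* constructed */' \
    > "$1/old/coders/jp2.c"
  printf '%s\n' '/* constructed: no guard marker here */' \
    > "$1/old/magick/property.c"
}

# Stand-alone use: pass the path of an unpacked source package.
if [ "$#" -gt 0 ]; then report "$1"; fi
```

Run it with the path of an unpacked source package as the first argument; `make_sample_trees` is only for trying the check without real sources.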