[From nobody Sun May  3 21:07:10 2026
Received: (at 1134627-close) by bugs.debian.org; 3 May 2026 20:04:26 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from mailly.debian.org ([2001:41b8:202:deb:6564:a62:52c3:4b72]:57410)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJd3C-005NQG-2a for 1134627-close@bugs.debian.org;
 Sun, 03 May 2026 20:04:26 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mailly.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJd3B-002EXt-1k for 1134627-close@bugs.debian.org;
 Sun, 03 May 2026 20:04:25 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1wJd3A-0000000A5ae-2hT8; Sun, 03 May 2026 20:04:24 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
To: 1134627-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: imagemagick
Debian: DAK
Debian-Changes: imagemagick_6.9.11.60+dfsg-1.6+deb12u9_source.changes
Debian-Source: imagemagick
Debian-Version: 8:6.9.11.60+dfsg-1.6+deb12u9
Debian-Architecture: source
Debian-Suite: oldstable-proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1134627: fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u9
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============0503797750951391088=="
Message-Id: <E1wJd3A-0000000A5ae-2hT8@fasolo.debian.org>
Date: Sun, 03 May 2026 20:04:24 +0000

--===============0503797750951391088==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: imagemagick
Source-Version: 8:6.9.11.60+dfsg-1.6+deb12u9
Done: Bastien Roucariès <rouca@debian.org>

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1134627@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Apr 2026 16:03:16 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u9
Distribution: bookworm-security
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1134627
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u9) bookworm-security; urgency=medium
 .
   * Fix CVE-2026-25971:
     Magick fails to check for circular references between two MSLs,
     leading to a stack overflow.
   * Fix CVE-2026-33899:
     When `Magick` parses an XML file it is possible that a single
     zero byte is written out of the bounds.
   * Fix CVE-2026-33900:
     The viff encoder contains an integer truncation/wraparound
     issue on 32-bit builds that could trigger an out of bounds
     heap write, potentially causing a crash.
   * Fix CVE-2026-33901:
     A heap buffer overflow occurs in the MVG decoder that could
     result in an out of bounds write when processing a crafted image.
   * Fix CVE-2026-33905:
     The -sample operation has an out of bounds read when a
     specific offset is set through the `sample:offset` define that could
     lead to an out of bounds read.
   * Fix CVE-2026-33908:
     When Magick processes an XML file with deeply nested structures,
     it will exhaust the stack memory, resulting in a Denial of Service
     (DoS) attack.
   * Fix CVE-2026-34238:
     An integer overflow in the despeckle operation causes a heap
     buffer overflow on 32-bit builds that will result in an out
     of bounds write.
   * Fix CVE-2026-40310:
     A heap out-of-bounds write in the JP2 encoder when a user specifies
     an invalid sampling index.
   * Fix CVE-2026-40311 (Closes: #1134627):
     A heap use-after-free vulnerability that can cause a crash when
     reading and printing values from an invalid XMP profile.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============0503797750951391088==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============0503797750951391088==--
]