[Pkg-gmagick-im-team] Bug#1134627: imagemagick: CVE-2026-40310 and CVE-2026-40311 affect stable suites
James Montgomery
james_montgomery at disroot.org
Wed Apr 22 12:28:46 BST 2026
Package: src:imagemagick
Version: 8:7.1.1.43+dfsg1-1+deb13u7
Severity: important
Tags: security upstream
X-Debbugs-Cc: team at security.debian.org
Dear Maintainer,
The tracker records CVE-2026-40310 and CVE-2026-40311 as fixed in
unstable by 8:7.1.2.19+dfsg1-1, but the fixes do not appear to be
present in the current stable, oldstable, or oldoldstable source
packages.
CVE-2026-40310:
A heap out-of-bounds write in the JP2 encoder when a user specifies an
invalid sampling index.
Upstream advisory:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh
IM7 fix:
https://github.com/ImageMagick/ImageMagick/commit/3d653bea2df085c728a1c8f775808e1e9249dff9
IM6 fix:
https://github.com/ImageMagick/ImageMagick6/commit/4c782c770894fc19029d4408a4de37cc491c7c25
The fix bounds parsed sampling factors with MagickMax(..., 1.0).
Source inspection:
- sid 8:7.1.2.19+dfsg1-1 has the fixed MagickMax guard in coders/jp2.c.
- trixie 8:7.1.1.43+dfsg1-1+deb13u7 still assigns geometry_info.rho
directly in coders/jp2.c.
- bookworm 8:6.9.11.60+dfsg-1.6+deb12u8 and bullseye
8:6.9.11.60+dfsg-1.3+deb11u11 still parse sampling_factor directly
with sscanf into parameters->subsampling_dx/subsampling_dy.
CVE-2026-40311:
A heap use-after-free vulnerability that can cause a crash when reading
and printing values from an invalid XMP profile.
Upstream advisory:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7
IM7 fix:
https://github.com/ImageMagick/ImageMagick/commit/5facfecf1abb3fed46a08f614dcc43d1e548e20d
IM6 fix:
https://github.com/ImageMagick/ImageMagick6/commit/ccf3cffe819616b39374594a7b5389fc2d49260d
The fix avoids adding wildcard XMP namespace properties ending in ":*".
Source inspection:
- sid 8:7.1.2.19+dfsg1-1 has the xmp_namespace_length guard in
MagickCore/property.c.
- trixie 8:7.1.1.43+dfsg1-1+deb13u7 does not have that guard in
MagickCore/property.c.
- bookworm 8:6.9.11.60+dfsg-1.6+deb12u8 and bullseye
8:6.9.11.60+dfsg-1.3+deb11u11 do not have that guard in
magick/property.c.
I did not find an existing exact BTS bug for either CVE in my package
bug context checks, but please merge or close this if these are already
tracked elsewhere.
Regards,
James
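Added illustration, not part of this report or of ImageMagick's own code: the shape of the MagickMax(..., 1.0) guard described for CVE-2026-40310, applied to a sampling factor parsed from user text with sscanf, next to the unguarded parse it replaces. The type and function names are hypothetical, and the sample-count routine is a constructed stand-in for whatever the encoder sizes from those factors.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for MagickMax(): lower-bounds a parsed factor. */
#define SAMPLE_MAX(a, b) ((a) > (b) ? (a) : (b))

typedef struct {
    int dx; /* horizontal subsampling factor */
    int dy; /* vertical subsampling factor */
} Subsampling;

/* Unguarded parse (the pre-fix shape): whatever the user typed lands in
 * dx/dy, including 0 or negative values. Returns 1 on success, 0 if the
 * text holds no number at all. A bare "2" is taken to mean 2x2. */
int parse_sampling_unguarded(const char *text, Subsampling *out) {
    double rho = 0.0, sigma = 0.0;
    int n = sscanf(text, "%lfx%lf", &rho, &sigma);
    if (n < 1)
        return 0;
    if (n == 1)
        sigma = rho;
    out->dx = (int) rho;
    out->dy = (int) sigma;
    return 1;
}

/* Guarded parse (the fix's shape): each factor is clamped to at least 1.0
 * before it is stored, so no later index or size is derived from 0 or a
 * negative value. */
int parse_sampling_guarded(const char *text, Subsampling *out) {
    double rho = 0.0, sigma = 0.0;
    int n = sscanf(text, "%lfx%lf", &rho, &sigma);
    if (n < 1)
        return 0;
    if (n == 1)
        sigma = rho;
    out->dx = (int) SAMPLE_MAX(rho, 1.0);
    out->dy = (int) SAMPLE_MAX(sigma, 1.0);
    return 1;
}

/* Constructed consumer: samples per component after subsampling, using
 * ceiling division. Refuses (returns 0) on factors below 1, since a zero
 * factor would divide by zero and a negative one would yield a bogus size
 * for any buffer allocated from the result. */
size_t subsampled_samples(size_t width, size_t height, Subsampling s) {
    if (s.dx < 1 || s.dy < 1)
        return 0;
    size_t cols = (width + (size_t) s.dx - 1) / (size_t) s.dx;
    size_t rows = (height + (size_t) s.dy - 1) / (size_t) s.dy;
    return cols * rows;
}
```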