[Pkg-gmagick-im-team] Bug#1134627: bookworm-security debdiff for CVE-2026-40310 and CVE-2026-40311

James Montgomery james_montgomery at disroot.org
Wed Apr 22 15:48:25 BST 2026


Hi,

I prepared a bookworm-security debdiff for CVE-2026-40310 and
CVE-2026-40311, attached.

The update is based on the current bookworm-security source package,
8:6.9.11.60+dfsg-1.6+deb12u8, and adds:

  - CVE-2026-40310: backport of the JP2 sampling-factor clamp from
    the upstream ImageMagick6 fix [1]. The bookworm code still parses
    sampling_factor with sscanf(), so the patch clamps the parsed
    subsampling values after that older parsing path.

  - CVE-2026-40311: upstream ImageMagick6 fix to avoid adding wildcard
    XMP namespace properties [2].
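
As an added illustration (not code from the debdiff, ImageMagick or upstream), a small C program that mirrors both changes described above: the sscanf()-then-clamp path for CVE-2026-40310 and the wildcard-name filter plus copy-on-store for CVE-2026-40311. The default of 1 for the sampling fields and the toy property store are assumptions standing in for the encoder parameter struct and ImageMagick's properties splay tree.

```c
#define _POSIX_C_SOURCE 200809L         /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CVE-2026-40310: parse "dx,dy" as bookworm's jp2.c does (sscanf into fields
 * assumed to hold a default of 1), then clamp both to >= 1 like the backport. */
struct sampling { int dx, dy; };
static struct sampling parse_sampling_factor(const char *spec)
{
    struct sampling s = { 1, 1 };
    if (spec != NULL)                   /* sscanf may assign 0, 1 or 2 fields */
        (void) sscanf(spec, "%d,%d", &s.dx, &s.dy);
    if (s.dx < 1) s.dx = 1;             /* MagickMax(dx, 1) */
    if (s.dy < 1) s.dy = 1;
    return s;
}

/* CVE-2026-40311: the upstream filter that drops "prefix:*" names. */
static int is_wildcard_namespace(const char *name)
{
    size_t n = strlen(name);
    return n > 2 && name[n - 2] == ':' && name[n - 1] == '*';
}

/* Toy stand-in for the properties splay tree: it owns copies of key and
 * value, so the caller may free its own key afterwards, as the patch does. */
static struct { char *key, *value; } props[8];
static size_t nprops;

static int add_xmp_property(const char *name, const char *content)
{
    if (is_wildcard_namespace(name) || nprops >= 8)
        return 0;                       /* skipped */
    props[nprops].key = strdup(name);
    props[nprops].value = strdup(content);
    nprops++;
    return 1;                           /* stored */
}
/* Mirrors the patched caller: hand the key over, free it, then look it up. */
static const char *roundtrip(const char *name, const char *content)
{
    char *key = strdup(name);
    (void) add_xmp_property(key, content);
    free(key);                          /* safe: the store holds its own copy */
    for (size_t i = 0; i < nprops; i++)
        if (strcmp(props[i].key, name) == 0)
            return props[i].value;
    return NULL;                        /* wildcard name (or full): not stored */
}
```

A name of exactly ":*" (length 2) passes the upstream check and is stored, which is the boundary the `<= 2` test in the patch leaves open.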

Validation performed:

  - quilt pop -a / quilt push -a completed cleanly
  - dpkg-buildpackage -S -us -uc -d completed successfully
  - sudo sbuild -d bookworm --arch=arm64 --chroot=bookworm-arm64-sbuild
    --chroot-mode=schroot completed successfully

sbuild reported lintian findings, but the package build itself completed
successfully and the visible lintian output appears to be pre-existing
ImageMagick package warnings rather than issues introduced by this
debdiff.

Regards,
James

[1] https://github.com/ImageMagick/ImageMagick6/commit/4c782c770894fc19029d4408a4de37cc491c7c25
[2] https://github.com/ImageMagick/ImageMagick6/commit/ccf3cffe819616b39374594a7b5389fc2d49260d
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2026-04-12 19:57:53.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2026-04-22 12:46:11.000000000 +0000
@@ -1,3 +1,14 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u9) bookworm-security; urgency=high
+
+  * Fix CVE-2026-40310:
+    A heap out-of-bounds write was found in the JP2 encoder when a user
+    specifies an invalid sampling index. (Closes: #1134627)
+  * Fix CVE-2026-40311:
+    A heap use-after-free vulnerability was found that can cause a crash when
+    reading and printing values from an invalid XMP profile. (Closes: #1134627)
+
+ -- James Montgomery <james_montgomery at disroot.org>  Wed, 22 Apr 2026 13:05:00 +0000
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u8) bookworm-security; urgency=high
 
   * Fix a regression for CVE-2026-25796
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40310.patch	2026-04-22 12:45:15.000000000 +0000
@@ -0,0 +1,24 @@
+Description: CVE-2026-40310: clamp JP2 sampling factors
+ A heap out-of-bounds write was found in the JP2 encoder when a user
+ specifies an invalid sampling index.
+ .
+ The upstream fix bounds parsed sampling factors with MagickMax(..., 1.0).
+ The bookworm code still parses sampling_factor with sscanf(), so clamp the
+ parsed values after that older parsing path.
+Origin: backport, https://github.com/ImageMagick/ImageMagick6/commit/4c782c770894fc19029d4408a4de37cc491c7c25
+Bug-Debian: https://bugs.debian.org/1134627
+Forwarded: not-needed
+
+--- imagemagick-bookworm-work2.orig/coders/jp2.c
++++ imagemagick-bookworm-work2/coders/jp2.c
+@@ -976,6 +976,10 @@ static MagickBooleanType WriteJP2Image(c
+   if (image_info->sampling_factor != (const char *) NULL)
+     (void) sscanf(image_info->sampling_factor,"%d,%d",
+       &parameters->subsampling_dx,&parameters->subsampling_dy);
++  parameters->subsampling_dx=(int) MagickMax(
++    parameters->subsampling_dx,1);
++  parameters->subsampling_dy=(int) MagickMax(
++    parameters->subsampling_dy,1);
+   property=GetImageProperty(image,"comment");
+   if (property != (const char *) NULL)
+     parameters->cp_comment=(char *) property;
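Review bot: the clamp only imposes a lower bound of 1 and leaves parameters->subsampling_dx and subsampling_dy untouched when sscanf() matches fewer than two fields (or none), so the fix relies on those fields already holding sane values before the sscanf() call; that initialisation is not visible in this hunk, so it is worth confirming in the bookworm WriteJP2Image() and stating in the Description. The bound itself matches the upstream MagickMax(..., 1.0) the header cites, and the (int) cast is consistent with the int fields being assigned.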
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch	1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/CVE-2026-40311.patch	2026-04-22 12:45:15.000000000 +0000
@@ -0,0 +1,50 @@
+Description: CVE-2026-40311: skip wildcard XMP namespace properties
+ A heap use-after-free vulnerability was found that can cause a crash when
+ reading and printing values from an invalid XMP profile.
+Origin: upstream, https://github.com/ImageMagick/ImageMagick6/commit/ccf3cffe819616b39374594a7b5389fc2d49260d
+Bug-Debian: https://bugs.debian.org/1134627
+
+--- imagemagick-bookworm-work2.orig/magick/property.c
++++ imagemagick-bookworm-work2/magick/property.c
+@@ -1819,6 +1819,9 @@ static MagickBooleanType GetXMPProperty(
+           char
+             *xmp_namespace;
+ 
++          size_t
++            xmp_namespace_length;
++
+           child=GetXMLTreeChild(node,(const char *) NULL);
+           content=GetXMLTreeContent(node);
+           if ((child == (XMLTreeInfo *) NULL) &&
+@@ -1826,8 +1829,13 @@ static MagickBooleanType GetXMPProperty(
+             {
+               xmp_namespace=ConstantString(GetXMLTreeTag(node));
+               (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
+-              (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+-                xmp_namespace,ConstantString(content));
++              xmp_namespace_length=strlen(xmp_namespace);
++              if ((xmp_namespace_length <= 2) ||
++                  (*(xmp_namespace+(xmp_namespace_length-2)) != ':') ||
++                  (*(xmp_namespace+(xmp_namespace_length-1)) != '*'))
++                (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
++                 ConstantString(xmp_namespace),ConstantString(content));
++              xmp_namespace=DestroyString(xmp_namespace);
+             }
+           while (child != (XMLTreeInfo *) NULL)
+           {
+@@ -1836,8 +1844,13 @@ static MagickBooleanType GetXMPProperty(
+               {
+                 xmp_namespace=ConstantString(GetXMLTreeTag(node));
+                 (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
+-                (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+-                  xmp_namespace,ConstantString(content));
++                xmp_namespace_length=strlen(xmp_namespace);
++                if ((xmp_namespace_length <= 2) ||
++                    (*(xmp_namespace+(xmp_namespace_length-2)) != ':') ||
++                    (*(xmp_namespace+(xmp_namespace_length-1)) != '*'))
++                  (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
++                    ConstantString(xmp_namespace),ConstantString(content));
++                xmp_namespace=DestroyString(xmp_namespace);
+               }
+             child=GetXMLTreeSibling(child);
+           }
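Review bot: the Description only mentions skipping wildcard names, but both hunks also change ownership: the splay tree now receives ConstantString(xmp_namespace) and the local xmp_namespace is released with DestroyString() immediately after, which is the part that stops the tree from holding a key the caller's lifetime controls; the DEP-3 Description should say so, since that is what makes this a use-after-free fix rather than a filter. Unlike CVE-2026-40310.patch, this header carries no Forwarded: field; that is acceptable with Origin: upstream, but adding Forwarded: not-needed keeps the two headers consistent.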
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/series imagemagick-6.9.11.60+dfsg/debian/patches/series
--- imagemagick-6.9.11.60+dfsg/debian/patches/series	2026-04-12 19:56:20.000000000 +0000
+++ imagemagick-6.9.11.60+dfsg/debian/patches/series	2026-04-22 12:44:37.000000000 +0000
@@ -157,3 +157,5 @@
 CVE-2026-32636.patch
 CVE-2026-33535.patch
 CVE-2026-33536.patch
+CVE-2026-40310.patch
+CVE-2026-40311.patch