[Pkg-gmagick-im-team] imagemagick_7.1.1.43+dfsg1-1+deb13u11_source.changes ACCEPTED into proposed-updates->stable-new

Debian FTP Masters ftpmaster at ftp-master.debian.org
Tue Jul 7 22:10:04 BST 2026


Thank you for your contribution to Debian.

Mapping stable-security to proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Jul 2026 22:08:14 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u11
Distribution: trixie-security
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Changes:
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u11) trixie-security; urgency=medium
 .
   * Fix CVE-2026-53466:
     An integer overflow in the XCF decoder can result in an out of bounds
     read when a crafted image is read, potentially resulting in a crash.
   * Fix CVE-2026-53467:
     The MNG decoder contains a possible heap information disclosure
     vulnerability because part of the pixels are left unchanged.
   * Backport MagickCore/draw.c from 7.1.2-26
   * Fix CVE-2026-55577:
     A heap buffer overflow occurs in the MVG decoder that could result
     in an out of bounds write when processing a crafted image.
   * Fix CVE-2026-55594:
     A missing depth check in the MVG decoder will result in a stack overflow
     when a crafted image is provided.
   * Fix CVE-2026-55597:
     An incorrect handling of arguments can cause a heap buffer over-write
     in the JP2 encoder
   * Fix CVE-2026-55628:
     The `-concatenate` operation is missing policy checks, potentially resulting
     in both reading and writing to paths disallowed by the security policy.
   * Fix CVE-2026-56361:
     Attackers can trigger heap buffer overflow by providing incorrect
     morphology parameters causing single pixel memory access violations.
   * Fix CVE-2026-56363:
     An attacker can supply a large binomial kernel value causing integer overflow,
     resulting in division by zero and application crash.
   * Fix CVE-2026-56364:
     A memory leak vulnerability in LoadOpenCLDeviceBenchmark() function
     when parsing malformed OpenCL device profile XML files with unclosed device
     elements. Attackers with write access to the OpenCL cache directory can place
     malicious XML files to exhaust memory and cause denial of service.
   * Fix CVE-2026-56365:
     A memory leak vulnerability in the PNG encoder when writing MNG images.
   * Fix CVE-2026-56367:
     An integer overflow in the PSB (PSD v2) RLE decoding path
     (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read
     on 32-bit builds.
   * Fix CVE-2026-56368:
     A memory leak vulnerability in multiple coders that write raw pixel data
     where allocated objects are not properly freed. Attackers can trigger
     this leak by processing specially crafted images, causing memory exhaustion
     and denial of service.
   * Fix CVE-2026-56370:
     ImageMagick contains an out-of-bounds access vulnerability in
     ConnectedComponentsImage() when processing connected-components artifacts
     with invalid indices. Attackers can trigger access violations by
     specifying malformed connected-components definitions via CLI,
     causing denial of service or potential code execution.
   * Fix CVE-2026-56371;
     A memory leak in coders/txt.c when processing TXT files with texture
     attributes: the texture object allocated via ReadImage is not released
     when GetTypeMetrics fails, leaking memory each time a crafted TXT file
     with a texture attribute is processed.
   * Fix CVE-2026-56376:
     A heap use-after-free in the meta coder: when memory allocation fails,
     a single byte is written to a stale pointer. Remote attackers can trigger
     it by processing specially crafted image files, causing a denial of service.
   * Fix CVE-2026-56377:
     ImageMagick contains an incorrect policy check that allows attackers
     to create or truncate files disallowed by security policies.
   * Fix CVE-2026-56378:
     ImageMagick contains a heap out-of-bounds read in the PCD coder's DecodeImage
     loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read
     during image decoding, resulting in denial of service and potential
     disclosure of an adjacent heap byte.
Checksums-Sha1:
 f390b6441b8b4baa73202d5f80660da3b9fd7419 5165 imagemagick_7.1.1.43+dfsg1-1+deb13u11.dsc
 103af0af388a733c043845b228cf3031c16d859b 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 6f417a41f7f20ec7063620a9d172245fd3867e7d 360084 imagemagick_7.1.1.43+dfsg1-1+deb13u11.debian.tar.xz
 198e89146e9658d7ab4da06c19275a14bd57965b 8551 imagemagick_7.1.1.43+dfsg1-1+deb13u11_source.buildinfo
Checksums-Sha256:
 66108f89a7dd1b650bfc4358841a31be0038559aadaad8f3fb3faa8c238899fe 5165 imagemagick_7.1.1.43+dfsg1-1+deb13u11.dsc
 bcb4f3c78a930a608fa4889f889edbcb384974246ad9407fce1858f2c0607bfe 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 f29aebfd4c6d734e708df683d0bdabf2ccab181f52ac932cf7ec5d94dcf1473b 360084 imagemagick_7.1.1.43+dfsg1-1+deb13u11.debian.tar.xz
 c5cf896a1868631d4847b7573106b2b3d3f696671a4e215aa1e1762b47ffea10 8551 imagemagick_7.1.1.43+dfsg1-1+deb13u11_source.buildinfo
Files:
 a4930c68b50c701e02b7b33cc6658ae4 5165 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u11.dsc
 01cfb13a7c1813afb50790e431358c6c 10501740 graphics optional imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 2637ef7d7f0caf88d148dd861793c1e1 360084 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u11.debian.tar.xz
 f18d58dccbd691c5fdc8482751d411b0 8551 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmpLyGUACgkQADoaLapB
CF/fIRAAqzbRoO3PMhhhjD/LknwAQS1JewnoSv964Sl2Wh1wvJTNftsKyxMccw7d
5ZSAqRg8bqEokT+17j55wjToEd75i9Fst4pNyqclsGIA8VaPINBG+Vm7K5XgGB05
vxeR/ayKz+c6LzMNeRqryRyM6gEVDJWKBcmYZ9GeGK16wM85D+6dAgNiPO8IcDDC
ZL40qW6cWmqooQoPXtyzQRbdkggUSWJf1rT8GKcdbx6sf7ATyyoQ+i0q4TBzKqL0
rgLqSHQvRG7zN12xh+aSojHfsJ68V2QnUl4HO/77vtmP+i+zM+u4PYk0RK5k4z7x
mVkmL2U/B/WFTV955rKK7wPr1bF3akT1gRDAh14MReScYbsW/awqPfp+i6XNzY2w
7s3tYyD2G9BOFajatG5bCHA3qEDh/XI837Ruy7x9CeVEn9T7bpSEaUAdlcjxj9nP
O0QK7wE9LlNrOX/0KxWhgYRt+C9yG+UT0RNSlzQVtq1/1yOFV3jhNG/NXBgR7aTo
ZRclnn11OLC+vHlK0QrrlBFmYL8/WITaO+BOJNoznl5PONjpuMU7xzTJZR5E7Zep
JbmyRGA3CuFGUsZz+lqw+MKIhhIJUk0tpQXrPNG+igVnm0pDI45O7MQDD95ezFp6
FR9sVKkuSYKvbcWwRpwM43lbK147bN43l6iIVNDc7cXUTTQtr6c=
=3W3S
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20260707/10179d17/attachment.sig>


More information about the Pkg-gmagick-im-team mailing list