[Pkg-gmagick-im-team] imagemagick_7.1.1.43+dfsg1-1+deb13u6_source.changes ACCEPTED into proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Mar 14 12:47:26 GMT 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Mar 2026 23:01:36 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u6
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Changes:
imagemagick (8:7.1.1.43+dfsg1-1+deb13u6) trixie-security; urgency=high
.
* Fix CVE-2026-24481:
A heap information disclosure vulnerability exists
in ImageMagick's PSD (Adobe Photoshop) format handler.
When processing a maliciously crafted PSD file containing
ZIP-compressed layer data that decompresses to less than
the expected size, uninitialized heap memory is leaked
into the output image.
* Fix CVE-2026-24484:
Magick fails to check for multi-layer nested mvg
conversions to svg, leading to DoS.
* Fix CVE-2026-24485:
When a PCD file does not contain a valid Sync marker, the
DecodeImage() function becomes trapped in an infinite loop while
searching for the Sync marker, causing the program to become
unresponsive and continuously consume CPU resources, ultimately
leading to system resource exhaustion and Denial of Service
(DoS)
* Fix CVE-2026-25576:
A heap buffer over-read vulnerability exists in multiple
raw image format handles. The vulnerability occurs when
processing images with -extract dimensions larger than
-size dimensions, causing out-of-bounds memory reads
from a heap-allocated buffer.
* Fix CVE-2026-25637:
A memory leak in the ASHLAR image writer allows an attacker to exhaust
process memory by providing a crafted image that results in small
objects that are allocated but never freed.
* Fix CVE-2026-25638:
A memory leak exists in `coders/msl.c`. In the `WriteMSLImage`
function of the `msl.c` file, resources are allocated. But the
function returns early without releasing these allocated resources.
* Fix CVE-2026-25794:
`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
the pixel buffer size. Prior to version 7.1.2-15, when image
dimensions are large, the multiplication overflows 32-bit `int`,
causing an undersized heap allocation followed by an out-of-bounds
write.
* Fix CVE-2026-25795:
`ReadSFWImage()` (`coders/sfw.c`), when temporary file
creation fails, `read_info` is destroyed before its `filename`
member is accessed, causing a NULL pointer dereference and crash.
* Fix CVE-2026-25796:
In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image
object is not freed on three early-return paths, resulting in a
definite memory leak (~13.5KB+ per invocation) that can be exploited
for denial of service.
* Fix CVE-2026-25797:
The ps coders, responsible for writing PostScript files, fails to
sanitize the input before writing it into the PostScript header. An
attacker can provide a malicious file and inject arbitrary PostScript
code. When the resulting file is processed by a printer or a viewer
(like Ghostscript), the injected code is interpreted and executed. The
html encoder does not properly escape strings that are written to in
the html document. An attacker can provide a malicious file and
injection arbitrary html code.
* Fix CVE-2026-25798:
A NULL pointer dereference in ClonePixelCacheRepository allows a
remote attacker to crash any application linked against ImageMagick by
supplying a crafted image file, resulting in denial of service.
* Fix CVE-2026-25799:
A logic error in YUV sampling factor validation allows an invalid
sampling factor to bypass checks and trigger a division-by-zero during
image loading, resulting in a reliable denial-of-service.
* Fix CVE-2026-25897:
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit
systems/builds, a carefully crafted image can lead to an out of bounds
heap write.
* Fix CVE-2026-25898:
The UIL and XPM image encoder do not validate the
pixel index value returned by `GetPixelIndex()` before using it as an
array subscript. In HDRI builds, `Quantum` is a floating-point type,
so pixel index values can be negative. An attacker can craft an image
with negative pixel index values to trigger a global buffer overflow
read during conversion, leading to information disclosure or a process
crash.
* Fix CVE-2026-25965:
ImageMagick’s path security policy is enforced on the raw filename
string before the filesystem resolves it. As a result, a policy rule
such as /etc/* can be bypassed by a path traversal. The OS resolves
the traversal and opens the sensitive file, but the policy matcher
only sees the unnormalized path and therefore allows the read. This
enables local file disclosure (LFI) even when policy-secure.xml is
applied.
* Fix CVE-2026-25966:
The shipped "secure" security policy includes a rule intended to
prevent reading/writing from standard streams. However, ImageMagick
also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1).
This path form is not blocked by the
secure policy templates, and therefore bypasses the protection goal of
"no stdin/stdout."
* Fix CVE-2026-25967:
A stack-based buffer overflow exists in the ImageMagick FTXT image
reader. A crafted FTXT file can cause out-of-bounds writes on the
stack, leading to a crash.
* Fix CVE-2026-25968:
A stack buffer overflow occurs when processing the an attribute in
msl.c. A long value overflows a fixed-size stack buffer, leading to
memory corruption.
* Fix CVE-2026-25969:
A memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage`
allocates a structure. However, when an exception is thrown, the
allocated memory is not properly released, resulting in a potential
memory leak.
* Fix CVE-2026-25970:
A signed integer overflow vulnerability in ImageMagick's SIXEL decoder
allows an attacker to trigger memory corruption and denial of service
when processing a maliciously crafted SIXEL image file. The
vulnerability occurs during buffer reallocation operations where
pointer arithmetic using signed 32-bit integers overflows.
* Fix CVE-2026-25971:
Magick fails to check for circular references between two MSLs,
leading to a stack overflow.
* Fix CVE-2026-25982:
A heap out-of-bounds read vulnerability exists in the `coders/dcm.c`
module. When processing DICOM files with a specific configuration, the
decoder loop incorrectly reads bytes per iteration. This causes the
function to read past the end of the allocated buffer, potentially
leading to a Denial of Service or Information Disclosure.
* Fix CVE-2026-25983:
A crafted MSL script triggers a heap-use-after-free. The operation
element handler replaces and frees the image while the parser
continues reading from it, leading to a UAF in ReadBlobString during
further parsing.
* Fix CVE-2026-25985:
A crafted SVG file containing an malicious element causes ImageMagick
to attempt to allocate ~674 GB of memory, leading to an out-of-memory
abort.
* Fix CVE-2026-25986:
A heap buffer overflow write vulnerability exists in ReadYUVImage()
(coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace)
images. The pixel-pair loop writes one pixel beyond the allocated row
buffer.
* Fix CVE-2026-25987:
A heap buffer over-read vulnerability exists in the MAP image decoder
when processing crafted MAP files, potentially leading to crashes or
unintended memory disclosure during image decoding.
* Fix CVE-2026-25988:
Sometimes msl.c fails to update the stack index, so an image is stored
in the wrong slot and never freed on error, causing leaks.
* Fix CVE-2026-25989:
A crafted SVG file can cause a denial of service. An off-by-one
boundary check (`>` instead of `>=`) that allows bypass the guard and
reach an undefined `(size_t)` cast.
* Fix CVE-2026-26066:
A crafted profile contain invalid IPTC data may cause an infinite loop
when writing it with `IPTCTEXT`.
* Fix CVE-2026-26283:
A `continue` statement in the JPEG extent binary search loop in the
jpeg encoder causes an infinite loop when writing persistently fails.
* Fix CVE-2026-26284:
ImageMagick lacks proper boundary checking when processing
Huffman-coded data from PCD (Photo CD) files. The decoder contains an
function that has an incorrect initialization that could cause an out
of bounds read.
* Fix CVE-2026-26983:
The MSL interpreter crashes when processing a invalid `<map>` element
that causes it to use an image after it has been freed.
* Fix CVE-2026-27798:
A heap buffer over-read vulnerability occurs when processing an image
with small dimension using the `-wavelet-denoise` operator.
* Fix CVE-2026-27799:
A heap buffer over-read vulnerability exists in the DJVU image format
handler. The vulnerability occurs due to integer truncation when
calculating the stride (row size) for pixel buffer allocation. The
stride calculation overflows a 32-bit signed integer, resulting in an
out-of-bounds memory reads.
Checksums-Sha1:
8baaada42539d54ee04bafbfffe64b1a82349213 5136 imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc
103af0af388a733c043845b228cf3031c16d859b 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
1dea52e6c1bb0771d4dbf6c610b64c59ca7184df 312452 imagemagick_7.1.1.43+dfsg1-1+deb13u6.debian.tar.xz
a8e980fc2b13099a9cfd6d1ca018a81e5b202dba 8535 imagemagick_7.1.1.43+dfsg1-1+deb13u6_source.buildinfo
Checksums-Sha256:
cc06f6420e80907b074f134e807026b393a65b81a1f0c849fb9192180d91f1fe 5136 imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc
bcb4f3c78a930a608fa4889f889edbcb384974246ad9407fce1858f2c0607bfe 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
11bce9b28859dc5a0d9da4ff1ee2d2d576504322716ee296447a04e6d99144e6 312452 imagemagick_7.1.1.43+dfsg1-1+deb13u6.debian.tar.xz
9890a7daf4be91685324cba611b1f4b94fa261f22d302fef1825eb3b5b64af06 8535 imagemagick_7.1.1.43+dfsg1-1+deb13u6_source.buildinfo
Files:
8d009e651be9b6f98026f391036079b3 5136 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u6.dsc
01cfb13a7c1813afb50790e431358c6c 10501740 graphics optional imagemagick_7.1.1.43+dfsg1.orig.tar.xz
fbb0679eafd96c7c8d3ae7ec00fa8b9d 312452 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u6.debian.tar.xz
629c509c9aa12e1a46038fc318aea9ab 8535 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmmt79IACgkQADoaLapB
CF96thAAhIQ1yXWB2dLykSczTipl+7J4dUAA2VnNIPGVWGv2P9iGhpOwsIwjvQbL
w5dev6vfb9AyKMLWb2vnlibLuFNWBDoR73naeqQ2h6sD26OVD0Gr2kw/NQ/PlUqR
CBULVM1FBehTTSM3MRL+I70UZr0Glzv0+C9ix8gOlbXgG620/6y5F3/zliSQZMvP
WO8ukAG/36nA564U/rnwC14ahUSq24EA3EMqMnrpNSZFheCFPhWNjpIB1O1YqLvM
roQcm5PwV45tJiyXne8wTiz6ZS84KFnQKc1KM8iULNBLtbmu87JinFsVqibq3SWA
w9XC5u5H0NhVqqjl2P6k2wLYxObGdEdomNN9WmTg/CqPjZrquNLEfwvJ7nS38+k2
c8xJ3v9kf4+NS0BvzEWZCpS9bq2Xc7t64nEyRSmqoKDtBUUCJz2nC6DAK9HrdCEw
rKLS4dVMUyl9yfPTgxTHrKobwqdcaJ/6Rb727+6cP88gmE1THtdxS9wKkeOZN8Y9
BDio6gLmT3wqKFiet6Re6B0tDeKJz8FQqoTzCXCmKA+hPTfeS12qVZo4DARzB8pc
UGQ41LgUIJ8QAo2r7zAbDOkrbqJ3btRgVR7nbdStLdgbaz+se8WjYNBZKKBgyjzE
YSTEjBWhOVFvVctC5hMrzKIv4MON193JlBmBNvT2vvtGIHs/vb0=
=9Gsh
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20260314/04ef7c8f/attachment.sig>
More information about the Pkg-gmagick-im-team
mailing list