[Pkg-gmagick-im-team] imagemagick_7.1.1.43+dfsg1-1+deb13u7_source.changes ACCEPTED into proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sun Mar 22 22:03:05 GMT 2026


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Mar 2026 00:43:38 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u7
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Changes:
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u7) trixie-security; urgency=high
 .
   * Fix CVE-2026-28493:
     An integer overflow vulnerability exists in the SIXEL decoder.
   * Fix CVE-2026-28494:
     A stack buffer overflow exists in ImageMagick's morphology
     kernel parsing functions. User-controlled kernel strings
     exceeding a buffer are copied into fixed-size stack buffers
     via memcpy without bounds checking, resulting in stack
     corruption.
   * Fix CVE-2026-28686:
     A heap-buffer-overflow vulnerability exists in the PCL
     encoder due to an undersized output buffer allocation
   * Fix CVE-2026-28687:
     A heap use-after-free vulnerability in ImageMagick's
     MSL decoder allows an attacker to trigger access to
     freed memory by crafting an MSL file.
   * Fix CVE-2026-28688:
     A heap-use-after-free vulnerability exists in the MSL encoder,
     where a cloned image is destroyed twice. The MSL coder does not support
     writing MSL so the write capability has been removed.
   * Fix CVE-2026-28689:
     domain="path" authorization is checked before final
     file open/use. A symlink swap between check-time and use
     time bypasses policy-denied read/write
   * Fix CVE-2026-28690:
     A stack buffer overflow vulnerability exists in the
     MNG encoder. There is a bounds check missing that could
     corrupt the stack with attacker-controlled data.
   * Fix CVE-2026-28691:
     An uninitialized pointer dereference vulnerability exists
     in the JBIG decoder due to a missing check
   * Fix CVE-2026-28692:
     The MAT decoder uses 32-bit arithmetic due to incorrect
     parenthesization resulting in a heap over-read.
   * Fix CVE-2026-28693:
     An integer overflow in DIB coder can result in out of
     bounds read or write
   * Fix CVE-2026-30883:
     An extremely large image profile could result in a heap
     overflow when encoding a PNG image.
   * Fix CVE-2026-30929:
     MagnifyImage uses a fixed-size stack buffer.
     When using a specific image it is possible to overflow
     this buffer and corrupt the stack.
   * Fix CVE-2026-30931:
     A heap-based buffer overflow in the UHDR encoder
     can happen due to truncation of a value and it would
     allow an out of bounds write.
   * Fix CVE-2026-30935:
     BilateralBlurImage contains a heap buffer over-read caused
     by an incorrect conversion. When processing a crafted image
     with the -bilateral-blur operation an out of bounds read
     can occur.
   * Fix CVE-2026-30936:
     A crafted image could cause an out of bounds heap write inside the
     WaveletDenoiseImage method. When processing a crafted image with
     the -wavelet-denoise operation an out of bounds write can occur.
   * Fix CVE-2026-30937:
     A 32-bit unsigned integer overflow in the XWD (X Windows)
     encoder can cause an undersized heap buffer allocation.
     When writing an extremely large image an out of bounds heap
     write can occur.
   * Fix CVE-2026-31853:
     An overflow on 32-bit systems can cause a crash in the
     SFW decoder when processing extremely large images.
   * Fix CVE-2026-32259:
     When a memory allocation fails in the sixel encoder it would
     be possible to write past the end of a buffer on the stack
   * Port SVG and MSL coder to 7.1.2-16

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
