[Pkg-gmagick-im-team] imagemagick_7.1.1.43+dfsg1-1+deb13u9_source.changes ACCEPTED into proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Wed May 27 08:47:05 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 May 2026 18:01:44 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u9
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Changes:
imagemagick (8:7.1.1.43+dfsg1-1+deb13u9) trixie-security; urgency=high
.
* Fix CVE-2026-33901 regression:
Previous fix breaks rendering of some MVG files.
* Fix CVE-2026-42050:
A malicious MIFF file could trigger an overflow when a user opens it
in the display tool and right-clicks a tile to invoke the
Load/Update menu item.
* Fix CVE-2026-42326:
Heap Buffer Over-Read in IPTC encoder
* Fix CVE-2026-45031:
Policy Bypass in PSD decoder. Due to a missing check in the
PSD decoder it would be possible to bypass the list-length
resource policy when decoding a PSD image. Other security
limits would still apply.
* Fix CVE-2026-45358:
Heap Buffer Over-Read of a single byte in meta encoder.
An off-by-one in the meta encoder could result in an out
of bounds read of a single byte in the meta encoder.
* Fix CVE-2026-45359:
Heap Buffer Over-Read in connected components when the user
supplies an invalid keep-top define.
An invalid connected-components:keep-top value could result
in a heap buffer over-read when performing the connected components
operation.
* Fix CVE-2026-45624:
Heap Buffer Over-Read of 24 bytes in distort operation.
When performing a polynomial distortion an out of bounds over-read of
24 bytes can occur when specifying specific arguments.
* Fix CVE-2026-45664:
Policy Bypass in MNG decoder
Because of a missing check in the MNG coder it would be possible
to read more images than the list limit policy would allow
resulting in excessive resource use.
* Fix CVE-2026-46520:
Heap Buffer Over-Write in IPL decoder when reading multiple
images of different dimensions
When reading multiple images with different dimensions an out of
bounds heap write can occur.
* Fix CVE-2026-46521:
Heap Buffer Over-Write in MIFF encoder when using LZMA compression.
When using LZMA compression in the MIFF encoder an out of bounds
write can occur due to a missing check
* Fix CVE-2026-46522:
Infinite Loop in the MIFF decoder can lead to CPU exhaustion.
Due to a missing check in the MIFF decoder a crafted file could
cause an infinite loop resulting in CPU exhaustion.
* Fix CVE-2026-46523:
Use-After-Free in MSL decoder.
A crafted MSL image can trigger a heap-use-after-free.
* Fix CVE-2026-46557:
Stack overflow in fx operation.
Due to a missing depth check a stack overflow can occur in the
fx operation by passing a crafted argument.
* Fix CVE-2026-46559:
Heap Buffer Over-Write of a single byte in the JP2 encoder.
An incorrect check in the JP2 will result in a heap buffer over
write of a single byte when specifying certain options.
* Fix CVE-2026-46692:
Heap Buffer Over-Write in distributed pixel cache server
An attacker who can connect to a magick -distribute-cache
service can cause a heap buffer over-write in the server process.
* Fix CVE-2026-46693:
Race Condition in distributed pixel cache server can result
in file descriptor hijacking
An attacker who can connect to a magick -distribute-cache service can
hijack a file descriptor in the server process when a race condition is met.
* Fix CVE-2026-47165:
Information Disclosure in distributed pixel cache server because it is
not using a challenge–response authentication model.
The distributed pixel cache was originally designed to operate without a
challenge–response authentication model. However, given today’s heightened
security expectations, we have changed our implementation.
* Fix CVE-2026-47166:
Heap Buffer Over-Read in distributed pixel cache server.
An attacker who can connect to a magick -distribute-cache service
can cause a heap buffer over-read in the server process.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----