-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 04 Mar 2026 23:01:36 +0100 Source: imagemagick Binary: imagemagick-7-common imagemagick-7-doc libimage-magick-perl libmagick++-7-headers libmagick++-dev libmagickcore-7-headers libmagickcore-dev libmagickwand-7-headers libmagickwand-dev perlmagick Architecture: all Version: 8:7.1.1.43+dfsg1-1+deb13u6 Distribution: trixie-security Urgency: high Maintainer: all Build Daemon (x86-grnet-02) Changed-By: Bastien Roucariès Description: imagemagick-7-common - image manipulation programs -- infrastructure imagemagick-7-doc - document files of ImageMagick libimage-magick-perl - Perl interface to the ImageMagick graphics routines libmagick++-7-headers - object-oriented C++ interface to ImageMagick - header files libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package libmagickcore-7-headers - low-level image manipulation library - header files libmagickcore-dev - low-level image manipulation library -- dummy package libmagickwand-7-headers - image manipulation library - headers files libmagickwand-dev - image manipulation library -- dummy package perlmagick - Perl interface to ImageMagick -- dummy package Changes: imagemagick (8:7.1.1.43+dfsg1-1+deb13u6) trixie-security; urgency=high . * Fix CVE-2026-24481: A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. * Fix CVE-2026-24484: Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS. * Fix CVE-2026-24485: When a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and Denial of Service (DoS) * Fix CVE-2026-25576: A heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer. * Fix CVE-2026-25637: A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. * Fix CVE-2026-25638: A memory leak exists in `coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file, resources are allocated. But the function returns early without releasing these allocated resources. * Fix CVE-2026-25794: `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. * Fix CVE-2026-25795: `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash. * Fix CVE-2026-25796: In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service. * Fix CVE-2026-25797: The ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. * Fix CVE-2026-25798: A NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. * Fix CVE-2026-25799: A logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. * Fix CVE-2026-25897: An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. * Fix CVE-2026-25898: The UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. * Fix CVE-2026-25965: ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. * Fix CVE-2026-25966: The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." * Fix CVE-2026-25967: A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. * Fix CVE-2026-25968: A stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. * Fix CVE-2026-25969: A memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. * Fix CVE-2026-25970: A signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. * Fix CVE-2026-25971: Magick fails to check for circular references between two MSLs, leading to a stack overflow. * Fix CVE-2026-25982: A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service or Information Disclosure. * Fix CVE-2026-25983: A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. * Fix CVE-2026-25985: A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. * Fix CVE-2026-25986: A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. * Fix CVE-2026-25987: A heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. * Fix CVE-2026-25988: Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. * Fix CVE-2026-25989: A crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast. * Fix CVE-2026-26066: A crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. * Fix CVE-2026-26283: A `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. * Fix CVE-2026-26284: ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. * Fix CVE-2026-26983: The MSL interpreter crashes when processing a invalid `` element that causes it to use an image after it has been freed. * Fix CVE-2026-27798: A heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator. * Fix CVE-2026-27799: A heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads. Checksums-Sha1: 3f72df8f5c373c225d405e308a9a07084221cf37 73000 imagemagick-7-common_7.1.1.43+dfsg1-1+deb13u6_all.deb 2d33ec9042c87f4f1eba50e9990859f58713e59b 9214768 imagemagick-7-doc_7.1.1.43+dfsg1-1+deb13u6_all.deb ddc3b6690460b1f1c76b515811b06c7057a0b2c7 18596 imagemagick_7.1.1.43+dfsg1-1+deb13u6_all-buildd.buildinfo 7269ab234151e64b4a0cc1753076703cafb46fd1 38912 libimage-magick-perl_7.1.1.43+dfsg1-1+deb13u6_all.deb 88e29ac616b8006bdfa23ab7989974990f11d68b 47672 libmagick++-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 08a12c316c81b8cf9f53abc05235120700664316 1184 libmagick++-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 2dfbe63a8cac5af53da4c08621362ea3aec4f06a 50432 libmagickcore-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 328fb6086f32959e4096242401d8430c965c4585 1160 libmagickcore-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 0b4393a86cf38de2bca60afcd27745c23dea1b07 9860 libmagickwand-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 42de801f91bbd757018ee9d1fa2ac18520d5b0ab 1144 libmagickwand-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 3e9e426bcd8cd96ed67dc9d12e5d40a52be61a3c 1184 perlmagick_7.1.1.43+dfsg1-1+deb13u6_all.deb Checksums-Sha256: c4f0feab32632f2eadb6951385749530fd6feb2e77da20a40def3d8665d5d277 73000 imagemagick-7-common_7.1.1.43+dfsg1-1+deb13u6_all.deb 725032953f104ebf9120edbb267b52a31e4e16bdc3e56099716789e458a8d4ed 9214768 imagemagick-7-doc_7.1.1.43+dfsg1-1+deb13u6_all.deb 313a19faab849a9c90e74aa4aac829fd8fa47395ea7201d7b24f00826d887ba2 18596 imagemagick_7.1.1.43+dfsg1-1+deb13u6_all-buildd.buildinfo 4bb7110097a42e4c4e4b5979b85bd5092a729dbf674ad8454c406fc37806caee 38912 libimage-magick-perl_7.1.1.43+dfsg1-1+deb13u6_all.deb 3232aff235715b29e3bc9085a3cd7110169b0e2a84f06fbe32a75f205676b571 47672 libmagick++-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 13c2e0676b2cd8aae44a325fd997a67dc2e102895bcd5f8f9d6a510d24fc3081 1184 libmagick++-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 92a5946e4a1c49864201a7b5fae85eb0e10cdc3cd4cea1e882f5ee8b79958911 50432 libmagickcore-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb aed47b08e1f1cf87644f31f8b7a29905f3b39c6e16d6b54827fbd9ba4aec7edb 1160 libmagickcore-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 279192e687c8c0d3a5dd811dc8f5a1c3e480fbd37dedfc99e82745c07be43a42 9860 libmagickwand-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 51d0d970f1dc26689d0384e092446e3a8833c4ccc8f284638f2d7e1e4f1d055a 1144 libmagickwand-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb aaa193167e813a05607e3341258e2168964cc3e85efecbd40c03dfb47947eda7 1184 perlmagick_7.1.1.43+dfsg1-1+deb13u6_all.deb Files: 82ef6d558f3e7fa2c6563405f1090c25 73000 graphics optional imagemagick-7-common_7.1.1.43+dfsg1-1+deb13u6_all.deb 1d1817c04c6d584d48d42a9c60bc7724 9214768 doc optional imagemagick-7-doc_7.1.1.43+dfsg1-1+deb13u6_all.deb 531751116683f792f3a77942ef3f38db 18596 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u6_all-buildd.buildinfo 3cb6f7a0e4f4baac4ff6921c3ae45467 38912 perl optional libimage-magick-perl_7.1.1.43+dfsg1-1+deb13u6_all.deb 41b05b8f009283cbed51a1fb4a979035 47672 libdevel optional libmagick++-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 0291eb90eecf71622ff2a4ecaa9178c0 1184 oldlibs optional libmagick++-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb b2d5e08af997b18dea67ba6ad895bea0 50432 libdevel optional libmagickcore-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb 486d60bc20ef4e39848d2a85318f2421 1160 oldlibs optional libmagickcore-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 38fe83e7c6b2021c1995b5cef5441924 9860 libdevel optional libmagickwand-7-headers_7.1.1.43+dfsg1-1+deb13u6_all.deb e7299fa4a75499be30847947adea1c41 1144 oldlibs optional libmagickwand-dev_7.1.1.43+dfsg1-1+deb13u6_all.deb 12c8d707fa81cfedac9ce2737f113efd 1184 oldlibs optional perlmagick_7.1.1.43+dfsg1-1+deb13u6_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE81O8NL+3kjBAqEvLmgPNRvTf/zcFAmmt9mQACgkQmgPNRvTf /zf2AA/8C+v4/hDgn7VcJ8FHm/XA8uaN1nkhicMKr5To5YSUZDMBB1gDSO+Yky3K gcQdgfgOhD77Sn0TGRu/yDAtux5MvAcxAW3eTV7IqAFobl3V5I0dX7Gpu4fMXM2A Vne7V70vWl/HWu8lzoR+LEmfRG2UitX8tKwBnFIayMFFA28t7oNJ3xP3Y4kHGNFk mvQXlUxcbZfYH6CdDBgNadPFoBh3FUBaTcxxKCPE/xTTFWEhnEDKDhPlgBW99hBU yAbej0XBXy0BQCKwJXkJb5M91PGLDeqE+cvKkBrTOdWChyo5c8PsE5GBviR9jcMh Irdw0DHWtAMYUYf/lorKI8ay+Bu7iTBquTbjyo0iNsbTscNUNC8uRYgV1Dp7ADaI q6cJB7AJJH1HHyrqJIWMHy8+rE0LwKIE/lLbFgmm4Wv77rbV+HN/mj8JpVbbLlnr y28mnNQH9XBM9P3AeVf7V4owbQ4e3YaAte07TRpccB0WmnJSwz+4DUzWJjkPuuvs fx1zssqbnXcOgxzCYaXg6mIa09N8UuVGqUvrIMMi1V9xbA0gEpAVt8k2kS5eaZIb lgmasAJ6qjKvi34+7rYCiFYvmzrrS5FeIMc33ycam+iBkQc5ifRnOoDLiwD4IlrE 799czld1NDOYx3ve432UFXmy+yMrqmHQ387CS3EC8y9irDAxu3Y= =N6fY -----END PGP SIGNATURE-----