Format: 1.8
Date: Sat, 25 Apr 2026 16:03:16 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc imagemagick-common imagemagick-doc libimage-magick-perl libmagick++-6-headers libmagick++-dev libmagickcore-6-headers libmagickcore-dev libmagickwand-6-headers libmagickwand-dev perlmagick
Architecture: all
Version: 8:6.9.11.60+dfsg-1.6+deb12u9
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Bastien Roucariès
Description:
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 1134627
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u9) bookworm-security; urgency=medium
 .
   * Fix CVE-2026-25971: Magick fails to check for circular references
     between two MSLs, leading to a stack overflow.
   * Fix CVE-2026-33899: When `Magick` parses an XML file it is possible
     that a single zero byte is written out of the bounds.
   * Fix CVE-2026-33900: The viff encoder contains an integer
     truncation/wraparound issue on 32-bit builds that could trigger an
     out of bounds heap write, potentially causing a crash.
   * Fix CVE-2026-33901: A heap buffer overflow occurs in the MVG decoder
     that could result in an out of bounds write when processing a
     crafted image.
   * Fix CVE-2026-33905: The -sample operation has an out of bounds read
     when a specific offset is set through the `sample:offset` define
     that could lead to an out of bounds read.
   * Fix CVE-2026-33908: When Magick processes an XML file with deeply
     nested structures, it will exhaust the stack memory, resulting in a
     Denial of Service (DoS) attack.
   * Fix CVE-2026-34238: An integer overflow in the despeckle operation
     causes a heap buffer overflow on 32-bit builds that will result in
     an out of bounds write.
   * Fix CVE-2026-40310: A heap out-of-bounds write in the JP2 encoder
     when a user specifies an invalid sampling index.
   * Fix CVE-2026-40311 (Closes: #1134627): A heap use-after-free
     vulnerability that can cause a crash when reading and printing
     values from an invalid XMP profile.