-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 25 Apr 2026 16:03:16 +0200 Source: imagemagick Architecture: source Version: 8:6.9.11.60+dfsg-1.6+deb12u9 Distribution: bookworm-security Urgency: medium Maintainer: ImageMagick Packaging Team Changed-By: Bastien Roucariès Closes: 1134627 Changes: imagemagick (8:6.9.11.60+dfsg-1.6+deb12u9) bookworm-security; urgency=medium . * Fix CVE-2026-25971: Magick fails to check for circular references between two MSLs, leading to a stack overflow. * Fix CVE-2026-33899: When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. * Fix CVE-2026-33900: The viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. * Fix CVE-2026-33901: A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image * Fix CVE-2026-33905 The -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. * Fix CVE-2026-33908: When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. * Fix CVE-2026-34238: An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. * Fix CVE-2026-40310: A heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. * Fix CVE-2026-40311 (Closes: #1134627): A heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. Checksums-Sha1: 0343e1b2cae03317fe2213b30cec276174b51162 5105 imagemagick_6.9.11.60+dfsg-1.6+deb12u9.dsc 824a63dce5e54bd8b78077d671d8ab06300a8848 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz 64cb33cdf430bfee5b9b99e6dce29ad8e05aa220 324340 imagemagick_6.9.11.60+dfsg-1.6+deb12u9.debian.tar.xz edfcdc7f41526ab05e9d87218daab416624d6eae 8485 imagemagick_6.9.11.60+dfsg-1.6+deb12u9_source.buildinfo Checksums-Sha256: 5dec0ef2e65a0ec5c2a68915def537296c53a3906e6eb01c1174d6c531da749c 5105 imagemagick_6.9.11.60+dfsg-1.6+deb12u9.dsc 472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz f6f3ae9f565fc3e4af376653d5b1750194d4734b12af1ca417f8303791b61b07 324340 imagemagick_6.9.11.60+dfsg-1.6+deb12u9.debian.tar.xz bde6f6a87bae9303b818ca5c1a1459e9d41abef1d9d78f2b48973b1cae58a377 8485 imagemagick_6.9.11.60+dfsg-1.6+deb12u9_source.buildinfo Files: b74a51511e8e8220e67524d00e29da03 5105 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u9.dsc 8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional imagemagick_6.9.11.60+dfsg.orig.tar.xz 4cf8ab27a2ef7c2ff2606700000a602f 324340 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u9.debian.tar.xz 9afb4388a8891fda457b7fc764ebdd33 8485 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u9_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIyBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmnzxl4ACgkQADoaLapB CF83lA/4oXu+t4RKjj1X6bxkRB4Fcu9rvui+VVx0L+zcYiJOHs/M6JCYN04yVRm7 nDZfb+9okswhiHQ9/2dVj8kxRsIJGnV6MPUZhmvGJlh/WuRpg54MkolpQZctm+XT FBLJ2/gm9/be/XJ2mQiU14BJfMfUnDnbp/FF5CkaUagjgNqNGAiQiv8Lo7JWpKaF G8yG1a7likNYihE/kr6CDP1RM4kVBC8GwnoMPt4CwrdISsJubR4KNLH1tuTRWj0N DhdYidqX65yGvadzq6fBA7yRCQ2JQ2XgfIlK5JRY/VF7PRXk0E368ECvUHBU+MkB WTptFMwf9D/coA332ECIPZnOmRCo9q9MXIY7Agb35/dN1vGPH1Zzlk6d4iW5saDF 26se75DxiXwhye3JBEqWbz8/diqvpPoINke4ykbycW81JYWOFrbE4mQpf71hCglN q/4rcS8RwKMFqywPc+DrR/6hfb00rC4pup9/NEXdLe0jh/WTBMgFkLNY6W7JHVCE bmw4BBsdwZ/psFP9VWl4GPjnf1ZzH3fPtwHiCy/kroOsHNmM0ptgCl2tlPKnevEj b2aZzZWY1E8t/CY26ImxdpE2YAHlVDFq3xFbKuPzO96aj7Tk2V5b0ctJH1kcFxGT fgLN9eTqGbgUeKpYQFHCuN/HnJXl178l2GN3eGBdUjOP3HC4jA== =8tlJ -----END PGP SIGNATURE-----