-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Mar 2026 17:54:58 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc imagemagick-common imagemagick-doc libimage-magick-perl libmagick++-6-headers libmagick++-dev libmagickcore-6-headers libmagickcore-dev libmagickwand-6-headers libmagickwand-dev perlmagick
Architecture: all
Version: 8:6.9.11.60+dfsg-1.6+deb12u7
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u7) bookworm-security; urgency=high
 .
   * Fix CVE-2026-24481:
     A heap information disclosure vulnerability exists
     in ImageMagick's PSD (Adobe Photoshop) format handler.
     When processing a maliciously crafted PSD file containing
     ZIP-compressed layer data that decompresses to less than
     the expected size, uninitialized heap memory is leaked
     into the output image.
   * Fix CVE-2026-24484:
     Magick fails to check for multi-layer nested mvg
     conversions to svg, leading to DoS.
   * Fix CVE-2026-24485:
     When a PCD file does not contain a valid Sync marker, the
     DecodeImage() function becomes trapped in an infinite loop while
     searching for the Sync marker, causing the program to become
     unresponsive and continuously consume CPU resources, ultimately
     leading to system resource exhaustion and Denial of Service
     (DoS)
   * Fix CVE-2026-25576:
     A heap buffer over-read vulnerability exists in multiple
     raw image format handles. The vulnerability occurs when
     processing images with -extract dimensions larger than
     -size dimensions, causing out-of-bounds memory reads
     from a heap-allocated buffer.
   * Fix CVE-2026-25638:
     A memory leak exists in `coders/msl.c`. In the `WriteMSLImage`
     function of the `msl.c` file, resources are allocated. But the
     function returns early without releasing these allocated resources.
   * Fix CVE-2026-25795:
     `ReadSFWImage()` (`coders/sfw.c`), when temporary file
     creation fails, `read_info` is destroyed before its `filename`
     member is accessed, causing a NULL pointer dereference and crash.
   * Fix CVE-2026-25796:
     In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image
     object is not freed on three early-return paths, resulting in a
     definite memory leak (~13.5KB+ per invocation) that can be exploited
     for denial of service.
   * Fix CVE-2026-25797:
     The ps coders, responsible for writing PostScript files, fails to
     sanitize the input before writing it into the PostScript header. An
     attacker can provide a malicious file and inject arbitrary PostScript
     code. When the resulting file is processed by a printer or a viewer
     (like Ghostscript), the injected code is interpreted and executed. The
     html encoder does not properly escape strings that are written to in
     the html document. An attacker can provide a malicious file and
     injection arbitrary html code.
   * Fix CVE-2026-25798:
     A NULL pointer dereference in ClonePixelCacheRepository allows a
     remote attacker to crash any application linked against ImageMagick by
     supplying a crafted image file, resulting in denial of service.
   * Fix CVE-2026-25799:
     A logic error in YUV sampling factor validation allows an invalid
     sampling factor to bypass checks and trigger a division-by-zero during
     image loading, resulting in a reliable denial-of-service.
   * Fix CVE-2026-25897:
     An Integer Overflow vulnerability exists in the sun decoder. On 32-bit
     systems/builds, a carefully crafted image can lead to an out of bounds
     heap write.
   * Fix CVE-2026-25898:
     The UIL and XPM image encoder do not validate the
     pixel index value returned by `GetPixelIndex()` before using it as an
     array subscript. In HDRI builds, `Quantum` is a floating-point type,
     so pixel index values can be negative. An attacker can craft an image
     with negative pixel index values to trigger a global buffer overflow
     read during conversion, leading to information disclosure or a process
     crash.
   * Fix CVE-2026-25965:
     ImageMagick’s path security policy is enforced on the raw filename
     string before the filesystem resolves it. As a result, a policy rule
     such as /etc/* can be bypassed by a path traversal. The OS resolves
     the traversal and opens the sensitive file, but the policy matcher
     only sees the unnormalized path and therefore allows the read. This
     enables local file disclosure (LFI) even when policy-secure.xml is
     applied.
   * Fix CVE-2026-25968:
     A stack buffer overflow occurs when processing the an attribute
     in msl.c. A long value overflows a fixed-size stack buffer,
     leading to memory corruption
   * Fix CVE-2026-25970:
     A signed integer overflow vulnerability in ImageMagick's SIXEL decoder
     allows an attacker to trigger memory corruption and denial of service
     when processing a maliciously crafted SIXEL image file. The
     vulnerability occurs during buffer reallocation operations where
     pointer arithmetic using signed 32-bit integers overflows.
   * Fix CVE-2026-25982:
     A heap out-of-bounds read vulnerability exists in the `coders/dcm.c`
     module. When processing DICOM files with a specific configuration, the
     decoder loop incorrectly reads bytes per iteration. This causes the
     function to read past the end of the allocated buffer, potentially
     leading to a Denial of Service (crash) or Information Disclosure
     (leaking heap memory into the image).
   * Fix CVE-2026-25983:
     A crafted MSL script triggers a heap-use-after-free. The operation
     element handler replaces and frees the image while the parser
     continues reading from it, leading to a UAF in ReadBlobString during
     further parsing.
   * Fix CVE-2026-25986:
     A heap buffer overflow write vulnerability exists in ReadYUVImage()
     (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images.
   * Fix CVE-2026-25987:
     A heap buffer over-read vulnerability exists in the MAP image decoder when
     processing crafted MAP files, potentially leading to crashes or
     unintended memory disclosure during image decoding.
   * Fix CVE-2026-25988:
     Sometimes msl.c fails to update the stack index, so an image is
     stored in the wrong slot and never freed on error, causing leaks
   * Fix CVE-2026-25989:
     A crafted SVG file can cause a denial of service. An off-by-one boundary
     check (`>` instead of `>=`) that allows bypass the guard and reach an
     undefined `(size_t)` cast.
   * Fix CVE-2026-26066:
     A crafted profile contain invalid IPTC data may cause an infinite
     loop when writing it with `IPTCTEXT`
   * Fix CVE-2026-26283:
     A `continue` statement in the JPEG extent binary search loop
     in the jpeg encoder causes an infinite loop when writing persistently fails
   * Fix CVE-2026-27798:
     A heap buffer over-read vulnerability occurs when processing an image
     with small dimension using the `-wavelet-denoise` operator
   * Fix CVE-2026-27799:
     A heap buffer over-read vulnerability exists in the DJVU image format
     handler. The vulnerability occurs due to integer truncation when
     calculating the stride (row size) for pixel buffer allocation. The
     stride calculation overflows a 32-bit signed integer, resulting in an
     out-of-bounds memory reads.
Checksums-Sha1:
 0095a39b42a01df5245d4d89c0e939c7f8181ce7 170792 imagemagick-6-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 9743123fc410d423bd1eabe3c69574045e256405 7894224 imagemagick-6-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 2e7a0247ae0f999e5ed85d9621fa629f743d8860 1516 imagemagick-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 e53d39b0641496bf6828323ef790aea203236879 1620 imagemagick-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 1cf9cd6c6fda9d4f8b5998611912acefa2e6a722 18972 imagemagick_6.9.11.60+dfsg-1.6+deb12u7_all-buildd.buildinfo
 ddd0d2be9f0c41e314385d2ec6637c699ca38f28 53312 libimage-magick-perl_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 8776e149b98373c79bed4dc862ae395a8bd2e28c 47508 libmagick++-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 88a5dd3baea13e94b9fefe0639a4c6496245d98c 1372 libmagick++-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 ff967926a8323a2d686469bd4ccb798df9bdc24d 50920 libmagickcore-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 05e2076195a585058d134819a4850f4775c1739d 1344 libmagickcore-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 6b580f57b6762c380ee407e7f70ace0958cd58e0 10508 libmagickwand-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 0d049b214ef4780d0eda1d9dc950ba4dfc358225 1336 libmagickwand-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 c2baac741687d9b3401d757576c69a9e00fc5da0 1368 perlmagick_6.9.11.60+dfsg-1.6+deb12u7_all.deb
Checksums-Sha256:
 a638a18c7a70c69f85b6c15399eb1091a1785876c13b65b7d0b5dd27c7401e86 170792 imagemagick-6-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 acdb030483422b0f58a3b58aea5623ec20d7addc7efb509d010882a7c6502eda 7894224 imagemagick-6-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 cbdcfececc9f3f5c12e28996dd8c37da3d7c090eb1cd1f48e2c2bb517bc04f69 1516 imagemagick-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 f92315f0d684fff523a16714cf425fbb25ecbc6b0de42183abb24459a37bf0be 1620 imagemagick-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 2dd589af66a8a258d36416f0802a0abae65e0bc43c1ed9d78b47b4614fd42f2a 18972 imagemagick_6.9.11.60+dfsg-1.6+deb12u7_all-buildd.buildinfo
 11381ceb5a9fd34126a655ca52ee5509cd7eb2478e69f6d99c3cf7713255336d 53312 libimage-magick-perl_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 518e84c8439a7ec4eb24344d92a5eaafe37a1b51c6c7300ee3bf3c54cc6c3020 47508 libmagick++-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 1685f846d64f37dadf940adbd85b9347f2a742b2cce65bf56cfdc1f45340ddd0 1372 libmagick++-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 4e9a56ff85ff2cc969ffb721031c45da076e1e326addd1789d71b144f0fca7d9 50920 libmagickcore-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 dde29d439e82eac682f580d3f71d3e6c11ef0f8786cefaea8caca97c22956d91 1344 libmagickcore-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 08e05528f81a51efb76e389b570344ff44c401297c167ac8d3b95fdc4bc0808d 10508 libmagickwand-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 c1c1a0a16b0cc479404947b139a70e74e3ce3d6eefc1b38bef6f4880e841b9f1 1336 libmagickwand-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 16e2ae33fc7fe6cdef193021c3ecee5c8f9e0594b36927f9f1074ed99d29a899 1368 perlmagick_6.9.11.60+dfsg-1.6+deb12u7_all.deb
Files:
 4f4369e422f2343f860124672c262abc 170792 graphics optional imagemagick-6-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 be5e2c9eef2016d9994665a51e2f6cfb 7894224 doc optional imagemagick-6-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 5e56ac41b3f4ae01b7febad285378538 1516 oldlibs optional imagemagick-common_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 97e17891886458c27db9a72539456286 1620 oldlibs optional imagemagick-doc_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 c3696fcb1baa0816c7a51ef0c9b45a39 18972 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u7_all-buildd.buildinfo
 bffb3753ef8a55831f724a7383d92db1 53312 perl optional libimage-magick-perl_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 9f9a315e833ac86075c25f6d783609b4 47508 libdevel optional libmagick++-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 7ec1fa5e0ebcb8763098c86dfc33619d 1372 oldlibs optional libmagick++-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 2b0db295d3c150f95bb5f79adc6c06e0 50920 libdevel optional libmagickcore-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 c20a59ce13aed7836ab08e3a0bbc0fce 1344 oldlibs optional libmagickcore-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 521d446666d62f26a8e5fc5fd322b818 10508 libdevel optional libmagickwand-6-headers_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 557d196c8b3c1c541d46ab8163e0ab32 1336 oldlibs optional libmagickwand-dev_6.9.11.60+dfsg-1.6+deb12u7_all.deb
 91c6d11bc0e6bdb1b9a4e60a9fbbf912 1368 oldlibs optional perlmagick_6.9.11.60+dfsg-1.6+deb12u7_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE81O8NL+3kjBAqEvLmgPNRvTf/zcFAmmwRNAACgkQmgPNRvTf
/zcBDBAAhYNidC3gCr0pCRHHpII4yWuteLF/0auPSqn9Qp/9UapBL+QsoV1LsYU9
Kk6Aihnkn+Mpnbq8Y5zX9zsR0BSMFlX/aJAGmzqqhUe31N/Kx+JcW5xrZRvAn9WO
vaNpAvG6bQJufgvfD68OTuETAgJ6LJaqyMgkav/wfsERB8Df634Z4Kh7LVyqwHIt
N64Ws+lTS43i8lCYj40IbYSoYGUyRHNrFMzz/cHr5qSOrW50dcZBIjaEKIU9Yvjm
6HPKYdsA1S8ZNvPZiXYhUBBqAcz3uA0xUXlxCQEWnuSwMSQdWIA7TE338bMTPGh5
xs617+JUKZLqm66Y+d7SH/3ZyRekrcCdBYJaF6tnQ31JTAa51GDXxdgZcuj7j495
Daoq7RxfWEvypzulH9PCLTRI4EKCvFQrnMcAbtZUScAp8zOrmw93luYL2DMbLd/3
75enct2KSbaBDvu8FODqvuRaF6xsL3SIcFQ7Uq15LnNFnDaLVytBkXD7oElZNtAU
ETkTIYyLbghks0rS8Qc/pe3UJZ6tOe40HPJHD7pc9aXo397/X8U0LhluKTyZExJL
bAhKQELi4uUI843nDJaVCIAiVAPd6bgP9eWDy8QJ3kmgeGpIootWqPIEgZMFBSNu
K+xpsHUHGQR1OVKWZioGsrHlzuAm92cLD3tmcjtJsQaPF0YPO6E=
=iKsp
-----END PGP SIGNATURE-----