Format: 1.8
Date: Wed, 21 Jan 2026 22:54:51 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.2.13+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1126074 1126075 1126076 1126077
Changes:
 imagemagick (8:7.1.2.13+dfsg1-1) unstable; urgency=high
 .
   * New upstream version
   * Fix CVE-2026-22770 (Closes: #1126074)
     The BilateralBlurImage method will allocate a set of double buffers
     inside AcquireBilateralTLS. The last element in the set is not
     properly initialized. This will result in a release of an invalid
     pointer inside DestroyBilateralTLS when the memory allocation fails.
   * Fix CVE-2026-23874 (Closes: #1126075)
     A stack overflow was found via infinite recursion in the MSL
     (Magick Scripting Language) `<write>` command when writing to
     MSL format.
   * Fix CVE-2026-23876 (Closes: #1126076)
     A heap buffer overflow vulnerability was found in the XBM image
     decoder (ReadXBMImage) that allows an attacker to write controlled
     data past the allocated heap buffer when processing a maliciously
     crafted image file. Any operation that reads or identifies an image
     can trigger the overflow, making it exploitable via common image
     upload and processing pipelines.
   * Fix CVE-2026-23952 (Closes: #1126077)
     A NULL pointer dereference was found in the MSL parser via a
     <comment> tag before image load.
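
The failure mode described for CVE-2026-22770 (a set of buffers with one slot left uninitialized, later released on the allocation-failure path), shown in its hardened form as an added example that is not ImageMagick's code and not part of this upload. The names acquire_tls, destroy_tls, xmalloc, xfree and the fault-injection counters are hypothetical; the allocator poisons new memory so that any slot left uncleared would be a non-NULL garbage pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault-injection hook: allocation number fail_at fails (0 = never). */
static int fail_at = 0, alloc_calls = 0, live = 0;
static void *xmalloc(size_t n) {
    if (fail_at && ++alloc_calls == fail_at) return NULL;
    void *p = malloc(n);
    if (p) { memset(p, 0xA5, n); live++; } /* poison: stands in for heap garbage */
    return p;
}
static void xfree(void *p) { if (p) { free(p); live--; } }

/* Release the set. Correct only if every slot is NULL or came from xmalloc. */
static double **destroy_tls(double **set, size_t count) {
    if (set == NULL) return NULL;
    for (size_t i = 0; i < count; i++) xfree(set[i]);
    xfree(set);
    return NULL;
}

/* Allocate `count` buffers of `width` doubles, or NULL with nothing leaked. */
static double **acquire_tls(size_t count, size_t width) {
    if (count == 0 || count > SIZE_MAX / sizeof(double *)) return NULL;
    if (width == 0 || width > SIZE_MAX / sizeof(double)) return NULL;
    double **set = xmalloc(count * sizeof(*set));
    if (set == NULL) return NULL;
    /* Clear every slot first, so the failure path never passes poison to free(). */
    memset(set, 0, count * sizeof(*set));
    for (size_t i = 0; i < count; i++) {
        set[i] = xmalloc(width * sizeof(**set));
        if (set[i] == NULL) return destroy_tls(set, count);
    }
    return set;
}

/* Make allocation `nth` fail (0 = none) and return the buffers still live. */
static int live_after_failure(size_t count, size_t width, int nth) {
    fail_at = nth; alloc_calls = 0; live = 0;
    destroy_tls(acquire_tls(count, width), count);
    fail_at = 0;
    return live;
}

int main(void) {
    for (int nth = 0; nth <= 6; nth++) if (live_after_failure(4, 8, nth)) return 1;
    return 0;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and running it turns any invalid release on a failure path into an immediate report.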