Format: 1.8
Date: Wed, 21 Jan 2026 23:43:36 +0100
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.3+deb11u9
Distribution: bullseye-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1126075 1126076 1126077
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u9) bullseye-security; urgency=high
 .
   * Fix CVE-2026-23874 (Closes: #1126075)
     A stack overflow was found via infinite recursion in the
     MSL (Magick Scripting Language) `<write>` command when writing
     to MSL format.
   * Fix CVE-2026-23876 (Closes: #1126076)
     A heap buffer overflow vulnerability was found in the XBM image
     decoder (ReadXBMImage) that allows an attacker to write controlled
     data past the allocated heap buffer when processing a maliciously
     crafted image file. Any operation that reads or identifies an image
     can trigger the overflow, making it exploitable via common image
     upload and processing pipelines.
   * Fix CVE-2026-23952 (Closes: 1126077)
     A NULL pointer dereference was found in the MSL parser via a
     <comment> tag before image load.