Accepted imagemagick 8:7.1.2.15+dfsg1-1 (source) into unstable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Mar 2026 00:50:41 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.2.15+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 imagemagick (8:7.1.2.15+dfsg1-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix a double free in SVG
   * Fix unreproductible doxygen documentation
   * Fix CVE-2026-24481:
     A heap information disclosure vulnerability exists
     in ImageMagick's PSD (Adobe Photoshop) format handler.
     When processing a maliciously crafted PSD file containing
     ZIP-compressed layer data that decompresses to less than
     the expected size, uninitialized heap memory is leaked
     into the output image.
   * Fix CVE-2026-24484:
     Magick fails to check for multi-layer nested mvg
     conversions to svg, leading to DoS.
   * Fix CVE-2026-24485:
     When a PCD file does not contain a valid Sync marker, the
     DecodeImage() function becomes trapped in an infinite loop while
     searching for the Sync marker, causing the program to become
     unresponsive and continuously consume CPU resources, ultimately
     leading to system resource exhaustion and Denial of Service
     (DoS)
   * Fix CVE-2026-25576:
     A heap buffer over-read vulnerability exists in multiple
     raw image format handles. The vulnerability occurs when
     processing images with -extract dimensions larger than
     -size dimensions, causing out-of-bounds memory reads
     from a heap-allocated buffer.
   * Fix CVE-2026-25637:
     A memory leak in the ASHLAR image writer allows an attacker to exhaust
     process memory by providing a crafted image that results in small
     objects that are allocated but never freed.
   * Fix CVE-2026-25638:
     A memory leak exists in `coders/msl.c`. In the `WriteMSLImage`
     function of the `msl.c` file, resources are allocated. But the
     function returns early without releasing these allocated resources.
   * Fix CVE-2026-25794:
     `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
     the pixel buffer size. Prior to version 7.1.2-15, when image
     dimensions are large, the multiplication overflows 32-bit `int`,
     causing an undersized heap allocation followed by an out-of-bounds
     write.
   * Fix CVE-2026-25795:
     `ReadSFWImage()` (`coders/sfw.c`), when temporary file
     creation fails, `read_info` is destroyed before its `filename`
     member is accessed, causing a NULL pointer dereference and crash.
   * Fix CVE-2026-25796:
     In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image
     object is not freed on three early-return paths, resulting in a
     definite memory leak (~13.5KB+ per invocation) that can be exploited
     for denial of service.
   * Fix CVE-2026-25797:
     The ps coders, responsible for writing PostScript files, fails to
     sanitize the input before writing it into the PostScript header. An
     attacker can provide a malicious file and inject arbitrary PostScript
     code. When the resulting file is processed by a printer or a viewer
     (like Ghostscript), the injected code is interpreted and executed. The
     html encoder does not properly escape strings that are written to in
     the html document. An attacker can provide a malicious file and
     injection arbitrary html code.
   * Fix CVE-2026-25798:
     A NULL pointer dereference in ClonePixelCacheRepository allows a
     remote attacker to crash any application linked against ImageMagick by
     supplying a crafted image file, resulting in denial of service.
   * Fix CVE-2026-25799:
     A logic error in YUV sampling factor validation allows an invalid
     sampling factor to bypass checks and trigger a division-by-zero during
     image loading, resulting in a reliable denial-of-service.
   * Fix CVE-2026-25897:
     An Integer Overflow vulnerability exists in the sun decoder. On 32-bit
     systems/builds, a carefully crafted image can lead to an out of bounds
     heap write.
   * Fix CVE-2026-25898:
     The UIL and XPM image encoder do not validate the
     pixel index value returned by `GetPixelIndex()` before using it as an
     array subscript. In HDRI builds, `Quantum` is a floating-point type,
     so pixel index values can be negative. An attacker can craft an image
     with negative pixel index values to trigger a global buffer overflow
     read during conversion, leading to information disclosure or a process
     crash.
   * Fix CVE-2026-25965:
     ImageMagick’s path security policy is enforced on the raw filename
     string before the filesystem resolves it. As a result, a policy rule
     such as /etc/* can be bypassed by a path traversal. The OS resolves
     the traversal and opens the sensitive file, but the policy matcher
     only sees the unnormalized path and therefore allows the read. This
     enables local file disclosure (LFI) even when policy-secure.xml is
     applied.
   * Fix CVE-2026-25966:
     The shipped "secure" security policy includes a rule intended to
     prevent reading/writing from standard streams. However, ImageMagick
     also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1).
     This path form is not blocked by the
     secure policy templates, and therefore bypasses the protection goal of
     "no stdin/stdout."
   * Fix CVE-2026-25967:
     A stack-based buffer overflow exists in the ImageMagick FTXT image
     reader. A crafted FTXT file can cause out-of-bounds writes on the
     stack, leading to a crash.
   * Fix CVE-2026-25968:
     A stack buffer overflow occurs when processing the an attribute in
     msl.c. A long value overflows a fixed-size stack buffer, leading to
     memory corruption.
   * Fix CVE-2026-25969:
     A memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage`
     allocates a structure. However, when an exception is thrown, the
     allocated memory is not properly released, resulting in a potential
     memory leak.
   * Fix CVE-2026-25970:
     A signed integer overflow vulnerability in ImageMagick's SIXEL decoder
     allows an attacker to trigger memory corruption and denial of service
     when processing a maliciously crafted SIXEL image file. The
     vulnerability occurs during buffer reallocation operations where
     pointer arithmetic using signed 32-bit integers overflows.
   * Fix CVE-2026-25971:
     Magick fails to check for circular references between two MSLs,
     leading to a stack overflow.
   * Fix CVE-2026-25982:
     A heap out-of-bounds read vulnerability exists in the `coders/dcm.c`
     module. When processing DICOM files with a specific configuration, the
     decoder loop incorrectly reads bytes per iteration. This causes the
     function to read past the end of the allocated buffer, potentially
     leading to a Denial of Service or Information Disclosure.
   * Fix CVE-2026-25983:
     A crafted MSL script triggers a heap-use-after-free. The operation
     element handler replaces and frees the image while the parser
     continues reading from it, leading to a UAF in ReadBlobString during
     further parsing.
   * Fix CVE-2026-25985:
     A crafted SVG file containing an malicious element causes ImageMagick
     to attempt to allocate ~674 GB of memory, leading to an out-of-memory
     abort.
   * Fix CVE-2026-25986:
     A heap buffer overflow write vulnerability exists in ReadYUVImage()
     (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace)
     images. The pixel-pair loop writes one pixel beyond the allocated row
     buffer.
   * Fix CVE-2026-25987:
     A heap buffer over-read vulnerability exists in the MAP image decoder
     when processing crafted MAP files, potentially leading to crashes or
     unintended memory disclosure during image decoding.
   * Fix CVE-2026-25988:
     Sometimes msl.c fails to update the stack index, so an image is stored
     in the wrong slot and never freed on error, causing leaks.
   * Fix CVE-2026-25989:
     A crafted SVG file can cause a denial of service. An off-by-one
     boundary check (`>` instead of `>=`) that allows bypass the guard and
     reach an undefined `(size_t)` cast.
   * Fix CVE-2026-26066:
     A crafted profile contain invalid IPTC data may cause an infinite loop
     when writing it with `IPTCTEXT`.
   * Fix CVE-2026-26283:
     A `continue` statement in the JPEG extent binary search loop in the
     jpeg encoder causes an infinite loop when writing persistently fails.
   * Fix CVE-2026-26284:
     ImageMagick lacks proper boundary checking when processing
     Huffman-coded data from PCD (Photo CD) files. The decoder contains an
     function that has an incorrect initialization that could cause an out
     of bounds read.
   * Fix CVE-2026-26983:
     The MSL interpreter crashes when processing a invalid `<map>` element
     that causes it to use an image after it has been freed.
   * Fix CVE-2026-27798:
     A heap buffer over-read vulnerability occurs when processing an image
     with small dimension using the `-wavelet-denoise` operator.
   * Fix CVE-2026-27799:
     A heap buffer over-read vulnerability exists in the DJVU image format
     handler. The vulnerability occurs due to integer truncation when
     calculating the stride (row size) for pixel buffer allocation. The
     stride calculation overflows a 32-bit signed integer, resulting in an
     out-of-bounds memory reads.
Checksums-Sha1:
 68d3d60557502a54ae240a2c3f4503709e096f5e 5202 imagemagick_7.1.2.15+dfsg1-1.dsc
 1c76d8493afc715b41472d0468d4796e9f6d1ce3 10528648 imagemagick_7.1.2.15+dfsg1.orig.tar.xz
 ae32ad8e1042439fcc73505a9c0c369cf9d3dbdb 272436 imagemagick_7.1.2.15+dfsg1-1.debian.tar.xz
 4b7ab55039a7025ed54c8ff2547779733e194eb4 8805 imagemagick_7.1.2.15+dfsg1-1_source.buildinfo
Checksums-Sha256:
 d3284da5a4c7b7b5bd3c70b636740b8a81722537f2ffc0b6aec237ecb267d3b2 5202 imagemagick_7.1.2.15+dfsg1-1.dsc
 051b7969e97a3b6ca5611c0dbf92b01ed5a6b2ee7bee933c628d59da120a263c 10528648 imagemagick_7.1.2.15+dfsg1.orig.tar.xz
 c716af6d5d622c3564ae58f8a9b880da669a2ad8fbf4230dd563971db892c1a1 272436 imagemagick_7.1.2.15+dfsg1-1.debian.tar.xz
 81a9024cbc091eb4a7c128ec284b35364ed83df76a020a44a0a34e3286c8d506 8805 imagemagick_7.1.2.15+dfsg1-1_source.buildinfo
Files:
 a7d921a9d4add6b165f29f34c614e796 5202 graphics optional imagemagick_7.1.2.15+dfsg1-1.dsc
 03580c6cf9a24592d6eba8fc803b1bce 10528648 graphics optional imagemagick_7.1.2.15+dfsg1.orig.tar.xz
 3312bf71bb4098e4fa38bde80088914e 272436 graphics optional imagemagick_7.1.2.15+dfsg1-1.debian.tar.xz
 bb3b7195ad6497b1eef9e51c89fa3354 8805 graphics optional imagemagick_7.1.2.15+dfsg1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJppEWfCRAAOhotqkEIX0cUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmeNqOFPnlA1cpbDVQ45ABLq+nrl4MizBYeZoGM3d2rh
+hYhBF0Bh7lAokW617D1agA6Gi2qQQhfAAC26g/+PVbWF4CpP6Eyf+UIy2Fhnfwv
Fx8g5ebe4RnV6dYA0JurpMWZzZi38felnRPF6tlgEu0KkwmNuUG0I4Jqzeq43So2
YQZJij4bHoqcCFE+tlYDm5qv6Oy5CgJAJ77qRHvG3b61o6g8L7c6yjvGZu3a8koP
hiVwuGQiaAEh9QbQNmK4tlEpbChv3BkJkrxt17feVaG3/GGI77sBEk9bJzRLF3Tn
mZQBEFxq+EFOxDR/fB0mT7+M79pM/hkW1Kx/OF1XEQQV7sbUTWAGc8m7oxAvxWzN
fZWvyUxzOpQd77i/bFoFMFTig7nK4B/VcfpBGEfvWsaEfIjAm7ZQEo78LMhwft3Y
Vbl2lV7wjX2uA8D8+iuRu6pHxkkVKzTO9RZoMt3i+eiIwcKb3K4Fo0syF7cB8mUk
bqLvyMqoskRPfneA8c/EHWeMeTLqUu0fAbXEJ0/5C+1hZ3Q19b2tO5VgBw37P6fi
YjlJluKYYhlnM1X2TqwYCl5AxETzNk9VoEglbo2yDo9JXjcO/OKJjM3HaEREj/HI
VpkjFEP3aXMxM7zRjcFXK/TKIBA0iwfy3WsFkLuvivbqa3K3X1etRTGuWNdXJIlD
OvoZnuYepsnDC7TtemwUr1C1SHw5PsepQ0MvxYGxVe0cXMyiHcFA+HQKrGuYC7LI
0YGbkBck1S3V0/W7iCo=
=FTkp
-----END PGP SIGNATURE-----