Accepted imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (source) into oldstable-security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Mar 2026 17:54:58 +0100
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u7
Distribution: bookworm-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u7) bookworm-security; urgency=high
 .
   * Fix CVE-2026-24481:
     A heap information disclosure vulnerability exists
     in ImageMagick's PSD (Adobe Photoshop) format handler.
     When processing a maliciously crafted PSD file containing
     ZIP-compressed layer data that decompresses to less than
     the expected size, uninitialized heap memory is leaked
     into the output image.
   * Fix CVE-2026-24484:
     Magick fails to check for multi-layer nested mvg
     conversions to svg, leading to DoS.
   * Fix CVE-2026-24485:
     When a PCD file does not contain a valid Sync marker, the
     DecodeImage() function becomes trapped in an infinite loop while
     searching for the Sync marker, causing the program to become
     unresponsive and continuously consume CPU resources, ultimately
     leading to system resource exhaustion and Denial of Service
     (DoS)
   * Fix CVE-2026-25576:
     A heap buffer over-read vulnerability exists in multiple
     raw image format handles. The vulnerability occurs when
     processing images with -extract dimensions larger than
     -size dimensions, causing out-of-bounds memory reads
     from a heap-allocated buffer.
   * Fix CVE-2026-25638:
     A memory leak exists in `coders/msl.c`. In the `WriteMSLImage`
     function of the `msl.c` file, resources are allocated. But the
     function returns early without releasing these allocated resources.
   * Fix CVE-2026-25795:
     `ReadSFWImage()` (`coders/sfw.c`), when temporary file
     creation fails, `read_info` is destroyed before its `filename`
     member is accessed, causing a NULL pointer dereference and crash.
   * Fix CVE-2026-25796:
     In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image
     object is not freed on three early-return paths, resulting in a
     definite memory leak (~13.5KB+ per invocation) that can be exploited
     for denial of service.
   * Fix CVE-2026-25797:
     The ps coders, responsible for writing PostScript files, fails to
     sanitize the input before writing it into the PostScript header. An
     attacker can provide a malicious file and inject arbitrary PostScript
     code. When the resulting file is processed by a printer or a viewer
     (like Ghostscript), the injected code is interpreted and executed. The
     html encoder does not properly escape strings that are written to in
     the html document. An attacker can provide a malicious file and
     injection arbitrary html code.
   * Fix CVE-2026-25798:
     A NULL pointer dereference in ClonePixelCacheRepository allows a
     remote attacker to crash any application linked against ImageMagick by
     supplying a crafted image file, resulting in denial of service.
   * Fix CVE-2026-25799:
     A logic error in YUV sampling factor validation allows an invalid
     sampling factor to bypass checks and trigger a division-by-zero during
     image loading, resulting in a reliable denial-of-service.
   * Fix CVE-2026-25897:
     An Integer Overflow vulnerability exists in the sun decoder. On 32-bit
     systems/builds, a carefully crafted image can lead to an out of bounds
     heap write.
   * Fix CVE-2026-25898:
     The UIL and XPM image encoder do not validate the
     pixel index value returned by `GetPixelIndex()` before using it as an
     array subscript. In HDRI builds, `Quantum` is a floating-point type,
     so pixel index values can be negative. An attacker can craft an image
     with negative pixel index values to trigger a global buffer overflow
     read during conversion, leading to information disclosure or a process
     crash.
   * Fix CVE-2026-25965:
     ImageMagick’s path security policy is enforced on the raw filename
     string before the filesystem resolves it. As a result, a policy rule
     such as /etc/* can be bypassed by a path traversal. The OS resolves
     the traversal and opens the sensitive file, but the policy matcher
     only sees the unnormalized path and therefore allows the read. This
     enables local file disclosure (LFI) even when policy-secure.xml is
     applied.
   * Fix CVE-2026-25968:
     A stack buffer overflow occurs when processing the an attribute
     in msl.c. A long value overflows a fixed-size stack buffer,
     leading to memory corruption
   * Fix CVE-2026-25970:
     A signed integer overflow vulnerability in ImageMagick's SIXEL decoder
     allows an attacker to trigger memory corruption and denial of service
     when processing a maliciously crafted SIXEL image file. The
     vulnerability occurs during buffer reallocation operations where
     pointer arithmetic using signed 32-bit integers overflows.
   * Fix CVE-2026-25982:
     A heap out-of-bounds read vulnerability exists in the `coders/dcm.c`
     module. When processing DICOM files with a specific configuration, the
     decoder loop incorrectly reads bytes per iteration. This causes the
     function to read past the end of the allocated buffer, potentially
     leading to a Denial of Service (crash) or Information Disclosure
     (leaking heap memory into the image).
   * Fix CVE-2026-25983:
     A crafted MSL script triggers a heap-use-after-free. The operation
     element handler replaces and frees the image while the parser
     continues reading from it, leading to a UAF in ReadBlobString during
     further parsing.
   * Fix CVE-2026-25986:
     A heap buffer overflow write vulnerability exists in ReadYUVImage()
     (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images.
   * Fix CVE-2026-25987:
     A heap buffer over-read vulnerability exists in the MAP image decoder when
     processing crafted MAP files, potentially leading to crashes or
     unintended memory disclosure during image decoding.
   * Fix CVE-2026-25988:
     Sometimes msl.c fails to update the stack index, so an image is
     stored in the wrong slot and never freed on error, causing leaks
   * Fix CVE-2026-25989:
     A crafted SVG file can cause a denial of service. An off-by-one boundary
     check (`>` instead of `>=`) that allows bypass the guard and reach an
     undefined `(size_t)` cast.
   * Fix CVE-2026-26066:
     A crafted profile contain invalid IPTC data may cause an infinite
     loop when writing it with `IPTCTEXT`
   * Fix CVE-2026-26283:
     A `continue` statement in the JPEG extent binary search loop
     in the jpeg encoder causes an infinite loop when writing persistently fails
   * Fix CVE-2026-27798:
     A heap buffer over-read vulnerability occurs when processing an image
     with small dimension using the `-wavelet-denoise` operator
   * Fix CVE-2026-27799:
     A heap buffer over-read vulnerability exists in the DJVU image format
     handler. The vulnerability occurs due to integer truncation when
     calculating the stride (row size) for pixel buffer allocation. The
     stride calculation overflows a 32-bit signed integer, resulting in an
     out-of-bounds memory reads.
Checksums-Sha1:
 bea08b399d1bf60ed598cfe731e6f9a09597ffed 5105 imagemagick_6.9.11.60+dfsg-1.6+deb12u7.dsc
 824a63dce5e54bd8b78077d671d8ab06300a8848 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 86727e8f08b0c18ddcbed3a4e7b5b523687c001f 296184 imagemagick_6.9.11.60+dfsg-1.6+deb12u7.debian.tar.xz
 65b2d12cc70a785089aafd46aa20c0ecbfd96d4a 8514 imagemagick_6.9.11.60+dfsg-1.6+deb12u7_source.buildinfo
Checksums-Sha256:
 f8f56e4b746d30860ce1f0c3e7df2a16655a67ec78b409fce0c1ed0a6b3ef3d6 5105 imagemagick_6.9.11.60+dfsg-1.6+deb12u7.dsc
 472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 e15571777dd71a89aef7dd5f595cf788c9a18320ba483fc93caa096834509cfa 296184 imagemagick_6.9.11.60+dfsg-1.6+deb12u7.debian.tar.xz
 d5f41fa21b58f195e947483745f9e8cc842adca2d3c342fdab9193250a69b3ae 8514 imagemagick_6.9.11.60+dfsg-1.6+deb12u7_source.buildinfo
Files:
 5bb31c11fb0b2362bf6a033d62501aa0 5105 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u7.dsc
 8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional imagemagick_6.9.11.60+dfsg.orig.tar.xz
 ffa2bfb79272d1ccec6608ad72057ea7 296184 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u7.debian.tar.xz
 70e91d6278ccd47f7ad2c736d952c70d 8514 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmmwPvsACgkQADoaLapB
CF9SpQ//XN8pBOwG8yykB7uSjuVZ4G+O7FepTNKZK3zwtB/Hs8K8DpekSYniLNd/
N1nlAPDnElX8/CHRfOKvHWHqgRLm7IxEb6vgDjbH2VN/qc2d7JnlzDVS41lXEZ8i
neY+fqGk6KjoX50KeYQ1DigfrM9NJl2iClbExN0ZvcRomaX6mQVjJIw1IaXHuTSe
Uf4W5cVfZItZ0vYKvDu8ucT3rcTM+NhH0KRy/a0RPuFCNo5nVjc/M8Ua5Bepdfyp
PRQBBkFkl/Wk1qxmd+Be8+uUGK3KZ7rJnIFs12OlgODXjZazfsYLHvlefCzzuNMx
SYFqvlVcoWK4F/6qP8nKbyWnUUExJy6b14rKORiPi8zqV9C+K685fyInywwSySxE
PkIN6CRecw1MaLTxjRzNrhSSlefgpRwyHWy8GK5tEY+7g0VqxZixWv4mSZf3dRjv
9ZbDoznDoBIt3yW3u6V+r+yJ7nnWGnpHazzS6E+A0HnYjqOydXKWVGwR2DWDpoPQ
5ng577ZENxpUQ7DZNO/Oa2HxU+OeRJX2vI0/CIDuUCX4FcUgsE8yPeGvTpEZe9sr
HuR0bBlBR3PbLDTnVl98+MEtWaFwjYLmzLePvA4x5C/Uk0STtwMeNipAzVtikNtH
gWN+PVdOgCsy8aUumJVwn+rx2eE4U1PB2AQ4p3CKb6FzR+/RsY4=
=/hJ3
-----END PGP SIGNATURE-----