Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted imagemagick 8:7.1.2.19+dfsg1-1 (source) into unstable
Date: Fri, 17 Apr 2026 07:33:50 +0000
Signed by: Bastien ROUCARIÈS <rouca@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 Apr 2026 17:35:29 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.2.19+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 imagemagick (8:7.1.2.19+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version
   * Fix CVE-2026-33899:
     When `Magick` parses an XML file it is possible that
     a single zero byte is written out of the bounds
   * Fix CVE-2026-33900:
     The viff encoder contains an integer truncation/wraparound issue on
     32-bit builds that could trigger an out of bounds heap write,
     potentially causing a crash.
   * Fix CVE-2026-33901:
     A heap buffer overflow occurs in the MVG decoder that could result in
     an out of bounds write when processing a crafted image.
   * Fix CVE-2026-33902:
     A stack overflow vulnerability in ImageMagick's FX expression parser allows
     an attacker to crash the process by providing a deeply nested expression.
   * Fix CVE-2026-33905:
     The -sample operation has an out of bounds read when an specific offset
     is set through the `sample:offset` define that could lead to an out of
     bounds read.
   * Fix CVE-2026-33908:
     Magick frees the memory of the XML tree via the `DestroyXMLTree()`
     function; however, this process is executed recursively with no depth
     limit imposed. When Magick processes an XML file with deeply nested
     structures, it will exhaust the stack memory, resulting in a Denial of
     Service (DoS) attack.
   * Fix CVE-2026-34238:
     An integer overflow in the despeckle operation causes a heap
     buffer overflow on 32-bit builds that will result in an out of bounds write.
   * Fix CVE-2026-40169:
     A crafted image could result in an out of bounds heap write when writing a
     yaml or json output, resulting in a crash.
   * Fix CVE-2026-40183:
     The JXL encoder has an heap write overflow when a user specifies
     that the image should be encoded as 16 bit floats.
   * Fix CVE-2026-40310:
     A heap out-of-bounds write in the JP2 encoder with when a user specifies
     an invalid sampling index.
   * Fix CVE-2026-40311:
     A heap use-after-free vulnerability that can cause a crash when reading
     and printing values from an invalid XMP profile.
   * Fix CVE-2026-40312:
     An off by one error in the MSL decoder could result in a crash
     when a malicous MSL file is read.
Checksums-Sha1:
 e9472053a08a1cf6464ba32330c92a714610a521 5104 imagemagick_7.1.2.19+dfsg1-1.dsc
 3d33a961a81838e9658a93aaa288476ab4214465 10535792 imagemagick_7.1.2.19+dfsg1.orig.tar.xz
 7423ff0e85cacb4eb81e6960fa667606b7fc88b6 272140 imagemagick_7.1.2.19+dfsg1-1.debian.tar.xz
 9dcd57c3a90f94cb75a58ab8a682a48e815e2eac 8474 imagemagick_7.1.2.19+dfsg1-1_source.buildinfo
Checksums-Sha256:
 c5fe58c71f2bb2a42279396faeec6eb150dd5502eb02ca34a972812487117bff 5104 imagemagick_7.1.2.19+dfsg1-1.dsc
 40ab713dcf9778d94b054c87fee97acfb3da2cc805d929bc0544b9de52554684 10535792 imagemagick_7.1.2.19+dfsg1.orig.tar.xz
 41e725c5bf62b48f256a2397e6476afff81d1ec4f12fac80b9896c61e536ec45 272140 imagemagick_7.1.2.19+dfsg1-1.debian.tar.xz
 4f46c9bb157c890ca576543315de2c6618565260c6519b6e090b56ae9ff861db 8474 imagemagick_7.1.2.19+dfsg1-1_source.buildinfo
Files:
 cad37b4d054b80b3b0f273cc6cad4f61 5104 graphics optional imagemagick_7.1.2.19+dfsg1-1.dsc
 bd72286e10e09cd37c3388a2a99a9852 10535792 graphics optional imagemagick_7.1.2.19+dfsg1.orig.tar.xz
 e4ce93c6f9a4a18537df46e3c23117f9 272140 graphics optional imagemagick_7.1.2.19+dfsg1-1.debian.tar.xz
 a63db24e108caaec10822ee563c384d6 8474 graphics optional imagemagick_7.1.2.19+dfsg1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmnh3uUACgkQADoaLapB
CF+nNRAAr3IWPjdVw7NasH/FuN1afaEicMxI4WRLNSS1kJ5Y9r3g7l2Pdbn6SSAF
UTJi7445zSNR3EhILKg416KpTvCQiBefzTvlMBqtf38qy1ZZA2mw+8BN5w+4KEjy
H5hJyz2Fj81Pmlt21bz/Wja8tcS8KBL+ljGuVwd4EWFy8VJW+zhMcJhC94zGj8qT
09CyHJI3XM0YCP5jm1pkQmsilVvQnS/NNThS7bANHl6+3voHDJQEtVjUgql/bncn
Hn1G5+a88EXoF0IeBE8fZPVWQNj2qVBYcZFCF9xGSB14BOlUDnQPRHpOklXGFbP0
aR/LlnDXY/VkaOsIjClkOITR/R5HLc/9tDepqspJWR55OWJsecXVKLPf5m0/NlgG
5AMBW6Y0XgThPpxL8dQWXbe3vjo6JnBgopRYOEqaAno5Vh0sBrksFVoJPqFadFOb
vyqXBvYbMLPbjDBUeg0HQhDBs2j+gN1HWI38OgQ4Q9Y9Aa3dJ9a4VWsn9EcuJif8
k45tS3dElph3wRDDzKgoOjxSgcv4aNymDx/LlM32gFI1WwQm8qHvMmxjoC7nXNW4
0bTzPo9hMqz5h2cNyxeanMi3j9i9TPzeVE4GFIlAD+bW+gbZvlvoYry4QVSLM/MS
ws5lD2wGfawwmaeVE2WCnmW0632oLbM7d1Cd+RpqrQ6qYH2056E=
=gs9m
-----END PGP SIGNATURE-----
News for package imagemagick
