Format: 1.8
Date: Fri, 01 May 2026 14:47:40 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.3+deb11u12
Distribution: bullseye-security
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1134627
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u12) bullseye-security; urgency=medium
 .
   * Fix CVE-2026-33899: When `Magick` parses an XML file it is possible that
     a single zero byte is written out of bounds.
   * Fix CVE-2026-33900: The viff encoder contains an integer
     truncation/wraparound issue on 32-bit builds that could trigger an out of
     bounds heap write, potentially causing a crash.
   * Fix CVE-2026-33901: A heap buffer overflow occurs in the MVG decoder that
     could result in an out of bounds write when processing a crafted image.
   * Fix CVE-2026-33905: The -sample operation has an out of bounds read when a
     specific offset is set through the `sample:offset` define that could lead
     to an out of bounds read.
   * Fix CVE-2026-33908: When Magick processes an XML file with deeply nested
     structures, it will exhaust the stack memory, resulting in a Denial of
     Service (DoS) attack.
   * Fix CVE-2026-34238: An integer overflow in the despeckle operation causes
     a heap buffer overflow on 32-bit builds that will result in an out of
     bounds write.
   * Fix CVE-2026-40310: A heap out-of-bounds write in the JP2 encoder when a
     user specifies an invalid sampling index.
   * Fix CVE-2026-40311 (Closes: #1134627): A heap use-after-free
     vulnerability that can cause a crash when reading and printing values
     from an invalid XMP profile.
Checksums-Sha1:
 9f5b7608c5d78f669117415e0d73c38d68080b6c 5109 imagemagick_6.9.11.60+dfsg-1.3+deb11u12.dsc
 824a63dce5e54bd8b78077d671d8ab06300a8848 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 6003ac16b81bd88af23e409e3d2848c1048b414c 325444 imagemagick_6.9.11.60+dfsg-1.3+deb11u12.debian.tar.xz
 8a612f9db544771acb38290efb97d40ad3f8bc07 8588 imagemagick_6.9.11.60+dfsg-1.3+deb11u12_source.buildinfo
Checksums-Sha256:
 0481d5a962058944fcef8c9452a1f8e52635ef507f1a2dcc14eafeb5410d220e 5109 imagemagick_6.9.11.60+dfsg-1.3+deb11u12.dsc
 472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 1bc0adadd7308dd6ec9321dc3560b48065186204ed38b13152784f78dc383100 325444 imagemagick_6.9.11.60+dfsg-1.3+deb11u12.debian.tar.xz
 e9378e7c09c0139d63cc3f45c62bf63f89e10efa7f321ea34f7d43b2892d71fc 8588 imagemagick_6.9.11.60+dfsg-1.3+deb11u12_source.buildinfo
Files:
 11aac2d34f1a058f5bc41ae4ead3c208 5109 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u12.dsc
 8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional imagemagick_6.9.11.60+dfsg.orig.tar.xz
 05f6d3b61b3bca183d21f551ebd875d1 325444 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u12.debian.tar.xz
 555e862aeb119ed1c3d2ee771bff9b1a 8588 graphics optional imagemagick_6.9.11.60+dfsg-1.3+deb11u12_source.buildinfo