-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 22:36:03 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc imagemagick-common imagemagick-doc libimage-magick-perl libmagick++-6-headers libmagick++-dev libmagickcore-6-headers libmagickcore-dev libmagickwand-6-headers libmagickwand-dev perlmagick
Architecture: all
Version: 8:6.9.11.60+dfsg-1.6+deb12u10
Distribution: bookworm-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u10) bookworm-security; urgency=high
 .
   * Fix CVE-2026-33901 regression:
     Previous fix breaks rendering of some MVG files.
   * Fix CVE-2026-42050:
     A malicious MIFF file could trigger an overflow when a user opens it
     in the display tool and right-clicks a tile to invoke the
     Load/Update menu item.
   * Fix CVE-2026-42326:
     Heap Buffer Over-Read in IPTC encoder
   * Fix CVE-2026-45031:
     Policy Bypass in PSD decoder
     Due to a missing check in the PSD decoder it would be
     possible to bypass the list-length resource policy when
     decoding a PSD image. Other security limits would still apply.
   * Fix CVE-2026-45359:
     Heap Buffer Over-Read in connected components when the user
     supplies an invalid keep-top define.
     An invalid connected-components:keep-top value could result
     in a heap buffer over-read when performing the connected components
     operation.
   * Fix CVE-2026-45624:
     Heap Buffer Over-Read of 24 bytes in distort operation.
     When performing a polynomial distortion an out of bounds over-read of
     24 bytes can occur when specifying specific arguments.
   * Fix CVE-2026-45664:
     Policy Bypass in MNG decoder
     Because of a missing check in the MNG coder it would be possible
     to read more images than the list limit policy would allow
     resulting in excessive resource use.
   * Fix CVE-2026-46520:
     Heap Buffer Over-Write in IPL decoder when reading multiple
     images of different dimensions
     When reading multiple images with different dimensions an out of
     bounds heap write can occur.
   * Fix CVE-2026-46521:
     Heap Buffer Over-Write in MIFF encoder when using LZMA compression.
     When using LZMA compression in the MIFF encoder an out of bounds
     write can occur due to a missing check.
   * Fix CVE-2026-46522:
     Infinite Loop in the MIFF decoder can lead to CPU exhaustion.
     Due to a missing check in the MIFF decoder a crafted file could
     cause an infinite loop resulting in CPU exhaustion.
   * Fix CVE-2026-46523:
     Use-After-Free in MSL decoder.
     A crafted MSL image can trigger a heap-use-after-free.
   * Fix CVE-2026-46559:
     Heap Buffer Over-Write of a single byte in the JP2 encoder.
     An incorrect check in the JP2 will result in a heap buffer
     over-write of a single byte when specifying certain options.
   * backport distribute cache from 6.9.13-48
   * Fix CVE-2026-46692:
     Heap Buffer Over-Write in distributed pixel cache server
     An attacker who can connect to a magick -distribute-cache
     service can cause a heap buffer over-write in the server process.
   * Fix CVE-2026-46693:
     Race Condition in distributed pixel cache server can result
     in file descriptor hijacking
     An attacker who can connect to a magick -distribute-cache service can
     hijack a file descriptor in the server process when a race condition is met.
   * Fix CVE-2026-47165:
     Information Disclosure in distributed pixel cache server because it is
     not using a challenge–response authentication model.
     The distributed pixel cache was originally designed to operate without a
     challenge–response authentication model. However, given today’s heightened
     security expectations, we have changed our implementation.
   * Fix CVE-2026-47166:
     Heap Buffer Over-Read in distributed pixel cache server.
     An attacker who can connect to a magick -distribute-cache service
     can cause a heap buffer over-read in the server process.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
