-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 22:36:03 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u10
Distribution: bookworm-security
Urgency: high
Maintainer: ImageMagick Packaging Team
Changed-By: Bastien Roucariès
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u10) bookworm-security; urgency=high
 .
   * Fix CVE-2026-33901 regression:
     Previous fix breaks rendering of some MVG files.
   * Fix CVE-2026-42050:
     A malicious MIFF file could trigger an overflow when a user opens it
     in the display tool and right-clicks a tile to invoke the Load/Update
     menu item.
   * Fix CVE-2026-42326: Heap Buffer Over-Read in IPTC encoder
   * Fix CVE-2026-45031: Policy Bypass in PSD decoder
     Due to a missing check in the PSD decoder it would be possible to
     bypass the list-length resource policy when decoding a PSD image.
     Other security limits would still apply.
   * Fix CVE-2026-45359: Heap Buffer Over-Read in connected components
     when the user supplies an invalid keep-top define.
     An invalid connected-components:keep-top value could result in a heap
     buffer over-read when performing the connected components operation.
   * Fix CVE-2026-45624: Heap Buffer Over-Read of 24 bytes in distort
     operation.
     When performing a polynomial distortion an out of bounds over-read of
     24 bytes can occur when specifying specific arguments.
   * Fix CVE-2026-45664: Policy Bypass in MNG decoder
     Because of a missing check in the MNG coder it would be possible to
     read more images than the list limit policy would allow resulting in
     excessive resource use.
   * Fix CVE-2026-46520: Heap Buffer Over-Write in IPL decoder when
     reading multiple images of different dimensions
     When reading multiple images with different dimensions an out of
     bounds heap write can occur.
   * Fix CVE-2026-46521: Heap Buffer Over-Write in MIFF encoder when using
     LZMA compression.
     When using LZMA compression in the MIFF encoder an out of bounds write
     can occur due to a missing check.
   * Fix CVE-2026-46522: Infinite Loop in the MIFF decoder can lead to CPU
     exhaustion.
     Due to a missing check in the MIFF decoder a crafted file could cause
     an infinite loop resulting in CPU exhaustion.
   * Fix CVE-2026-46523: Use-After-Free in MSL decoder.
     A crafted MSL image can trigger a heap-use-after-free.
   * Fix CVE-2026-46559: Heap Buffer Over-Write of a single byte in the
     JP2 encoder.
     An incorrect check in the JP2 will result in a heap buffer over-write
     of a single byte when specifying certain options.
   * backport distribute cache from 6.9.13-48
   * Fix CVE-2026-46692: Heap Buffer Over-Write in distributed pixel cache
     server
     An attacker who can connect to a magick -distribute-cache service can
     cause a heap buffer over-write in the server process.
   * Fix CVE-2026-46693: Race Condition in distributed pixel cache server
     can result in file descriptor hijacking
     An attacker who can connect to a magick -distribute-cache service can
     hijack a file descriptor in the server process when a race condition
     is met.
   * Fix CVE-2026-47165: Information Disclosure in distributed pixel cache
     server because it is not using a challenge–response authentication
     model.
     The distributed pixel cache was originally designed to operate without
     a challenge–response authentication model. However, given today’s
     heightened security expectations, we have changed our implementation.
   * Fix CVE-2026-47166: Heap Buffer Over-Read in distributed pixel cache
     server.
     An attacker who can connect to a magick -distribute-cache service can
     cause a heap buffer over-read in the server process.