-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 May 2026 18:01:44 +0200
Source: imagemagick
Binary: imagemagick-7-common imagemagick-7-doc libimage-magick-perl libmagick++-7-headers libmagick++-dev libmagickcore-7-headers libmagickcore-dev libmagickwand-7-headers libmagickwand-dev perlmagick
Architecture: all
Version: 8:7.1.1.43+dfsg1-1+deb13u9
Distribution: trixie-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Bastien Roucariès
Description:
 imagemagick-7-common - image manipulation programs -- infrastructure
 imagemagick-7-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libmagick++-7-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-7-headers - low-level image manipulation library - header files
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-7-headers - image manipulation library - headers files
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Changes:
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u9) trixie-security; urgency=high
 .
   * Fix CVE-2026-33901 regression:
     Previous fix breaks rendering of some MVG files.
   * Fix CVE-2026-42050:
     A malicious MIFF file could trigger an overflow when a user opens
     it in the display tool and right-clicks a tile to invoke the
     Load/Update menu item.
   * Fix CVE-2026-42326: Heap Buffer Over-Read in IPTC encoder
   * Fix CVE-2026-45031: Policy Bypass in PSD decoder.
     Due to a missing check in the PSD decoder it would be possible to
     bypass the list-length resource policy when decoding a PSD image.
     Other security limits would still apply.
   * Fix CVE-2026-45358: Heap Buffer Over-Read of a single byte in meta
     encoder.
     An off by one in the meta encoder could result in an out of bounds
     read of a single byte in the meta encoder.
   * Fix CVE-2026-45359: Heap Buffer Over-Read in connected components
     when the user supplies an invalid keep-top define.
     An invalid connected-components:keep-top value could result in a
     heap buffer over-read when performing the connected components
     operation.
   * Fix CVE-2026-45624: Heap Buffer Over-Read of 24 bytes in distort
     operation.
     When performing a polynomial distortion an out of bounds over-read
     of 24 bytes can occur when specifying specific arguments.
   * Fix CVE-2026-45664: Policy Bypass in MNG decoder
     Because of a missing check in the MNG coder it would be possible
     to read more images than the list limit policy would allow
     resulting in excessive resource use.
   * Fix CVE-2026-46520: Heap Buffer Over-Write in IPL decoder when
     reading multiple images of different dimensions
     When reading multiple images with different dimensions an out of
     bounds heap write can occur.
   * Fix CVE-2026-46521: Heap Buffer Over-Write in MIFF encoder when
     using LZMA compression.
     When using LZMA compression in the MIFF encoder an out of bounds
     write can occur due to a missing check
   * Fix CVE-2026-46522: Infinite Loop in the MIFF decoder can lead to
     CPU exhaustion.
     Due to a missing check in the MIFF decoder a crafted file could
     cause an infinite loop resulting in CPU exhaustion.
   * Fix CVE-2026-46523: Use-After-Free in MSL decoder.
     A crafted MSL image can trigger a heap-use-after-free.
   * Fix CVE-2026-46557: Stack overflow in fx operation.
     Due to a missing depth check a stack overflow can occur in the fx
     operation by passing a crafted argument.
   * Fix CVE-2026-46559: Heap Buffer Over-Write of a single byte in the
     JP2 encoder.
     An incorrect check in the JP2 will result in a heap buffer
     over-write of a single byte when specifying certain options.
   * Fix CVE-2026-46692: Heap Buffer Over-Write in distributed pixel
     cache server
     An attacker who can connect to a magick -distribute-cache service
     can cause a heap buffer over-write in the server process.
   * Fix CVE-2026-46693: Race Condition in distributed pixel cache
     server can result in file descriptor hijacking
     An attacker who can connect to a magick -distribute-cache service
     can hijack a file descriptor in the server process when a race
     condition is met.
   * Fix CVE-2026-47165: Information Disclosure in distributed pixel
     cache server because it is not using a challenge–response
     authentication model.
     The distributed pixel cache was originally designed to operate
     without a challenge–response authentication model. However, given
     today’s heightened security expectations, we have changed our
     implementation.
   * Fix CVE-2026-47166: Heap Buffer Over-Read in distributed pixel
     cache server.
     An attacker who can connect to a magick -distribute-cache service
     can cause a heap buffer over-read in the server process.