Format: 1.8
Date: Wed, 21 Jan 2026 22:54:51 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u5
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team
Changed-By: Bastien Roucariès
Closes: 1126074 1126075 1126076 1126077
Changes:
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u5) trixie-security; urgency=high
 .
   * Fix CVE-2026-22770 (Closes: #1126074)
     The BilateralBlurImage method will allocate a set of double buffers
     inside AcquireBilateralTLS. The last element in the set is not
     properly initialized. This will result in a release of an invalid
     pointer inside DestroyBilateralTLS when the memory allocation fails.
   * Fix CVE-2026-23874 (Closes: #1126075)
     A stack overflow was found via infinite recursion in MSL
     (Magick Scripting Language) `` command when writing to MSL format.
   * Fix CVE-2026-23876 (Closes: #1126076)
     A heap buffer overflow vulnerability was found in the XBM image
     decoder (ReadXBMImage) that allows an attacker to write controlled
     data past the allocated heap buffer when processing a maliciously
     crafted image file. Any operation that reads or identifies an image
     can trigger the overflow, making it exploitable via common image
     upload and processing pipelines.
   * Fix CVE-2026-23952 (Closes: 1126077)
     A NULL pointer dereference was found in the MSL parser via tag before
     image load.
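The CVE-2026-22770 entry describes a pointer set whose last slot is left uninitialized, so the cleanup that runs after an allocation failure releases an invalid pointer. The C model below is an added example, not ImageMagick's code and not part of this upload; the function names, the n+1 slot layout and the 0xA5 fill standing in for stale heap contents are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: a set of n+1 buffer pointers. Names and layout are
   assumptions for illustration, not ImageMagick's code. */

/* Count the slots a destroy pass over 0..n would hand to free(). */
static size_t slots_destroy_would_free(double **set, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i <= n; i++)
        if (set[i] != NULL)
            count++;
    return count;
}

/* Build the set, with allocation number fail_at failing (fail_at > n means
   no failure). Returns how many invalid pointers the error-path destroy
   would release; 0 means the cleanup is safe. */
size_t invalid_frees_on_error(size_t n, size_t fail_at, int hardened)
{
    double **set = malloc((n + 1) * sizeof(*set));
    if (set == NULL)
        return 0;
    /* Constructed stand-in for stale heap contents in the fresh array. */
    memset(set, 0xA5, (n + 1) * sizeof(*set));

    if (hardened)
        memset(set, 0, (n + 1) * sizeof(*set)); /* clears every slot */
    else
        memset(set, 0, n * sizeof(*set));       /* misses slot n */

    size_t allocated = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == fail_at)
            break;                              /* simulated failure */
        set[i] = malloc(16 * sizeof(**set));
        if (set[i] == NULL)
            break;                              /* real failure */
        allocated++;
    }

    size_t invalid = slots_destroy_would_free(set, n) - allocated;

    for (size_t i = 0; i < allocated; i++)      /* release only real buffers */
        free(set[i]);
    free(set);
    return invalid;
}
```

When every allocation succeeds the last slot is overwritten with a valid pointer, which is why the defect only shows on the failure path.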