-------------------------------------------------------------------------
Debian LTS Advisory DLA-4448-1                [email protected]
https://www.debian.org/lts/security/                   Bastien Roucariès
January 24, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.11.60+dfsg-1.3+deb11u9
CVE ID         : CVE-2026-23874 CVE-2026-23876 CVE-2026-23952
Debian Bug     : 1126075 1126076 1126077

imagemagick, an image processing suite, was affected by multiple vulnerabilities.

CVE-2026-23874

    A stack overflow via infinite recursion was found in the MSL
    (Magick Scripting Language) `<write>` command when writing to
    the MSL format.

CVE-2026-23876

    A heap buffer overflow vulnerability was found in the XBM image decoder
    (ReadXBMImage). It allows an attacker to write controlled data past the
    allocated heap buffer when processing a maliciously crafted image file.
    Any operation that reads or identifies an image can trigger the overflow,
    making it exploitable via common image upload and processing pipelines.

CVE-2026-23952

    A NULL pointer dereference vulnerability was found in the MSL
    (Magick Scripting Language) parser when processing <comment> tags before
    images are loaded. This can lead to a denial of service (DoS).

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u9.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS