[ubuntu/resolute-proposed] imagemagick 8:7.1.2.15+dfsg1-1 (Accepted)

Jeremy Bícha jbicha at ubuntu.com
Thu Mar 5 20:54:46 UTC 2026


imagemagick (8:7.1.2.15+dfsg1-1) unstable; urgency=high

  * New upstream release.
  * Fix a double free in SVG
  * Fix unreproducible doxygen documentation
  * Fix CVE-2026-24481:
    A heap information disclosure vulnerability exists
    in ImageMagick's PSD (Adobe Photoshop) format handler.
    When processing a maliciously crafted PSD file containing
    ZIP-compressed layer data that decompresses to less than
    the expected size, uninitialized heap memory is leaked
    into the output image.
  * Fix CVE-2026-24484:
    Magick fails to check for multi-layer nested mvg
    conversions to svg, leading to DoS.
  * Fix CVE-2026-24485:
    When a PCD file does not contain a valid Sync marker, the
    DecodeImage() function becomes trapped in an infinite loop while
    searching for the Sync marker, causing the program to become
    unresponsive and continuously consume CPU resources, ultimately
    leading to system resource exhaustion and Denial of Service
    (DoS)
  * Fix CVE-2026-25576:
    A heap buffer over-read vulnerability exists in multiple
    raw image format handlers. The vulnerability occurs when
    processing images with -extract dimensions larger than
    -size dimensions, causing out-of-bounds memory reads
    from a heap-allocated buffer.
  * Fix CVE-2026-25637:
    A memory leak in the ASHLAR image writer allows an attacker to exhaust
    process memory by providing a crafted image that results in small
    objects that are allocated but never freed.
  * Fix CVE-2026-25638:
    A memory leak exists in `coders/msl.c`. In the `WriteMSLImage`
    function of the `msl.c` file, resources are allocated. But the
    function returns early without releasing these allocated resources.
  * Fix CVE-2026-25794:
    `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
    the pixel buffer size. Prior to version 7.1.2-15, when image
    dimensions are large, the multiplication overflows 32-bit `int`,
    causing an undersized heap allocation followed by an out-of-bounds
    write.
  * Fix CVE-2026-25795:
    In `ReadSFWImage()` (`coders/sfw.c`), when temporary file
    creation fails, `read_info` is destroyed before its `filename`
    member is accessed, causing a NULL pointer dereference and crash.
  * Fix CVE-2026-25796:
    In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image
    object is not freed on three early-return paths, resulting in a
    definite memory leak (~13.5KB+ per invocation) that can be exploited
    for denial of service.
  * Fix CVE-2026-25797:
    The PS coder, responsible for writing PostScript files, fails to
    sanitize the input before writing it into the PostScript header. An
    attacker can provide a malicious file and inject arbitrary PostScript
    code. When the resulting file is processed by a printer or a viewer
    (like Ghostscript), the injected code is interpreted and executed. The
    HTML encoder does not properly escape strings that are written into
    the HTML document. An attacker can provide a malicious file and
    inject arbitrary HTML code.
  * Fix CVE-2026-25798:
    A NULL pointer dereference in ClonePixelCacheRepository allows a
    remote attacker to crash any application linked against ImageMagick by
    supplying a crafted image file, resulting in denial of service.
  * Fix CVE-2026-25799:
    A logic error in YUV sampling factor validation allows an invalid
    sampling factor to bypass checks and trigger a division-by-zero during
    image loading, resulting in a reliable denial-of-service.
  * Fix CVE-2026-25897:
    An integer overflow vulnerability exists in the SUN decoder. On 32-bit
    systems/builds, a carefully crafted image can lead to an out of bounds
    heap write.
  * Fix CVE-2026-25898:
    The UIL and XPM image encoders do not validate the
    pixel index value returned by `GetPixelIndex()` before using it as an
    array subscript. In HDRI builds, `Quantum` is a floating-point type,
    so pixel index values can be negative. An attacker can craft an image
    with negative pixel index values to trigger a global buffer overflow
    read during conversion, leading to information disclosure or a process
    crash.
  * Fix CVE-2026-25965:
    ImageMagick’s path security policy is enforced on the raw filename
    string before the filesystem resolves it. As a result, a policy rule
    such as /etc/* can be bypassed by a path traversal. The OS resolves
    the traversal and opens the sensitive file, but the policy matcher
    only sees the unnormalized path and therefore allows the read. This
    enables local file disclosure (LFI) even when policy-secure.xml is
    applied.
  * Fix CVE-2026-25966:
    The shipped "secure" security policy includes a rule intended to
    prevent reading/writing from standard streams. However, ImageMagick
    also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1).
    This path form is not blocked by the
    secure policy templates, and therefore bypasses the protection goal of
    "no stdin/stdout."
  * Fix CVE-2026-25967:
    A stack-based buffer overflow exists in the ImageMagick FTXT image
    reader. A crafted FTXT file can cause out-of-bounds writes on the
    stack, leading to a crash.
  * Fix CVE-2026-25968:
    A stack buffer overflow occurs when processing an attribute in
    msl.c. A long value overflows a fixed-size stack buffer, leading to
    memory corruption.
  * Fix CVE-2026-25969:
    A memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage`
    allocates a structure. However, when an exception is thrown, the
    allocated memory is not properly released, resulting in a potential
    memory leak.
  * Fix CVE-2026-25970:
    A signed integer overflow vulnerability in ImageMagick's SIXEL decoder
    allows an attacker to trigger memory corruption and denial of service
    when processing a maliciously crafted SIXEL image file. The
    vulnerability occurs during buffer reallocation operations where
    pointer arithmetic using signed 32-bit integers overflows.
  * Fix CVE-2026-25971:
    Magick fails to check for circular references between two MSLs,
    leading to a stack overflow.
  * Fix CVE-2026-25982:
    A heap out-of-bounds read vulnerability exists in the `coders/dcm.c`
    module. When processing DICOM files with a specific configuration, the
    decoder loop incorrectly reads bytes per iteration. This causes the
    function to read past the end of the allocated buffer, potentially
    leading to a Denial of Service or Information Disclosure.
  * Fix CVE-2026-25983:
    A crafted MSL script triggers a heap-use-after-free. The operation
    element handler replaces and frees the image while the parser
    continues reading from it, leading to a UAF in ReadBlobString during
    further parsing.
  * Fix CVE-2026-25985:
    A crafted SVG file containing a malicious element causes ImageMagick
    to attempt to allocate ~674 GB of memory, leading to an out-of-memory
    abort.
  * Fix CVE-2026-25986:
    A heap buffer overflow write vulnerability exists in ReadYUVImage()
    (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace)
    images. The pixel-pair loop writes one pixel beyond the allocated row
    buffer.
  * Fix CVE-2026-25987:
    A heap buffer over-read vulnerability exists in the MAP image decoder
    when processing crafted MAP files, potentially leading to crashes or
    unintended memory disclosure during image decoding.
  * Fix CVE-2026-25988:
    Sometimes msl.c fails to update the stack index, so an image is stored
    in the wrong slot and never freed on error, causing leaks.
  * Fix CVE-2026-25989:
    A crafted SVG file can cause a denial of service. An off-by-one
    boundary check (`>` instead of `>=`) allows bypassing the guard and
    reaching an undefined `(size_t)` cast.
  * Fix CVE-2026-26066:
    A crafted profile containing invalid IPTC data may cause an infinite loop
    when writing it with `IPTCTEXT`.
  * Fix CVE-2026-26283:
    A `continue` statement in the JPEG extent binary search loop in the
    jpeg encoder causes an infinite loop when writing persistently fails.
  * Fix CVE-2026-26284:
    ImageMagick lacks proper boundary checking when processing
    Huffman-coded data from PCD (Photo CD) files. The decoder contains a
    function that has an incorrect initialization that could cause an out
    of bounds read.
  * Fix CVE-2026-26983:
    The MSL interpreter crashes when processing an invalid `<map>` element
    that causes it to use an image after it has been freed.
  * Fix CVE-2026-27798:
    A heap buffer over-read vulnerability occurs when processing an image
    with small dimensions using the `-wavelet-denoise` operator.
  * Fix CVE-2026-27799:
    A heap buffer over-read vulnerability exists in the DJVU image format
    handler. The vulnerability occurs due to integer truncation when
    calculating the stride (row size) for pixel buffer allocation. The
    stride calculation overflows a 32-bit signed integer, resulting in
    out-of-bounds memory reads.

Date: 2026-03-01 22:38:26.468624+00:00
Signed-By: Jeremy Bícha <jbicha at ubuntu.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:7.1.2.15+dfsg1-1
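
The size-computation bug behind CVE-2026-25794 (and the 32-bit overflows in CVE-2026-25897 and CVE-2026-27799) comes down to forming width x height x channels in a type too narrow for the product, so malloc() is handed a wrapped, undersized count. The C below is an added example and not ImageMagick's code: `pixel_bytes_wrapping32` reproduces the wrapping "before" shape with well-defined unsigned arithmetic, and `pixel_bytes_checked` is the hardened form that computes in `size_t`, rejects overflow, and applies an assumed caller-supplied byte ceiling (a stand-in for a resource policy) before anything is allocated. The 65537x65537 dimensions are constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before" shape (constructed, not the project's code): the product is formed
 * in 32-bit arithmetic and wraps before the allocator sees it. Computed in
 * uint32_t so the wrap is well defined for the demo. */
uint32_t pixel_bytes_wrapping32(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Hardened shape: compute in size_t, refuse any product that overflows, and
 * refuse anything above `limit` (assumed caller-supplied ceiling, a stand-in
 * for a resource policy). Returns 1 and writes *out on success, 0 otherwise. */
int pixel_bytes_checked(size_t width, size_t height, size_t channels,
                        size_t limit, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return 0;
    if (width > SIZE_MAX / height)        /* width*height would overflow */
        return 0;
    size_t n = width * height;
    if (n > SIZE_MAX / channels)          /* *channels would overflow */
        return 0;
    n *= channels;
    if (n > limit)
        return 0;
    *out = n;
    return 1;
}

/* Convenience wrapper: byte count on success, 0 when rejected
 * (0 is never a valid pixel buffer size). */
size_t pixel_bytes_or_zero(size_t width, size_t height, size_t channels, size_t limit)
{
    size_t n;
    return pixel_bytes_checked(width, height, channels, limit, &n) ? n : 0;
}

/* Allocate a pixel buffer only when the size survives the checks. */
unsigned char *alloc_pixels(size_t width, size_t height, size_t channels, size_t limit)
{
    size_t n;
    if (!pixel_bytes_checked(width, height, channels, limit, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    uint32_t w = 65537, h = 65537, c = 1;      /* constructed hostile dimensions */
    size_t n;

    printf("wrapping32: %u x %u x %u -> %u bytes (real need %llu)\n",
           (unsigned)w, (unsigned)h, (unsigned)c,
           (unsigned)pixel_bytes_wrapping32(w, h, c),
           (unsigned long long)w * h * c);
    if (!pixel_bytes_checked(w, h, c, (size_t)1 << 30, &n))
        puts("checked: rejected (overflow or over limit)");

    unsigned char *px = alloc_pixels(640, 480, 3, (size_t)1 << 30);
    printf("640x480x3: %s\n", px ? "allocated" : "rejected");
    free(px);
    return 0;
}
```

The wrapped value for 65537x65537x1 is 131073 bytes, so the "before" shape would allocate a little over 128 KiB and then write roughly 4 GiB into it; the checked form never reaches malloc() for that input.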
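
CVE-2026-25965 and CVE-2026-25966 are both policy-matching gaps: the path rule is applied to the raw filename string rather than the path the OS will actually open, and `fd:<n>` pseudo-filenames are a third spelling of stdin/stdout that the stream rule does not cover. The C below is an added example of the check and is not ImageMagick's policy code: `canonicalize_path` and `policy_allows_read` are assumed helper names, the `/etc/*` rule is matched with fnmatch(3), and `cwd` is an assumed caller-supplied working directory for relative names. `naive_allows_read` shows the pre-fix behaviour where the unnormalized string slips past the glob. All paths are constructed inputs.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_SEGMENTS 256
#define PATH_BUF 4096

/* Assumed helper, not ImageMagick's: lexically canonicalize an absolute path,
 * collapsing "//", "/./" and "/../". Touches no filesystem state, so it does
 * not follow symlinks (see the note below). Returns 0 on success. */
int canonicalize_path(const char *in, char *out, size_t outlen)
{
    const char *start[MAX_SEGMENTS];
    size_t len[MAX_SEGMENTS];
    int depth = 0;
    const char *p = in;

    if (*p != '/')
        return -1;                       /* only absolute paths handled here */
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *s = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - s);
        if (n == 1 && s[0] == '.')
            continue;                    /* "."  : no-op */
        if (n == 2 && s[0] == '.' && s[1] == '.') {
            if (depth > 0)
                depth--;                 /* ".." : pop, never above "/" */
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return -1;
        start[depth] = s;
        len[depth] = n;
        depth++;
    }
    if (depth == 0) {
        if (outlen < 2)
            return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t o = 0;
    for (int i = 0; i < depth; i++) {
        if (o + 1 + len[i] + 1 > outlen)
            return -1;
        out[o++] = '/';
        memcpy(out + o, start[i], len[i]);
        o += len[i];
    }
    out[o] = '\0';
    return 0;
}

/* Pre-fix shape: the denial glob is applied to the filename as given.
 * Returns 1 if the read would be allowed, 0 if denied. */
int naive_allows_read(const char *filename, const char *denied_glob)
{
    return fnmatch(denied_glob, filename, 0) != 0;
}

/* Hardened shape: refuse fd:<n> pseudo-filenames outright, resolve the name
 * against the assumed cwd, canonicalize, then apply the glob. Anything that
 * cannot be canonicalized is denied. Returns 1 = allowed, 0 = denied. */
int policy_allows_read(const char *cwd, const char *filename, const char *denied_glob)
{
    char joined[PATH_BUF];
    char canon[PATH_BUF];

    if (strncasecmp(filename, "fd:", 3) == 0)
        return 0;
    int wrote = (filename[0] == '/')
        ? snprintf(joined, sizeof joined, "%s", filename)
        : snprintf(joined, sizeof joined, "%s/%s", cwd, filename);
    if (wrote < 0 || wrote >= (int)sizeof joined)
        return 0;
    if (canonicalize_path(joined, canon, sizeof canon) != 0)
        return 0;
    return fnmatch(denied_glob, canon, 0) != 0;
}

int main(void)
{
    /* constructed inputs: the traversal and fd: forms are the bypasses */
    const char *names[] = { "/etc/passwd", "/tmp/../etc/passwd",
                            "../etc/shadow", "fd:0", "image.png" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s naive=%-5s canonical=%s\n", names[i],
               naive_allows_read(names[i], "/etc/*") ? "allow" : "deny",
               policy_allows_read("/tmp", names[i], "/etc/*") ? "allow" : "deny");
    return 0;
}
```

Lexical canonicalization closes the `..` bypass but still does not see through symlinks; a production check should resolve the name with realpath(3) (or open it and check the fstat'd target) before matching, and a policy that intends "no stdin/stdout" has to list `fd:` alongside `-`.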


More information about the Resolute-changes mailing list