
Debian alert DLA-4448-1 (imagemagick)

From:  rouca@debian.org
To:  <debian-lts-announce@lists.debian.org>
Subject:  [SECURITY] [DLA 4448-1] imagemagick security update
Date:  Sat, 24 Jan 2026 16:45:09 +0100
Message-ID:  <f04626aa37e64c44537c6eebe3016c92@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4448-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
January 24, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.11.60+dfsg-1.3+deb11u9
CVE ID         : CVE-2026-23874 CVE-2026-23876 CVE-2026-23952
Debian Bug     : 1126075 1126076 1126077

imagemagick, an image processing suite, was affected by multiple
vulnerabilities.

CVE-2026-23874

    A stack overflow via infinite recursion was found in the MSL
    (Magick Scripting Language) `<write>` command when writing to
    the MSL format.

CVE-2026-23876

    A heap buffer overflow vulnerability was found in the XBM image
    decoder (ReadXBMImage). It allows an attacker to write controlled
    data past the allocated heap buffer when processing a maliciously
    crafted image file. Any operation that reads or identifies an image
    can trigger the overflow, making it exploitable via common image
    upload and processing pipelines.

CVE-2026-23952

    A NULL pointer dereference vulnerability was found in the MSL
    (Magick Scripting Language) parser when processing <comment> tags
    before images are loaded. This can lead to a DoS (Denial of
    Service) attack.

For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u9.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
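
A check of an exported package inventory against the fixed bullseye version named in the advisory, as an added example that is not part of the advisory or of Debian's tooling. It reimplements Debian's version ordering (epoch, numeric runs, `~`) so the comparison works offline; the hostnames and every inventory version other than the fixed one are constructed.

```python
import re

# Fixed version for Debian 11 bullseye, taken from the advisory above.
FIXED = "8:6.9.11.60+dfsg-1.3+deb11u9"

def _order(ch):
    # '~' sorts before end of run (0); letters sort before other characters.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings as alternating text/number runs."""
    while a or b:
        ta, tb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            wa, wb = (_order(t[i]) if i < len(t) else 0 for t in (ta, tb))
            if wa != wb:
                return -1 if wa < wb else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def split_version(v):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision '0'."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def needs_upgrade(installed, fixed=FIXED):
    """True when the installed version sorts strictly before the fixed one."""
    (ea, ua, ra), (eb, ub, rb) = split_version(installed), split_version(fixed)
    return ea < eb if ea != eb else (_cmp_part(ua, ub) or _cmp_part(ra, rb)) < 0

# Constructed inventory: hostnames and all versions except FIXED are made up.
INVENTORY = {
    "img-01": "8:6.9.11.60+dfsg-1.3+deb11u8",
    "img-02": "8:6.9.11.60+dfsg-1.3+deb11u9",
    "img-03": "8:6.9.11.60+dfsg-1.3+deb11u10",  # u10 is newer than u9, not older
    "img-04": "6.9.11.60+dfsg-1.3+deb11u9",     # epoch stripped: sorts as older
}

def hosts_to_patch(inventory=INVENTORY):
    return sorted(h for h, v in inventory.items() if needs_upgrade(v))
```

On a live Debian host, `dpkg --compare-versions` performs the same comparison; the fixed version above applies to bullseye only.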




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds