Your message dated Thu, 29 Jan 2026 18:49:20 +0000
with message-id <[email protected]>
and subject line Bug#1126075: fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u6
has caused the Debian Bug report #1126075,
regarding imagemagick: CVE-2026-23874
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126075
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: imagemagick
Version: 8:7.1.2.12+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for imagemagick.

CVE-2026-23874[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Versions prior to 7.1.2-13 have a stack
| overflow via infinite recursion in MSL (Magick Scripting Language)
| `<write>` command when writing to MSL format. Version 7.1.2-13 fixes
| the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23874
    https://www.cve.org/CVERecord?id=CVE-2026-23874
[1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
[2] https://github.com/ImageMagick/ImageMagick/commit/2a09644b10a5b146e0a7c63b778bd74a112ebec3
[3] https://github.com/ImageMagick/ImageMagick6/commit/fe2970bbbe02c6fe875cc2b269390a3165d57706

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.11.60+dfsg-1.6+deb12u6
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 21 Jan 2026 22:54:51 +0100
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u6
Distribution: bookworm-security
Urgency: high
Maintainer: ImageMagick Packaging Team <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1126075 1126076 1126077
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u6) bookworm-security; urgency=high
 .
   * Fix CVE-2026-23874 (Closes: #1126075)
     A stack overflow was found via infinite recursion in
     MSL (Magick Scripting Language) `<write>` command when
     writing to MSL format.
   * Fix CVE-2026-23876 (Closes: #1126076)
     A heap buffer overflow vulnerability was found in the XBM
     image decoder (ReadXBMImage) that allows an attacker to write
     controlled data past the allocated heap buffer when
     processing a maliciously crafted image file.
     Any operation that reads or identifies an image can
     trigger the overflow, making it exploitable via common
     image upload and processing pipelines.
   * Fix CVE-2026-23952 (Closes: 1126077)
     A NULL pointer dereference was found in the MSL parser via a
     <comment> tag before image load.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---