Your message dated Sat, 04 Jul 2026 16:17:07 +0000
with message-id <[email protected]>
and subject line Bug#1129098: fixed in psd-tools 1.10.7+dfsg.1-1+deb13u1
has caused the Debian Bug report #1129098,
regarding psd-tools: CVE-2026-27809
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129098
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: psd-tools
Version: 1.12.1+dfsg.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for psd-tools.
CVE-2026-27809[0]:
| psd-tools is a Python package for working with Adobe Photoshop PSD
| files. Prior to version 1.12.2, when a PSD file contains malformed
| RLE-compressed image data (e.g. a literal run that extends past the
| expected row size), decode_rle() raises ValueError which propagated
| all the way to the user, crashing psd.composite() and psd-tools
| export. decompress() already had a fallback that replaces failed
| channels with black pixels when result is None, but it never
| triggered because the ValueError from decode_rle() was not caught.
| The fix in version 1.12.2 wraps the decode_rle() call in a
| try/except so the existing fallback handles the error gracefully.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27809
https://www.cve.org/CVERecord?id=CVE-2026-27809
[1]
https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w
[2]
https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: psd-tools
Source-Version: 1.10.7+dfsg.1-1+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
psd-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated psd-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 21 Jun 2026 20:06:58 +0300
Source: psd-tools
Architecture: source
Version: 1.10.7+dfsg.1-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Ying-Chun Liu (PaulLiu) <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1129098
Changes:
psd-tools (1.10.7+dfsg.1-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-27809: Compression module vulnerabilities (Closes: #1129098)
Checksums-Sha1:
b78e0f8bc8806c45b5207009c593c233c3598346 2208
psd-tools_1.10.7+dfsg.1-1+deb13u1.dsc
ca329c4592f1f653e3595dbcb938bcf043be4ef5 1451168
psd-tools_1.10.7+dfsg.1.orig.tar.xz
fa9c9d44be843698ea830c88eff297b40c9229b8 18296
psd-tools_1.10.7+dfsg.1-1+deb13u1.debian.tar.xz
Checksums-Sha256:
54ce4825ca89266f23bc02a7cd782f00b5f74504f7ccd484f4965374a89535fc 2208
psd-tools_1.10.7+dfsg.1-1+deb13u1.dsc
689d118334c1c599b16d6f6fd447089958d0be44df6aa5ef727626191d12d2eb 1451168
psd-tools_1.10.7+dfsg.1.orig.tar.xz
633b707e00cc6a8e9157dfb4c3ecccd84cbfa503a2a53b46dce42bcf1cbb1fb2 18296
psd-tools_1.10.7+dfsg.1-1+deb13u1.debian.tar.xz
Files:
1c033bb0879aa6c257fd8716fc86e3a5 2208 python optional
psd-tools_1.10.7+dfsg.1-1+deb13u1.dsc
e9878381b5e1646efd6a0cd7cf150182 1451168 python optional
psd-tools_1.10.7+dfsg.1.orig.tar.xz
b1a6dc066f97de9e05308ffb3c6abf34 18296 python optional
psd-tools_1.10.7+dfsg.1-1+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo4IycACgkQiNJCh6LY
mLEynA//fryQlaDVVaanmm9lwXSBhYE4SuM/qFnm2xtUghYigMPaaJT8kT9+IP2H
ortO0nUrf27aVFmJTJVwfH5OeUTislhdXEjMU6q0rLFhH7CzPvY1qR+Fk/vM5KbI
aHLc3uAOH5bOZyRfsJBmmC2WkjzxuC8TzKpAzxMWn8jItGuyZRY2YlZE/ze2j6B7
MKxe//TTCDnDcBn5wqMB7z5OqKPB9xC42RmdsBP/SoRm9wXFGUhiNu3V5YmxKgVw
i934mW7eyJDcWYIhXGCyy/zl0kPSWBAtuPEZy3DcpmBLEjyCMBS1y9EmSi/WD9qW
8nYXnsbp3pWiAoZoAbTSJ80H+I9Jd0ZlqWqIka0FAqn07edOSIslMkEzijLUx7O7
r+/A9egW7gS/NMYvqvs26imw3mA/96goVkqNh4mKQsVfTDv3x+goI3TsOwGvs12Q
5OU54lukS+vkxAZ8vy4U6wzATj0XLCgtFWP9aUjbaZyZ+IfpMOKd4UmWuzoQRMUs
m1/mHxvf2RUciBnTZkXfm78KrpO/Yg+G0QxRiwvyZu+qCM3Z3XAZYBDBZ1LlGjw/
geXc59Na/wWDR4jt4gh6K+xpmPZmyuDRFKrSBOAqR+rdiIf1yhAq8O2FYe/a2Bon
KJbCyj/B4Hh2M5ZSkTFmu4qrmAPNgWmPOf35cun5xyWSM3yulro=
=uWtS
-----END PGP SIGNATURE-----
pgp9Lk2KqrfrD.pgp
Description: PGP signature
--- End Message ---