Source: psd-tools
Version: 1.12.1+dfsg.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for psd-tools.

CVE-2026-27809[0]:
| psd-tools is a Python package for working with Adobe Photoshop PSD
| files. Prior to version 1.12.2, when a PSD file contains malformed
| RLE-compressed image data (e.g. a literal run that extends past the
| expected row size), decode_rle() raises ValueError which propagated
| all the way to the user, crashing psd.composite() and psd-tools
| export. decompress() already had a fallback that replaces failed
| channels with black pixels when result is None, but it never
| triggered because the ValueError from decode_rle() was not caught.
| The fix in version 1.12.2 wraps the decode_rle() call in a
| try/except so the existing fallback handles the error gracefully.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27809
    https://www.cve.org/CVERecord?id=CVE-2026-27809
[1] https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w
[2] https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
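Added example, not part of the report above and not psd-tools source code: a minimal model of the failure mode the CVE text describes, with an uncaught decoder error beside the try/except form that lets the black-pixel fallback run. It assumes PackBits-style RLE rows; all function names and the sample bytes are hypothetical and constructed for illustration.

```python
# Added illustration; not psd-tools source. All names here are hypothetical.

def decode_packbits_row(data: bytes, row_size: int) -> bytes:
    """Decode one PackBits row, rejecting runs that overflow row_size."""
    out = bytearray()
    i = 0
    while i < len(data):
        header = data[i]
        i += 1
        if header < 128:                  # literal run of header + 1 bytes
            count = header + 1
            chunk = data[i:i + count]
            if len(chunk) != count:
                raise ValueError("literal run truncated")
            i += count
        elif header > 128:                # repeat next byte 257 - header times
            count = 257 - header
            if i >= len(data):
                raise ValueError("repeat run missing its byte")
            chunk = data[i:i + 1] * count
            i += 1
        else:                             # 128 is a no-op
            continue
        if len(out) + count > row_size:
            raise ValueError("run extends past expected row size")
        out += chunk
    if len(out) != row_size:
        raise ValueError("row shorter than expected")
    return bytes(out)

def decompress_unpatched(rows, row_size):
    # The decoder's ValueError propagates to the caller, so one bad
    # channel aborts the whole operation.
    return b"".join(decode_packbits_row(r, row_size) for r in rows)

def decompress_patched(rows, row_size):
    # The decoder call is wrapped in try/except so the fallback is reached.
    try:
        result = b"".join(decode_packbits_row(r, row_size) for r in rows)
    except ValueError:
        result = None
    if result is None:                    # fallback: channel becomes black pixels
        result = bytes(row_size * len(rows))
    return result

# Constructed sample rows for a 4-byte-wide channel.
GOOD = bytes([0xFD, 0x7F])                # repeat run: 4 copies of 0x7F
BAD = bytes([0x05, 1, 2, 3, 4, 5, 6])     # literal run of 6 bytes into a 4-byte row
```
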

