I am not sure what CVE-2026-13606 is specifically about. However, there
are two recent GraphicsMagick security fixes for coders/pcd.c:
* coders/pcd.c (ReadPCDImage): Over-provision the per-channel
Huffman decode buffers and detect any attempt to overflow
them. Fixes are inspired by fixes in ImageMagick, but retaining
the original planar design. Discovered and reported by Cipher -
Causal Security (https://causalsecurity.com/) via email on June
14, 2026.
* coders/pcd.c (DecodeImage): Correct loop initialization to
prevent out of bounds read. Similar to ImageMagick commit 5204a16
which addresses ImageMagick security advisory GHSA-wrhr-rf8j-r842.
Much thanks to Petr Gajdos for bringing this to my attention.
They correspond to these Mercurial changesets:
changeset: 18093:937cdd9920bd
user: Bob Friesenhahn <[email protected]>
date: Wed Jun 24 09:08:14 2026 -0500
files: ChangeLog NEWS.txt
VisualMagick/installer/inc/version.isx coders/pcd.c magick/version.h
www/ChangeLog.html www/NEWS.html
description:
coders/pcd.c (ReadPCDImage): Over-provision the per-channel Huffman
decode buffers and detect any attempt to overflow them.
changeset: 18036:44292e321682
user: Bob Friesenhahn <[email protected]>
date: Sun Apr 12 08:50:03 2026 -0500
files: ChangeLog coders/pcd.c www/ChangeLog.html
description:
coders/pcd.c (DecodeImage): Correct loop initialization to prevent
out of bounds read (ImageMagick security advisory GHSA-wrhr-rf8j-r842)
It is a shame that so much effort is needed for an extinct format that
hardly anyone uses any more.
Bob
On 7/5/26 10:00, Salvatore Bonaccorso wrote:
Source: graphicsmagick
Version: 1.4+really1.3.46-2
Severity: important
Tags: security upstream
X-Debbugs-Cc:[email protected], Debian Security Team<[email protected]>
Hi,
The following vulnerability was published for graphicsmagick.
The information available is only from RedHat bugzilla at time of this
writing, might you reach out to upstream to see if they are ware of
it?
CVE-2026-13606[0]:
| Memory corruption via crafted Photo CD (PCD) file
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0]https://security-tracker.debian.org/tracker/CVE-2026-13606
https://www.cve.org/CVERecord?id=CVE-2026-13606
[1]https://bugzilla.redhat.com/show_bug.cgi?id=2494107
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore