I am not sure what CVE-2026-13606 is specifically about. However, there are two recent GraphicsMagick security fixes for coders/pcd.c:

        * coders/pcd.c (ReadPCDImage): Over-provision the per-channel
        Huffman decode buffers and detect any attempt to overflow
        them. Fixes are inspired by fixes in ImageMagick, but retaining
        the original planar design. Discovered and reported by Cipher -
        Causal Security (https://causalsecurity.com/) via email on June
        14, 2026.

       * coders/pcd.c (DecodeImage): Correct loop initialization to
        prevent out of bounds read. Similar to ImageMagick commit 5204a16
        which addresses ImageMagick security advisory GHSA-wrhr-rf8j-r842.
        Much thanks to Petr Gajdos for bringing this to my attention.

They correspond to these Mercurial changesets:

   changeset:   18093:937cdd9920bd
   user:        Bob Friesenhahn <[email protected]>
   date:        Wed Jun 24 09:08:14 2026 -0500
   files:       ChangeLog NEWS.txt
   VisualMagick/installer/inc/version.isx coders/pcd.c magick/version.h
   www/ChangeLog.html www/NEWS.html
   description:
   coders/pcd.c (ReadPCDImage): Over-provision the per-channel Huffman
   decode buffers and detect any attempt to overflow them.

   changeset:   18036:44292e321682
   user:        Bob Friesenhahn <[email protected]>
   date:        Sun Apr 12 08:50:03 2026 -0500
   files:       ChangeLog coders/pcd.c www/ChangeLog.html
   description:
   coders/pcd.c (DecodeImage): Correct loop initialization to prevent
   out of bounds read (ImageMagick security advisory GHSA-wrhr-rf8j-r842)

It is a shame that so much effort is needed for an extinct format that hardly anyone uses any more.

Bob

On 7/5/26 10:00, Salvatore Bonaccorso wrote:
Source: graphicsmagick
Version: 1.4+really1.3.46-2
Severity: important
Tags: security upstream
X-Debbugs-Cc:[email protected], Debian Security Team<[email protected]>

Hi,

The following vulnerability was published for graphicsmagick.

The information available is only from RedHat bugzilla at time of this
writing, might you reach out to upstream to see if they are ware of
it?

CVE-2026-13606[0]:
| Memory corruption via crafted Photo CD (PCD) file

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0]https://security-tracker.debian.org/tracker/CVE-2026-13606
     https://www.cve.org/CVERecord?id=CVE-2026-13606
[1]https://bugzilla.redhat.com/show_bug.cgi?id=2494107

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to