Source: libimager-perl Version: 1.031+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for libimager-perl. CVE-2026-13705[0]: | Imager versions before 1.032 for Perl have a heap out-of-bounds read | in the bundled Imager::File::SGI reader via a 16-bit RLE literal run | in read_rgb_16_rle. read_rgb_16_rle guards each literal run with if | (count > data_left), but count is a pixel count while every 16-bit | sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] | and advances two bytes per pixel, so a run with data_left / 2 < | count <= data_left passes the guard yet consumes 2 * count bytes and | reads past the end of the buffer. The 8-bit path is unaffected | because there one pixel is one byte. Reading a crafted SGI image | through Imager->read triggers the over-read before the parser | rejects the malformed image, which can crash the process. CVE-2026-13708[1]: | Imager::File::JPEG versions before 1.003 for Perl leak heap memory | when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol. | i_readjpeg_wiol walks the marker list libjpeg returns and, for each | APP13 marker, allocates a new buffer with *iptc_itext = | mymalloc(...) and overwrites the previous pointer without freeing | it. Only the final payload is later turned into a Perl scalar and | freed, so a JPEG with N such markers leaks the first N-1 payloads on | every read. In a long-lived process, such as an upload or | thumbnailing service, repeated reads accumulate these leaks and | exhaust available memory, a denial of service. The same handler | ships bundled in the Imager distribution, where versions before | 1.032 are affected and the fix ships in 1.032. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-13705 https://www.cve.org/CVERecord?id=CVE-2026-13705 https://lists.security.metacpan.org/cve-announce/msg/41572386/ [1] https://security-tracker.debian.org/tracker/CVE-2026-13708 https://www.cve.org/CVERecord?id=CVE-2026-13708 https://lists.security.metacpan.org/cve-announce/msg/41572486/ Regards, Salvatore

