[CLSA-2026:1774010344] Fix of 8 CVEs
Type:
security
Severity:
Critical
Release date:
2026-03-20 12:39:07 UTC
Description:
* SECURITY UPDATE: stack buffer overflow in msl.c (attribute handling), path traversal bypass of security policy, XSS in HTML coder output, and MSL attribute overflow
  - debian/patches/CVE-2026-25797_CVE-2026-25965_CVE-2026-25968_CVE-2026-25982.patch: Fix memory leaks, stack overflows, integer overflows and out-of-bounds reads; add bounds checks, validate DCM entry sizes, sanitize PostScript filenames, canonicalize paths and free resources; escape user-controlled strings written as raw HTML in the HTML coder; cause was unsafe header and filename parsing, incorrect assumptions about byte counts, path resolution, unnormalized path matching allowing policy bypass, and unescaped HTML output enabling cross-site scripting.
  - CVE-2026-25797
  - CVE-2026-25965
  - CVE-2026-25968
  - CVE-2026-25982
* SECURITY UPDATE: null pointer dereference in msl.c (repage/roll handlers)
  - debian/patches/CVE-2026-25983.patch: move image null-checks before accessing image attributes in the repage and roll MSL tag handlers; cause was dereferencing the image pointer for page geometry and dimensions before verifying the image was defined.
  - CVE-2026-25983
* SECURITY UPDATE: infinite recursion via crafted MSL/SVG/MVG files
  - debian/patches/CVE-2026-25971.patch: add global Splay tree guards in MSL and SVG coders to detect and reject recursive image references; block dangerous protocols (ftp, http, mvg, vid) in DrawPrimitive; cause was unbounded recursion through nested image reads.
  - CVE-2026-25971
* SECURITY UPDATE: null pointer dereference in msl.c (comment/label handlers)
  - debian/patches/CVE-2026-23952.patch: add image null-checks before accessing image properties in the comment and label MSL end-element handlers; cause was dereferencing the image pointer for DeleteImageProperty before verifying the image was defined.
  - CVE-2026-23952
* SECURITY UPDATE: MSLPushImage return value not captured
  - debian/patches/CVE-2026-25988.patch: change MSLPushImage to return the new image index and capture the return value in the MSL image tag handler; cause was the local index variable not being updated after pushing a new image onto the stack.
  - CVE-2026-25988
Updated packages:
  • imagemagick_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:013061a6b5b86944c0a7f97a135e99fcc53f6b3e
  • imagemagick-6.q16_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:1be21cdf3804638152ea9ede92ae20836d19a72f
  • imagemagick-common_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:e81e9da452f55362452cbf78ef4d8e279bf277c6
  • imagemagick-doc_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:2f0063f8ff56867db7d6f06d9dd8881a5f4e3149
  • libimage-magick-perl_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:5e229b3701e6acd93819fc7696f2973e89d02f6a
  • libimage-magick-q16-perl_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:1d044e7d558651527630a3edab3a4bdd863ddf1b
  • libmagick++-6-headers_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:f5fbf3641b6e222fa4f86ace94eafa5de28e590b
  • libmagick++-6.q16-5v5_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:3b04f0154c4bd6125ac5c54ba827b39b3828ce95
  • libmagick++-6.q16-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:50b66d662d70b3c15ffc3b38d2cf10078bcbd85f
  • libmagick++-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:a2139ada17adec81cd72916d94bff8421a884301
  • libmagickcore-6-arch-config_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:166f480a46abf969a3e3e0fbe57256a4e893dc60
  • libmagickcore-6-headers_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:63e0ae9cbf8e8b5ec4b982d27b4eb2764496d5b6
  • libmagickcore-6.q16-2_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:7dfb4c1294f57959e5668261fb9b2f581d77b0e1
  • libmagickcore-6.q16-2-extra_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:752f21294a79c9a9817d0b563376b174f2ad8830
  • libmagickcore-6.q16-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:c49c0ebf793b8089804349be268d9897a167c2ab
  • libmagickcore-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:305f4d7080405e529aafdd708fe63e1b2c901d4c
  • libmagickwand-6-headers_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:5e3d472a1e5f5310d5f1ea6389e58a0d473478c7
  • libmagickwand-6.q16-2_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:4e9a20e032ef7c87a6e267256a7acb78cfeb214e
  • libmagickwand-6.q16-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_amd64.deb
    sha:4b98aaf77ace866d0df745806b22a97b3217e848
  • libmagickwand-dev_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:47d20abe600f5b6571ce9b508bc3f2e32b78dd2a
  • perlmagick_6.8.9.9-7ubuntu5.17+tuxcare.els39_all.deb
    sha:85ad51f242e543cc474d5a22c758e9490bc56fa2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.