Source: libimager-perl
Version: 1.031+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libimager-perl.

CVE-2026-13705[0]:
| Imager versions before 1.032 for Perl have a heap out-of-bounds read
| in the bundled Imager::File::SGI reader via a 16-bit RLE literal run
| in read_rgb_16_rle.  read_rgb_16_rle guards each literal run with if
| (count > data_left), but count is a pixel count while every 16-bit
| sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1]
| and advances two bytes per pixel, so a run with data_left / 2 <
| count <= data_left passes the guard yet consumes 2 * count bytes and
| reads past the end of the buffer. The 8-bit path is unaffected
| because there one pixel is one byte.  Reading a crafted SGI image
| through Imager->read triggers the over-read before the parser
| rejects the malformed image, which can crash the process.


CVE-2026-13708[1]:
| Imager::File::JPEG versions before 1.003 for Perl leak heap memory
| when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol.
| i_readjpeg_wiol walks the marker list libjpeg returns and, for each
| APP13 marker, allocates a new buffer with *iptc_itext =
| mymalloc(...) and overwrites the previous pointer without freeing
| it. Only the final payload is later turned into a Perl scalar and
| freed, so a JPEG with N such markers leaks the first N-1 payloads on
| every read.  In a long-lived process, such as an upload or
| thumbnailing service, repeated reads accumulate these leaks and
| exhaust available memory, a denial of service.  The same handler
| ships bundled in the Imager distribution, where versions before
| 1.032 are affected and the fix ships in 1.032.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13705
    https://www.cve.org/CVERecord?id=CVE-2026-13705
    https://lists.security.metacpan.org/cve-announce/msg/41572386/
[1] https://security-tracker.debian.org/tracker/CVE-2026-13708
    https://www.cve.org/CVERecord?id=CVE-2026-13708
    https://lists.security.metacpan.org/cve-announce/msg/41572486/

Regards,
Salvatore

Reply via email to