SUSE has issued an advisory on April 3: https://lwn.net/Articles/1016352/
Fix: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-27795
Source RPM: (none) => graphicsmagick
Status comment: (none) => Patch available from upstream
Suggested advisory:
========================

The updated packages fix a security vulnerability:

ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits. (CVE-2025-27795)

References:
https://lwn.net/Articles/1016352/
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.40-1.1.mga9
graphicsmagick-doc-1.3.40-1.1.mga9
lib(64)graphicsmagick++12-1.3.40-1.1.mga9
lib(64)graphicsmagick3-1.3.40-1.1.mga9
lib(64)graphicsmagick-devel-1.3.40-1.1.mga9
lib(64)graphicsmagickwand2-1.3.40-1.1.mga9
perl-Graphics-Magick-1.3.40-1.1.mga9

from SRPM:
graphicsmagick-1.3.40-1.1.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
graphicsmagick-1.3.40-1.1.mga9.tainted
graphicsmagick-doc-1.3.40-1.1.mga9.tainted
lib(64)graphicsmagick++12-1.3.40-1.1.mga9.tainted
lib(64)graphicsmagick3-1.3.40-1.1.mga9.tainted
lib(64)graphicsmagick-devel-1.3.40-1.1.mga9.tainted
lib(64)graphicsmagickwand2-1.3.40-1.1.mga9.tainted
perl-Graphics-Magick-1.3.40-1.1.mga9.tainted

from SRPM:
graphicsmagick-1.3.40-1.1.mga9.tainted.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: graphicsmagick => graphicsmagick-1.3.40-1.mga9.src.rpm, graphicsmagick-1.3.40-1.mga9.tainted.src.rpm
Version: Cauldron => 9
Status comment: Patch available from upstream => (none)
Whiteboard: MGA9TOO => (none)
openSUSE has issued an advisory on April 3: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/24QCG7UCRKCAUVWHKRASS2RHMWXRXGZ2/
Whiteboard: (none) => MGA9TOO
Version: 9 => Cauldron
Assignee: qa-bugs => nicolas.salguero
CVE: CVE-2025-27795 => CVE-2025-27795, CVE-2025-27796
Summary: graphicsmagick new security issue CVE-2025-27795 => graphicsmagick new security issues CVE-2025-2779[56]
After verification, CVE-2025-27796 only affected Cauldron.
CVE: CVE-2025-27795, CVE-2025-27796 => CVE-2025-27795
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)
MGA9-64 Plasma Wayland on Compaq H000SB
First installed the core versions and followed the wiki as in bug 30211, with the same remark as in bug 28088
$ gm convert D053.jpg D053.tiff
gm convert: D053.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
but the resulting tiff image is OK, so no regression.
Test includes the perl test.
Continuing for the tainted versions.
CC: (none) => herman.viaene
Installed tainted without problems. Deleted all test results from core test above and reran all commands. All results OK.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0132.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED