Bug 35256 - graphicsmagick new security issues CVE-2026-28690 and CVE-2026-30883
Summary: graphicsmagick new security issues CVE-2026-28690 and CVE-2026-30883
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-23 14:52 CET by Nicolas Salguero
Modified: 2026-03-25 18:32 CET

See Also:
Source RPM: graphicsmagick-1.3.40-1.3.mga9.src.rpm, graphicsmagick-1.3.40-1.3.mga9.tainted.src.rpm
CVE: CVE-2026-28690, CVE-2026-30883
Status comment:
herman.viaene: test_passed_mga9_64+



Description Nicolas Salguero 2026-03-23 14:52:54 CET
openSUSE has issued an advisory on March 20:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UHRHM3VZ5CG6TQ5X4EQBR77LTWVJJQVY/
Nicolas Salguero 2026-03-23 14:53:39 CET

Source RPM: (none) => graphicsmagick-1.3.46-2.mga10.src.rpm, graphicsmagick-1.3.40-1.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2026-30883
Flags: (none) => affects_mga9+

Comment 1 Nicolas Salguero 2026-03-23 14:56:37 CET
CVE-2026-28690 is also fixed by a patch from openSUSE.

CVE: CVE-2026-30883 => CVE-2026-28690, CVE-2026-30883
Summary: graphicsmagick new security issue CVE-2026-30883 => graphicsmagick new security issues CVE-2026-28690 and CVE-2026-30883

Comment 2 Nicolas Salguero 2026-03-23 15:11:10 CET
For Cauldron, graphicsmagick-1.3.46-3.mga10 and graphicsmagick-1.3.46-3.mga10.tainted fix the issues.

Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Whiteboard: MGA9TOO => (none)
Source RPM: graphicsmagick-1.3.46-2.mga10.src.rpm, graphicsmagick-1.3.40-1.3.mga9.src.rpm => graphicsmagick-1.3.40-1.3.mga9.src.rpm

Nicolas Salguero 2026-03-23 15:11:22 CET

Source RPM: graphicsmagick-1.3.40-1.3.mga9.src.rpm => graphicsmagick-1.3.40-1.3.mga9.src.rpm, graphicsmagick-1.3.40-1.3.mga9.tainted.src.rpm

Comment 3 Nicolas Salguero 2026-03-23 15:29:35 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

GraphicsMagick has a stack write buffer overflow in MNG encoder. (CVE-2026-28690)

GraphicsMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder. (CVE-2026-30883)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/UHRHM3VZ5CG6TQ5X4EQBR77LTWVJJQVY/
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.40-1.4.mga9
graphicsmagick-doc-1.3.40-1.4.mga9
lib(64)graphicsmagick++12-1.3.40-1.4.mga9
lib(64)graphicsmagick-devel-1.3.40-1.4.mga9
lib(64)graphicsmagick3-1.3.40-1.4.mga9
lib(64)graphicsmagickwand2-1.3.40-1.4.mga9
perl-Graphics-Magick-1.3.40-1.4.mga9

from SRPM:
graphicsmagick-1.3.40-1.4.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
graphicsmagick-1.3.40-1.4.mga9.tainted
graphicsmagick-doc-1.3.40-1.4.mga9.tainted
lib(64)graphicsmagick++12-1.3.40-1.4.mga9.tainted
lib(64)graphicsmagick-devel-1.3.40-1.4.mga9.tainted
lib(64)graphicsmagick3-1.3.40-1.4.mga9.tainted
lib(64)graphicsmagickwand2-1.3.40-1.4.mga9.tainted
perl-Graphics-Magick-1.3.40-1.4.mga9.tainted

from SRPM:
graphicsmagick-1.3.40-1.4.mga9.tainted.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 4 Herman Viaene 2026-03-24 10:45:08 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
Installed core versions, deleted result files from bug 35199 and repeated the commands with the same OK results.
Coming back for tainted versions.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2026-03-24 11:02:06 CET
Installed tainted versions without issues, repeated the same tests; all OK.
Sidenote: why do we (packagers and testers) have to go over these packages again in one week's time??

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

katnatek 2026-03-24 18:55:33 CET

Keywords: (none) => advisory

Comment 6 Thomas Andrews 2026-03-25 16:23:11 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2026-03-25 18:32:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0067.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

