Bug 35408 - graphicsmagick new security issues CVE-2026-26284, CVE-2026-33535
Summary: graphicsmagick new security issues CVE-2026-26284, CVE-2026-33535
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-27 10:44 CEST by Nicolas Salguero
Modified: 2026-05-07 07:09 CEST (History)

See Also:
Source RPM: graphicsmagick-1.3.40-1.4.mga9.src.rpm, graphicsmagick-1.3.40-1.4.mga9.tainted.src.rpm
CVE: CVE-2026-26284, CVE-2026-33535
Status comment:
herman.viaene: test_passed_mga9_64+



Description Nicolas Salguero 2026-04-27 10:44:19 CEST
openSUSE has issued an advisory on April 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BMSWBU7XGK6MZYTE62GVV7BFJIH6PSZU/
Nicolas Salguero 2026-04-27 10:46:03 CEST

Source RPM: (none) => graphicsmagick-1.3.46-3.mga10, graphicsmagick-1.3.40-1.4.mga9
Flags: (none) => affects_mga9+
Status comment: (none) => Patch available from openSUSE
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2026-26284

Comment 1 Nicolas Salguero 2026-04-27 13:03:49 CEST
openSUSE has issued an advisory on April 22:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NPVKK6XVDNZQVOOYGCEQVGQHUWYX64EY/

Status comment: Patch available from openSUSE => Patches available from openSUSE
Summary: graphicsmagick new security issue CVE-2026-26284 => graphicsmagick new security issues CVE-2026-26284, CVE-2026-33535
CVE: CVE-2026-26284 => CVE-2026-26284, CVE-2026-33535

Comment 2 Nicolas Salguero 2026-04-28 16:39:57 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

ImageMagick has a heap overflow in the PCD decoder that leads to an out-of-bounds read. (CVE-2026-26284)

ImageMagick has an out-of-bounds write of a zero byte in its X11 display interaction. (CVE-2026-33535)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BMSWBU7XGK6MZYTE62GVV7BFJIH6PSZU/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NPVKK6XVDNZQVOOYGCEQVGQHUWYX64EY/
========================

Updated packages in core/updates_testing:
========================
graphicsmagick-1.3.40-1.5.mga9
graphicsmagick-doc-1.3.40-1.5.mga9
lib(64)graphicsmagick++12-1.3.40-1.5.mga9
lib(64)graphicsmagick-devel-1.3.40-1.5.mga9
lib(64)graphicsmagick3-1.3.40-1.5.mga9
lib(64)graphicsmagickwand2-1.3.40-1.5.mga9
perl-Graphics-Magick-1.3.40-1.5.mga9

from SRPM:
graphicsmagick-1.3.40-1.5.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
graphicsmagick-1.3.40-1.5.mga9.tainted
graphicsmagick-doc-1.3.40-1.5.mga9.tainted
lib(64)graphicsmagick++12-1.3.40-1.5.mga9.tainted
lib(64)graphicsmagick-devel-1.3.40-1.5.mga9.tainted
lib(64)graphicsmagick3-1.3.40-1.5.mga9.tainted
lib(64)graphicsmagickwand2-1.3.40-1.5.mga9.tainted
perl-Graphics-Magick-1.3.40-1.5.mga9.tainted

from SRPM:
graphicsmagick-1.3.40-1.5.mga9.tainted.src.rpm

Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Source RPM: graphicsmagick-1.3.46-3.mga10, graphicsmagick-1.3.40-1.4.mga9 => graphicsmagick-1.3.40-1.4.mga9.src.rpm, graphicsmagick-1.3.40-1.4.mga9.tainted.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Flags: affects_mga9+ => (none)
Status comment: Patches available from openSUSE => (none)

katnatek 2026-04-29 03:27:56 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2026-05-05 17:38:20 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
Installed core versions and used tests as in bug 35199 after deleting the older result files.
$ convert IMG_1251.jpg test.png
$ convert IMG_1251.jpg -background grey44 -vignette 0x5  test2.gif
$ mogrify -rotate 270  IMG_1259.jpg
$ mogrify -rotate 90  IMG_1259.jpg
$ convert IMG_1259.jpg tIMG_1259.tiff
$ identify tIMG_1259.tiff
tIMG_1259.tiff TIFF 4608x3456 4608x3456+0+0 8-bit sRGB 45.567MiB 0.000u 0:00.001
$ convert -resize 120%x80%   tIMG_1259.tiff tine.jpg
$ identify tine.jpg
tine.jpg JPEG 5530x2765 5530x2765+0+0 8-bit sRGB 3.28125MiB 0.000u 0:00.001
$ gm convert IMG_1271.jpg tIMG_1271.tiff
gm convert: tIMG_1271.tiff: Invalid tag "Predictor" (not supported by codec). (_TIFFVGetField).
This is the same as in my previous update test. The generated file displays OK, so no regression.
$ gm display IMG_1272.jpg
$ gm convert -magnify tine.jpg ti2x.jpg
$ gm convert -resize 300%  tine.jpg ti3x.jpg

All generated files show expected effects and correctly display.
Coming back for the same test on the tainted versions.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2026-05-05 18:03:05 CEST
While installing the tainted versions, I removed all core versions, removed the result files and repeated all the commands above with the same positive results.
Note: difference between core and tainted versions shows in slightly larger result files.
Good for me.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 5 Thomas Andrews 2026-05-06 22:54:49 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2026-05-07 07:09:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0117.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

