This repository was archived by the owner on Apr 7, 2026. It is now read-only.

fix(security): Rebuild image to upgrade imagemagick (deb13u6) (CVE-2026-25897)#179

Merged: pauldub merged 1 commit into master from fix/vuln-vuln-1631-upgrade-imagemagick-to-the-lat on Mar 16, 2026

Conversation

@pauldub

@pauldub pauldub commented Mar 12, 2026

Contributor

Summary

  • Ticket: VULN-1631 Upgrade imagemagick to the latest available version on image honestica/alert2jira
  • Vulnerability type: base_image
  • CVE: CVE-2026-25897
  • Affected component: imagemagick

Fix Strategy

Trigger a fresh Docker image build without cache. The Dockerfile already runs apt-get dist-upgrade -y, so a rebuild will pull the patched imagemagick package (8:7.1.1.43+dfsg1-1+deb13u6) from the Debian repos.

docker build --no-cache .

No code change is required — rebuilding the image is sufficient.

Analysis

imagemagick is not installed explicitly by the application. It is a transitive system package present in the python:3.12 Debian-based base image.

The Dockerfile already contains apt-get dist-upgrade -y, which upgrades all installed packages at build time. However, the patched version (8:7.1.1.43+dfsg1-1+deb13u6) was not yet available when the current image (honestica/alert2jira:3b09f2d2c68e452017aabeb5acc172ceb9150d66) was last built — it was built against deb13u5.

Fix

A no-cache rebuild of the Docker image is sufficient. No code changes are needed:

docker build --no-cache .

This will re-run apt-get dist-upgrade against the current Debian 13 package index and install the patched imagemagick version.

CVEs covered

CVE             Type                                                                 Severity
CVE-2026-25897  Integer overflow in SUN decoder (heap OOB write on 32-bit)           High
CVE-2026-25898  Missing pixel index validation in UIL/XPM encoder (buffer over-read) High
CVE-2026-25968  Stack buffer overflow in MSL attribute handling (msl.c)              High
CVE-2026-25971  Circular MSL reference leading to stack overflow                     High
CVE-2026-25983  Heap-use-after-free in MSL script parsing                            High
CVE-2026-25986  Heap buffer overflow in ReadYUVImage()                               High
CVE-2026-25987  Heap over-read in MAP image decoder                                  High
CVE-2026-26284  OOB read in PCD Huffman decoder                                      High

All eight CVEs are fixed in 8:7.1.1.43+dfsg1-1+deb13u6.


Generated by robbie

Comment thread Dockerfile
@@ -1,4 +1,4 @@
FROM python:3.12
FROM python:3.12.13
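Review bot: changing `FROM python:3.12` to `FROM python:3.12.13` busts the build cache only because a new tag is pulled; it does not pin the package set, since `apt-get dist-upgrade` still resolves whatever the Debian index serves at build time, so a later build from the same Dockerfile can land on a different imagemagick version with no diff to show for it. Suggest either adding a step after the upgrade that fails the build when `dpkg-query -W -f '${Version}' imagemagick` is below 8:7.1.1.43+dfsg1-1+deb13u6, or pinning the base image by digest and recording in the commit that the purpose is a forced rebuild, so the next person does not read the tag bump as the security fix itself.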

Contributor Author

@honestica/infra this is just a way to force a new Docker build, but I find it an interesting case. Do we have a way to do a build --no-cache with the dradis orb?


No idea about that one, though; maybe Benoit and Marc know more about it @honestica/team-dev-ux


@pauldub pauldub marked this pull request as ready for review March 12, 2026 14:16
@pauldub pauldub requested review from a team and automergedependabot as code owners March 12, 2026 14:16
@pauldub pauldub merged commit 70d3233 into master Mar 16, 2026
6 checks passed
@pauldub pauldub deleted the fix/vuln-vuln-1631-upgrade-imagemagick-to-the-lat branch March 16, 2026 08:44