#1129098 psd-tools: CVE-2026-27809

Package:
src:psd-tools
Source:
src:psd-tools
Submitter:
Salvatore Bonaccorso
Date:
2026-06-21 17:11:01 UTC
Severity:
normal
Tags:
#1129098#5
Date:
2026-02-26 21:50:39 UTC
From:
To:
Hi,

The following vulnerability was published for psd-tools.

CVE-2026-27809[0]:
| psd-tools is a Python package for working with Adobe Photoshop PSD
| files. Prior to version 1.12.2, when a PSD file contains malformed
| RLE-compressed image data (e.g. a literal run that extends past the
| expected row size), decode_rle() raises ValueError which propagated
| all the way to the user, crashing psd.composite() and psd-tools
| export. decompress() already had a fallback that replaces failed
| channels with black pixels when result is None, but it never
| triggered because the ValueError from decode_rle() was not caught.
| The fix in version 1.12.2 wraps the decode_rle() call in a
| try/except so the existing fallback handles the error gracefully.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27809
https://www.cve.org/CVERecord?id=CVE-2026-27809
[1] https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w
[2] https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
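
The failure mode in the CVE text above, as an added sketch that is not psd-tools source: a PackBits-style row decoder that rejects a run overflowing the row, and a caller with and without the try/except. The names decode_rle() and decompress() come from the advisory text; their signatures, bodies, the `patched` switch and the sample rows are assumptions made for illustration.

```python
# Illustrative sketch only: bodies and signatures are assumptions, not the
# psd-tools implementation. Sample rows at the bottom are constructed.

def decode_rle(data: bytes, row_size: int) -> bytes:
    """Decode one PackBits row, rejecting runs that overflow row_size."""
    out = bytearray()
    i = 0
    while i < len(data):
        header = data[i]
        i += 1
        if header == 128:                  # no-op marker
            continue
        if header < 128:                   # literal run of header+1 bytes
            count = header + 1
            chunk = data[i:i + count]
            i += count
        else:                              # next byte repeated 257-header times
            count = 257 - header
            chunk = data[i:i + 1] * count
            i += 1
        if len(chunk) != count or len(out) + count > row_size:
            raise ValueError("malformed RLE run before offset %d" % i)
        out += chunk
    if len(out) != row_size:
        raise ValueError("row is %d bytes, expected %d" % (len(out), row_size))
    return bytes(out)

def decompress(rows, width, patched=True):
    """Decode a channel; fall back to black pixels when decoding fails."""
    result = None
    if patched:
        try:
            result = b"".join(decode_rle(r, width) for r in rows)
        except ValueError:
            result = None                  # let the existing fallback run
    else:
        # Pre-fix shape: the exception escapes before the fallback is reached.
        result = b"".join(decode_rle(r, width) for r in rows)
    if result is None:
        result = bytes(width * len(rows))  # zero bytes, i.e. black pixels
    return result

GOOD_ROWS = [b"\x02abc", b"\xfe\x07"]      # constructed: literal "abc", 3 x 0x07
BAD_ROWS = [b"\x02abc", b"\x04ABCDE"]      # constructed: 5-byte literal, 3-byte row

def crashes_unpatched(rows, width):
    """True if the pre-fix call path lets ValueError reach the caller."""
    try:
        decompress(rows, width, patched=False)
    except ValueError:
        return True
    return False
```
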

#1129098#10
Date:
2026-04-04 18:33:29 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
psd-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1129098@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ying-Chun Liu (PaulLiu) <paulliu@debian.org> (supplier of updated psd-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 04 Apr 2026 18:59:47 +0100
Source: psd-tools
Architecture: source
Version: 1.14.2+dfsg.1-1
Distribution: unstable
Urgency: low
Maintainer: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Changed-By: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Closes: 1129098
Changes:
 psd-tools (1.14.2+dfsg.1-1) unstable; urgency=low
 .
   * New upstream release.
     - Upstream fixes the CVE-2026-27809 (Closes: #1129098)