From nobody Fri Apr 10 19:21:08 2026
Received: (at submit) by bugs.debian.org; 18 Dec 2025 13:05:11 +0000
Return-path: <salvatore.bonaccorso@gmail.com>
Received: from mail-lj1-x22d.google.com ([2a00:1450:4864:20::22d]:54748)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128)
 (Exim 4.96) (envelope-from <salvatore.bonaccorso@gmail.com>)
 id 1vWDgr-00FU8H-2B for submit@bugs.debian.org;
 Thu, 18 Dec 2025 13:05:11 +0000
Received: by mail-lj1-x22d.google.com with SMTP id
 38308e7fff4ca-37cd7f9de7cso4874871fa.1
 for <submit@bugs.debian.org>; Thu, 18 Dec 2025 05:05:09 -0800 (PST)
X-Received: by 2002:a05:600c:64c8:b0:47a:814c:ee95 with SMTP id
 5b1f17b1804b1-47a8f8c0532mr221917945e9.12.1766056210712; 
 Thu, 18 Dec 2025 03:10:10 -0800 (PST)
Received: from eldamar.lan (c-82-192-244-13.customer.ggaweb.ch.
 [82.192.244.13]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-47be3286e72sm33499935e9.15.2025.12.18.03.10.09
 for <submit@bugs.debian.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 Dec 2025 03:10:09 -0800 (PST)
Sender: Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
Received: by eldamar.lan (Postfix, from userid 1000)
 id DD295BE2EE7; Thu, 18 Dec 2025 12:10:08 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dcmtk: CVE-2025-14841
Message-ID: <176605601505.3128514.12234665655131747826.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Thu, 18 Dec 2025 12:06:55 +0100
Delivered-To: submit@bugs.debian.org

Source: dcmtk
Version: 3.6.9-6
Severity: important
Tags: security upstream
Forwarded: https://support.dcmtk.org/redmine/issues/1183
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for dcmtk.

CVE-2025-14841[0]:
| A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted
| element is the function
| DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest
| in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp.
| This manipulation causes null pointer dereference. The attack
| requires local access. Upgrading to version 3.7.0 is sufficient to
| resolve this issue. Patch name:
| ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the
| affected component.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-14841
    https://www.cve.org/CVERecord?id=CVE-2025-14841
[1] https://support.dcmtk.org/redmine/issues/1183
[2] https://github.com/DCMTK/dcmtk/commit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore