Received: (at submit) by bugs.debian.org; 10 Apr 2026 18:48:44 +0000
Return-path: <carnil@debian.org>
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1wBGuI-00CWb3-1p
 for submit@bugs.debian.org; Fri, 10 Apr 2026 18:48:44 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: orthanc: CVE-2026-5437 CVE-2026-5438 CVE-2026-5439 CVE-2026-5440
 CVE-2026-5441 CVE-2026-5442 CVE-2026-5443 CVE-2026-5444 CVE-2026-5445
Message-ID: <177584691911.4033183.2569235399622841623.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Fri, 10 Apr 2026 20:48:39 +0200
Delivered-To: submit@bugs.debian.org

Source: orthanc
Version: 1.12.10+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for orthanc.

CVE-2026-5437[0]:
| An out-of-bounds read vulnerability exists in `DicomStreamReader`
| during DICOM meta-header parsing. When processing malformed metadata
| structures, the parser may read beyond the bounds of the allocated
| metadata buffer. Although this issue does not typically crash the
| server or expose data directly to the attacker, it reflects
| insufficient input validation in the parsing logic.


CVE-2026-5438[1]:
| A gzip decompression bomb vulnerability exists when Orthanc
| processes HTTP requests with `Content-Encoding: gzip`. The server
| does not enforce limits on decompressed size and allocates memory
| based on attacker-controlled compression metadata. A specially
| crafted gzip payload can trigger excessive memory allocation and
| exhaust system memory.


CVE-2026-5439[2]:
| A memory exhaustion vulnerability exists in ZIP archive processing.
| Orthanc automatically extracts ZIP archives uploaded to certain
| endpoints and trusts metadata fields describing the uncompressed
| size of archived files. An attacker can craft a small ZIP archive
| containing a forged size value, causing the server to allocate
| extremely large buffers during extraction.


CVE-2026-5440[3]:
| A memory exhaustion vulnerability exists in the HTTP server due to
| unbounded use of the `Content-Length` header. The server allocates
| memory directly based on the attacker supplied header value without
| enforcing an upper limit. A crafted HTTP request containing an
| extremely large `Content-Length` value can trigger excessive memory
| allocation and server termination, even without sending a request
| body.


CVE-2026-5441[4]:
| An out-of-bounds read vulnerability exists in the `DecodePsmctRle1`
| function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression
| routine, which decodes the proprietary Philips Compression format,
| does not properly validate escape markers placed near the end of the
| compressed data stream. A crafted sequence at the end of the buffer
| can cause the decoder to read beyond the allocated memory region and
| leak heap data into the rendered image output.


CVE-2026-5442[5]:
| A heap buffer overflow vulnerability exists in the DICOM image
| decoder. Dimension fields are encoded using Value Representation
| (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short
| (US), which allows extremely large dimensions to be processed. This
| causes an integer overflow during frame size calculation and results
| in out-of-bounds memory access during image decoding.


CVE-2026-5443[6]:
| A heap buffer overflow vulnerability exists during the decoding of
| `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit
| multiplication for width and height calculations. If these values
| overflow, the validation check incorrectly succeeds, allowing the
| decoder to read and write to memory beyond allocated buffers.


CVE-2026-5444[7]:
| A heap buffer overflow vulnerability exists in the PAM image parsing
| logic. When Orthanc processes a crafted PAM image embedded in a
| DICOM file, image dimensions are multiplied using 32-bit unsigned
| arithmetic. Specially chosen values can cause an integer overflow
| during buffer size calculation, resulting in the allocation of a
| small buffer followed by a much larger write operation during pixel
| processing.


CVE-2026-5445[8]:
| An out-of-bounds read vulnerability exists in the
| `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The
| lookup-table decoding logic used for `PALETTE COLOR` images does not
| validate pixel indices against the lookup table size. Crafted images
| containing indices larger than the palette size cause the decoder to
| read beyond allocated lookup table memory and expose heap contents
| in the output image.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5437
    https://www.cve.org/CVERecord?id=CVE-2026-5437
[1] https://security-tracker.debian.org/tracker/CVE-2026-5438
    https://www.cve.org/CVERecord?id=CVE-2026-5438
[2] https://security-tracker.debian.org/tracker/CVE-2026-5439
    https://www.cve.org/CVERecord?id=CVE-2026-5439
[3] https://security-tracker.debian.org/tracker/CVE-2026-5440
    https://www.cve.org/CVERecord?id=CVE-2026-5440
[4] https://security-tracker.debian.org/tracker/CVE-2026-5441
    https://www.cve.org/CVERecord?id=CVE-2026-5441
[5] https://security-tracker.debian.org/tracker/CVE-2026-5442
    https://www.cve.org/CVERecord?id=CVE-2026-5442
[6] https://security-tracker.debian.org/tracker/CVE-2026-5443
    https://www.cve.org/CVERecord?id=CVE-2026-5443
[7] https://security-tracker.debian.org/tracker/CVE-2026-5444
    https://www.cve.org/CVERecord?id=CVE-2026-5444
[8] https://security-tracker.debian.org/tracker/CVE-2026-5445
    https://www.cve.org/CVERecord?id=CVE-2026-5445
[9] https://kb.cert.org/vuls/id/536588

Regards,
Salvatore
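The two failure patterns that recur in the CVE texts above are a declared size that is trusted without an upper bound (CVE-2026-5438, CVE-2026-5439, CVE-2026-5440) and a frame size computed with 32-bit multiplication that wraps before the check (CVE-2026-5442, CVE-2026-5443, CVE-2026-5444). The following is an added example, not Orthanc's code and not taken from the upstream fixes: it shows the wrapping check beside a checked 64-bit version, and a `Content-Length` parser that refuses to produce a size a buffer could be allocated from unless the value is well-formed and under a limit. All function names and the two limits are hypothetical.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <limits>
#include <string>

// Hypothetical deployment limits (assumed values, not Orthanc's defaults).
static const uint64_t kMaxRequestBody = 64ull * 1024 * 1024;   // 64 MiB
static const uint64_t kMaxFrameBytes  = 256ull * 1024 * 1024;  // 256 MiB

// Multiply two 64-bit values; report overflow instead of wrapping silently.
bool SafeMul(uint64_t a, uint64_t b, uint64_t& out)
{
  if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a)
  {
    return false;
  }
  out = a * b;
  return true;
}

// Vulnerable pattern, kept for comparison: the product is evaluated in 32-bit
// arithmetic, so for large dimensions it wraps to a small number and the
// "expected <= actual" test passes although the real frame is far larger
// than the pixel data that was supplied.
bool FrameSizeLooksValid32(uint32_t width, uint32_t height,
                           uint32_t bytesPerPixel, size_t pixelDataLength)
{
  uint32_t expected = width * height * bytesPerPixel;  // wraps modulo 2^32
  return expected <= pixelDataLength;
}

// Hardened form: 64-bit arithmetic with overflow detection, a cap at a
// deployment limit, and an exact comparison with the supplied data length.
bool FrameSizeLooksValid(uint32_t width, uint32_t height,
                         uint32_t bytesPerPixel, size_t pixelDataLength)
{
  uint64_t pixels = 0, expected = 0;
  if (!SafeMul(width, height, pixels) ||
      !SafeMul(pixels, bytesPerPixel, expected))
  {
    return false;                       // product does not fit in 64 bits
  }
  if (expected == 0 || expected > kMaxFrameBytes)
  {
    return false;                       // degenerate or unreasonably large frame
  }
  return expected == pixelDataLength;   // exact match, not just "at least"
}

// Parse a Content-Length value. Accepts only plain decimal digits, rejects
// anything that would overflow 64 bits or exceed kMaxRequestBody. No buffer
// should be sized from the header before this returns true.
bool ParseContentLength(const std::string& value, uint64_t& length)
{
  if (value.empty() || value.size() > 20)   // 20 digits covers uint64 max
  {
    return false;
  }
  uint64_t acc = 0;
  for (char c : value)
  {
    if (c < '0' || c > '9')
    {
      return false;                       // sign, whitespace, hex: rejected
    }
    uint64_t digit = static_cast<uint64_t>(c - '0');
    if (acc > (std::numeric_limits<uint64_t>::max() - digit) / 10)
    {
      return false;                       // acc * 10 + digit would overflow
    }
    acc = acc * 10 + digit;
  }
  if (acc > kMaxRequestBody)
  {
    return false;                         // declared body larger than accepted
  }
  length = acc;
  return true;
}

// Convenience wrapper: the accepted length, or -1 when the header is rejected.
int64_t AcceptedContentLength(const std::string& value)
{
  uint64_t n = 0;
  return ParseContentLength(value, n) ? static_cast<int64_t>(n) : -1;
}

int main()
{
  // 65536 x 65536 x 1 byte is exactly 2^32: the 32-bit product wraps to 0.
  std::cout << "32-bit check accepts 65536x65536: "
            << FrameSizeLooksValid32(65536u, 65536u, 1u, 16) << "\n";
  std::cout << "checked version accepts it:       "
            << FrameSizeLooksValid(65536u, 65536u, 1u, 16) << "\n";
  std::cout << "Content-Length \"1024\" -> " << AcceptedContentLength("1024") << "\n";
  std::cout << "Content-Length \"-1\"   -> " << AcceptedContentLength("-1") << "\n";
  return 0;
}
```

The width and height values in the first check are deliberately above the 16-bit range a `US` element can carry, which is the situation CVE-2026-5442 describes when dimensions arrive as `UL`. The equality test in `FrameSizeLooksValid` matters as much as the overflow check: a "large enough" comparison still lets a decoder walk past the end of a buffer that is shorter than the frame it claims to hold.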