[From nobody Thu May 7 12:21:06 2026 Received: (at submit) by bugs.debian.org; 27 Sep 2024 13:31:59 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02 (2021-04-09) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-2.0 required=4.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,SUBJ_LACKS_WORDS autolearn=no autolearn_force=no version=3.4.6-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 22; hammy, 127; neutral, 30; spammy, 0. spammytokens: hammytokens:0.000-+--H*r:jmm, 0.000-+--UD:security-tracker.debian.org, 0.000-+--security-tracker.debian.org, 0.000-+--securitytrackerdebianorg, 0.000-+--H*M:westfalen Return-path: <jmm@inutil.org> Received: from vps-b7ad3695.vps.ovh.net ([51.38.114.215]:60644) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from <jmm@inutil.org>) id 1suB4g-003OKA-FV for submit@bugs.debian.org; Fri, 27 Sep 2024 13:31:59 +0000 Received: from hullmann.fritz.box (p5089a1ba.dip0.t-ipconnect.de [80.137.161.186]) by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id D61E745 for <submit@bugs.debian.org>; Fri, 27 Sep 2024 13:31:56 +0000 (UTC) Received: from jmm by hullmann.fritz.box with local (Exim 4.98) (envelope-from <jmm@hullmann.westfalen.local>) id 1suB4e-000000009H7-2ZuE for submit@bugs.debian.org; Fri, 27 Sep 2024 15:31:56 +0200 Date: Fri, 27 Sep 2024 15:31:56 +0200 To: submit@bugs.debian.org Subject: invesalius: CVE-2024-42845 Message-ID: <ZvazzOPkxe_0PX1f@pisco.westfalen.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org> Delivered-To: submit@bugs.debian.org Source: invesalius X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for invesalius. CVE-2024-42845[0]: | An eval Injection vulnerability in the component | invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 | allows attackers to execute arbitrary code via loading a crafted | DICOM file. Not sure if that has actually been reported upstream, currently the only reference is https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-42845 https://www.cve.org/CVERecord?id=CVE-2024-42845 Please adjust the affected versions in the BTS as needed. ]