[From nobody Fri May 8 19:55:05 2026 Received: (at submit) by bugs.debian.org; 21 Mar 2026 19:41:05 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-10.9 required=4.0 tests=BAYES_00,FOURLA, FROMDEVELOPER,MD5_SHA1_SUM,NO_RELAYS,XMAILER_REPORTBUG autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 30; hammy, 148; neutral, 48; spammy, 1. spammytokens:0.942-+--H*r:bugs.debian.org hammytokens:0.000-+--H*F:U*carnil, 0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--HTo:N*Debian, 0.000-+--H*Ad:N*Bug Return-path: <carnil@debian.org> Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96) (envelope-from <carnil@debian.org>) id 1w42C0-008G10-1O for submit@bugs.debian.org; Sat, 21 Mar 2026 19:41:05 +0000 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Salvatore Bonaccorso <carnil@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: pydicom: CVE-2026-32711 Message-ID: <177412206340.2382785.17749654882669681491.reportbug@eldamar.lan> X-Mailer: reportbug 13.2.0 Date: Sat, 21 Mar 2026 20:41:03 +0100 Delivered-To: submit@bugs.debian.org Source: pydicom Version: 2.4.3-3 Severity: important Tags: security upstream X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org> Control: found -1 2.4.3-2 Control: found -1 2.3.1-1 Control: found -1 2.0.0-1 Hi, The following vulnerability was published for pydicom. CVE-2026-32711[0]: | pydicom is a pure Python package for working with DICOM files. | Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal | through a maliciously crafted DICOMDIR ReferencedFileID when it is | set to a path outside the File-set root. pydicom resolves the path | only to confirm that it exists, but does not verify that the | resolved path remains under the File-set root. Subsequent public | FileSet operations such as copy(), write(), and | remove()+write(use_existing=True) use that unchecked path in file | I/O operations. This allows arbitrary file read/copy and, in some | flows, move/delete outside the File-set root. This issue has been | fixed in version 3.0.2. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-32711 https://www.cve.org/CVERecord?id=CVE-2026-32711 [1] https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28 [2] https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82 Regards, Salvatore ]