[med-svn] [Git][med-team/xmedcon][debian/bullseye] 2 commits: CVE-2024-29421.patch: new: fix CVE-2024-29421.

Wed Aug 7 19:08:11 BST 2024


Étienne Mollier pushed to branch debian/bullseye at Debian Med / xmedcon


Commits:
623e458e by Étienne Mollier at 2024-08-07T18:09:11+02:00
CVE-2024-29421.patch: new: fix CVE-2024-29421.

Closes: #1077369

- - - - -
30fed006 by Étienne Mollier at 2024-08-07T18:11:06+02:00
Ready for upload to bullseye proposed-updates.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2024-29421.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+xmedcon (0.16.3+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emollier at debian.org>  Wed, 07 Aug 2024 18:10:18 +0200
+
 xmedcon (0.16.3+dfsg-1) unstable; urgency=medium
 
   * Build-Depends: s/libnifti-dev/libnifti2-dev/


=====================================
debian/patches/CVE-2024-29421.patch
=====================================
@@ -0,0 +1,47 @@
+Description: Prevent overflow of value before a malloc().
+ This patch includes commits a35cd9b856c23e20cc1753e36cd9228391366082
+ from upstream, and 5131a648f09a82c26088b340bdd983fd09a6e19e for
+ additional error messaging.  This fixes CVE-2024-29421.
+
+Author: Erik Nolf
+Origin: upstream,
+        https://sourceforge.net/p/xmedcon/code/ci/5131a648f09a82c26088b340bdd983fd09a6e19e/,
+        https://sourceforge.net/p/xmedcon/code/ci/434925fca63c855dd6d24e4c018c2fa745646f9e/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077369
+Reviewed-by: Étienne Mollier <emollier at debian.org>
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: - simply prevent length values that will overflow  */
++  /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++  /* eNlf: a heap overflow due to a small value at malloc()   */
++  /* eNlf: notified by Spike Reply Cyber Security Team        */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: prevent overflowed value - see dicom_load() */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;


=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ avoid_linking_to_unneeded_libs.patch
 add_gtk_libraries_to_linker.patch
 use_debian_packaged_niftilib.patch
 cross.patch
+CVE-2024-29421.patch



View it on GitLab: https://salsa.debian.org/med-team/xmedcon/-/compare/a0404cc8aa8a84afb02314737c9c393a72197160...30fed0064228a26dc87ae354a9fa1165d6e50e2a

-- 
View it on GitLab: https://salsa.debian.org/med-team/xmedcon/-/compare/a0404cc8aa8a84afb02314737c9c393a72197160...30fed0064228a26dc87ae354a9fa1165d6e50e2a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-med-commit/attachments/20240807/fd40d04b/attachment-0001.htm>
