[med-svn] [Git][med-team/gdcm][debian/bullseye] 2 commits: CVE-2025-11266.patch: Avoid out-of-bounds vulnerability. The issue was...

Emmanuel Arias (@eamanu) gitlab at salsa.debian.org
Sat Dec 20 17:23:55 GMT 2025 


Emmanuel Arias pushed to branch debian/bullseye at Debian Med / gdcm


Commits:
324ce7c9 by Emmanuel Arias at 2025-12-20T14:16:16-03:00
CVE-2025-11266.patch: Avoid out-of-bounds vulnerability. The issue was triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments. This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing.

- - - - -
64e00639 by Emmanuel Arias at 2025-12-20T14:20:16-03:00
Non-maintainer uploaded by the LTS Security Team.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2025-11266.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,11 +1,20 @@
-gdcm (3.0.8-2+deb11u1) bullseye; urgency=medium
+gdcm (3.0.8-2+deb11u1) bullseye-security; urgency=medium
 
-  * Team upload.
+  * Non-maintainer upload by the LTS Security Team.
+
+  [ Étienne Mollier ]
   * CVE-2024-*.patch: new: fix multiple security issues.
     This patch set addresses CVE-2024-22373, CVE-2024-22391 and
     CVE-2024-25569. (Closes: #1070387)
 
- -- Étienne Mollier <emollier at debian.org>  Sun, 05 May 2024 23:22:59 +0200
+  [ Emmanuel Arias ]
+  * CVE-2025-11266.patch: Avoid out-of-bounds vulnerability. The issue
+    was triggered during parsing of a malformed DICOM file containing
+    encapsulated PixelData fragments. This vulnerability leads to a
+    segmentation fault caused by an out-of-bounds memory access due to
+    unsigned integer underflow in buffer indexing.
+
+ -- Emmanuel Arias <eamanu at debian.org>  Sat, 20 Dec 2025 14:11:38 -0300
 
 gdcm (3.0.8-2) unstable; urgency=medium
 


=====================================
debian/patches/CVE-2025-11266.patch
=====================================
@@ -0,0 +1,31 @@
+From 5829c95c8ac3afa9a3a3413675e948959c28a789 Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre <mathieu.malaterre at gmail.com>
+Date: Fri, 26 Sep 2025 10:04:53 +0200
+Subject: [PATCH] Fix VU#591834.1
+
+Original report is:
+
+Vulnerability VU#591834.1 (VU#591834)
+Date Added: 2025-08-21
+Description: An out-of-bounds read vulnerability exists in the Grassroots DICOM library (GDCM), specifically within the SequenceOfFragments::ReadValue method. The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments).
+
+Origin: https://github.com/malaterre/GDCM/commit/5829c95c8ac3afa9a3a3413675e948959c28a789
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11266
+Bug-Debian: htts://bugs.debian.org/1122862
+---
+ .../gdcmSequenceOfFragments.h                                   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/DataStructureAndEncodingDefinition/gdcmSequenceOfFragments.h b/Source/DataStructureAndEncodingDefinition/gdcmSequenceOfFragments.h
+index 269b2ae75..5ee35f2ff 100644
+--- a/Source/DataStructureAndEncodingDefinition/gdcmSequenceOfFragments.h
++++ b/Source/DataStructureAndEncodingDefinition/gdcmSequenceOfFragments.h
+@@ -237,7 +237,7 @@ std::istream& ReadValue(std::istream &is, bool /*readvalues*/)
+       const size_t lastf = Fragments.size() - 1;
+       const ByteValue *bv = Fragments[ lastf ].GetByteValue();
+       const char *a = bv->GetPointer();
+-      gdcmAssertAlwaysMacro( (unsigned char)a[ bv->GetLength() - 3 ] == 0xfe );
++      gdcmAssertAlwaysMacro( bv->GetLength() >= 3 && (unsigned char)a[ bv->GetLength() - 3 ] == 0xfe );
+       Fragments[ lastf ].SetByteValue( bv->GetPointer(), bv->GetLength() - 3 );
+       is.seekg( -11, std::ios::cur );
+       gdcm_assert( is.good() );


=====================================
debian/patches/series
=====================================
@@ -10,3 +10,4 @@ rename-pdf.patch
 CVE-2024-22373.patch
 CVE-2024-22391.patch
 CVE-2024-25569.patch
+CVE-2025-11266.patch



View it on GitLab: https://salsa.debian.org/med-team/gdcm/-/compare/b5928eec54c5947aa4719ab8b3dd47e1f52b8b31...64e00639d65c729243c99f21b38f1b0ed590c3a4

-- 
View it on GitLab: https://salsa.debian.org/med-team/gdcm/-/compare/b5928eec54c5947aa4719ab8b3dd47e1f52b8b31...64e00639d65c729243c99f21b38f1b0ed590c3a4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-med-commit/attachments/20251220/39fbe57a/attachment-0001.htm>

More information about the debian-med-commit mailing list