[med-svn] [Git][med-team/dcmtk][debian/bookworm] 3 commits: 0010-CVE-2024-34508-34509.patch: new.

Étienne Mollier (@emollier) gitlab at salsa.debian.org
Sat Feb 1 19:11:26 GMT 2025



Étienne Mollier pushed to branch debian/bookworm at Debian Med / dcmtk


Commits:
d56f3ce0 by Étienne Mollier at 2025-02-01T15:00:12+01:00
0010-CVE-2024-34508-34509.patch: new.

This patch fixes CVE-2024-34508 and CVE-2024-34509.

- - - - -
0215c85c by Étienne Mollier at 2025-02-01T15:00:42+01:00
0011-CVE-2024-34508-34509_bis.patch: new.

This introduces upstream's fix to the test regression introduced by
the mitigations against CVE-2024-34508 and CVE-2024-34509.

- - - - -
55cfe5d8 by Étienne Mollier at 2025-02-01T20:10:29+01:00
d/changelog: ready for upload to bookworm.

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/0010-CVE-2024-34508-34509.patch
- + debian/patches/0011-CVE-2024-34508-34509_bis.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,4 +1,4 @@
-dcmtk (3.6.7-9~deb12u2) UNRELEASED; urgency=medium
+dcmtk (3.6.7-9~deb12u2) bookworm; urgency=medium
 
   * Team upload.
   * 0007-CVE-2024-47796.patch: new.
@@ -7,10 +7,13 @@ dcmtk (3.6.7-9~deb12u2) UNRELEASED; urgency=medium
     This patch addresses CVE-2024-52333. (Closes: #1093047)
   * 0009-CVE-2024-27628.patch: new.
     This patch fixes CVE-2024-27628. (Closes: #1074483)
- TODO: check whether the following issues are fixable: CVE-2024-28130,
- CVE-2024-34508 and CVE-2024-34509.
+  * 0010-CVE-2024-34508-34509.patch: new.
+    This patch fixes CVE-2024-34508 and CVE-2024-34509.
+  * 0011-CVE-2024-34508-34509_bis.patch: new.
+    This introduces upstream's fix to the test regression introduced by
+    the mitigation against CVE-2024-34508 and CVE-2024-34509.
 
- -- Étienne Mollier <emollier at debian.org>  Thu, 30 Jan 2025 20:39:58 +0100
+ -- Étienne Mollier <emollier at debian.org>  Sat, 01 Feb 2025 20:09:27 +0100
 
 dcmtk (3.6.7-9~deb12u1) bookworm; urgency=medium
 


=====================================
debian/patches/0010-CVE-2024-34508-34509.patch
=====================================
@@ -0,0 +1,88 @@
+Applied-Upstream: c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
+Author: Marco Eichelberg <dicom at offis.de>
+Bug: https://support.dcmtk.org/redmine/issues/1114
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Last-Update: 2025-02-01
+Description: Fixed two segmentation faults.
+ Fixed two segmentations faults that could occur while processing an
+ invalid incoming DIMSE message due to insufficient error handling
+ causing a de-referenced NULL pointer.
+ .
+ Thanks to Nils Bars <nils.bars at rub.de> for the bug report and sample files.
+ .
+ This closes DCMTK issue #1114.
+
+--- dcmtk.orig/dcmdata/libsrc/dcelem.cc
++++ dcmtk/dcmdata/libsrc/dcelem.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 1994-2021, OFFIS e.V.
++ *  Copyright (C) 1994-2024, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were developed by
+@@ -717,6 +717,13 @@
+             if (isStreamNew)
+                 delete readStream;
+         }
++        else
++        {
++            errorFlag = EC_InvalidStream; // incomplete dataset read from stream
++            DCMDATA_ERROR("DcmElement: " << getTagName() << " " << getTag()
++                << " larger (" << getLengthField() << ") than remaining bytes ("
++                << getTransferredBytes() << ") in file, premature end of stream");
++        }
+     }
+     /* return result value */
+     return errorFlag;
+--- dcmtk.orig/dcmnet/libsrc/dimcmd.cc
++++ dcmtk/dcmnet/libsrc/dimcmd.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 1994-2021, OFFIS e.V.
++ *  Copyright (C) 1994-2024, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were partly developed by
+@@ -205,22 +205,25 @@
+             return parseErrorWithMsg("dimcmd:getString: string too small", t);
+         } else {
+             ec =  elem->getString(aString);
+-            strncpy(s, aString, maxlen);
+-            if (spacePadded)
++            if (ec.good())
+             {
+-                /* before we remove leading and tailing spaces we want to know
+-                 * whether the string is actually space padded. Required to communicate
+-                 * with dumb peers which send space padded UIDs and fail if they
+-                 * receive correct UIDs back.
+-                 *
+-                 * This test can only detect space padded strings if
+-                 * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
+-                 * has already been removed by dcmdata at this stage.
+-                 */
+-                size_t s_len = strlen(s);
+-                if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
++                strncpy(s, aString, maxlen);
++                if (spacePadded)
++                {
++                    /* before we remove leading and tailing spaces we want to know
++                     * whether the string is actually space padded. Required to communicate
++                     * with dumb peers which send space padded UIDs and fail if they
++                     * receive correct UIDs back.
++                     *
++                     * This test can only detect space padded strings if
++                     * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
++                     * has already been removed by dcmdata at this stage.
++                     */
++                    size_t s_len = strlen(s);
++                    if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
++                }
++                DU_stripLeadingAndTrailingSpaces(s);
+             }
+-            DU_stripLeadingAndTrailingSpaces(s);
+         }
+     }
+     return (ec.good())? ec : DIMSE_PARSEFAILED;
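Review bot: In the dimcmd.cc hunk, `ec.good()` is now the only guard in front of `strncpy(s, aString, maxlen)`, so the fix relies on every `getString()` implementation returning a non-NULL pointer whenever it reports success; whether that holds for all element types is not visible here. Because this code parses DIMSE command fields received from a network peer, I would make the guard explicit with `if (ec.good() && aString != NULL)` and treat a NULL result as a parse failure. Separately, `strncpy` leaves `s` unterminated when the value is exactly `maxlen` bytes long, and the following `strlen(s)` depends on that terminator. Whether the earlier "string too small" length check and the callers' buffer sizes rule this out cannot be confirmed, because the function starts above the hunk.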


=====================================
debian/patches/0011-CVE-2024-34508-34509_bis.patch
=====================================
@@ -0,0 +1,63 @@
+Applied-Upstream: 66c317feae446deda1a389226aa24c95a0eeac4c
+Author: Marco Eichelberg <dicom at offis.de>
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Last-Update: 2025-02-01
+Description: Fixed DcmDecimalString unit tests.
+
+diff --git a/dcmdata/tests/tvrds.cc b/dcmdata/tests/tvrds.cc
+index a9132a341..0e929304d 100644
+--- a/dcmdata/tests/tvrds.cc
++++ b/dcmdata/tests/tvrds.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 2011-2020, OFFIS e.V.
++ *  Copyright (C) 2011-2024, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were developed by
+@@ -30,7 +30,7 @@
+ 
+ OFTEST(dcmdata_decimalString_1)
+ {
+-    DcmDecimalString decStr(DCM_ContourData, EVR_DS);
++    DcmDecimalString decStr(DCM_ContourData);
+     OFVector<Float64> doubleVals;
+     OFCHECK(decStr.putString("1\\2.0\\3.5\\-4.99\\+500.005\\6.66E-01").good());
+     OFCHECK(decStr.getFloat64Vector(doubleVals).good());
+@@ -45,7 +45,7 @@ OFTEST(dcmdata_decimalString_1)
+ 
+ OFTEST(dcmdata_decimalString_2)
+ {
+-    DcmDecimalString decStr(DCM_ContourData, EVR_DS);
++    DcmDecimalString decStr(DCM_ContourData);
+     OFVector<Float64> doubleVals;
+     /* insert a NULL byte into the string */
+     OFCHECK(decStr.putString("1\\2.0\\3.5\\-4.99\0\\+500.005\\6.66E-01", 34).good());
+@@ -61,7 +61,7 @@ OFTEST(dcmdata_decimalString_2)
+ 
+ OFTEST(dcmdata_decimalString_3)
+ {
+-    DcmDecimalString decStr(DCM_ContourData, EVR_DS);
++    DcmDecimalString decStr(DCM_ContourData);
+     OFVector<Float64> doubleVals;
+     /* insert a NULL byte into the string */
+     OFCHECK(decStr.putOFStringArray(OFString("1\\2.0\\3.5\\-4.99\0\\+500.005\\6.66E-01", 34)).good());
+@@ -77,7 +77,7 @@ OFTEST(dcmdata_decimalString_3)
+ 
+ OFTEST(dcmdata_decimalString_4)
+ {
+-    DcmDecimalString decStr(DCM_ContourData, EVR_DS);
++    DcmDecimalString decStr(DCM_ContourData);
+     OFVector<Float64> doubleVals;
+     OFCHECK(decStr.putString("1\\2.0\\3.5\\-4.99\\+500.005\\6.66E-01\\").good());
+     OFCHECK_EQUAL(decStr.getVM(), 7);
+@@ -96,7 +96,7 @@ OFTEST(dcmdata_decimalString_putFloat64)
+ {
+     // Test insertion in the beginning
+     OFString testStr;
+-    DcmDecimalString decStr(DCM_ContourData, EVR_DS);
++    DcmDecimalString decStr(DCM_ContourData);
+     OFCHECK(decStr.putFloat64(0, 0).good());
+     decStr.getOFStringArray(testStr);
+     OFCHECK(testStr == "0");
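Review bot: The patch header says only "Fixed DcmDecimalString unit tests" and does not explain why the second constructor argument is dropped in all five tests, which a stable-release reviewer needs in order to judge that the change is test-only. Presumably `EVR_DS` was being passed as the constructor's length parameter, and the `EC_InvalidStream` branch added by 0010 now rejects an element with a non-zero length and no stream; that should be confirmed against the upstream commit. If so, I would state it in the header, e.g. `Description: Fixed DcmDecimalString unit tests (EVR_DS was wrongly passed as the element length).` The last test, dcmdata_decimalString_putFloat64, continues past the end of the hunk.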


=====================================
debian/patches/series
=====================================
@@ -13,3 +13,5 @@ c34f4e46e672ad21accf04da0dc085e43be6f5e1.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
 0009-CVE-2024-27628.patch
+0010-CVE-2024-34508-34509.patch
+0011-CVE-2024-34508-34509_bis.patch



View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/916288316817aba48cfa91298deead5ff600a0e7...55cfe5d82040fb4d0afd34ad52217ad850adba7b
