[med-svn] [Git][med-team/dcmtk][master] 4 commits: Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
Étienne Mollier (@emollier)
gitlab at salsa.debian.org
Wed Feb 19 21:15:07 GMT 2025
Étienne Mollier pushed to branch master at Debian Med / dcmtk
Commits:
369133cd by Étienne Mollier at 2025-02-19T21:20:38+01:00
Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
These were not part of dcmtk 3.6.9 upstream and still apply.
Thanks: Salvatore Bonaccorso
- - - - -
b50ef7d1 by Étienne Mollier at 2025-02-19T21:54:09+01:00
0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.
Closes: #1098373
- - - - -
12b60829 by Étienne Mollier at 2025-02-19T21:54:45+01:00
0010-CVE-2025-25474.patch: new: fix CVE-2025-25474.
Closes: #1098374
- - - - -
ba8004ca by Étienne Mollier at 2025-02-19T21:57:06+01:00
d/changelog: ready for upload to unstable.
- - - - -
6 changed files:
- debian/changelog
- + debian/patches/0007-CVE-2024-47796.patch
- + debian/patches/0008-CVE-2024-52333.patch
- + debian/patches/0009-CVE-2025-25475.patch
- + debian/patches/0010-CVE-2025-25474.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+dcmtk (3.6.9-4) unstable; urgency=medium
+
+ * Team upload.
+ * Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
+ These were not part of dcmtk 3.6.9 upstream and still apply.
+ Thanks to Salvatore Bonaccorso
+ * 0009-CVE-2025-25475.patch: new: fix CVE-2025-25475. (Closes: #1098373)
+ * 0010-CVE-2025-25474.patch: new: fix CVE-2025-25474. (Closes: #1098374)
+
+ -- Étienne Mollier <emollier at debian.org> Wed, 19 Feb 2025 21:56:48 +0100
+
dcmtk (3.6.9-3) unstable; urgency=medium
* d/patches: Remove old unused patches
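Review bot: The 3.6.9-4 header keeps urgency=medium although the upload carries four CVE fixes, one of which (0010) is described further down as a heap buffer overflow; consider urgency=high so the fixes reach testing sooner. The "Thanks to Salvatore Bonaccorso" line is also missing its closing period.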
=====================================
debian/patches/0007-CVE-2024-47796.patch
=====================================
@@ -0,0 +1,32 @@
+Author: Joerg Riesmeier <dicom at jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
+Bug-Debian: https://bugs.debian.org/1093043
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Last-Update: 2025-01-18
+Description: Fixed issue rendering invalid monochrome image.
+ Fixed issue when rendering an invalid monochrome DICOM image where the
+ number of pixels stored does not match the expected number of pixels.
+ If the stored number is less than the expected number, the rest of the
+ pixel matrix for the intermediate representation was always filled with
+ the value 0. Under certain, very rare conditions, this could result in
+ memory problems reported by an Address Sanitizer (ASAN). Now, the rest
+ of the matrix is filled with the smallest possible value for the image.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery at external.cisco.com> for the original report, the sample
+ file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -72,9 +72,9 @@
+ rescale(pixel); // "copy" or reference pixel data
+ this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+ }
+- /* erase empty part of the buffer (= blacken the background) */
++ /* erase empty part of the buffer (= fill the background with the smallest possible value) */
+ if ((this->Data != NULL) && (this->InputCount < this->Count))
+- OFBitmanipTemplate<T3>::zeroMem(this->Data + this->InputCount, this->Count - this->InputCount);
++ OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
+ }
+ }
+
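Review bot: In the dimoipxt.h hunk the new setMem call dereferences this->Modality, but the guard on the line above tests only this->Data and InputCount < Count. Confirm from the enclosing code (not visible in this context) that Modality cannot be NULL on this path, or add it to the condition, since otherwise the fill itself becomes the crash. In the patch header, the upstream commit URL sits under Forwarded:, where DEP-3 would normally carry it as Origin: upstream, <url> or Applied-Upstream:.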
=====================================
debian/patches/0008-CVE-2024-52333.patch
=====================================
@@ -0,0 +1,48 @@
+Author: Joerg Riesmeier <dicom at jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
+Bug-Debian: https://bugs.debian.org/1093047
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Last-Update: 2025-01-18
+Description: Added check to make sure: HighBit < BitsAllocated.
+ Added check to the image preprocessing to make sure that the value of
+ HighBit is always less than the value of BitsAllocated. Before, this
+ missing check could lead to memory corruption if an invalid combination
+ of values was retrieved from a malformed DICOM dataset.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery at external.cisco.com> for the report, sample file (PoC)
+ and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.
+
+--- dcmtk.orig/dcmimgle/libsrc/diimage.cc
++++ dcmtk/dcmimgle/libsrc/diimage.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1996-2024, OFFIS e.V.
++ * Copyright (C) 1996-2025, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -549,12 +549,18 @@
+ {
+ const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) *
+ OFstatic_cast(unsigned long, SamplesPerPixel);
+- if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) ||
+- (BitsStored > OFstatic_cast(Uint16, HighBit + 1)))
++ if ((BitsAllocated < 1) || (BitsStored < 1))
+ {
+ ImageStatus = EIS_InvalidValue;
+- DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), "
+- << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")");
++ DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), "
++ << "and/or 'BitsStored' (" << BitsStored << ")");
++ return;
++ }
++ else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit))
++ {
++ ImageStatus = EIS_InvalidValue;
++ DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), "
++ << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")");
+ return;
+ }
+ else if ((evr == EVR_OB) && (BitsStored <= 8))
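Review bot: The new else-if in diimage.cc only constrains the three values relative to each other, so a combination such as BitsAllocated = 52, BitsStored = 1, HighBit = 0 still passes; that is the kind of input the 0010 patch description calls really unusual. It is worth asking upstream whether an upper bound, or at least a warning, for such combinations belongs in this check. The (BitsAllocated < BitsStored) term appears to be implied by the other two conditions, and the copyright-year hunk is unrelated to the fix and adds a place for the patch to stop applying on a later upstream import.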
=====================================
debian/patches/0009-CVE-2025-25475.patch
=====================================
@@ -0,0 +1,35 @@
+commit bffa3e9116abb7038b432443f16b1bd390e80245
+Author: Marco Eichelberg <eichelberg at offis.de>
+Date: Thu Jan 23 15:51:21 2025 +0100
+
+ Fixed issue with invalid RLE compressed DICOM images.
+
+ Fixed issue when processing an RLE compressed image where the RLE header
+ contains an invalid stripe size.
+
+ Thanks to Ding zhengzheng <xiaozheng.ding399 at gmail.com> for the report
+ and the sample file (PoC).
+
+--- dcmtk.orig/dcmdata/libsrc/dcrleccd.cc
++++ dcmtk/dcmdata/libsrc/dcrleccd.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 2002-2024, OFFIS e.V.
++ * Copyright (C) 2002-2025, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -348,6 +348,12 @@
+ } /* while */
+
+ // last fragment for this RLE stripe
++ if (inputBytes + byteOffset > fragmentLength)
++ {
++ DCMDATA_ERROR("stream size in RLE header is wrong");
++ inputBytes = fragmentLength-byteOffset;
++ }
++
+ result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
+
+ // special handling for zero pad byte at the end of the RLE stream
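Review bot: The clamp "inputBytes = fragmentLength-byteOffset;" in dcrleccd.cc is only safe if byteOffset <= fragmentLength, which the added condition does not establish. If these are unsigned and byteOffset is larger, the subtraction wraps and decompress() receives a very large length, and the sum "inputBytes + byteOffset" in the condition can wrap in the same way, depending on types not visible here. Suggest rejecting byteOffset > fragmentLength first and writing the comparison as inputBytes > fragmentLength - byteOffset. Also consider returning an error status rather than decoding a stripe whose header is already known to be wrong; the hunk logs DCMDATA_ERROR and then continues.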
=====================================
debian/patches/0010-CVE-2025-25474.patch
=====================================
@@ -0,0 +1,34 @@
+commit 1d205bcd307164c99e0d4bbf412110372658d847
+Author: Joerg Riesmeier <dicom at jriesmeier.com>
+Date: Tue Jan 21 11:12:28 2025 +0100
+
+ Fixed another issue with invalid DICOM images.
+
+ Fixed issue when processing an invalid DICOM image where the number of
+ pixels stored does not match the expected number of pixels (too less)
+ and the combination of BitsAllocated and BitsStored is really unusual
+ (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
+ pixel (e.g. a single bit) does not fit into the buffer of the input
+ pixel data, a buffer overflow occurred on the heap. Now, the last entry
+ of the buffer is filled with the smallest possible value (e.g. 0 in case
+ of unsigned data).
+
+ Thanks to Ding zhengzheng <xiaozheng.ding399 at gmail.com> for the report
+ and the sample file (PoC).
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/diinpxt.h
+@@ -643,6 +643,13 @@
+ skip -= times * bitsof_T1;
+ }
+ }
++ /* fill the remaining entry (if any) with the smallest value that is possible */
++ if (q < Data + Count)
++ {
++ DCMIMGLE_TRACE("not enough data, filling last entry of input buffer with value = " << getAbsMinimum());
++ *q = OFstatic_cast(T2, getAbsMinimum());
++ }
++
+ }
+ } else
+ DCMIMGLE_DEBUG("cannot allocate memory buffer for 'Data' in DiInputPixelTemplate::convert()");
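Review bot: The added block in diinpxt.h writes a single element at *q, so it only covers the case where exactly one entry is missing; if q can stop more than one element short of Data + Count, the remaining entries keep whatever the buffer held. Confirm from the loop above (not visible here) that at most one entry can be left, or fill through to Data + Count. The condition is reported with DCMIMGLE_TRACE although it signals malformed input, so a warning level would make it visible in normal operation. The patch header is a raw git commit header without the Bug-Debian and Reviewed-By fields that 0007 and 0008 carry.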
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,7 @@
#03_datadic_install.patch
07_dont_export_all_executables.patch
remove_version.patch
+0007-CVE-2024-47796.patch
+0008-CVE-2024-52333.patch
+0009-CVE-2025-25475.patch
+0010-CVE-2025-25474.patch
View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/25936bfef16c6fb58e1cc1685cea1a26ae027292...ba8004ca3ab6045867caebcbf1583e2d7170249a