[med-svn] [Git][med-team/dcmtk][master] 2 commits: 0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.

Étienne Mollier (@emollier) gitlab at salsa.debian.org
Wed Feb 19 21:31:42 GMT 2025 


Étienne Mollier pushed to branch master at Debian Med / dcmtk


Commits:
abf4e061 by Étienne Mollier at 2025-02-19T22:30:36+01:00
0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.

- - - - -
f2d9ee36 by Étienne Mollier at 2025-02-19T22:31:16+01:00
d/changelog: ready for upload to unstable.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0011-CVE-2025-25472.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,4 +1,4 @@
-dcmtk (3.6.9-4) UNRELEASED; urgency=medium
+dcmtk (3.6.9-4) unstable; urgency=medium
 
   * Team upload.
   * Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
@@ -6,8 +6,9 @@ dcmtk (3.6.9-4) UNRELEASED; urgency=medium
     Thanks to Salvatore Bonaccorso
   * 0009-CVE-2025-25475.patch: new: fix CVE-2025-25475. (Closes: #1098373)
   * 0010-CVE-2025-25474.patch: new: fix CVE-2025-25474. (Closes: #1098374)
+  * 0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.
 
- -- Étienne Mollier <emollier at debian.org>  Wed, 19 Feb 2025 21:56:48 +0100
+ -- Étienne Mollier <emollier at debian.org>  Wed, 19 Feb 2025 22:30:57 +0100
 
 dcmtk (3.6.9-3) unstable; urgency=medium
 


=====================================
debian/patches/0011-CVE-2025-25472.patch
=====================================
@@ -0,0 +1,49 @@
+commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
+Author: Joerg Riesmeier <dicom at jriesmeier.com>
+Date:   Fri Jan 17 17:53:50 2025 +0100
+
+    Fixed another issue with invalid mono images.
+    
+    Fixed issue when rendering an invalid monochrome DICOM image where the
+    number of pixels stored does not match the expected number of pixels.
+    In this case, only a single pixel is processed, but the pixel matrix is
+    much larger. Filling the rest of the pixel matrix with the smallest
+    possible value for the image is not working because of an optimized
+    memory usage (value would be out of range). Now, the pixel value to be
+    used is double-checked before it is actually filled into the "background"
+    of the image.
+    
+    Thanks to Ding zhengzheng <xiaozheng.ding399 at gmail.com> for the report
+    and the sample file (PoC).
+
+diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+index 50389a540..f67967310 100644
+--- a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -28,6 +28,7 @@
+ #include "dcmtk/ofstd/ofbmanip.h"
+ #include "dcmtk/ofstd/ofcast.h"
+ #include "dcmtk/ofstd/ofdiag.h"      /* for DCMTK_DIAGNOSTIC macros */
++#include "dcmtk/ofstd/oflimits.h"    /* for OFnumeric_limits<> */
+ 
+ #include "dcmtk/dcmimgle/dimopxt.h"
+ #include "dcmtk/dcmimgle/diinpx.h"
+@@ -72,9 +73,16 @@ class DiMonoInputPixelTemplate
+                 rescale(pixel);                     // "copy" or reference pixel data
+                 this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+             }
+-            /* erase empty part of the buffer (= fill the background with the smallest possible value) */
++            /* erase empty part of the buffer */
+             if ((this->Data != NULL) && (this->InputCount < this->Count))
+-                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
++            {
++                /* that means, fill the background with the smallest value that is possible */
++                const T3 minOut = OFnumeric_limits<T3>::min();
++                const T3 background = (this->Modality->getAbsMinimum() < OFstatic_cast(double, minOut)) ? minOut : OFstatic_cast(T3, this->Modality->getAbsMinimum());
++                const size_t count = (this->Count - this->InputCount);
++                DCMIMGLE_DEBUG("filing empty part of the intermediate pixel data (" << count << " pixels) with value = " << OFstatic_cast(double, background));
++                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, background, count);
++            }
+         }
+     }
+ 


=====================================
debian/patches/series
=====================================
@@ -6,3 +6,4 @@ remove_version.patch
 0008-CVE-2024-52333.patch
 0009-CVE-2025-25475.patch
 0010-CVE-2025-25474.patch
+0011-CVE-2025-25472.patch



View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/49bf780b4972bd8464cac0b1cf42fffb7812177b...f2d9ee36571912c0d7de2d335b1d79c47aaf548b

-- 
View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/49bf780b4972bd8464cac0b1cf42fffb7812177b...f2d9ee36571912c0d7de2d335b1d79c47aaf548b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-med-commit/attachments/20250219/ce85f65f/attachment-0001.htm>

More information about the debian-med-commit mailing list