[med-svn] [Git][med-team/dcmtk][master] 3 commits: CVE-2026-10194.patch: new: fix CVE-2026-10194.
Étienne Mollier (@emollier)
gitlab at salsa.debian.org
Mon Jun 8 18:49:22 BST 2026
Étienne Mollier pushed to branch master at Debian Med / dcmtk
Commits:
4cdc9b71 by Étienne Mollier at 2026-06-08T19:13:13+02:00
CVE-2026-10194.patch: new: fix CVE-2026-10194.
Closes: #1139181
- - - - -
e1a42b44 by Étienne Mollier at 2026-06-08T19:14:21+02:00
d/control: add myself to uploaders.
- - - - -
10646038 by Étienne Mollier at 2026-06-08T19:48:40+02:00
d/changelog: ready for urgent upload to unstable.
- - - - -
4 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2026-10194.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+dcmtk (3.7.0+really3.7.0-5) unstable; urgency=high
+
+ * CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181)
+ * d/control: add myself to uploaders.
+
+ -- Étienne Mollier <emollier at debian.org> Mon, 08 Jun 2026 19:14:40 +0200
+
dcmtk (3.7.0+really3.7.0-4) unstable; urgency=medium
* Team upload.
=====================================
debian/control
=====================================
@@ -1,6 +1,8 @@
Source: dcmtk
Maintainer: Debian Med Packaging Team <debian-med-packaging at lists.alioth.debian.org>
-Uploaders: Gert Wollny <gewo at debian.org>, Mathieu Malaterre <malat at debian.org>
+Uploaders: Gert Wollny <gewo at debian.org>,
+ Mathieu Malaterre <malat at debian.org>,
+ Étienne Mollier <emollier at debian.org>
Section: science
Build-Depends: cmake,
debhelper-compat (= 13),
=====================================
debian/patches/CVE-2026-10194.patch
=====================================
@@ -0,0 +1,67 @@
+Description: Fixed remote heap buffer overflow in dcmqrscp.
+ Thanks to 'elp3pinill0' for the bug report, detailed
+ analysis, proof of concept and proposed fix.
+Author: Marco Eichelberg <eichelberg at offis.de>
+Applied-Upstream: 0f78a4ef6f645ea5530166e445e5436a5de58e75
+Last-Update: 2026-05-04
+Bug: https://support.dcmtk.org/redmine/issues/1206
+Bug-Debian: https://bugs.debian.org/1139181
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+
+diff --git a/dcmqrdb/libsrc/dcmqrdbi.cc b/dcmqrdb/libsrc/dcmqrdbi.cc
+index c91116a1c..ee308abe1 100644
+--- a/dcmqrdb/libsrc/dcmqrdbi.cc
++++ b/dcmqrdb/libsrc/dcmqrdbi.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1993-2025, OFFIS e.V.
++ * Copyright (C) 1993-2026, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -2471,12 +2471,16 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages(StudyDescRec
+
+ DB_IdxInitLoop (&(handle_ -> idxCounter)) ;
+ while ( DB_IdxGetNext(&(handle_ -> idxCounter), &idxRec) == EC_Normal ) {
+- if ( ! ( strncmp(idxRec. StudyInstanceUID, StudyUID, n) ) ) {
+-
+- StudyArray[nbimages]. idxCounter = handle_ -> idxCounter ;
+- StudyArray[nbimages]. RecordedDate = idxRec. RecordedDate ;
+- StudyArray[nbimages++]. ImageSize = idxRec. ImageSize ;
+- }
++ if ( ! ( strncmp(idxRec. StudyInstanceUID, StudyUID, n) ) ) {
++ StudyArray[nbimages]. idxCounter = handle_ -> idxCounter ;
++ StudyArray[nbimages]. RecordedDate = idxRec. RecordedDate ;
++ StudyArray[nbimages++]. ImageSize = idxRec. ImageSize ;
++ if (nbimages == MAX_NUMBER_OF_IMAGES) {
++ // too many images in this study, bail out
++ DCMQRDB_ERROR("maximum number of images per study (" << MAX_NUMBER_OF_IMAGES << ") exceeded");
++ return QR_EC_IndexDatabaseError;
++ }
++ }
+ }
+
+ /** Sort the StudyArray in order to have the oldest images first
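Review bot: the bound check at `if (nbimages == MAX_NUMBER_OF_IMAGES)` sits after the write `StudyArray[nbimages++]. ImageSize = idxRec. ImageSize ;`, so it does stop the write that would run past the end of StudyArray, but it also turns a study holding exactly MAX_NUMBER_OF_IMAGES matching index records into a hard QR_EC_IndexDatabaseError, because the loop cannot know that no further match follows. Testing `nbimages >= MAX_NUMBER_OF_IMAGES` before the three assignments instead would reject only the record that would actually overflow, and the log text "exceeded" would then describe what happened (as written it fires when the maximum is merely reached). The fix also relies on StudyArray having MAX_NUMBER_OF_IMAGES entries; its declaration is not in the diff, so that size should be confirmed. Finally, the removed and re-added lines differ only in indentation, which buries the single functional addition in a whitespace change; keeping the original indentation would make the security fix easier to audit and to backport.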
+@@ -2563,6 +2567,8 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::checkupinStudyDesc(StudyDescRec
+ s = matchStudyUIDInStudyDesc (pStudyDesc, StudyUID,
+ (int)(handle_ -> maxStudiesAllowed)) ;
+
++ OFCondition cond;
++
+ /** If Study already exists
+ */
+
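Review bot: `OFCondition cond;` is introduced well ahead of its only visible use in the deleteOldestImages call further down; unless another branch of checkupinStudyDesc reuses it, declaring it at the call site (`OFCondition cond = deleteOldestImages(...)`) keeps declaration and use together and avoids a variable that reads as uninitialised between the two hunks.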
+@@ -2583,10 +2589,10 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::checkupinStudyDesc(StudyDescRec
+
+ RequiredSize = imageSize -
+ ( handle_ -> maxBytesPerStudy - pStudyDesc[s]. StudySize ) ;
+- deleteOldestImages(pStudyDesc, s, StudyUID, RequiredSize) ;
++ cond = deleteOldestImages(pStudyDesc, s, StudyUID, RequiredSize) ;
++ if (cond.bad()) return cond;
+ }
+
+-
+ }
+ else {
+ #ifdef DEBUG
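Review bot: `if (cond.bad()) return cond;` propagates the new error from this call site only; deleteOldestImages already returned an OFCondition before this patch (see its signature in the earlier hunk) and the value was simply dropped here, so any other caller that still ignores the result would now carry on after the early return with no images deleted and no error reported, and those call sites should be checked as part of this fix. Note also that returning the error here makes storing a new image into a study that has filled StudyArray fail outright instead of freeing space, which is a behavioural change for dcmqrscp deployments that may merit a changelog or NEWS mention.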
=====================================
debian/patches/series
=====================================
@@ -5,3 +5,4 @@ remove_version.patch
skip-bigendian-roundtrip-failure.patch
hurd.patch
CVE-2026-5663.patch
+CVE-2026-10194.patch
View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/213f23d808e97458c73dd6689b35d3466c4cc556...10646038e055de77006f57a49558b52beee7b78e