[med-svn] [Git][med-team/invesalius][master] 6 commits: Fix CVE-2024-42845 (eval injection in DICOM reader). Closes: #1082875.
Santiago Vila (@sanvila)
gitlab at salsa.debian.org
Thu May 7 12:03:08 BST 2026
Santiago Vila pushed to branch master at Debian Med / invesalius
Commits:
9c9d6599 by Adrian Bunk at 2026-05-07T12:50:00+02:00
Fix CVE-2024-42845 (eval injection in DICOM reader). Closes: #1082875.
- - - - -
d4dd1451 by Santiago Vila at 2026-05-07T12:51:00+02:00
d/control: Drop "Rules-Requires-Root: no" (default).
- - - - -
a2f25409 by Santiago Vila at 2026-05-07T12:52:00+02:00
d/control: Drop "Priority: optional" (default).
- - - - -
71d8b049 by Santiago Vila at 2026-05-07T12:53:00+02:00
d/control: Update standards-version.
- - - - -
d8f7b5a1 by Santiago Vila at 2026-05-07T12:54:00+02:00
d/salsa-ci.yml: Use the simplified version.
- - - - -
cf360b5c by Santiago Vila at 2026-05-07T12:55:00+02:00
Upload for unstable as 3.1.99998-8
- - - - -
5 changed files:
- debian/changelog
- debian/control
- + debian/patches/fix-cve-2024-42845.patch
- debian/patches/series
- debian/salsa-ci.yml
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+invesalius (3.1.99998-8) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Adrian Bunk ]
+ * Fix CVE-2024-42845 (eval injection in DICOM reader). Closes: #1082875.
+
+ [ Santiago Vila ]
+ * Drop "Rules-Requires-Root: no" (default).
+ * Drop "Priority: optional" (default).
+ * Update standards-version.
+ * Simplify salsa-ci.yml.
+
+ -- Santiago Vila <sanvila at debian.org> Thu, 07 May 2026 12:55:00 +0200
+
invesalius (3.1.99998-7) unstable; urgency=medium
* Team upload.
=====================================
debian/control
=====================================
@@ -3,7 +3,6 @@ Maintainer: Debian Med Packaging Team <debian-med-packaging at lists.alioth.debian.
Uploaders: Andreas Tille <tille at debian.org>,
Thiago Franco de Moraes <tfmoraes at cti.gov.br>
Section: graphics
-Priority: optional
Build-Depends: debhelper-compat (= 13),
python3-dev,
python3-setuptools,
@@ -13,11 +12,10 @@ Build-Depends: debhelper-compat (= 13),
python3-numpy,
python3-puremagic
Build-Depends-Indep: python3
-Standards-Version: 4.7.0
+Standards-Version: 4.7.4
Vcs-Browser: https://salsa.debian.org/med-team/invesalius
Vcs-Git: https://salsa.debian.org/med-team/invesalius.git
Homepage: https://www.cti.gov.br/invesalius/
-Rules-Requires-Root: no
Package: invesalius
Architecture: all
=====================================
debian/patches/fix-cve-2024-42845.patch
=====================================
@@ -0,0 +1,24 @@
+From: Thiago Franco de Moraes <totonixsame at gmail.com>
+Subject: Removed eval from dicom.py (#820)
+Origin: upstream, https://github.com/invesalius/invesalius3/commit/020cd6056c30105a870cfea99939282b6ec5640b
+
+--- a/invesalius/reader/dicom.py
++++ b/invesalius/reader/dicom.py
+@@ -443,7 +443,7 @@
+ except (KeyError):
+ return ""
+ if data:
+- return [eval(value) for value in data.split("\\")]
++ return [float(value) for value in data.split("\\")]
+ return ""
+
+ def GetImageLocation(self):
+@@ -456,7 +456,7 @@
+ """
+ data = self.data_image[str(0x020)][str(0x1041)]
+ if data:
+- return eval(data)
++ return float(data)
+ return ""
+
+ def GetImageOffset(self):
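Review bot: `float(value)` in the first inner hunk and `float(data)` in the second raise ValueError on any non-numeric string, and nothing visible catches it. The `except (KeyError)` shown ends before the `if data:` branch, and the second hunk shows no handler at all. A file whose tag holds an expression no longer executes, which is the point of the fix, but it now aborts the read with an uncaught exception, as does any malformed value such as an empty component after a trailing backslash. Consider catching ValueError around both conversions and returning "" as the existing fallbacks do, or confirm that the callers handle the exception. Also check callers for the type change: `eval` returned an int for a value like "1", and these lines now always return floats. The patch header could also carry a Bug-Debian field pointing at #1082875 so the patch is traceable on its own.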
=====================================
debian/patches/series
=====================================
@@ -7,3 +7,4 @@
python3.13
fix-my-types.patch
workaround-dropped-inner1d.patch
+fix-cve-2024-42845.patch
=====================================
debian/salsa-ci.yml
=====================================
@@ -1,4 +1,3 @@
---
include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
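Review bot: the added include for `recipes/debian.yml` resolves through `raw/master`, so the CI definition that builds this security upload is taken from a moving branch of another repository. The two removed includes had the same property, so this is not a regression. If team policy allows it, pinning the include to a tag or commit would make pipeline runs reproducible and reviewable.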
View it on GitLab: https://salsa.debian.org/med-team/invesalius/-/compare/b0bfc31613cfe3b674a86dc03c0eba2ea46cbacc...cf360b5c05183ee8230eddd42203907f21eb19f2