[Debian-med-packaging] Wheezy update of dcmtk?

Bálint Réczey balint at balintreczey.hu
Mon Dec 19 14:58:25 UTC 2016


Hi,

2016-12-19 9:10 GMT+01:00 Sébastien Jodogne <s.jodogne at gmail.com>:
> Dear all,
>
>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>> > Hello dear maintainer(s),
>> >
>> > the Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of dcmtk:
>> > https://security-tracker.debian.org/tracker/CVE-2015-8979
>> >
>> > Would you like to take care of this yourself?
>>
>> I personally do not feel capable of doing so and Mathieu left the team - so I
>> would be astonished (but definitely happy!) if he would step in for this
>> task.  If you do not receive a positive response from Gert I doubt that
>> anybody else from the team would take over.
>
>
> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>
> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
> week in order to fix this vulnerability in its static builds (notably for
> Windows and OS X). The patch we applied can be found at the following
> location:
> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>
> As this patch is very simple (six lines of code), it should be easy to
> backport it to the DCMTK Debian package.
>
> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
> currently under heavy pressure wrt. the Orthanc upstream project... maybe
> someone could do this backporting job?

I'll do it in a few hours.
I have also claimed the package in dla-needed.txt.

Cheers,
Balint


