[Debian-med-packaging] Wheezy update of dcmtk?
Balint Reczey
balint at balintreczey.hu
Tue Dec 20 16:17:41 UTC 2016
On 12/19/2016 03:58 PM, Bálint Réczey wrote:
> Hi,
>
> 2016-12-19 9:10 GMT+01:00 Sébastien Jodogne <s.jodogne at gmail.com>:
>> Dear all,
>>
>>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>>>> Hello dear maintainer(s),
>>>>
>>>> the Debian LTS team would like to fix the security issues which are
>>>> currently open in the Wheezy version of dcmtk:
>>>> https://security-tracker.debian.org/tracker/CVE-2015-8979
>>>>
>>>> Would you like to take care of this yourself?
>>>
>>> I personally do not feel capable of doing so, and Mathieu left the team, so I
>>> would be astonished (but definitely happy!) if he stepped in for this
>>> task. If you do not receive a positive response from Gert, I doubt that
>>> anybody else from the team would take over.
>>
>>
>> I personally consider this issue severe, as any DCMTK 3.6.0-based DICOM
>> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>>
>> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
>> week in order to fix this vulnerability in its static builds (notably for
>> Windows and OS X). The patch we applied can be found at the following
>> location:
>> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>>
>> As this patch is very simple (six lines of code), it should be easy to
>> backport it to the DCMTK Debian package.
>>
>> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
>> currently under heavy pressure wrt. the Orthanc upstream project... maybe
>> someone could do this backporting job?
>
> I'll do it in a few hours.
> I have also claimed the package in dla-needed.txt.
Thank you for the additional info and the potential patch.
I have prepared the update for Wheezy based on the upstream patch
instead, to diverge less from upstream in case we have to patch the code
further. The error reporting is also more verbose and accurate.
Please see the diff against the previous version attached.
Changes:
dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
.
* LTS Team upload.
* Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
* Enable tests for the fix
I plan to upload the package today around 22:00 UTC.
The binary packages for amd64 are also available for testing here:
deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
Cheers,
Balint
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcmtk_3.6.0-12+deb7u1.patch
Type: text/x-patch
Size: 36325 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20161220/e2662468/attachment-0001.bin>