[Debian-med-packaging] Wheezy update of dcmtk?

Bálint Réczey balint at balintreczey.hu
Tue Dec 20 23:18:25 UTC 2016


Dear Andreas & Med Team,

I have tested the patch with the Jessie version, too, to see if the exploit
stops working with orthanc, and it does stop working indeed.
(Wheezy does not have orthanc.)

The debdiff is basically the same. Should I contact the Security Team about
fixing it in Jessie, too, or someone else from the team will take care of this?

Cheers,
Balint

2016-12-20 17:17 GMT+01:00 Balint Reczey <balint at balintreczey.hu>:
> On 12/19/2016 03:58 PM, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-12-19 9:10 GMT+01:00 Sébastien Jodogne <s.jodogne at gmail.com>:
>>> Dear all,
>>>
>>>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>>>>> Hello dear maintainer(s),
>>>>>
>>>>> the Debian LTS team would like to fix the security issues which are
>>>>> currently open in the Wheezy version of dcmtk:
>>>>> https://security-tracker.debian.org/tracker/CVE-2015-8979
>>>>>
>>>>> Would you like to take care of this yourself?
>>>>
>>>> I personally feel not capable to do so and Mathieu left the team - so I
>>>> would be astonished (but definitely happy!) if he would step in for this
>>>> task.  If you do not receive a positive response from Gert I doubt that
>>>> anybody else from the team would take over.
>>>
>>>
>>> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
>>> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>>>
>>> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
>>> week in order to fix this vulnerability in its static builds (notably for
>>> Windows and OS X). The patch we applied can be found at the following
>>> location:
>>> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>>>
>>> As this patch is very simple (six lines of code), it should be easy to
>>> backport it to the DCMTK Debian package.
>>>
>>> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
>>> currently under heavy pressure wrt. the Orthanc upstream project... maybe
>>> someone could do this backporting job?
>>
>> I'll do it in a few hours.
>> I have also claimed the package in dla-needed.txt.
>
> Thank you for the additional info and the potential patch.
>
> I have prepared the update for Wheezy based on the upstream patch
> instead, to diverge less from upstream in case we have to patch the code
> further. The error reporting is also more verbose and accurate.
>
> Please see the diff to previous version attached.
>
> Changes:
>  dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
>  .
>    * LTS Team upload.
>    * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
>    * Enable tests for the fix
>
> I plan to upload the package today around 22:00 UTC.
>
> The binary packages for amd64 are also available for testing here:
>
>  deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
>
> Cheers,
> Balint
>
