[Debian-med-packaging] Bug#1078169: bullseye-pu: package xmedcon/0.16.3+dfsg-1+deb11u1

Étienne Mollier emollier at debian.org
Wed Aug 7 18:57:03 BST 2024


Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: xmedcon at packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org at packages.debian.org
Usertags: pu

Greetings,

This is basically the same request as #1077549 except this time
it is for oldstable bullseye.

[ Reason ]
xmedcon in bullseye is affected by CVE-2024-29421.  It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code".  It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update.  The issue is tracked in #1077369.

[ Impact ]
xmedcon in bullseye will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.

[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom image taken from
other Debian Med sample files.  I also verified that the dicom
visualizer amide, which depends on the libmdc3, was not showing
obvious breakages caused by the change.

[ Risks ]
The patch fits in a screen and felt fairly obvious what is was
doing to me, so I don't believe it's highly risky.  It has one
reverse dependency, amide, that does not seem to show much
issues with the change this far.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in oldstable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.

[ Other info ]
Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/0, please excuse my verbosity
   `-
-------------- next part --------------
diff -Nru xmedcon-0.16.3+dfsg/debian/changelog xmedcon-0.16.3+dfsg/debian/changelog
--- xmedcon-0.16.3+dfsg/debian/changelog	2020-12-07 15:51:18.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/changelog	2024-08-07 18:10:18.000000000 +0200
@@ -1,3 +1,10 @@
+xmedcon (0.16.3+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emollier at debian.org>  Wed, 07 Aug 2024 18:10:18 +0200
+
 xmedcon (0.16.3+dfsg-1) unstable; urgency=medium
 
   * Build-Depends: s/libnifti-dev/libnifti2-dev/
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch
--- xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch	2024-08-07 18:08:39.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Prevent overflow of value before a malloc().
+ This patch includes commits a35cd9b856c23e20cc1753e36cd9228391366082
+ from upstream, and 5131a648f09a82c26088b340bdd983fd09a6e19e for
+ additional error messaging.  This fixes CVE-2024-29421.
+
+Author: Erik Nolf
+Origin: upstream,
+        https://sourceforge.net/p/xmedcon/code/ci/5131a648f09a82c26088b340bdd983fd09a6e19e/,
+        https://sourceforge.net/p/xmedcon/code/ci/434925fca63c855dd6d24e4c018c2fa745646f9e/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077369
+Reviewed-by: Étienne Mollier <emollier at debian.org>
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: - simply prevent length values that will overflow  */
++  /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++  /* eNlf: a heap overflow due to a small value at malloc()   */
++  /* eNlf: notified by Spike Reply Cyber Security Team        */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: prevent overflowed value - see dicom_load() */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/series xmedcon-0.16.3+dfsg/debian/patches/series
--- xmedcon-0.16.3+dfsg/debian/patches/series	2020-12-07 15:51:18.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/patches/series	2024-08-07 18:08:39.000000000 +0200
@@ -2,3 +2,4 @@
 add_gtk_libraries_to_linker.patch
 use_debian_packaged_niftilib.patch
 cross.patch
+CVE-2024-29421.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20240807/758d0208/attachment.sig>


More information about the Debian-med-packaging mailing list