[Debian-med-packaging] Bug#1078169: bullseye-pu: package xmedcon/0.16.3+dfsg-1+deb11u1
Étienne Mollier
emollier at debian.org
Wed Aug 7 18:57:03 BST 2024
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: xmedcon at packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org at packages.debian.org
Usertags: pu
Greetings,
This is basically the same request as #1077549 except this time
it is for oldstable bullseye.
[ Reason ]
xmedcon in bullseye is affected by CVE-2024-29421. It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code". It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update. The issue is tracked in #1077369.
[ Impact ]
xmedcon in bullseye will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.
[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom images taken from
other Debian Med sample files. I also verified that the dicom
visualizer amide, which depends on libmdc3, was not showing
obvious breakages caused by the change.
[ Risks ]
The patch fits in a screen and it felt fairly obvious to me what it was
doing, so I don't believe it's highly risky. It has one
reverse dependency, amide, that does not seem to show many
issues with the change this far.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in oldstable
[*] the issue is verified as fixed in unstable
[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.
[ Other info ]
Have a nice day, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/0, please excuse my verbosity
`-
-------------- next part --------------
diff -Nru xmedcon-0.16.3+dfsg/debian/changelog xmedcon-0.16.3+dfsg/debian/changelog
--- xmedcon-0.16.3+dfsg/debian/changelog 2020-12-07 15:51:18.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/changelog 2024-08-07 18:10:18.000000000 +0200
@@ -1,3 +1,10 @@
+xmedcon (0.16.3+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emollier at debian.org> Wed, 07 Aug 2024 18:10:18 +0200
+
xmedcon (0.16.3+dfsg-1) unstable; urgency=medium
* Build-Depends: s/libnifti-dev/libnifti2-dev/
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch
--- xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch 2024-08-07 18:08:39.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Prevent overflow of value before a malloc().
+ This patch includes commits a35cd9b856c23e20cc1753e36cd9228391366082
+ from upstream, and 5131a648f09a82c26088b340bdd983fd09a6e19e for
+ additional error messaging. This fixes CVE-2024-29421.
+
+Author: Erik Nolf
+Origin: upstream,
+ https://sourceforge.net/p/xmedcon/code/ci/5131a648f09a82c26088b340bdd983fd09a6e19e/,
+ https://sourceforge.net/p/xmedcon/code/ci/434925fca63c855dd6d24e4c018c2fa745646f9e/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077369
+Reviewed-by: Étienne Mollier <emollier at debian.org>
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
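Review bot: the Description and the Origin field of this DEP-3 header disagree on which upstream commits the patch was taken from: the Description names a35cd9b856c23e20cc1753e36cd9228391366082 and 5131a648f09a82c26088b340bdd983fd09a6e19e, while Origin lists 5131a648f09a82c26088b340bdd983fd09a6e19e and 434925fca63c855dd6d24e4c018c2fa745646f9e. One of the two lists is wrong; please reconcile them so a reviewer can check the backport against the exact upstream commits. A minor style point: `Author: Erik Nolf` carries no address, which DEP-3 permits, but copying the author line from the upstream commit would make cross-checking easier.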
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+ if (element.vr==SQ || element.length==0xFFFFFFFF)
+ return 0;
+
++ /* eNlf: - simply prevent length values that will overflow */
++ /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++ /* eNlf: a heap overflow due to a small value at malloc() */
++ /* eNlf: notified by Spike Reply Cyber Security Team */
++ if (element.length > (0xFFFFFFFF - 4)) {
++ dicom_log(ERROR,"Unsupported element length");
++ dicom_close();
++ return -4;
++ }
++
+ if (element.group==0xFFFE)
+ if (!element.encapsulated)
+ return 0;
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+ if (element.vr==SQ || element.length==0xFFFFFFFF)
+ return 0;
+
++ /* eNlf: prevent overflowed value - see dicom_load() */
++ if (element.length > (0xFFFFFFFF - 4)) {
++ dicom_log(ERROR,"Unsupported element length");
++ dicom_close();
++ return -4;
++ }
++
+ if (element.group==0xFFFE)
+ if (!element.encapsulated)
+ return 0;
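Review bot: the guard added to mdc_dicom_load() is a verbatim copy of the one added to dicom_load() (`if (element.length > (0xFFFFFFFF - 4)) {` followed by the same log/close/`return -4;` sequence), so consider factoring the bound and the error path into one small helper so the two call sites cannot drift apart. Writing the bound as `UINT32_MAX - 4` with a comment tying the 4 to the bytes added before the malloc() the Description mentions would make the assumption explicit that element.length is a 32-bit unsigned value, an assumption the preceding `element.length==0xFFFFFFFF` sentinel check already relies on. The malloc() site itself is outside the hunk context, so a pointer to it in the eNlf comment would let a reviewer confirm that +4 is the only addition the check needs to cover.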
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/series xmedcon-0.16.3+dfsg/debian/patches/series
--- xmedcon-0.16.3+dfsg/debian/patches/series 2020-12-07 15:51:18.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/patches/series 2024-08-07 18:08:39.000000000 +0200
@@ -2,3 +2,4 @@
add_gtk_libraries_to_linker.patch
use_debian_packaged_niftilib.patch
cross.patch
+CVE-2024-29421.patch
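The guard in the patch exists because element.length is a 32-bit unsigned value read from the file, and adding a small constant to it before malloc() can wrap to a tiny allocation that a later copy of element.length bytes then overruns. The following C program is an added illustration of that failure mode and of the fix, not code from xmedcon or from the patch: the `naive_alloc_size`, `guarded_alloc_size` and `load_element` functions, the 4-byte padding constant and the error code of -4 are a constructed model of the pattern the patch protects, chosen to match the bound `0xFFFFFFFF - 4` and the return value used in the hunks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not xmedcon code: the loader allocates the element
 * length plus a few extra bytes. The 4 matches the patch's bound. */
#define ELEMENT_PAD 4u

/* Naive size computation: for length > UINT32_MAX - 4 the sum wraps,
 * e.g. 0xFFFFFFFE + 4 == 2, so malloc() would return a 2-byte buffer. */
uint32_t naive_alloc_size(uint32_t length) {
    return length + ELEMENT_PAD;
}

/* Guarded computation, mirroring the patch's check
 * `element.length > (0xFFFFFFFF - 4)`: returns 0 and stores the size on
 * success, or -4 (the patch's error code) when the sum would wrap. */
int guarded_alloc_size(uint32_t length, uint32_t *out) {
    if (length > UINT32_MAX - ELEMENT_PAD) {
        return -4;
    }
    *out = length + ELEMENT_PAD;
    return 0;
}

/* Simulated element load: allocate the padded buffer and copy `length`
 * payload bytes into it. Returns the bytes copied, or -1 if the length
 * was rejected (or the allocation failed). With the naive size the
 * memcpy would write past a 2-byte buffer for length 0xFFFFFFFE. */
long load_element(uint32_t length, const unsigned char *payload) {
    uint32_t size;
    if (guarded_alloc_size(length, &size) != 0) {
        fprintf(stderr, "Unsupported element length %u\n", length);
        return -1;
    }
    unsigned char *buf = malloc(size);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, payload, length); /* safe: size == length + 4 >= length */
    free(buf);
    return (long)length;
}

/* Demo wrappers with constructed input: a 16-byte zeroed payload. */
long load_small_demo(void) {
    unsigned char payload[16] = {0};
    return load_element(16, payload);
}

/* The oversized length is rejected before any copy, so the short
 * payload is never read beyond its bounds. */
long load_huge_demo(void) {
    unsigned char payload[16] = {0};
    return load_element(0xFFFFFFFEu, payload);
}

int main(void) {
    printf("naive size for 0xFFFFFFFE: %u\n", naive_alloc_size(0xFFFFFFFEu));
    printf("load 16 bytes -> %ld\n", load_small_demo());
    printf("load 0xFFFFFFFE bytes -> %ld\n", load_huge_demo());
    return 0;
}
```

The boundary cases are the ones worth checking: 0xFFFFFFFB + 4 is exactly UINT32_MAX and is accepted, while 0xFFFFFFFC is the smallest length the guard rejects. A detection-side takeaway is that the log line emitted on rejection ("Unsupported element length") is the signal that a file carried an element length near the 32-bit limit, which no real DICOM dataset needs.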