[Debian-med-packaging] Bug#1074534: Bug#1074534: dcm2niix: CVE-2024-27629
Salvatore Bonaccorso
carnil at debian.org
Thu Aug 8 04:43:37 BST 2024
Hi Étienne,
On Wed, Aug 07, 2024 at 10:54:25PM +0200, Étienne Mollier wrote:
> Control: found -1 1.0.20220720-1
> Control: notfound -1 1.0.20201102-1
> Control: tags -1 + bookworm
>
> Greetings,
>
> I tried to stress the CVE-2024-27629 affecting dcm2niix:
> | An issue in dc2niix before v.1.0.20240202 allows a local attacker to
> | execute arbitrary code via the generated file name is not properly
> | escaped and injected into a system call when certain types of
> | compression are used.
>
> I think that I managed to trip the vulnerability on bookworm.
> But it seems that on bullseye, the file name embedded in the
> dicom file does not trip a shell command execution. Unless I
> missed something, it seems that the problem did not exist at that
> time.
>
> I'm considering preparing a bookworm proposed update with the
> patch for the next point release. I'm less sure about touching
> bullseye for this one: the patch mangles file name upon
> conversion, and there is no real benefit if the problem indeed
> does not appear on that old operating system level.
>
> Have a nice day, :)
Thanks for your work! And thanks for preparing the bookworm-pu update
if you find time for it.
About bullseye, yes this might be, it might be that the issue is
covered. If we are not 100% sure the vulnerable code is not there,
then rather err on the safe side and on tracker side do not mark it as
not-affected. But I agree then, that you leave the bullseye update out
for now. Maybe even leaning to mark it <ignored> in the
security-tracker for bullseye.
Regards,
Salvatore