[Debian-med-packaging] Bug#1074534: Bug#1074534: dcm2niix: CVE-2024-27629

Étienne Mollier emollier at debian.org
Thu Aug 8 08:06:05 BST 2024


Hi Salvatore,

Salvatore Bonaccorso, on 2024-08-08:
> Hi Étienne,
> 
> On Wed, Aug 07, 2024 at 10:54:25PM +0200, Étienne Mollier wrote:
> > Control: found -1 1.0.20220720-1
> > Control: notfound -1 1.0.20201102-1
> > Control: tags -1 + bookworm
> > 
> > Greetings,
> > 
> > I tried to stress the CVE-2024-27629 affecting dcm2niix:
> > | An issue in dc2niix before v.1.0.20240202 allows a local attacker to
> > | execute arbitrary code via the generated file name is not properly
> > | escaped and injected into a system call when certain types of
> > | compression are used.
> > 
> > I think that I managed to trip the vulnerability on bookworm.
> > But it seems that on bullseye, the file name embedded in the
> > dicom file does not trip a shell command execution.  Unless I
> > missed something, it seems that the problem did not exist at that
> > time.
> > 
> > I'm considering preparing a bookworm proposed update with the
> > patch for the next point release.  I'm less sure about touching
> > bullseye for this one: the patch mangles file name upon
> > conversion, and there is no real benefit if the problem indeed
> > does not appear on that old operating system level.
> > 
> > Have a nice day,  :)
> 
> Thanks for your work! And thanks for preparing the bookworm-pu update
> if you find time for it.

The bookworm-pu would be #1078176.

> About bullseye, yes this might be, it might be that the issue is
> covered. If we are not 100% sure the vulnerable code is not there,
> then rather err on the safe side and on tracker side do not mark it as
> not-affected. But I agree then, that you leave the bullseye update out
> for now. Maybe even leaning to mark it <ignored> in the
> security-tracker for bullseye.

I agree <ignored> is probably the appropriate tagging.  It gives
a hint to passers-by that the change won't be applied.

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-
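The CVE text quoted in this thread describes a file name, taken from DICOM metadata, being pasted unescaped into a system call when compression is requested, and the fix discussed here mangles the name on conversion. The following is an added example, not code from this thread and not dcm2niix's own code, showing the two defensive layers a reviewer would look for: an allow-list sanitiser that neutralises shell metacharacters and a leading "-", and an exec path that passes the name as one argv element so no shell parses it at all. The compressor name and the "-f" / "--" options are assumptions (they follow getopt-style tools such as gzip); the function names and the sample metadata string are constructed for the example.

```cpp
// Added example (not dcm2niix code): hardening file-name handling before
// a path derived from DICOM metadata reaches an external compressor.
#include <cctype>
#include <cstring>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Characters /bin/sh would interpret if the name were pasted into a
// command string. Used only for the detection check below.
static const char kShellMeta[] = "|&;<>()$`\\\"' \t\n*?[]#~=%{}";

// Detection: true if the name contains anything a shell would interpret.
bool hasShellMetachars(const std::string& name) {
    for (char c : name) {
        if (std::strchr(kShellMeta, c) != nullptr) return true;
    }
    return false;
}

// Mitigation 1, allow-list mangling (the approach of the patch discussed
// above): anything outside [A-Za-z0-9._-] becomes '_', degenerate names
// get a fixed replacement, and a leading '-' is neutralised so the result
// can never be parsed as an option by the receiving program.
std::string sanitizeFileName(const std::string& name) {
    std::string out;
    out.reserve(name.size());
    for (unsigned char c : name) {
        bool ok = std::isalnum(c) || c == '.' || c == '_' || c == '-';
        out.push_back(ok ? static_cast<char>(c) : '_');
    }
    if (out.empty() || out == "." || out == "..") out = "unnamed";
    if (out[0] == '-') out[0] = '_';
    return out;
}

// The vulnerable pattern, kept here only as the "before" picture: one
// string handed to a shell, so metacharacters in the name become syntax.
// Quoting by hand does not fix this; the fix is to not involve a shell.
std::string buildShellCommandUnsafe(const std::string& compressor,
                                    const std::string& path) {
    return compressor + " -f \"" + path + "\"";  // never run this
}

// Mitigation 2: the path is a single argv element. No shell is involved,
// so the name is plain data whatever it contains. "--" ends option
// parsing for getopt-based tools (assumption: gzip-style interface).
std::vector<std::string> buildCompressArgv(const std::string& compressor,
                                           const std::string& path) {
    return {compressor, "-f", "--", path};
}

// Run argv directly via fork/execvp; returns the child's exit status,
// or -1 if it could not be started or did not exit normally.
int runWithoutShell(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed sample: a series description as it might sit in a DICOM
    // header, containing characters a shell would interpret.
    const std::string fromDicom = "Study 1 (T1) & more";
    const std::string safeName = sanitizeFileName(fromDicom);  // "Study_1__T1____more"
    const bool risky = hasShellMetachars(fromDicom);           // true
    const auto argv = buildCompressArgv("gzip", safeName + ".nii");
    // runWithoutShell(argv) would now compress the file with no shell in the loop.
    return (risky && !hasShellMetachars(safeName)) ? 0 : 1;
}
```

Both layers matter independently: the sanitiser keeps generated names predictable on disk, while the argv-based exec is what actually removes the injection, and it keeps working even if a future code path forgets to sanitise.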