[Debian-med-packaging] Bug#1077549: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1

Mon Jul 29 22:00:38 BST 2024

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon at packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org at packages.debian.org
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
xmedcon in bookworm is affected by CVE-2024-29421.  It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code".  It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update.  The issue is tracked in #1077369.

[ Impact ]
xmedcon in bookworm will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.

[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom image taken from
other Debian Med sample files.  I also verified that the dicom
visualizer amide, which depends on the libmdc3, was not showing
obvious breakages caused by the change.

Note: I do not know how to trip the vulnerability so I have not
stressed the mitigation per se.

[ Risks ]
The patch fits in a screen and felt fairly obvious what is was
doing to me, so I don't believe it's highly risky.  It has one
reverse dependency, amide, that does not seem to show much
issues with the change this far.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.

[ Other info ]
Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-    on air: Therion - The Leaf on the Oak of Far
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmedcon_0.23.0-gtk3+dfsg-1_to_0.23.0-gtk3+dfsg-1+deb12u1.patch
Type: text/x-diff
Size: 2394 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20240729/ca17e51c/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20240729/ca17e51c/attachment.sig>