[Debian-med-packaging] Bug#1077549: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
Étienne Mollier
emollier at debian.org
Mon Jul 29 22:00:38 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon at packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org at packages.debian.org
Usertags: pu
Hi Stable Release Managers,
[ Reason ]
xmedcon in bookworm is affected by CVE-2024-29421. It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code". It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update. The issue is tracked in #1077369.
[ Impact ]
xmedcon in bookworm will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.
[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom images taken from
other Debian Med sample files. I also verified that the dicom
visualizer amide, which depends on libmdc3, was not showing
obvious breakages caused by the change.
Note: I do not know how to trip the vulnerability so I have not
stressed the mitigation per se.
[ Risks ]
The patch fits in a screen and it felt fairly obvious what it was
doing to me, so I don't believe it's highly risky. It has one
reverse dependency, amide, that does not seem to show many
issues with the change this far.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.
[ Other info ]
Have a nice day, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/2, please excuse my verbosity
`- on air: Therion - The Leaf on the Oak of Far
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmedcon_0.23.0-gtk3+dfsg-1_to_0.23.0-gtk3+dfsg-1+deb12u1.patch
Type: text/x-diff
Size: 2394 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20240729/ca17e51c/attachment.patch>
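The [ Changes ] section describes the shape of the fix: check a DICOM element's declared length before trusting it, and fail the load instead of copying into a fixed buffer. The following is an added illustration of that guard, not xmedcon's code and not the upstream 0.24.0 patch. It assumes the implicit VR little-endian element layout (4-byte tag, 4-byte length, then the value), a hypothetical value buffer of 256 bytes, and three constructed input samples: a well-formed element, one declaring a length far larger than any buffer, and one whose declared length exceeds the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size destination, standing in for whatever a loader
 * would copy an element value into. Not a value taken from xmedcon. */
#define MAX_VALUE_LEN 256

typedef struct {
    uint16_t group;
    uint16_t element;
    uint32_t length;
    char     value[MAX_VALUE_LEN];
} dicom_element_t;

enum {
    DCM_OK              =  0,
    DCM_ERR_TRUNCATED   = -1,   /* declared length runs past the end of the input */
    DCM_ERR_TOO_LARGE   = -2,   /* declared length would overflow the value buffer */
    DCM_ERR_UNSUPPORTED = -3    /* 0xFFFFFFFF "undefined length": sequences are out of scope here */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t le32(const uint8_t *p)
{
    /* Cast each byte before shifting so 0xFF << 24 does not overflow a signed int. */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read one implicit VR little-endian element starting at *offset.
 * The declared length is validated against both the remaining input and the
 * destination buffer before any bytes are copied; on error *offset is untouched. */
int read_element_checked(const uint8_t *buf, size_t buflen, size_t *offset,
                         dicom_element_t *out)
{
    size_t off = *offset;
    if (off > buflen || buflen - off < 8)
        return DCM_ERR_TRUNCATED;               /* not even a full 8-byte header */

    uint32_t len = le32(buf + off + 4);
    if (len == 0xFFFFFFFFu)
        return DCM_ERR_UNSUPPORTED;
    if (len > MAX_VALUE_LEN - 1)                /* the guard: error out, do not copy */
        return DCM_ERR_TOO_LARGE;
    if (len > buflen - off - 8)                 /* claimed more bytes than the file holds */
        return DCM_ERR_TRUNCATED;

    out->group   = le16(buf + off);
    out->element = le16(buf + off + 2);
    out->length  = len;
    memcpy(out->value, buf + off + 8, len);
    out->value[len] = '\0';
    *offset = off + 8 + len;
    return DCM_OK;
}

/* Constructed samples (not real medical data). Tag (0008,0016) is SOP Class UID. */
static const uint8_t SAMPLE_OK[] = {
    0x08,0x00, 0x16,0x00,               /* tag, little-endian */
    0x06,0x00,0x00,0x00,                /* length 6 */
    '1','.','2','.','3','\0'            /* UID value, NUL-padded to even length */
};
static const uint8_t SAMPLE_HUGE[] = {
    0x08,0x00, 0x16,0x00,
    0xF0,0xFF,0xFF,0xFF,                /* length 0xFFFFFFF0: larger than any buffer */
    '1','.','2'
};
static const uint8_t SAMPLE_TRUNC[] = {
    0x08,0x00, 0x16,0x00,
    0x10,0x00,0x00,0x00,                /* length 16 claimed, only 3 value bytes follow */
    '1','.','2'
};

static dicom_element_t last;

int parse_sample_ok(void)    { size_t o = 0; return read_element_checked(SAMPLE_OK,    sizeof SAMPLE_OK,    &o, &last); }
int parse_sample_huge(void)  { size_t o = 0; return read_element_checked(SAMPLE_HUGE,  sizeof SAMPLE_HUGE,  &o, &last); }
int parse_sample_trunc(void) { size_t o = 0; return read_element_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &o, &last); }
const char *last_value(void)  { return last.value; }
uint32_t    last_length(void) { return last.length; }

int main(void)
{
    printf("well-formed: %d (value \"%s\")\n", parse_sample_ok(), last_value());
    printf("oversized length: %d\n", parse_sample_huge());
    printf("truncated value: %d\n", parse_sample_trunc());
    return 0;
}
```

The two rejecting paths matter for different reasons: the "too large" check is the one that stops a hostile length from driving a copy past the destination buffer, while the "truncated" check stops an over-read of the input; a loader that only had the second check would still overflow when the file really does contain that many bytes.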