[Debian-med-packaging] Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391

[Moritz Mühlenhoff]

Source: gdcm
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm.

These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
    https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
    https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
    https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.