[Debian-med-packaging] Bug#1095072: orthanc: Orthanc crashes with latest dcmtk or libdcmtk15 security update

Sébastien Jodogne s.jodogne at gmail.com
Mon Feb 3 14:37:01 GMT 2025


Hello,

Thanks for the report. However, this bug is not specific to the
"orthanc" package and should be reassigned to the "dcmtk" package.

To reproduce, in terminal 1:

$ docker run --rm -t -i -p 2000:2000 debian:bullseye
# apt update && apt install -y dcmtk
# storescp 2000

In terminal 2:

$ storescu localhost 2000 sample.dcm

This results in a segmentation fault in terminal 1.

A similar issue is reported in Ubuntu 20.04:
https://bugs.launchpad.net/ubuntu/+source/dcmtk/+bug/2081100

Kind Regards,
Sébastien-


On Mon, 3 Feb 2025 at 15:18, <inframan at alara-group.fr> wrote:
>
> Package: orthanc
> Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: debian-lts at lists.debian.org
>
> Dear Maintainer,
>
> The last dcmtk/libdcmtk15 security update (3.6.5-1+deb11u1) causes
> orthanc server to segfault as soon as a dicom file is received.
>
> Here is the content of syslog:
> Feb  3 14:02:27 quaoar systemd[1]: Started Lightweight, RESTful DICOM server for healthcare and medical research.
> Feb  3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)[7fea924cf000+ad000]
> Feb  3 14:02:46 quaoar kernel: [ 2559.248240] Code: 48 89 c2 48 c7 40 10 00 00 00 00 c6 40 18 00 48 8d 05 04 37 07 00 48 89 02 48 89 5a 20 5b 5d 41 5c e9 64 b4 f9 ff 0f 1f 40 00 <48> 83 7f 10 00 41 54 74 27 48 8b 47 08 48 8b 70 08 80 7e 18 00 75
> Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, code=killed, status=11/SEGV
> Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.
>
> I have been able to reproduce this crash on a fresh bullseye install with default
> configuration for everything (and just sending a dicom file on port 4242).
>
> Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the problem, but is obviously not an acceptable solution, as it leaves the system with a security hole.
>
> Thank you in advance,
>
> Nicolas Chamouard
>
>
> -- System Information:
> Debian Release: 11.11
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-33-cloud-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages orthanc depends on:
> ii  adduser                                            3.118+deb11u1
> ii  dcmtk                                              3.6.5-1
> ii  init-system-helpers                                1.60
> ii  libboost-filesystem1.74.0                          1.74.0-9
> ii  libboost-iostreams1.74.0                           1.74.0-9
> ii  libboost-locale1.74.0                              1.74.0-9
> ii  libboost-regex1.74.0 [libboost-regex1.74.0-icu67]  1.74.0-9
> ii  libboost-thread1.74.0                              1.74.0-9
> ii  libc6                                              2.31-13+deb11u11
> ii  libcivetweb1                                       1.13+dfsg-5
> ii  libcurl4                                           7.74.0-1.3+deb11u14
> ii  libdcmtk15                                         3.6.5-1
> ii  libgcc-s1                                          10.2.1-6
> ii  libjpeg62-turbo                                    1:2.0.6-4
> ii  libjsoncpp24                                       1.9.4-4
> ii  liblua5.3-0                                        5.3.3-1.1+deb11u1
> ii  libpng16-16                                        1.6.37-3
> ii  libpugixml1v5                                      1.11.4-1
> ii  libsqlite3-0                                       3.34.1-3+deb11u1
> ii  libssl1.1                                          1.1.1w-0+deb11u2
> ii  libstdc++6                                         10.2.1-6
> ii  libuuid1                                           2.36.1-8+deb11u2
> ii  locales                                            2.31-13+deb11u11
> ii  lsb-base                                           11.1.0
> ii  tzdata                                             2024b-0+deb11u1
> ii  zlib1g                                             1:1.2.11.dfsg-2+deb11u2
>
> orthanc recommends no packages.
>
> orthanc suggests no packages.
>
> -- Configuration Files:
> /etc/orthanc/credentials.json [Errno 13] Permission non accordée: '/etc/orthanc/credentials.json'
> /etc/orthanc/orthanc.json changed [not included]
>
> -- no debconf information



-- 
Sébastien Jodogne
Web: https://perso.uclouvain.be/sebastien.jodogne/
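Added triage helper, not part of this report or of the orthanc/dcmtk code: it parses the kernel segfault line quoted above into the faulting library, whether that library file had been replaced on disk since it was mapped, the library-relative instruction offset that debug symbols for the exact libdcmtk15 build can be symbolized with, and the decoded x86 page-fault error code. The sample log excerpt is copied from the report.

```python
"""Decode kernel 'segfault at ...' lines such as the one in this bug report."""
import re
from typing import Optional

# x86 page-fault error-code bits as reported by the kernel.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

SEGFAULT_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>\S+?)(?P<deleted> \(deleted\))?\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Syslog excerpt copied from the report (one kernel segfault line plus systemd lines).
SAMPLE_SYSLOG = """\
Feb  3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)[7fea924cf000+ad000]
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, code=killed, status=11/SEGV
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.
"""


def parse_segfault(line: str) -> Optional[dict]:
    """Decode one kernel segfault line; return None for any other line."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"])
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    return {
        "process": m["proc"],
        "pid": int(m["pid"]),
        "library": m["lib"],
        # "(deleted)" means the mapped file was unlinked or replaced on disk
        # after the process mapped it, e.g. by a package upgrade of that library.
        "deleted": m["deleted"] is not None,
        "fault_addr": int(m["addr"], 16),
        "access": "instruction fetch" if err & PF_INSTR else "write" if err & PF_WRITE else "read",
        "cause": "protection violation" if err & PF_PROT else "not-present page",
        "mode": "user" if err & PF_USER else "kernel",
        # Offset of the faulting instruction inside the library image: feed this
        # to addr2line/objdump on the debug symbols of the same library build.
        "offset": ip - base,
        "in_mapping": base <= ip < base + size,
    }


def triage(syslog: str) -> list:
    """Run parse_segfault over a syslog excerpt, keeping only segfault records."""
    return [r for r in (parse_segfault(l) for l in syslog.splitlines()) if r]
```

For the quoted line this yields a user-mode read of a not-present page at offset 0x64c90 into libdcmnet.so.15.3.6.5, with the mapped file flagged as deleted.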


