[Debian-med-packaging] Bug#1095072: Bug#1095072: orthanc: Orthanc crashes with lastest dcmtk or libdcmtk15 security update
Sébastien Jodogne
s.jodogne at gmail.com
Mon Feb 3 14:37:01 GMT 2025
Hello,
Thanks for the report. However, this bug is not specific to the
"orthanc" package and should be reassigned to the "dcmtk" package.
To reproduce, in terminal 1:
$ docker run --rm -t -i -p 2000:2000 debian:bullseye
# apt update && apt install -y dcmtk
# storescp 2000
In terminal 2:
$ storescu localhost 2000 sample.dcm
This results in a segmentation fault in terminal 1.
A similar issue is reported in Ubuntu 20.04:
https://bugs.launchpad.net/ubuntu/+source/dcmtk/+bug/2081100
Kind Regards,
Sébastien-
On Mon, 3 Feb 2025 at 15:18, <inframan at alara-group.fr> wrote:
>
> Package: orthanc
> Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: debian-lts at lists.debian.org
>
> Dear Maintainer,
>
> The last dcmtk/libdcmtk15 security update (3.6.5-1+deb11u1) causes
> orthanc server to segfault as soon as a dicom file is received.
>
> Here is the content of syslog :
> Feb 3 14:02:27 quaoar systemd[1]: Started Lightweight, RESTful DICOM server for healthcare and medical research.
> Feb 3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)[7fea924cf000+ad000]
> Feb 3 14:02:46 quaoar kernel: [ 2559.248240] Code: 48 89 c2 48 c7 40 10 00 00 00 00 c6 40 18 00 48 8d 05 04 37 07 00 48 89 02 48 89 5a 20 5b 5d 41 5c e9 64 b4 f9 ff 0f 1f 40 00 <48> 83 7f 10 00 41 54 74 27 48 8b 47 08 48 8b 70 08 80 7e 18 00 75
> Feb 3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, code=killed, status=11/SEGV
> Feb 3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.
>
> I have been able to reproduce this crash on a fresh bullseye install with default
> configuration for everything (and just sending a dicom file on port 4242).
>
> Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the problem, but is obviously not an acceptable solution, as it leaves the system with a security hole.
>
> Thank you by advance,
>
> Nicolas Chamouard
>
>
> -- System Information:
> Debian Release: 11.11
> APT prefers oldstable-updates
> APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-33-cloud-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages orthanc depends on:
> ii adduser 3.118+deb11u1
> ii dcmtk 3.6.5-1
> ii init-system-helpers 1.60
> ii libboost-filesystem1.74.0 1.74.0-9
> ii libboost-iostreams1.74.0 1.74.0-9
> ii libboost-locale1.74.0 1.74.0-9
> ii libboost-regex1.74.0 [libboost-regex1.74.0-icu67] 1.74.0-9
> ii libboost-thread1.74.0 1.74.0-9
> ii libc6 2.31-13+deb11u11
> ii libcivetweb1 1.13+dfsg-5
> ii libcurl4 7.74.0-1.3+deb11u14
> ii libdcmtk15 3.6.5-1
> ii libgcc-s1 10.2.1-6
> ii libjpeg62-turbo 1:2.0.6-4
> ii libjsoncpp24 1.9.4-4
> ii liblua5.3-0 5.3.3-1.1+deb11u1
> ii libpng16-16 1.6.37-3
> ii libpugixml1v5 1.11.4-1
> ii libsqlite3-0 3.34.1-3+deb11u1
> ii libssl1.1 1.1.1w-0+deb11u2
> ii libstdc++6 10.2.1-6
> ii libuuid1 2.36.1-8+deb11u2
> ii locales 2.31-13+deb11u11
> ii lsb-base 11.1.0
> ii tzdata 2024b-0+deb11u1
> ii zlib1g 1:1.2.11.dfsg-2+deb11u2
>
> orthanc recommends no packages.
>
> orthanc suggests no packages.
>
> -- Configuration Files:
> /etc/orthanc/credentials.json [Errno 13] Permission non accordée: '/etc/orthanc/credentials.json'
> /etc/orthanc/orthanc.json changed [not included]
>
> -- no debconf information
> _______________________________________________
> Debian-med-packaging mailing list
> Debian-med-packaging at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-packaging
--
Sébastien Jodogne
Web: https://perso.uclouvain.be/sebastien.jodogne/
More information about the Debian-med-packaging
mailing list