[Debian-med-packaging] Bug#1095072: orthanc: Orthanc crashes with latest dcmtk or libdcmtk15 security update
Santiago Ruano Rincón
santiagorr at riseup.net
Wed Feb 5 17:02:00 GMT 2025
Hi,
On 03/02/25 at 15:15, inframan at alara-group.fr wrote:
> Package: orthanc
> Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: debian-lts at lists.debian.org
>
> Dear Maintainer,
>
> The last dcmtk/libdcmtk15 security update (3.6.5-1+deb11u1) causes
> orthanc server to segfault as soon as a dicom file is received.
>
> Here is the content of syslog:
> Feb 3 14:02:27 quaoar systemd[1]: Started Lightweight, RESTful DICOM server for healthcare and medical research.
> Feb 3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)[7fea924cf000+ad000]
> Feb 3 14:02:46 quaoar kernel: [ 2559.248240] Code: 48 89 c2 48 c7 40 10 00 00 00 00 c6 40 18 00 48 8d 05 04 37 07 00 48 89 02 48 89 5a 20 5b 5d 41 5c e9 64 b4 f9 ff 0f 1f 40 00 <48> 83 7f 10 00 41 54 74 27 48 8b 47 08 48 8b 70 08 80 7e 18 00 75
> Feb 3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, code=killed, status=11/SEGV
> Feb 3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.
>
> I have been able to reproduce this crash on a fresh bullseye install with default
> configuration for everything (and just sending a dicom file on port 4242).
>
> Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the problem, but is obviously not an acceptable solution, as it leaves the system with a security hole.
>
> Thank you in advance,
>
> Nicolas Chamouard
Thank you for this bug report.
For awareness, I am explicitly CCing Adrian, who prepared the dcmtk
update. Adrian, are you able to look at this?
Cheers,
-- Santiago
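
A triage helper for the kernel segfault line quoted above, as an added example that is not part of the original message or of the Orthanc or dcmtk code: it decodes the page-fault error code and computes the faulting instruction's offset inside the libdcmnet mapping. The function and field names are hypothetical, and the error-code bit meanings assume an x86-64 host.

```python
import re

# Constructed sample: the kernel line from the report, syslog prefix dropped.
SAMPLE = ("Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 "
          "sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)"
          "[7fea924cf000+ad000]")

# Layout of the Linux "segfault at" message; every number is hexadecimal
# except the PID. The " in object[base+size]" part is absent when the
# instruction pointer is not inside a file-backed mapping.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)(?P<deleted> \(deleted\))?"
    r"\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")


def decode_segfault(line):
    """Return a dict describing one segfault line, or None if it does not match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)
    info = {
        "process": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        # x86 page-fault error code (assumes an x86-64 host):
        # bit 0 = protection violation (else page not present),
        # bit 1 = write, bit 2 = user mode, bit 4 = instruction fetch.
        "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
        "cause": "protection violation" if err & 0x1 else "page not present",
        "user_mode": bool(err & 0x4),
        "object": m["obj"],
        # "(deleted)": the mapped file is gone from that path, so symbolize
        # against the exact build that was mapped, not the file now on disk.
        "mapped_file_deleted": m["deleted"] is not None,
        "offset_in_mapping": None,
    }
    if m["base"] is not None:
        off = int(m["ip"], 16) - int(m["base"], 16)
        # Offset is relative to the start of the mapping, not of the ELF file.
        if 0 <= off < int(m["size"], 16):
            info["offset_in_mapping"] = off
    return info


if __name__ == "__main__":
    for key, value in decode_segfault(SAMPLE).items():
        print(key, hex(value) if key in ("fault_addr", "offset_in_mapping") else value)
```

The resulting offset is the value to resolve against the matching libdcmtk15 build and its debug symbols when comparing 3.6.5-1 with 3.6.5-1+deb11u1.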