[Debian-med-packaging] Bug#1101064: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u2
Étienne Mollier
emollier at debian.org
Sat Mar 22 19:44:49 GMT 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon at packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org at packages.debian.org
Usertags: pu
Hello Stable Release Managers,
I would like to bring a patch to xmedcon in bookworm.
[ Reason ]
xmedcon 0.23.0-gtk3+dfsg-1+deb12u1 is currently affected by the
minor security issue CVE-2025-2581 reported in #1100986. The
security issue consists in an integer underflow, according to the
CVE description; I'm not sure how remotely exploitable it is,
unless one accounts for the capability to open remote files.
[ Impact ]
xmedcon in bookworm will remain affected by the underflow of
CVE-2025-2581 if upload is not granted.
[ Tests ]
The package lacks autopkgtest support, as does its reverse
dependency amide. I have instead proceeded to manual tests by
opening small Dicom test files I have around at hand to make
sure the change did not introduce obvious problems in xmedcon
nor in amide. I'm afraid the test was still somewhat superficial,
as I'm not that well versed in those medical image viewers.
[ Risks ]
xmedcon has only amide as strict dependency, and it has no
reverse build-dependencies caught by ratt plus dose-extra. In
my perception, the change is pretty simple so should not be too
problematic.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
This new revision of xmedcon appends a patch to guard against
malformed Dicom files with negative dimensions, which could
result in very large memory allocation and crash due to the
underflow caused by casting from int64_t to size_t, the latter
being unsigned.
[ Other information ]
The issue is freshly addressed in sid and some architectures are
still building it as I type. I was thus not entirely confident
to check the last case. Unless problems were to arise, I think
the case can be considered checked in 24 hours.
Have a nice day, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`- on air: Anathema - Flying
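As an added illustration of the allocation-size guard described under [ Changes ] (example code written for this page, not xmedcon's own; the S32 typedef and the helper names are assumptions), the following shows the pre-fix shape of the computation, where a negative dimension from a malformed header becomes an enormous unsigned byte count, beside a hardened version that rejects non-positive dimensions and checks every multiplication before the allocation. It also demonstrates why storing the 64-bit product into a 32-bit signed variable defeats a size_t round-trip check on 64-bit systems.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for xmedcon's 32-bit signed integer typedef (assumption for this example). */
typedef int32_t S32;

/* Pre-fix shape of the computation: plain int arithmetic whose result is
 * converted to size_t at the malloc() call.  A negative dimension from a
 * malformed header turns into a huge unsigned byte count (-1 -> SIZE_MAX). */
static size_t unchecked_pixel_buffer_size(S32 width, S32 height, S32 pixel, S32 frames)
{
    return (size_t)(width * height * pixel * frames + 4);  /* 4 bytes of slack, as in the original */
}

/* Hardened form: every dimension must be positive, each multiplication is
 * checked against the 64-bit ceiling (leaving room for the +4 slack), and the
 * final count must fit a size_t on this platform.  Returns 0 on rejection,
 * which can never be a valid result because of the slack. */
static size_t checked_pixel_buffer_size(S32 width, S32 height, S32 pixel, S32 frames)
{
    const S32 dims[4] = { width, height, pixel, frames };
    uint64_t total = 1;
    for (int i = 0; i < 4; i++) {
        if (dims[i] <= 0)
            return 0;                                   /* reject negative or zero dimensions */
        uint64_t d = (uint64_t)dims[i];
        if (total > (UINT64_MAX - 4) / d)               /* total * d + 4 would wrap */
            return 0;
        total *= d;
    }
    total += 4;
    if (total > (uint64_t)SIZE_MAX)                     /* only reachable where size_t < 64 bits */
        return 0;
    return (size_t)total;
}

/* Pitfall: if the 64-bit product is first stored in a 32-bit signed variable
 * (as a declaration such as "S32 bytes" forces), it is truncated before the
 * size_t round trip, and on an LP64 system any 32-bit value survives the
 * (size_t) cast and back unchanged.  Returns 1 if the round-trip check fires. */
static int truncated_roundtrip_check_fires(int64_t product)
{
    S32 bytes = (S32)product;          /* truncation: the high 32 bits are lost */
    size_t size = (size_t)bytes;       /* negative values sign-extend to huge sizes */
    return (int64_t)size != (int64_t)bytes;
}

int main(void)
{
    printf("unchecked(-5,1,1,1)        = %zu\n", unchecked_pixel_buffer_size(-5, 1, 1, 1));
    printf("checked(-5,1,1,1)          = %zu (0 = rejected)\n", checked_pixel_buffer_size(-5, 1, 1, 1));
    printf("checked(512,512,2,10)      = %zu\n", checked_pixel_buffer_size(512, 512, 2, 10));
    printf("checked(INT32_MAX x3, 2)   = %zu (0 = rejected)\n",
           checked_pixel_buffer_size(INT32_MAX, INT32_MAX, INT32_MAX, 2));
    printf("truncated check fires for 2^32+3: %d, for -1: %d\n",
           truncated_roundtrip_check_fires(INT64_C(0x100000000) + 3),
           truncated_roundtrip_check_fires(-1));
    return 0;
}
```

The checked variant returns 0 rather than a huge value so the caller can log and bail out before `malloc`, instead of relying on the allocator to fail; the stepwise bound `(UINT64_MAX - 4) / d` keeps the whole computation free of wraparound, including the trailing slack.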
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog
--- xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2025-03-22 19:58:34.000000000 +0100
@@ -1,3 +1,10 @@
+xmedcon (0.23.0-gtk3+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2025-2581.patch: new: fix CVE-2025-2581. (Closes: #1100986)
+
+ -- Étienne Mollier <emollier at debian.org> Sat, 22 Mar 2025 19:58:34 +0100
+
xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium
* Team upload.
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 2025-03-22 19:57:54.000000000 +0100
@@ -0,0 +1,40 @@
+Description: Check for overflow between size_t and int64_t.
+Author: Erik Nolf
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100986
+Applied-Upstream: e7a88836fc2277f8ab777f3ef24f917d08415559
+Reviewed-by: Étienne Mollier <emollier at debian.org>
+Last-Update: 2025-03-22
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- xmedcon.orig/libs/dicom/single.c
++++ xmedcon/libs/dicom/single.c
+@@ -22,8 +22,9 @@
+ SINGLE *dicom_single(void)
+ {
+ ELEMENT *e;
+- S32 length;
++ S32 length, bytes;
+ U32 i, f;
++ size_t size;
+ char *interpretation[]=
+ {
+ "MONOCHROME2",
+@@ -265,7 +266,17 @@
+ /* eNlf: - allocate an extra 4 bytes, otherwise the bit.c */
+ /* eNlf: routines like source.u++ go beyond the boundaries */
+ /* eNlf: - memset the allocated buffer for sure */
+- data = (U8*)malloc(width*height*pixel*frames+4);
++ bytes = (int64_t)width*height*pixel*frames+4;
++
++ /* check for overflow */
++ size = (size_t)bytes;
++ if ((int64_t)size != bytes) {
++ dicom_log(ERROR,"System size_t too small");
++ return 0L;
++ }
++
++ /* allocate memory */
++ data = (U8*)malloc(bytes);
+ if (!data)
+ {
+ dicom_log(ERROR,"Out of memory");
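Review bot: in the quoted upstream hunk the new variable is declared 32-bit (`+ S32 length, bytes;`) while the product is computed in 64 bits (`bytes = (int64_t)width*height*pixel*frames+4;`), so the result is truncated on assignment and the following `if ((int64_t)size != bytes)` compares an already-truncated value; on 64-bit targets a 32-bit signed value always survives the cast to size_t and back unchanged, so the "System size_t too small" branch can only fire on 32-bit targets, and an overflow of the multiplication itself is never detected. Suggest declaring `bytes` as `int64_t` so the round trip compares the untruncated product, and additionally rejecting `bytes <= 0` before `malloc(bytes)` rather than relying on the allocation to fail, since guarding against negative dimensions is what the [ Changes ] section states this patch is for.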
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2025-03-22 19:57:11.000000000 +0100
@@ -3,3 +3,4 @@
cross.patch
typos.patch
CVE-2024-29421.patch
+CVE-2025-2581.patch