[Debian-med-packaging] Bug#1138713: Bug#1138713: orthanc: CVE-2026-10528
Étienne Mollier
emollier at debian.org
Wed Jun 3 20:55:49 BST 2026
Hi Sébastien,

> The "dcmtk" package must be fixed by introducing the following upstream patch:
> https://github.com/DCMTK/dcmtk/commit/885ff0f10372bd589b5f44cea974f28a3964cb0f

Thanks for the pointer, I have begun to work on this tonight and
integrated a patch to dcmtk that had a bit of fuzz, but does not
seem to have had negative impact yet. Changes are available on
Salsa [1].

[1]: https://salsa.debian.org/med-team/dcmtk/

I have not uploaded yet though, because I would like to tackle
appropriately the lintian error license-problem-old-unicode [2].
I fear it could be a blocker for further upload of the package
to the archive. I don't believe I have much actionable way of
correcting that though, because I don't seem to locate
equivalent files that would have been relicensed to e.g. Unicode
license v3, apart perhaps from excluding the files (but then, I
believe that some binary artifacts below oficonv/data will lack
their "source code", so this is unlikely a satisfying approach).
Digging into the corresponding bug #854209, it seems it may be
necessary to resort to contacting dcmtk upstream about those items.
I'm not sure how long it could take, perhaps I need to attempt
upload anyways to avoid delaying integration of security
patches; besides, I have another CVE correction in the pipeline.

[2]: https://udd.debian.org/lintian/?packages=dcmtk

Have a good evening, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`-