Discussion:
Processed: bookworm-pu: package dcmtk/3.6.7-9~deb12u3
Debian Bug Tracking System
2025-02-12 23:10:02 UTC
affects -1 + src:dcmtk
Bug #1095854 [release.debian.org] bookworm-pu: package dcmtk/3.6.7-9~deb12u3
Added indication that 1095854 affects src:dcmtk
--
1095854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095854
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2025-02-12 23:30:01 UTC
tags -1 moreinfo
Bug #1095854 [release.debian.org] bookworm-pu: package dcmtk/3.6.7-9~deb12u3
Added tag(s) moreinfo.
--
1095854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095854
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Étienne Mollier
2025-02-12 23:30:01 UTC
Control: tags -1 moreinfo
+--- dcmtk.orig/dcmdata/include/dcmtk/dcmdata/dcelem.h
++++ dcmtk/dcmdata/include/dcmtk/dcmdata/dcelem.h
+ */
+ virtual OFBool isLeaf() const { return OFTrue; }
+
++ /** check if this element can be safely casted to DcmElement
++ */
++ virtual OFBool isElement() const { return OFTrue; }
++
+ /** check if value of this element is loaded into main memory
+ */
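Review bot: the doc comment on the new isElement() in dcelem.h says "check if", yet this override returns OFTrue unconditionally, and the contract callers depend on is not stated anywhere. Suggest documenting it as the override of the DcmObject method, adding a return description saying that OFTrue means the object is a DcmElement, and changing "casted" to "cast".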
+--- dcmtk.orig/dcmdata/include/dcmtk/dcmdata/dcobject.h
++++ dcmtk/dcmdata/include/dcmtk/dcmdata/dcobject.h
+ /*
+ *
+- * Copyright (C) 1994-2020, OFFIS e.V.
++ * Copyright (C) 1994-2024, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+ */
+ virtual OFBool isLeaf() const = 0;
+
++ /** check if this element can be safely casted to DcmElement
++ */
++ virtual OFBool isElement() const { return OFFalse; }
++
+ /** check if this element is nested in a sequence of items, i.e.\ not a
+ * top-level or stand-alone element
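Review bot: declaring the new virtual isElement() in DcmObject, between isLeaf() and the declarations that follow, adds a vtable slot to a base class in an installed public header, which moves any virtuals declared after it for every derived class, so binaries built against the current headers would no longer match the library. For a stable update, a check that needs no new virtual, such as dynamic_cast<DcmElement*>(ptr) != nullptr at the call sites, avoids the problem. If the method is kept, its comment should say "this object" rather than "this element", because a DcmObject is not necessarily an element.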
I'm not sure how come this hasn't cropped up with autopkgtest of
reverse dependencies. Anyway, I see in #1094991 that Adrian
Bunk can offer a better proposal.

Have a nice day, :)
--
.''`. Étienne Mollier <***@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`- on air: Pattern-Seeking Animals - No Burden Left To Ca

Étienne Mollier
2025-02-13 21:40:01 UTC
Control: tags -1 - moreinfo

Greetings,

I attached the new debdiff to include the patch set provided by
Adrian Bunk in #1094991 instead of mine. The main difference is
that the ABI breaking methods are removed, and their invocations
have been replaced by explicit checks everywhere they were
called, e.g. isElement invocations from the original patch set
like:

stack.top()->isElement()

are replaced by:

dynamic_cast<DcmElement*>(stack.top()) != nullptr

I have rerun most tests to make sure they are still okay; I have
a tail of reverse dependency rebuilds pending completion, but no
issues so far otherwise.

Have a nice day, :)
--
.''`. Étienne Mollier <***@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`-
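
The replacement described in the message above, as an added example that is not part of the thread or of the dcmtk patch set: a checked downcast with `dynamic_cast` applied to the top of a stack, using no new virtual method. `Object`, `Element`, `Item`, `asElement`, `Tally` and `drain` are hypothetical stand-ins, not DCMTK classes or functions.

```cpp
// Added illustration; Object, Element and Item are stand-ins, not DCMTK classes.
#include <cstddef>
#include <memory>
#include <stack>
#include <string>
#include <utility>
#include <vector>

struct Object {                      // plays the role of the polymorphic base
    virtual ~Object() = default;
    virtual bool isLeaf() const = 0;
};
struct Element : Object {            // leaf that carries a value
    std::string value;
    explicit Element(std::string v) : value(std::move(v)) {}
    bool isLeaf() const override { return true; }
};
struct Item : Object {               // container, NOT an Element
    std::vector<std::unique_ptr<Object>> children;
    bool isLeaf() const override { return false; }
};

// Checked downcast: relies on RTTI only, so the base class gains no new
// virtual and its vtable layout stays as it was.
const Element* asElement(const Object* o) {
    return dynamic_cast<const Element*>(o);   // nullptr when o is not an Element
}

struct Tally { std::size_t elements = 0, rejected = 0, bytes = 0; };

// Drain a stack of results: use the top only when it really is an Element,
// and skip anything else instead of reading it through the wrong type.
Tally drain(std::stack<const Object*> s) {
    Tally t;
    while (!s.empty()) {
        if (const Element* e = asElement(s.top())) {
            ++t.elements;
            t.bytes += e->value.size();
        } else {
            ++t.rejected;            // Item or null pointer: never dereferenced
        }
        s.pop();
    }
    return t;
}
```
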
Étienne Mollier
2025-02-19 21:30:01 UTC
Hi,

We've been informed of a couple of supplemental security issues
in dcmtk, see #1098373 about CVE-2025-25475 and #1098374 about
CVE-2025-25474. Given how the patch set applies without
problems, I suspect dcmtk in stable is affected too, and that we
might want to include the fixes in the present proposed update.
Fixes are not in unstable as of now, but they will soon.

Have a nice day, :)
--
.''`. Étienne Mollier <***@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/2, please excuse my verbosity
`- on air: Moon Safari - Crossed the Rubicon
Étienne Mollier
2025-02-19 21:40:01 UTC
Post by Étienne Mollier
> We've been informed of a couple of supplemental security issues
> in dcmtk, see #1098373 about CVE-2025-25475 and #1098374 about
> CVE-2025-25474. Given how the patch set applies without
> problems, I suspect dcmtk in stable is affected too, and that we
> might want to include the fixes in the present proposed update.
> Fixes are not in unstable as of now, but they will soon.

In addition, there is CVE-2025-25472, caused by the initial fix
for CVE-2024-47796.

Have a nice day, :)
--
.''`. Étienne Mollier <***@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/0, please excuse my verbosity
`-
Étienne Mollier
2025-02-20 21:20:02 UTC
Greetings,
Post by Étienne Mollier
> Post by Étienne Mollier
>> We've been informed of a couple of supplemental security issues
>> in dcmtk, see #1098373 about CVE-2025-25475 and #1098374 about
>> CVE-2025-25474. Given how the patch set applies without
>> problems, I suspect dcmtk in stable is affected too, and that we
>> might want to include the fixes in the present proposed update.
>> Fixes are not in unstable as of now, but they will soon.
> In addition, there is CVE-2025-25472, caused by the initial fix
> for CVE-2024-47796.

I attach a debdiff proposal to include the recently introduced
patches in unstable to fix CVE-2025-25475, CVE-2025-25474 and
CVE-2025-25472 in addition to the changes initially required to
get CVE-2024-28130 sorted.

Have a nice day, :)
--
.''`. Étienne Mollier <***@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/0, please excuse my verbosity
`-
Debian Bug Tracking System
2025-02-13 21:40:02 UTC
tags -1 - moreinfo
Bug #1095854 [release.debian.org] bookworm-pu: package dcmtk/3.6.7-9~deb12u3
Removed tag(s) moreinfo.
--
1095854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095854
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems