Hi, On Sun, Jul 28, 2024 at 11:17:03PM +0200, Étienne Mollier wrote: > Control: found -1 0.23.0-gtk3+dfsg-1 > Control: found -1 0.16.3+dfsg-1 > > Hi Salvatore, > > Salvatore Bonaccorso, on 2024-07-28: > > The following vulnerability was published for xmedcon. > > > > CVE-2024-29421[0]: > > | xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer > > | Overflow via libs/dicom/basic.c which allows an attacker to execute > > | arbitrary code. > > > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2024-29421 > > https://www.cve.org/CVERecord?id=CVE-2024-29421 > > Thanks for the notice, update in sid is on her way, if not there > already. I think that I isolated the relevant change upstream. > That would be: > > -------8<--------------8<--------------8<--------------8<------- > --- a/libs/dicom/basic.c > +++ b/libs/dicom/basic.c > @@ -401,6 +401,16 @@ int dicom_load(VR vr) > if (element.vr==SQ || element.length==0xFFFFFFFF) > return 0; > > + /* eNlf: - simply prevent length values that will overflow */ > + /* eNlf: when we sum with an extra 4 bytes; thus preventing */ > + /* eNlf: a heap overflow due to a small value at malloc() */ > + /* eNlf: notified by Spike Reply Cyber Security Team */ > + if (element.length > (0xFFFFFFFF - 4)) { > + dicom_log(ERROR,"Unsupported element length"); > + dicom_close(); > + return -4; > + } > + > if (element.group==0xFFFE) > if (!element.encapsulated) > return 0; > @@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr) > if (element.vr==SQ || element.length==0xFFFFFFFF) > return 0; > > + /* eNlf: prevent overflowed value - see dicom_load() */ > + if (element.length > (0xFFFFFFFF - 4)) { > + dicom_log(ERROR,"Unsupported element length"); > + dicom_close(); > + return -4; > + } > + > if (element.group==0xFFFE) > if (!element.encapsulated) > return 0; > ------->8-------------->8-------------->8-------------->8------- > > It applies without fuzz to the version in bookworm and even in > bullseye. From quick attempt the patch didn't interfere with > normal operation of the program (although I don't really have > much to give it to eat, so I may not have stressed the affected > code path). If that makes sense, I can liaise with the release > team for the next point release in August, or do you prefer we > proceed to a security upgrade earlier? (I guess not, given the > "Minor issue" in the notes I see in the security tracker web > page, but asking just in case.)
Yes correct, an update via the upcoming point release is enough for this issue! Thanks for taking care of it! > Have a nice day, :) I wish the same to you! Regards, Salvatore

