Hi,

2016-12-19 9:10 GMT+01:00 Sébastien Jodogne <s.jodo...@gmail.com>:
> Dear all,
>
>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>> > Hello dear maintainer(s),
>> >
>> > the Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of dcmtk:
>> > https://security-tracker.debian.org/tracker/CVE-2015-8979
>> >
>> > Would you like to take care of this yourself?
>>
>> I personally feel not capable to do so and Mathieu left the team - so I
>> would be astonished (but definitely happy!) if he would step in for this
>> task. If you do not receive a positive response from Gert I doubt that
>> anybody else from the team would take over.
>
>
> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>
> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
> week in order to fix this vulnerability in its static builds (notably for
> Windows and OS X). The patch we applied can be found at the following
> location:
> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>
> As this patch is very simple (six lines of code), it should be easy to
> backport it to the DCMTK Debian package.
>
> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
> currently under heavy pressure wrt. the Orthanc upstream project... maybe
> someone could do this backporting job?

I'll do it in a few hours.
I have also claimed the package in dla-needed.txt.

Cheers,
Balint