Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: xmed...@packages.debian.org Control: affects -1 + src:xmedcon User: release.debian....@packages.debian.org Usertags: pu
Hi Stable Release Managers, [ Reason ] xmedcon in bookworm is affected by CVE-2024-29421. It is, quoting the description: "vulnerable to Buffer Overflow via libs/dicom/basic.c which allows an attacker to execute arbitrary code". It is currently rated minor by the security team, hence following the proposed-update process instead of a security update. The issue is tracked in #1077369. [ Impact ] xmedcon in bookworm will remain vulnerable to the risk of execution of arbitrary code if left unchanged. [ Tests ] The package does not ship with automated tests, but I verified manually that the patch in upstream code did not provoke any obvious breakages by visualising some dicom image taken from other Debian Med sample files. I also verified that the dicom visualizer amide, which depends on the libmdc3, was not showing obvious breakages caused by the change. Note: I do not know how to trip the vulnerability so I have not stressed the mitigation per se. [ Risks ] The patch fits in a screen and felt fairly obvious what is was doing to me, so I don't believe it's highly risky. It has one reverse dependency, amide, that does not seem to show much issues with the change this far. [ Checklist ] [*] *all* changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in (old)stable [*] the issue is verified as fixed in unstable [ Changes ] This revision introduces a patch to dicom loading functions, originating from upstream xmedcon 0.24.0, containing a change which is intended to guard against large element length and error out instead of running into buffer overflow conditions. [ Other info ] Have a nice day, :) -- .''`. Étienne Mollier <emoll...@debian.org> : :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da `. `' sent from /dev/pts/2, please excuse my verbosity `- on air: Therion - The Leaf on the Oak of Far
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog
--- xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2023-02-05 19:35:32.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2024-07-28 23:02:25.000000000 +0200
@@ -1,3 +1,10 @@
+xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emoll...@debian.org> Sun, 28 Jul 2024 23:02:25 +0200
+
xmedcon (0.23.0-gtk3+dfsg-1) unstable; urgency=medium
* New upstream version
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch 2024-07-28 23:01:35.000000000 +0200
@@ -0,0 +1,33 @@
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+ if (element.vr==SQ || element.length==0xFFFFFFFF)
+ return 0;
+
++ /* eNlf: - simply prevent length values that will overflow */
++ /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++ /* eNlf: a heap overflow due to a small value at malloc() */
++ /* eNlf: notified by Spike Reply Cyber Security Team */
++ if (element.length > (0xFFFFFFFF - 4)) {
++ dicom_log(ERROR,"Unsupported element length");
++ dicom_close();
++ return -4;
++ }
++
+ if (element.group==0xFFFE)
+ if (!element.encapsulated)
+ return 0;
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+ if (element.vr==SQ || element.length==0xFFFFFFFF)
+ return 0;
+
++ /* eNlf: prevent overflowed value - see dicom_load() */
++ if (element.length > (0xFFFFFFFF - 4)) {
++ dicom_log(ERROR,"Unsupported element length");
++ dicom_close();
++ return -4;
++ }
++
+ if (element.group==0xFFFE)
+ if (!element.encapsulated)
+ return 0;
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2023-02-05 19:35:32.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2024-07-28 23:01:35.000000000 +0200
@@ -2,3 +2,4 @@
use_debian_packaged_niftilib.patch
cross.patch
typos.patch
+CVE-2024-29421.patch
signature.asc
Description: PGP signature
