Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dcm2n...@packages.debian.org
Control: affects -1 + src:dcm2niix
User: release.debian....@packages.debian.org
Usertags: pu
Aloha,

[ Reason ]
dcm2niix is affected by minor security issue CVE-2024-27629 in bookworm: a local attacker can execute arbitrary code as the generated file name is not properly escaped and is injected into a system call when certain types of compression are used.

[ Impact ]
dcm2niix will remain vulnerable to this issue if the upload is not granted.

[ Tests ]
I stressed the vulnerability and found out it was affecting the current version in bookworm. I could then make sure that the existing change in sid did prevent the risk of arbitrary code execution, after applying the relevant change to the dcm2niix version in bookworm. I also made sure that the fix for the CVE does not result in an autopkgtest regression in the reverse dependency heudiconv. I would have done the same for the other reverse dependency mricron, but autopkgtest is lacking for this one apparently.

[ Risks ]
The change is only slightly risky. The change is minimal, but can have some (limited) influence on the command output, as the characters '`' and '$' are replaced with '_' by the mitigation. The package has two reverse dependencies that showed no obvious issues with the fix in place.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
This change includes a patch to fix CVE-2024-27629. The patch consists of sanitizing the output file name by replacing backtick or dollar characters with an underscore before handing the output file name to the next steps of the code, which may involve some parsing by a shell.

[ Other info ]
Have a nice day, :)
-- 
  .''`.  Étienne Mollier <emoll...@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-    on air: Kaipa Da Capo - Det Tysta Guldet
diff -Nru dcm2niix-1.0.20220720/debian/changelog dcm2niix-1.0.20220720/debian/changelog --- dcm2niix-1.0.20220720/debian/changelog 2022-08-12 17:21:12.000000000 +0200 +++ dcm2niix-1.0.20220720/debian/changelog 2024-08-07 21:49:01.000000000 +0200 @@ -1,3 +1,11 @@ +dcm2niix (1.0.20220720-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * CVE-2024-27629.patch: new: fix risk of arbitrary code execution. + Fixes: CVE-2024-27629 (Closes: #1074534) + + -- Étienne Mollier <emoll...@debian.org> Wed, 07 Aug 2024 21:49:01 +0200 + dcm2niix (1.0.20220720-1) unstable; urgency=medium [ Andreas Tille ] diff -Nru dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch --- dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch 1970-01-01 01:00:00.000000000 +0100 +++ dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch 2024-08-07 21:11:41.000000000 +0200 
@@ -0,0 +1,24 @@ +Description: Prevent shell expansion. + This fixes CVE-2024-27629. +Author: Daniel Santos +Bug: https://github.com/rordenlab/dcm2niix/pull/789 +Bug-Debian: https://bugs.debian.org/1074534 +Reviewed-by: Étienne Mollier <emoll...@debian.org> +Applied-Upstream: https://github.com/rordenlab/dcm2niix/commit/51cf5cdb2b2044b22b93f251bd07695e84d456af +Last-Update: 2024-08-07 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- dcm2niix.orig/console/nii_dicom_batch.cpp ++++ dcm2niix/console/nii_dicom_batch.cpp +@@ -3293,6 +3293,11 @@ + if (outname[pos] == ':') //not allowed by MacOS + outname[pos] = '_'; + #endif ++#if !defined(_WIN64) || !defined(_WIN32) ++ for (size_t pos = 0; pos < strlen(outname); pos++) ++ if (outname[pos] == '`' || outname[pos] == '$') // unix shell expansion characters ++ outname[pos] = '_'; ++#endif + cleanISO8859(outname); + //re-insert explicit path separators: -f %t/%s_%p will have folder for time, but will not segment a protocol named "fMRI\bold" + for (int pos = 0; pos < (int)strlen(outname); pos++) { diff -Nru dcm2niix-1.0.20220720/debian/patches/series dcm2niix-1.0.20220720/debian/patches/series --- dcm2niix-1.0.20220720/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ dcm2niix-1.0.20220720/debian/patches/series 2024-08-07 21:05:34.000000000 +0200 @@ -0,0 +1 @@ +CVE-2024-27629.patch
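Review bot: the guard `#if !defined(_WIN64) || !defined(_WIN32)` in the nii_dicom_batch.cpp hunk does not exclude Windows as the comment implies: `_WIN32` is defined on both 32- and 64-bit Windows builds, so on a 32-bit build `!defined(_WIN64)` is true and the rewrite runs anyway, while only a 64-bit build skips it. If the intent is to apply the rewrite on non-Windows platforms only, the condition should be `#if !defined(_WIN32)` (or `!defined(_WIN64) && !defined(_WIN32)`). Separately, the loop rewrites only '`' and '$', so if outname still reaches a system() call unquoted, `;`, `|`, `&`, newline, quotes and redirection characters pass through untouched; either single-quote the argument at the call site or extend this loop to an allow-list, the way the surrounding ':' and cleanISO8859() filtering already rewrites characters it does not accept. Recomputing strlen(outname) on every iteration matches the existing loop just below, so that is consistent with the file's style.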
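The mitigation described above replaces only '`' and '$' before the file name reaches a shell. The block below is an added example written for this page; it is not dcm2niix or Debian code, and `scrub_backtick_dollar`, `scrub_allowlist`, `shell_single_quote`, `has_shell_meta` and the stand-in `gzip_command` builder are all hypothetical names. It puts the patch's two-character rewrite beside an allow-list sanitiser and a POSIX single-quoting routine, and runs all three over a constructed hostile file name so the difference in what survives is visible.

```cpp
// Added example (not dcm2niix or Debian code): three ways of handling a file
// name that will be interpolated into a shell command line.
#include <iostream>
#include <string>

// 1. The approach taken by the CVE-2024-27629 patch: blank out only the two
//    characters that trigger command substitution in a POSIX shell.
//    Everything else, including ';', '|', '&' and whitespace, passes through.
std::string scrub_backtick_dollar(std::string name) {
    for (char &c : name)
        if (c == '`' || c == '$')
            c = '_';
    return name;
}

// 2. Allow-list sanitiser: keep only characters that are never shell
//    metacharacters and rewrite everything else to '_'.  '/' is kept because a
//    format such as -f %t/%s deliberately produces sub-directories.
std::string scrub_allowlist(std::string name) {
    for (char &c : name) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' ||
                  c == '_' || c == '/';
        if (!ok)
            c = '_';
    }
    return name;
}

// 3. Quote instead of mutate: wrap the argument in single quotes and turn each
//    embedded single quote into '\'' so a POSIX shell passes the bytes through
//    verbatim.  Use this when the name must be preserved exactly and a shell
//    cannot be avoided (the safer option is still fork/exec without a shell).
std::string shell_single_quote(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += "'";
    return out;
}

// Hypothetical command builder standing in for the compression step the
// advisory describes; it is not the real dcm2niix call.
std::string gzip_command(const std::string &outname) {
    return "gzip -f " + shell_single_quote(outname + ".nii");
}

// True if the string still contains a byte a POSIX shell treats specially
// when it appears outside quotes.
bool has_shell_meta(const std::string &s) {
    return s.find_first_of("`$;|&<>()*?[]{}\"'\\\n ") != std::string::npos;
}

int main() {
    // Constructed hostile series description of the kind that ends up in an
    // output file name; not taken from any real DICOM file.
    const std::string sample = "sub01`id`;rm -rf /tmp/x $(whoami)";
    std::cout << "patch-style : " << scrub_backtick_dollar(sample) << "\n"
              << "allow-list  : " << scrub_allowlist(sample) << "\n"
              << "quoted      : " << gzip_command(sample) << "\n";
    return 0;
}
```

The first output line still contains `;` and spaces, which is why a shell fed that string unquoted would run the second command; the allow-list output contains nothing a shell can interpret, and the quoted form keeps the original bytes but hands them to the shell as one literal argument.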