Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmed...@packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian....@packages.debian.org
Usertags: pu
Hello Stable Release Managers,

I would like to bring a patch to xmedcon in bookworm.

[ Reason ]
xmedcon 0.23.0-gtk3+dfsg-1+deb12u1 is currently affected by the minor
security issue CVE-2025-2581 reported in #1100986. The security issue
consists of an integer underflow, according to the CVE description; I'm
not sure how remotely exploitable it is, unless one accounts for the
capability to open remote files.

[ Impact ]
xmedcon in bookworm will remain affected by the underflow of
CVE-2025-2581 if the upload is not granted.

[ Tests ]
The package lacks autopkgtest support, as does its reverse dependency
amide. I have instead proceeded to manual tests by opening small Dicom
test files I have around at hand to make sure the change did not
introduce obvious problems in xmedcon or in amide. I'm afraid the test
was still somewhat superficial, as I'm not that well versed in those
medical image viewers.

[ Risks ]
xmedcon has only amide as a strict dependency, and it has no reverse
build-dependencies caught by ratt plus dose-extra. In my perception,
the change is pretty simple so should not be too problematic.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in stable
[ ] the issue is verified as fixed in unstable

[ Changes ]
This new revision of xmedcon appends a patch to guard against malformed
Dicom files with negative dimensions, which could result in a very large
memory allocation and a crash due to the underflow caused by casting
from int64_t to size_t, the latter being unsigned.

[ Other information ]
The issue is freshly addressed in sid and some architectures are still
building it as I type. I was thus not entirely confident to check the
last case. Unless problems were to arise, I think the case can be
considered checked in 24 hours.

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <emoll...@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-    on air: Anathema - Flying
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog --- xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2024-08-07 17:51:22.000000000 +0200 +++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2025-03-22 19:58:34.000000000 +0100 @@ -1,3 +1,10 @@ +xmedcon (0.23.0-gtk3+dfsg-1+deb12u2) bookworm; urgency=medium + + * Team upload. + * CVE-2025-2581.patch: new: fix CVE-2025-2581. (Closes: #1100986) + + -- Étienne Mollier <emoll...@debian.org> Sat, 22 Mar 2025 19:58:34 +0100 + xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium * Team upload. diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch --- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 1970-01-01 01:00:00.000000000 +0100 +++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 2025-03-22 19:57:54.000000000 +0100 
@@ -0,0 +1,40 @@ +Description: Check for overflow between size_t and int64_t. +Author: Erik Nolf +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100986 +Applied-Upstream: e7a88836fc2277f8ab777f3ef24f917d08415559 +Reviewed-by: Étienne Mollier <emoll...@debian.org> +Last-Update: 2025-03-22 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- xmedcon.orig/libs/dicom/single.c ++++ xmedcon/libs/dicom/single.c +@@ -22,8 +22,9 @@ + SINGLE *dicom_single(void) + { + ELEMENT *e; +- S32 length; ++ S32 length, bytes; + U32 i, f; ++ size_t size; + char *interpretation[]= + { + "MONOCHROME2", +@@ -265,7 +266,17 @@ + /* eNlf: - allocate an extra 4 bytes, otherwise the bit.c */ + /* eNlf: routines like source.u++ go beyond the boundaries */ + /* eNlf: - memset the allocated buffer for sure */ +- data = (U8*)malloc(width*height*pixel*frames+4); ++ bytes = (int64_t)width*height*pixel*frames+4; ++ ++ /* check for overflow */ ++ size = (size_t)bytes; ++ if ((int64_t)size != bytes) { ++ dicom_log(ERROR,"System size_t too small"); ++ return 0L; ++ } ++ ++ /* allocate memory */ ++ data = (U8*)malloc(bytes); + if (!data) + { + dicom_log(ERROR,"Out of memory"); diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series --- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2024-08-07 17:51:22.000000000 +0200 +++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2025-03-22 19:57:11.000000000 +0100 @@ -3,3 +3,4 @@ cross.patch typos.patch CVE-2024-29421.patch +CVE-2025-2581.patch
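Review bot: in the `@@ -22,8 +22,9 @@` hunk of libs/dicom/single.c, `bytes` is added to the `S32 length, bytes;` declaration, yet the next hunk assigns it the 64-bit product `(int64_t)width*height*pixel*frames+4`. If S32 is the 32-bit signed type its name suggests, that product is truncated on assignment before the `(int64_t)size != bytes` comparison ever sees it, so an oversized or negative product can pass the check and reach `malloc(bytes)` as a truncated, possibly too small, size, which is the under-allocation the patch is meant to prevent. Declaring it as `int64_t bytes;` (or the code base's 64-bit signed typedef, if one exists) keeps the full value through the check and the allocation.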
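Review bot: the check in the `@@ -265,7 +266,17 @@` hunk only fires when the value fails to round-trip through size_t, which on a build where size_t is 64 bits wide never happens: a negative product from a negative dimension converts to a huge size_t and back to the same negative int64_t, so `(int64_t)size != bytes` is false and the negative value still goes to `malloc(bytes)`, leaving it to the allocator to fail with "Out of memory". The multiplication itself can also overflow int64_t for four 32-bit dimensions, which is undefined behaviour the round-trip test cannot catch. Since the changelog describes the fix as guarding against negative dimensions, an explicit test before the product, e.g. `if (width <= 0 || height <= 0 || pixel <= 0 || frames <= 0)` followed by an overflow-checked multiply and a `bytes > SIZE_MAX` comparison, would reject such files deterministically on every architecture; the message "System size_t too small" also reads as a platform limitation rather than a malformed-file report, so a wording like "Invalid image dimensions" would help anyone reading the log.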
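As an added example, not xmedcon code and not part of this bug report, the unchecked size computation that the [ Changes ] paragraph describes, beside a hardened version that rejects non-positive dimensions, detects overflow of the int64_t product, and verifies that the result fits size_t before any allocation. The function names naive_pixel_bytes and checked_pixel_bytes are hypothetical, the dimensions in main() are constructed test values, and the 4-byte padding mirrors the comment quoted in the patch.

```c
/* Added example (not xmedcon code): computing width*height*pixel*frames
 * for a pixel buffer, unchecked vs. hardened. Names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define EXTRA_BYTES 4  /* upstream pads the buffer by 4 bytes for bit.c */

/* Unchecked form: the int64_t product is converted to size_t on its way
 * into malloc. A negative dimension gives a negative product, and the
 * conversion to the unsigned size_t wraps it to an enormous value. */
size_t naive_pixel_bytes(int32_t width, int32_t height,
                         int32_t pixel, int32_t frames)
{
    int64_t bytes = (int64_t)width * height * pixel * frames + EXTRA_BYTES;
    return (size_t)bytes;          /* wraps when bytes is negative */
}

/* Hardened form: reject non-positive dimensions up front, multiply with
 * overflow detection, and make sure the result fits size_t. Returns true
 * and fills *out on success, false for any malformed or oversized input. */
bool checked_pixel_bytes(int32_t width, int32_t height,
                         int32_t pixel, int32_t frames, size_t *out)
{
    if (width <= 0 || height <= 0 || pixel <= 0 || frames <= 0)
        return false;                          /* malformed dimensions */

    int64_t bytes;
    /* __builtin_mul_overflow / __builtin_add_overflow: GCC >= 5 and Clang */
    if (__builtin_mul_overflow((int64_t)width, (int64_t)height, &bytes) ||
        __builtin_mul_overflow(bytes, (int64_t)pixel, &bytes) ||
        __builtin_mul_overflow(bytes, (int64_t)frames, &bytes) ||
        __builtin_add_overflow(bytes, (int64_t)EXTRA_BYTES, &bytes))
        return false;                          /* int64_t overflow */

    /* bytes is positive here, so the unsigned comparison is exact */
    if ((uint64_t)bytes > (uint64_t)SIZE_MAX)
        return false;                          /* does not fit size_t */

    *out = (size_t)bytes;
    return true;
}

/* Convenience wrapper: the byte count on success, 0 on rejection
 * (0 is never a valid result because of EXTRA_BYTES). */
size_t checked_pixel_bytes_or_zero(int32_t width, int32_t height,
                                   int32_t pixel, int32_t frames)
{
    size_t n = 0;
    return checked_pixel_bytes(width, height, pixel, frames, &n) ? n : 0;
}

int main(void)
{
    /* constructed inputs: a sane 512x512 16-bit slice, and one with a
     * negative width as a malformed header might carry */
    printf("naive   512x512x2x1 -> %zu\n", naive_pixel_bytes(512, 512, 2, 1));
    printf("naive    -1x512x2x1 -> %zu\n", naive_pixel_bytes(-1, 512, 2, 1));
    printf("checked 512x512x2x1 -> %zu\n",
           checked_pixel_bytes_or_zero(512, 512, 2, 1));
    printf("checked  -1x512x2x1 -> %zu (0 = rejected)\n",
           checked_pixel_bytes_or_zero(-1, 512, 2, 1));
    return 0;
}
```

The naive form is what a file with a negative dimension drives into malloc: on a 64-bit build the wrapped value is close to SIZE_MAX, so the allocation fails and the caller sees "Out of memory" rather than a clear parse error; the hardened form rejects the file before any arithmetic can wrap, and also catches the case where four large positive dimensions overflow int64_t, which no cast-and-compare on the result can detect.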