Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Dear release team, The version of gdcm in jessie suffers from two security problems: CVE-2015-8396 [1] CVE-2015-8397 [2] However, the security team notified me that the issue does not warrant a DSA and that I should instead fix it via a jessie point release. The proposed patch against the package is enclosed; it adds the corresponding fixes from the upstream repository. best regards, Gert [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8396 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8397 -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
diff -ruN gdcm-2.4.4/debian/changelog gdcm-2.4.4.new/debian/changelog
--- gdcm-2.4.4/debian/changelog 2014-10-06 08:08:33.000000000 +0100
+++ gdcm-2.4.4.new/debian/changelog 2016-08-23 18:45:09.415835673 +0100
@@ -1,3 +1,11 @@
+gdcm (2.4.4-3+deb8u1) jessie-proposed-updates; urgency=medium
+
+ * add patches:
+ - d/p/CVE-2015-8396.patch: fix according security vunerability
+ - d/p/CVE-2015-8397.patch: fix according security vunerability
+
+ -- Gert Wollny <gw.foss...@gmail.com> Sat, 20 Aug 2016 22:25:15 +0100
+
 gdcm (2.4.4-3) unstable; urgency=medium
 
 * Fix issue introduced by multiarch switch. Closes: #764029
diff -ruN gdcm-2.4.4/debian/patches/CVE-2015-8396.patch gdcm-2.4.4.new/debian/patches/CVE-2015-8396.patch
--- gdcm-2.4.4/debian/patches/CVE-2015-8396.patch 1970-01-01 01:00:00.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/CVE-2015-8396.patch 2016-08-20 23:23:27.990220328 +0100
@@ -0,0 +1,103 @@
+Author: Mathieu Malaterre <mathieu.malate...@gmail.com>
+Date: Fri Dec 18 12:18:02 2015 +0100
+Description: Patches fixing CVE-2015-8396
+ Patches were backported from upstream commits
+ 92cd6d7 Always prefer boxRegion computation for area
+ 9cbca25 Fix a case when Region was never initialized
+ e0dd111 Add an extra layer of check
+ 0f6f820 Actually handle the case of error in ComputeBufferLength
+
+Index: gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
++++ gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
+@@ -85,6 +85,7 @@ Region const &ImageRegionReader::GetRegi
+ size_t ImageRegionReader::ComputeBufferLength() const
+ {
+ // Is this a legal extent:
++ size_t npixels = 0;
+ if( Internals->GetRegion() )
+ {
+ if( !Internals->GetRegion()->IsValid() )
+@@ -92,10 +93,26 @@ size_t ImageRegionReader::ComputeBufferL
+ gdcmDebugMacro( "Sorry not a valid extent. Giving up" );
+ return 0;
+ }
++ npixels = this->Internals->GetRegion()->Area();
+ }
+- PixelFormat pixelInfo = ImageHelper::GetPixelFormatValue(GetFile());
+- size_t bytesPerPixel = pixelInfo.GetPixelSize();
+- return this->Internals->GetRegion()->Area()*bytesPerPixel;
++ else
++ {
++ std::vector<unsigned int> dims = ImageHelper::GetDimensionsValue(GetFile());
++ BoxRegion full;
++ // Use BoxRegion to do robust computation
++ full.SetDomain(0, dims[0] - 1,
++ 0, dims[1] - 1,
++ 0, dims[2] - 1 );
++ if( full.IsValid() )
++ {
++ gdcmDebugMacro( "Sorry not a valid extent. Giving up" );
++ return 0;
++ }
++ npixels = full.Area();
++ }
++ const PixelFormat pixelInfo = ImageHelper::GetPixelFormatValue(GetFile());
++ const size_t bytesPerPixel = pixelInfo.GetPixelSize();
++ return npixels*bytesPerPixel;
+ }
+
+ bool ImageRegionReader::ReadInformation()
+@@ -371,7 +388,17 @@ bool ImageRegionReader::ReadJPEGIntoBuff
+ theCodec.SetPixelFormat( ImageHelper::GetPixelFormatValue(GetFile()) );
+
+ std::istream* theStream = GetStreamPtr();
+- const BoxRegion &boundingbox = this->Internals->GetRegion()->ComputeBoundingBox();
++ BoxRegion boundingbox;
++ if( Internals->GetRegion() )
++ boundingbox = this->Internals->GetRegion()->ComputeBoundingBox();
++ else
++ {
++ std::vector<unsigned int> dims = ImageHelper::GetDimensionsValue(GetFile());
++ boundingbox.SetDomain(
++ 0, dims[0] - 1,
++ 0, dims[1] - 1,
++ 0, dims[2] - 1 );
++ }
+ unsigned int xmin = boundingbox.GetXMin();
+ unsigned int xmax = boundingbox.GetXMax();
+ unsigned int ymin = boundingbox.GetYMin();
+@@ -445,7 +472,13 @@ bool ImageRegionReader::ReadJPEGLSIntoBu
+ bool ImageRegionReader::ReadIntoBuffer(char *buffer, size_t buflen)
+ {
+ size_t thelen = ComputeBufferLength();
+- if( buflen < thelen )
++ if( thelen == 0 )
++ {
++ // does not sound right, something seems odd.
++ gdcmDebugMacro( "Cannot load an image of 0 bytes" );
++ return false;
++ }
++ if( buflen < thelen )
+ {
+ gdcmDebugMacro( "buffer cannot be smaller than computed buffer length" );
+ return false;
+Index: gdcm-2.4.4/Source/Common/gdcmBoxRegion.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/Common/gdcmBoxRegion.cxx
++++ gdcm-2.4.4/Source/Common/gdcmBoxRegion.cxx
+@@ -79,6 +79,13 @@ bool BoxRegion::IsValid() const
+ {
+ return false;
+ }
++ // Some properly crafted DICOM could have bigger values, reject them:
++ // technically there is no such restrictions for Z direction
++ if (Internals->XMax > std::numeric_limits<uint16_t>::max() ||
++ Internals->YMax > std::numeric_limits<uint16_t>::max() )
++ {
++ return false;
++ }
+ return true;
+ }
+
diff -ruN gdcm-2.4.4/debian/patches/CVE-2015-8397.patch gdcm-2.4.4.new/debian/patches/CVE-2015-8397.patch
--- gdcm-2.4.4/debian/patches/CVE-2015-8397.patch 1970-01-01 01:00:00.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/CVE-2015-8397.patch 2016-08-20 22:30:26.000000000 +0100
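Review bot: In the new else-branch of ComputeBufferLength the guard reads `if( full.IsValid() )` yet returns 0 with "Sorry not a valid extent", the inverse of the sibling branch `if( !Internals->GetRegion()->IsValid() )` a few lines earlier in the same hunk; as written, a region-less read of any well-formed image computes 0 bytes (which the new ReadIntoBuffer check then rejects), while a domain that BoxRegion::IsValid rejects falls through to `full.Area()`, the very case the uint16_t cap added to gdcmBoxRegion.cxx is meant to stop. Unless the backport deliberately differs from upstream here, the fix is the one-character change `if( !full.IsValid() )`. Separately, `dims[0] - 1` and friends are unsigned, so a zero dimension (or a missing one, if GetDimensionsValue can return fewer than three entries) wraps to UINT_MAX, and the patch's own comment says the Z direction is not capped by IsValid, so a crafted Z extent still reaches `full.Area()` and the `npixels*bytesPerPixel` product; a guard such as `if( dims.size() < 3 || dims[0] == 0 || dims[1] == 0 || dims[2] == 0 ) return 0;` before SetDomain would close that. The same unchecked `dims[i] - 1` construction is repeated in the ReadJPEGIntoBuffer else-branch, where the resulting boundingbox is never validated at all. The BoxRegion::IsValid hunk relies on std::numeric_limits<uint16_t>, so gdcmBoxRegion.cxx needs <limits> and a uint16_t definition in scope; neither is visible in this hunk, so presumably they are already included, but it is worth a build check on jessie.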
@@ -0,0 +1,36 @@
+Description: Fix CVE-2015-8397 in jessie
+ backported upstream commit:
+ e547b1d Avoid a buffer over run with properly crafted JPEG-LS
+Author: Mathieu Malaterre <mathieu.malate...@gmail.com>
+Date: Fri Dec 11 14:35:08 2015 +0100
+
+Index: gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
++++ gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
+@@ -449,6 +449,12 @@ bool JPEGLSCodec::DecodeExtent(
+ const unsigned int colsize = ymax - ymin + 1;
+ const unsigned int bytesPerPixel = pf.GetPixelSize();
+
++ if( outv.size() != dimensions[0] * dimensions[1] * bytesPerPixel )
++ {
++ gdcmDebugMacro( "Inconsistant buffer size. Giving up" );
++ return false;
++ }
++
+ const unsigned char *tmpBuffer1 = raw;
+ unsigned int z = 0;
+ for (unsigned int y = ymin; y <= ymax; ++y)
+@@ -505,6 +511,12 @@ bool JPEGLSCodec::DecodeExtent(
+ const unsigned int colsize = ymax - ymin + 1;
+ const unsigned int bytesPerPixel = pf.GetPixelSize();
+
++ if( outv.size() != dimensions[0] * dimensions[1] * bytesPerPixel )
++ {
++ gdcmDebugMacro( "Inconsistant buffer size. Giving up" );
++ return false;
++ }
++
+ const unsigned char *tmpBuffer1 = raw;
+ for (unsigned int y = ymin; y <= ymax; ++y)
+ {
diff -ruN gdcm-2.4.4/debian/patches/series gdcm-2.4.4.new/debian/patches/series
--- gdcm-2.4.4/debian/patches/series 2014-10-06 08:08:33.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/series 2016-08-20 22:28:52.000000000 +0100
@@ -2,3 +2,5 @@
 fixhurd.patch
 linkvtkdoc.patch
 multiarch.patch
+CVE-2015-8396.patch
+CVE-2015-8397.patch
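Review bot: The new size check in both DecodeExtent hunks compares `outv.size()` against `dimensions[0] * dimensions[1] * bytesPerPixel`, and that right-hand side is evaluated in unsigned int (bytesPerPixel is declared `const unsigned int` two lines above; dimensions presumably holds unsigned int as well) before being promoted for the comparison, so a header with large row and column counts can wrap the product to a small value that happens to equal the buffer size and slip past the guard. Computing the expected size in size_t avoids that: `const size_t expected = static_cast<size_t>(dimensions[0]) * dimensions[1] * bytesPerPixel;` followed by `if( outv.size() != expected )`. The check only establishes that outv holds one full frame; whether ymin..ymax and the x-range driving the row copies stay inside that frame is not verified here, so it rests on the caller's region validation, which is outside this hunk. Minor: the message spells "Inconsistant" (`"Inconsistent buffer size. Giving up"`), and the block is duplicated verbatim in the two hunks, so a small static helper would keep them in step.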