Your message dated Sun, 21 Dec 2025 13:19:04 +0000
with message-id <[email protected]>
and subject line Bug#1122862: fixed in gdcm 3.0.24-8
has caused the Debian Bug report #1122862,
regarding gdcm: CVE-2025-11266
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122862
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gdcm
Version: 3.0.24-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gdcm.

CVE-2025-11266[0]:
| An out-of-bounds write vulnerability exists in the Grassroots DICOM
| library (GDCM). The issue is triggered during parsing of a malformed
| DICOM file containing encapsulated PixelData fragments (compressed
| image data stored as multiple fragments). This vulnerability leads
| to a segmentation fault caused by an out-of-bounds memory access due
| to unsigned integer underflow in buffer indexing. It is exploitable
| via file input, simply opening a crafted malicious DICOM file is
| sufficient to trigger the crash, resulting in a denial-of-service
| condition.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-11266
    https://www.cve.org/CVERecord?id=CVE-2025-11266
[1] https://github.com/malaterre/GDCM/commit/5829c95c8ac3afa9a3a3413675e948959c28a789

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
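
The bug class named in the CVE text above (unsigned underflow in buffer indexing while walking encapsulated PixelData fragments), as an added example that is not GDCM's code or the upstream patch: a bounds-checked walk over the item stream using the standard DICOM item tags (FFFE,E000) and (FFFE,E0DD). The function names and the sample byte streams are constructed for illustration.

```cpp
// Added illustration; not GDCM source and not the upstream patch.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Fragment { std::size_t offset; std::uint32_t length; };

static std::uint32_t rd16(const std::uint8_t* p) { return p[0] | (p[1] << 8u); }
static std::uint32_t rd32(const std::uint8_t* p) { return rd16(p) | (rd16(p + 2) << 16); }

// The failure pattern: bytes left after a fragment, computed without a check.
// When length > avail the unsigned result wraps to a huge value.
std::size_t remaining_unchecked(std::size_t avail, std::uint32_t length) {
  return avail - length;
}

// Hardened walk. Returns true only if every item lies inside buf[0..size) and
// the stream ends with a Sequence Delimitation Item; ignore `out` on false.
bool list_fragments(const std::uint8_t* buf, std::size_t size, std::vector<Fragment>& out) {
  out.clear();
  std::size_t pos = 0;                       // invariant: pos <= size
  while (size - pos >= 8) {                  // room for tag + 32-bit length
    std::uint32_t group = rd16(buf + pos), elem = rd16(buf + pos + 2);
    std::uint32_t len = rd32(buf + pos + 4);
    pos += 8;
    if (group != 0xFFFE) return false;
    if (elem == 0xE0DD) return len == 0;     // (FFFE,E0DD): end of sequence
    if (elem != 0xE000) return false;        // only (FFFE,E000) items allowed
    if (len > size - pos) return false;      // compare before subtracting
    out.push_back({pos, len});               // item 0 is the Basic Offset Table
    pos += len;
  }
  return false;                              // truncated before the delimiter
}

// Constructed sample streams (little endian): empty offset table, one
// 4-byte fragment, delimiter. kBad claims 0x20 bytes for that fragment.
static const std::uint8_t kGood[] = {0xFE,0xFF,0x00,0xE0, 0,0,0,0,
  0xFE,0xFF,0x00,0xE0, 4,0,0,0, 0xAA,0xBB,0xCC,0xDD, 0xFE,0xFF,0xDD,0xE0, 0,0,0,0};
static const std::uint8_t kBad[] = {0xFE,0xFF,0x00,0xE0, 0,0,0,0,
  0xFE,0xFF,0x00,0xE0, 0x20,0,0,0, 0xAA,0xBB,0xCC,0xDD, 0xFE,0xFF,0xDD,0xE0, 0,0,0,0};

int main() {
  std::vector<Fragment> f;
  std::printf("good=%d ", list_fragments(kGood, sizeof kGood, f));
  std::printf("bad=%d wrapped=%zu\n", list_fragments(kBad, sizeof kBad, f),
              remaining_unchecked(12, 0x20));
  return 0;
}
```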
--- Begin Message ---
Source: gdcm
Source-Version: 3.0.24-8
Done: Emmanuel Arias <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gdcm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Arias <[email protected]> (supplier of updated gdcm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Dec 2025 14:51:00 -0300
Source: gdcm
Architecture: source
Version: 3.0.24-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Emmanuel Arias <[email protected]>
Closes: 1122862
Changes:
 gdcm (3.0.24-8) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2025-11266.patch: Avoid out-of-bounds vulnerability. The issue
     was triggered during parsing of a malformed DICOM file containing
     encapsulated PixelData fragments. This vulnerability leads to a
     segmentation fault caused by an out-of-bounds memory access due to
     unsigned integer underflow in buffer indexing (Closes: #1122862).
Checksums-Sha1:
 ac80b7fa3f20f857e0ed4b9cdbe4f47adaa247b8 3223 gdcm_3.0.24-8.dsc
 cb5a6e875508a0d2b910d8030ce103fdaecc0949 282500 gdcm_3.0.24-8.debian.tar.xz
 66db1cc57f202ae86c240f2e2e462d2b0685ee82 33017 gdcm_3.0.24-8_amd64.buildinfo
Checksums-Sha256:
 d2138ee16d958978e26eab295c788ea4368974f9f312b711ce43298dc59a8e82 3223 gdcm_3.0.24-8.dsc
 93a5b0960215a3c4c19c723a0757f6c93bdcdb5939ae062181e24dbaf902b31c 282500 gdcm_3.0.24-8.debian.tar.xz
 44092c675aed3d924aa0790daf8c39016bc213daf1df3e83f09c79ec70212a5b 33017 gdcm_3.0.24-8_amd64.buildinfo
Files:
 ee11a6417f5cd16e788e0e22567ddacd 3223 libs optional gdcm_3.0.24-8.dsc
 3ba8db0e4757b3de3a0b47106746f2b5 282500 libs optional gdcm_3.0.24-8.debian.tar.xz
 85be623659c5ba6c6995205044da9449 33017 libs optional gdcm_3.0.24-8_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
