Your message dated Tue, 30 Jun 2026 18:17:25 +0000
with message-id <[email protected]>
and subject line Bug#1140562: fixed in dcmtk 3.6.7-9~deb12u4
has caused the Debian Bug report #1140562,
regarding dcmtk: CVE-2026-12805
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dcmtk
Version: 3.7.0+really3.7.0-5
Severity: important
Tags: security upstream
Forwarded: https://support.dcmtk.org/redmine/issues/1208
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for dcmtk.

CVE-2026-12805[0]:
| A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected
| element is the function XMLNode::parseFile in the library
| ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-
| based buffer overflow. The attack may be performed from remote. The
| exploit has been published and may be used. This patch is called
| 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to
| apply a patch to resolve this issue. The vendor was contacted early,
| responded in a very professional manner and quickly released a fixed
| version of the affected product.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12805
    https://www.cve.org/CVERecord?id=CVE-2026-12805
[1] https://support.dcmtk.org/redmine/issues/1208
[2] https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dcmtk
Source-Version: 3.6.7-9~deb12u4
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2026 21:16:40 +0200
Source: dcmtk
Architecture: source
Version: 3.6.7-9~deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1100724 1113993 1122926 1123584 1133001 1139181 1140562
Changes:
 dcmtk (3.6.7-9~deb12u4) bookworm; urgency=medium
 .
   * Team upload.
   * 0012-CVE-2022-4981.patch: new: fix CVE-2022-4981.
   * 0013-CVE-2025-2357.patch: new: fix CVE-2025-2357. (Closes: #1100724)
   * *CVE-2025-9732*.patch: new.
     These two patches fix CVE-2025-9732. (Closes: #1113993)
   * 0016-CVE-2025-14607.patch: new: fix CVE-2025-14607. (Closes: #1122926)
   * 0017-CVE-2025-14841.patch: new: fix CVE-2025-14841. (Closes: #1123584)
   * 0018-CVE-2026-5663.patch: new: fix CVE-2026-5663.
     This patch required some rework from upstream due to little changes in
     the logic and the coding style. (Closes: #1133001)
   * 0019-CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181)
   * 0020-CVE-2026-12805.patch: new: fix CVE-2026-12805.
     This patch fixes a risk of buffer overflow by ensuring negative error
     codes in XMLNode::parseFile are properly handled, as well as NULL
     values. (Closes: #1140562)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
