Your message dated Tue, 30 Jun 2026 18:17:07 +0000
with message-id <[email protected]>
and subject line Bug#1140562: fixed in dcmtk 3.6.9-5+deb13u2
has caused the Debian Bug report #1140562,
regarding dcmtk: CVE-2026-12805
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dcmtk
Version: 3.7.0+really3.7.0-5
Severity: important
Tags: security upstream
Forwarded: https://support.dcmtk.org/redmine/issues/1208
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for dcmtk.
CVE-2026-12805[0]:
| A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected
| element is the function XMLNode::parseFile in the library
| ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-
| based buffer overflow. The attack may be performed from remote. The
| exploit has been published and may be used. This patch is called
| 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to
| apply a patch to resolve this issue. The vendor was contacted early,
| responded in a very professional manner and quickly released a fixed
| version of the affected product.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-12805
https://www.cve.org/CVERecord?id=CVE-2026-12805
[1] https://support.dcmtk.org/redmine/issues/1208
[2] https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dcmtk
Source-Version: 3.6.9-5+deb13u2
Done: Étienne Mollier <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated dcmtk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Jun 2026 21:44:21 +0200
Source: dcmtk
Architecture: source
Version: 3.6.9-5+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1113993 1122926 1123584 1133001 1139181 1140562
Changes:
dcmtk (3.6.9-5+deb13u2) trixie; urgency=medium
.
* Team upload.
* CVE-2026-12805.patch: new: fix CVE-2026-12805.
This patch fixes a risk of buffer overflow by ensuring negative error
codes in XMLNode::parseFile are properly handled, as well as NULL
values. (Closes: #1140562)
.
dcmtk (3.6.9-5+deb13u1) trixie; urgency=medium
.
* Team upload
* d/patches/*-CVE-2025-9732.patch: new.
These changes pulled from dcmtk upstream address CVE-2025-9732.
(Closes: #1113993)
* 0015-CVE-2025-14607.patch: new: fix CVE-2025-14607. (Closes: #1122926)
* 0016-CVE-2026-5663.patch: new: fix CVE-2026-5663. (Closes: #1133001)
* 0017-CVE-2025-14841.patch: new: fix CVE-2025-14841. (Closes: #1123584)
* 0018-CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---