Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dcmtk
User: [email protected]
Usertags: pu
Hi Stable Release Managers,

[ Reason ]
dcmtk in trixie, including dcmtk 3.6.9-5+deb13u1 pending publication via
trixie-proposed-updates, is affected by CVE-2026-12805. See also important
bug #1140562. CVE-2026-12805 is an issue triaged as minor by the Debian
Security Team. Hence, I offer to upload via the stable-proposed-updates
channel instead of trixie-security.

[ Impact ]
If the upload is not granted, dcmtk in trixie will remain affected by
CVE-2026-12805.

[ Tests ]
The affected code did not include an update of the test suite. I had hoped
to refer to upstream's ticket #1208 [1] in order to check whether there were
means to stress the change to the code, but their issue tracker is down at
the time of writing. That being written, I ensured that the change did not
introduce regressions in reverse dependencies in testing by running their
autopkgtest.

[1]: https://support.dcmtk.org/redmine/issues/1208

[ Risks ]
The overall change to the code consists of an effective single line in a
patch taken straight from an upstream commit.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
This update introduces the patch 0019-CVE-2026-12805.patch. It fixes the
buffer overflow referenced under CVE-2026-12805 by properly checking for
ftell(3) error codes.

[ Other info ]
On the unstable side, the change should make it to forky tomorrow, as
dcmtk's test suite and all reverse dependencies' autopkgtests were verified
in working condition, which is encouraging.

This update follows up on dcmtk 3.6.9-5+deb13u1 uploaded to
trixie-proposed-updates via #1139722, but which has not made it to trixie
yet. It seemed saner to me to include a debdiff that restarts from
3.6.9-5+deb13u1 rather than 3.6.9-5. Hope that's ok this way?

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-
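The [ Changes ] section above describes the fix as checking ftell(3) error codes. The following is an added illustration written for this report, not code from DCMTK or from the upstream patch: it reproduces the size arithmetic of the unpatched fseek/ftell/malloc/fread idiom (as arithmetic only, nothing is allocated or read with it), and places beside it a hardened reader that checks every call that can fail and reports a non-seekable stream distinctly from an empty file. All function and type names are hypothetical; an anonymous pipe created with pipe(2) stands in for the named pipe mentioned in the upstream commit message, and the file contents are constructed.

```c
/* Added example for the ftell(3) error-handling fix described in this report.
 * Illustrative code, not DCMTK's ofxml.cc; all identifiers are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef enum {
    READ_OK = 0,
    READ_EMPTY,        /* stream has zero length */
    READ_NOT_SEEKABLE, /* fseek()/ftell() failed, e.g. on a pipe or FIFO */
    READ_NOMEM,        /* malloc() failed */
    READ_IO            /* read error */
} read_status;

/* Sizes the unpatched idiom would hand to malloc() and fread() for a given
 * ftell() result:  int l = (int)ftell(f); ... malloc(l+4); fread(buf,1,l,f);
 * Only the arithmetic is reproduced here. */
typedef struct { size_t malloc_bytes; size_t fread_bytes; } legacy_sizes;

static legacy_sizes legacy_request_sizes(long ftell_result) {
    int l = (int)ftell_result;
    legacy_sizes s;
    s.malloc_bytes = (size_t)(l + 4); /* for ftell() == -1 this is 3 bytes      */
    s.fread_bytes  = (size_t)l;       /* ... while fread() is asked for SIZE_MAX */
    return s;
}

/* Hardened reader: a failing fseek() or a negative ftell() is reported as
 * "not seekable" instead of falling through to the allocation. */
static read_status read_whole_stream(FILE *f, unsigned char **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (fseek(f, 0, SEEK_END) != 0) return READ_NOT_SEEKABLE;
    long l = ftell(f);
    if (l < 0) return READ_NOT_SEEKABLE;           /* ftell(3) returns -1 on failure */
    if (l == 0) return READ_EMPTY;
    if (fseek(f, 0, SEEK_SET) != 0) return READ_IO;
    size_t len = (size_t)l;
    unsigned char *buf = malloc(len + 4);          /* +4: room for a terminator, as in the idiom */
    if (buf == NULL) return READ_NOMEM;
    size_t got = fread(buf, 1, len, f);
    if (got != len && ferror(f)) { free(buf); return READ_IO; }
    memset(buf + got, 0, 4);
    *out = buf;
    *out_len = got;
    return READ_OK;
}

/* Constructed input: an anonymous pipe behaves like the named pipe from the
 * upstream report as far as fseek()/ftell() are concerned. */
static read_status demo_pipe(void) {
    int fds[2];
    if (pipe(fds) != 0) return READ_IO;
    if (write(fds[1], "<x/>", 4) != 4) { close(fds[0]); close(fds[1]); return READ_IO; }
    close(fds[1]);
    FILE *f = fdopen(fds[0], "r");
    if (f == NULL) { close(fds[0]); return READ_IO; }
    unsigned char *buf; size_t len;
    read_status st = read_whole_stream(f, &buf, &len);
    free(buf);
    fclose(f);
    return st;
}

/* Constructed input: a regular temporary file holding `content`.
 * Returns the number of bytes read back, 0 for an empty file, -1 on error. */
static long demo_regular_file(const char *content) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(content, f);
    unsigned char *buf; size_t len;
    read_status st = read_whole_stream(f, &buf, &len);
    long result = -1;
    if (st == READ_OK && memcmp(buf, content, len) == 0) result = (long)len;
    else if (st == READ_EMPTY) result = 0;
    free(buf);
    fclose(f);
    return result;
}

int main(void) {
    legacy_sizes s = legacy_request_sizes(-1);
    printf("unpatched idiom, ftell()==-1: malloc(%zu) but fread() of %zu bytes\n",
           s.malloc_bytes, s.fread_bytes);
    printf("hardened reader on a pipe: status %d (2 == READ_NOT_SEEKABLE)\n", demo_pipe());
    printf("hardened reader on a 7-byte file: %ld bytes\n", demo_regular_file("<root/>"));
    return 0;
}
```

The legacy arithmetic shows why `if (!l)` was insufficient: -1 passes the check, the allocation is 3 bytes and the read request is SIZE_MAX, which is exactly the heap overflow the upstream commit message describes. The patched `l <= 0` closes that path; the hardened reader additionally checks fseek() and malloc(), which the hunk leaves as they were.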
diff -Nru dcmtk-3.6.9/debian/changelog dcmtk-3.6.9/debian/changelog --- dcmtk-3.6.9/debian/changelog 2026-06-11 20:54:58.000000000 +0200 +++ dcmtk-3.6.9/debian/changelog 2026-06-23 21:44:21.000000000 +0200 @@ -1,3 +1,13 @@ +dcmtk (3.6.9-5+deb13u2) trixie; urgency=medium + + * Team upload. + * CVE-2026-12805.patch: new: fix CVE-2026-12805. + This patch fixes a risk of buffer overflow by ensuring negative error + codes in XMLNode::parseFile are properly handled, as well a NULL + values. (Closes: #1140562) + + -- Étienne Mollier <[email protected]> Tue, 23 Jun 2026 21:44:21 +0200 + dcmtk (3.6.9-5+deb13u1) trixie; urgency=medium * Team upload diff -Nru dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch --- dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch 1970-01-01 01:00:00.000000000 +0100 +++ dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch 2026-06-23 21:41:12.000000000 +0200 
@@ -0,0 +1,34 @@ +commit 1d4b3815c0987840a983160bfc671fef63a3105b +Author: Marco Eichelberg <[email protected]> +Date: Sat May 23 17:07:58 2026 +0200 + + Fixed buffer overflow in XMLNode::parseFile(). + + Fixed a heap buffer overflow that could occur in the XML parser + when reading from a named pipe. + + Thanks to Cristhian Daniel Rivas Zúñiga and Sebastian Andres Muñoz Morera + (Insituto Tecnológico de Costa Rica) for the bug report and fix. + + This closes DCMTK issue #1208. + +--- dcmtk.orig/ofstd/libsrc/ofxml.cc ++++ dcmtk/ofstd/libsrc/ofxml.cc +@@ -1,6 +1,6 @@ + /* + * +- * Copyright (C) 2011-2023, OFFIS e.V. ++ * Copyright (C) 2011-2026, OFFIS e.V. + * All rights reserved. See COPYRIGHT file for details. + * + * This software and supporting documentation were slightly modified by +@@ -1961,7 +1961,8 @@ + if (f==NULL) { if (pResults) pResults->error=eXMLErrorFileNotFound; return emptyXMLNode; } + fseek(f,0,SEEK_END); + int l=OFstatic_cast(int, ftell(f)),headerSz=0; +- if (!l) { if (pResults) pResults->error=eXMLErrorEmpty; fclose(f); return emptyXMLNode; } ++ // DCMTK: handle situation where ftell() returns -1 ++ if (l <= 0) { if (pResults) pResults->error=eXMLErrorEmpty; fclose(f); return emptyXMLNode; } + fseek(f,0,SEEK_SET); + unsigned char *buf=OFreinterpret_cast(unsigned char*, malloc(l+4)); + l=OFstatic_cast(int, fread(buf,1,l,f)); diff -Nru dcmtk-3.6.9/debian/patches/series dcmtk-3.6.9/debian/patches/series --- dcmtk-3.6.9/debian/patches/series 2026-06-11 20:54:58.000000000 +0200 +++ dcmtk-3.6.9/debian/patches/series 2026-06-23 21:41:30.000000000 +0200 @@ -14,3 +14,4 @@ 0016-CVE-2026-5663.patch 0017-CVE-2025-14841.patch 0018-CVE-2026-10194.patch +0019-CVE-2026-12805.patch
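Review bot: the changelog entry has a typo and slightly overstates the change: "as well a NULL values" should read "as well as NULL values", and the only behavioural change in 0019-CVE-2026-12805.patch is `!l` becoming `l <= 0`; the `if (f==NULL)` test on the line above it is pre-existing context, not something this update adds. Consider also naming the file as shipped, "0019-CVE-2026-12805.patch: new", so the entry matches debian/patches/series.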
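Review bot: the `l <= 0` check closes the ftell() failure path (with `int l = -1`, `malloc(l+4)` allocated 3 bytes while `fread(buf,1,l,f)` requested a size_t-converted -1, hence the heap overflow on a FIFO), but two neighbouring calls visible in the same hunk stay unchecked: both `fseek()` return values are ignored, and `malloc(l+4)` is not tested for NULL before `fread()` writes into it. Reporting a failed ftell() as eXMLErrorEmpty also conflates "empty file" with "not seekable" for callers. These are upstream follow-ups rather than blockers for a minimal stable update. Separately, the new patch file carries upstream's `commit`/`Author`/`Date` header but no DEP-3 fields; adding `Origin: upstream, 1d4b3815c0987840a983160bfc671fef63a3105b`, `Bug: https://support.dcmtk.org/redmine/issues/1208` and `Bug-Debian: https://bugs.debian.org/1140562` would let the next maintainer see the provenance without reading the body.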