Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dcmtk
User: [email protected]
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
dcmtk in trixie, including dcmtk 3.6.9-5+deb13u1 pending
publication via trixie-proposed-updates, is affected by
CVE-2026-12805.  See also important bug #1140562.

CVE-2026-12805 is an issue triaged as minor by the Debian
Security Team.  Hence, I offer to upload via the
stable-proposed-updates channel instead of trixie-security.

[ Impact ]
If the upload is not granted, dcmtk in trixie will remain
affected by CVE-2026-12805.

[ Tests ]
The affected code did not include an update of the test suite.
I had hoped to refer to upstream's ticket #1208 [1] in order to
check whether there were means to stress the change to the code,
but their issue tracker is down at the time of writing.  That
being written, I ensured that the change did not introduce
regressions in reverse dependencies in testing by running their
autopkgtest.

[1]: https://support.dcmtk.org/redmine/issues/1208

[ Risks ]
The overall change to the code consists of an effective single
line in a patch straight from the upstream commit.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This update introduces the patch 0019-CVE-2026-12805.patch.  It
fixes the buffer overflow referenced under CVE-2026-12805 by
properly checking for ftell(3) error codes.

[ Other info ]
On the unstable side, the change should make it to
forky tomorrow, as dcmtk's test suite and all reverse
dependencies' autopkgtests were verified in working condition,
which is encouraging.

This update follows up on dcmtk 3.6.9-5+deb13u1 uploaded to
trixie-proposed-updates via #1139722, but which has not made it
to trixie yet.  It seemed saner to me to include a debdiff that
restarts from 3.6.9-5+deb13u1 rather than 3.6.9-5.  Hope that's
ok this way?

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-
diff -Nru dcmtk-3.6.9/debian/changelog dcmtk-3.6.9/debian/changelog
--- dcmtk-3.6.9/debian/changelog        2026-06-11 20:54:58.000000000 +0200
+++ dcmtk-3.6.9/debian/changelog        2026-06-23 21:44:21.000000000 +0200
@@ -1,3 +1,13 @@
+dcmtk (3.6.9-5+deb13u2) trixie; urgency=medium
+
+  * Team upload.
+  * CVE-2026-12805.patch: new: fix CVE-2026-12805.
+    This patch fixes a risk of buffer overflow by ensuring negative error
+    codes in XMLNode::parseFile are properly handled, as well a NULL
+    values. (Closes: #1140562)
+
+ -- Étienne Mollier <[email protected]>  Tue, 23 Jun 2026 21:44:21 +0200
+
 dcmtk (3.6.9-5+deb13u1) trixie; urgency=medium
 
   * Team upload
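Review bot: the new changelog entry refers to the patch as "CVE-2026-12805.patch", while the file added under debian/patches and listed in series is "0019-CVE-2026-12805.patch"; using the full file name keeps the entry searchable. The same entry reads "as well a NULL values" (missing "as"), and it states that NULL values are handled although the only functional line the shipped patch changes is the `if (l <= 0)` test, so the wording should either drop the NULL claim or say which NULL is meant.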
diff -Nru dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch 
dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch
--- dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch        1970-01-01 
01:00:00.000000000 +0100
+++ dcmtk-3.6.9/debian/patches/0019-CVE-2026-12805.patch        2026-06-23 
21:41:12.000000000 +0200
@@ -0,0 +1,34 @@
+commit 1d4b3815c0987840a983160bfc671fef63a3105b
+Author: Marco Eichelberg <[email protected]>
+Date:   Sat May 23 17:07:58 2026 +0200
+
+    Fixed buffer overflow in XMLNode::parseFile().
+    
+    Fixed a heap buffer overflow that could occur in the XML parser
+    when reading from a named pipe.
+    
+    Thanks to Cristhian Daniel Rivas Zúñiga and Sebastian Andres Muñoz Morera
+    (Insituto Tecnológico de Costa Rica) for the bug report and fix.
+    
+    This closes DCMTK issue #1208.
+
+--- dcmtk.orig/ofstd/libsrc/ofxml.cc
++++ dcmtk/ofstd/libsrc/ofxml.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 2011-2023, OFFIS e.V.
++ *  Copyright (C) 2011-2026, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were slightly modified by
+@@ -1961,7 +1961,8 @@
+     if (f==NULL) { if (pResults) pResults->error=eXMLErrorFileNotFound; 
return emptyXMLNode; }
+     fseek(f,0,SEEK_END);
+     int l=OFstatic_cast(int, ftell(f)),headerSz=0;
+-    if (!l) { if (pResults) pResults->error=eXMLErrorEmpty; fclose(f); return 
emptyXMLNode; }
++    // DCMTK: handle situation where ftell() returns -1
++    if (l <= 0) { if (pResults) pResults->error=eXMLErrorEmpty; fclose(f); 
return emptyXMLNode; }
+     fseek(f,0,SEEK_SET);
+     unsigned char *buf=OFreinterpret_cast(unsigned char*, malloc(l+4));
+     l=OFstatic_cast(int, fread(buf,1,l,f));
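Review bot: in the ofxml.cc hunk at line 1961, the new `l <= 0` test catches ftell() returning -1, but the pointer returned by `malloc(l+4)` is still handed to fread() on the next line without a NULL check, and the return values of both fseek() calls are ignored. A failed ftell() is also reported as eXMLErrorEmpty, which tells the caller the input was empty rather than unreadable or not seekable. These are upstream's lines, so for the stable update it is enough to say in the request that the fix is limited to the ftell() case. Separately, the patch header carries only the git commit, author and date, so adding Origin: and Bug-Debian: fields would record the provenance that the mail describes in prose.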
diff -Nru dcmtk-3.6.9/debian/patches/series dcmtk-3.6.9/debian/patches/series
--- dcmtk-3.6.9/debian/patches/series   2026-06-11 20:54:58.000000000 +0200
+++ dcmtk-3.6.9/debian/patches/series   2026-06-23 21:41:30.000000000 +0200
@@ -14,3 +14,4 @@
 0016-CVE-2026-5663.patch
 0017-CVE-2025-14841.patch
 0018-CVE-2026-10194.patch
+0019-CVE-2026-12805.patch
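
The [ Changes ] paragraph turns on ftell(3) returning -1 for a stream that cannot seek, which the old `if (!l)` test let through. The following C program is an added illustration, not part of the original mail and not DCMTK code: `load_stream`, `probe`, `probe_pipe` and the `LOAD_*` codes are hypothetical names, and it shows a loader that rejects a pipe, an empty file and an oversized file before allocating, exercised on a constructed pipe and temporary file.

```c
#define _POSIX_C_SOURCE 200809L   /* for fdopen() and pipe() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical names, not DCMTK code. Errors are returned negated. */
enum { LOAD_NOT_SEEKABLE = 1, LOAD_EMPTY, LOAD_TOO_BIG, LOAD_NOMEM, LOAD_IO };
/* Read a seekable stream into a NUL-terminated buffer; returns its length. */
static long load_stream(FILE *f, unsigned char **out)
{
    long sz;
    *out = NULL;
    /* On a pipe or FIFO fseek() fails and ftell() returns -1 (ESPIPE). */
    if (fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0) return -LOAD_NOT_SEEKABLE;
    if (sz == 0) return -LOAD_EMPTY;
    if (sz > INT_MAX - 4) return -LOAD_TOO_BIG;  /* example cap, keeps sz + 4 in range */
    if (fseek(f, 0, SEEK_SET) != 0) return -LOAD_IO;
    if ((*out = malloc((size_t)sz + 4)) == NULL) return -LOAD_NOMEM;
    sz = (long)fread(*out, 1, (size_t)sz, f);
    if (ferror(f)) { free(*out); *out = NULL; return -LOAD_IO; }
    (*out)[sz] = 0;
    return sz;
}

static long probe(FILE *f, const char *text)  /* optional write, load, close */
{
    unsigned char *buf = NULL;
    long r;
    if (f == NULL) return -LOAD_IO;
    if (text != NULL) fputs(text, f);
    r = load_stream(f, &buf);
    free(buf);
    fclose(f);
    return r;
}

static long probe_pipe(void)                  /* constructed input: empty pipe */
{
    int fds[2];
    if (pipe(fds) != 0) return -LOAD_IO;
    close(fds[1]);
    return probe(fdopen(fds[0], "rb"), NULL);
}

int main(void)
{
    printf("pipe=%ld file=%ld\n", probe_pipe(), probe(tmpfile(), "<a/>"));
    return 0;
}
```

A check of this shape, run against a pipe and a regular file, is also the kind of regression test the [ Tests ] section notes is missing.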
