Source: dcmtk Version: 3.7.0+really3.7.0-6 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for dcmtk. I still filled this as RC level, but I'm unsure if they really would warrant a security advisory, in particular the critical rated one needs to connect to a malicious DICOM server. CVE-2026-50003[0]: | A malicious or compromised server can make a DCMTK client using bit- | preserving C-GET storage mode write files outside the chosen output | directory, using both relative (../) paths and absolute paths. CVE-2026-50254[1]: | An unauthenticated remote attacker can repeatedly send a single | crafted connection request to leak memory. Against storescp in its | default single-process mode, memory grows quickly and the service is | eventually killed, after which it stops accepting connections until | an operator restarts it. CVE-2026-35505[2]: | An unauthenticated remote attacker can repeatedly send crafted | connection requests to leak memory. In single-process deployments | the memory grows until the service is killed and the port stops | responding until restart. CVE-2026-52868[3]: | An unauthenticated attacker can read worklist records from a | directory outside the intended per-AE worklist storage area. In a | multi-area deployment, this can cross departmental or clinic data | separation. CVE-2026-44628[4]: | An unauthenticated attacker can crash the worklist server with a | single crafted query when the server has a valid Called AE Title / | storage directory, the expected lockfile, and at least one matching | worklist record. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-50003 https://www.cve.org/CVERecord?id=CVE-2026-50003 [1] https://security-tracker.debian.org/tracker/CVE-2026-50254 https://www.cve.org/CVERecord?id=CVE-2026-50254 [2] https://security-tracker.debian.org/tracker/CVE-2026-35505 https://www.cve.org/CVERecord?id=CVE-2026-35505 [3] https://security-tracker.debian.org/tracker/CVE-2026-52868 https://www.cve.org/CVERecord?id=CVE-2026-52868 [4] https://security-tracker.debian.org/tracker/CVE-2026-44628 https://www.cve.org/CVERecord?id=CVE-2026-44628 [5] https://www.openwall.com/lists/oss-security/2026/07/01/1 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

