-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Jun 2025 10:48:02 +0200
Source: dcmtk
Architecture: source
Version: 3.6.5-1+deb11u4
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1017743 1098373 1098374 1100724
Changes:
 dcmtk (3.6.5-1+deb11u4) bullseye-security; urgency=medium
 .
   [ Andreas Henriksson ]
   * Cherry-pick upstream fixes for
     - CVE-2025-25472: A buffer overflow in DCMTK git master v3.6.9+ DEV allows
       attackers to cause a Denial of Service (DoS) via a crafted DCM file.
       (Introduced by fix for CVE-2024-47796)
     - CVE-2025-25474: DCMTK v3.6.9+ DEV was discovered to contain a buffer
       overflow via the component /dcmimgle/diinpxt.h. (Closes: #1098374)
     - CVE-2025-25475: A NULL pointer dereference in the component
       /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a
       Denial of Service (DoS) via a crafted DICOM file. (Closes: #1098373)
   * Cherry-pick upstream fix for path-traversal vulns
     - CVE-2022-2119: OFFIS DCMTK's (All versions prior to 3.6.7) service class
       provider (SCP) is vulnerable to path traversal, allowing an attacker to
       write DICOM files into arbitrary directories under controlled names.
       This could allow remote code execution.
     - CVE-2022-2120: OFFIS DCMTK's (All versions prior to 3.6.7) service class
       user (SCU) is vulnerable to relative path traversal, allowing an attacker
       to write DICOM files into arbitrary directories under controlled names.
       This could allow remote code execution.
     ... both fixed in same patch. (Closes: #1017743)
 .
   [ Bastien Roucariès ]
   * Backport testsuite to salsa CI
   * Fix CVE-2025-2357 (Closes: #1100724)
     This vulnerability affects unknown code of the component dcmjpls JPEG-LS
     Decoder. The manipulation leads to memory corruption. The attack can be
     initiated remotely.
Checksums-Sha1:
 a9b8ccb9230999c9283f6147c2b15beb1ab566e8 2300 dcmtk_3.6.5-1+deb11u4.dsc
 491f7c206f1ed746634af3062b6b791519b13dab 6483626 dcmtk_3.6.5.orig.tar.gz
 9c1a99437a2e222cf4e360d5d2fe938ac1ce2ff3 54132 dcmtk_3.6.5-1+deb11u4.debian.tar.xz
 469ac8ca4d8765c34782ea56b0197dddd496d4ba 11142 dcmtk_3.6.5-1+deb11u4_amd64.buildinfo
Checksums-Sha256:
 a7b7adfdd6172654f3463b34bc9186ce88668568397869f6a467b1718792b011 2300 dcmtk_3.6.5-1+deb11u4.dsc
 a05178665f21896dbb0974106dba1ad144975414abd760b4cf8f5cc979f9beb9 6483626 dcmtk_3.6.5.orig.tar.gz
 a1df4db9bf770bc5718476f71e94a10d1ba50a809c8ac3c337e04ffadcbf66a1 54132 dcmtk_3.6.5-1+deb11u4.debian.tar.xz
 0dab59c67f09b17775ff2ce9e9c36dd333975f01f66e3d2be884ef96263f8a3e 11142 dcmtk_3.6.5-1+deb11u4_amd64.buildinfo
Files:
 b09a5854fbc23666f1d7eaebc543f936 2300 science optional dcmtk_3.6.5-1+deb11u4.dsc
 e19707f64ee5695c496b9c1e48e39d07 6483626 science optional dcmtk_3.6.5.orig.tar.gz
 79f1818f5b6a8c74a05d7e884c7f1898 54132 science optional dcmtk_3.6.5-1+deb11u4.debian.tar.xz
 bca2fb7bd61baad9a9be19f82c43e872 11142 science optional dcmtk_3.6.5-1+deb11u4_amd64.buildinfo