Your message dated Sat, 17 May 2025 09:37:59 +0000
with message-id <[email protected]>
and subject line Close 1101064
has caused the Debian Bug report #1101064,
regarding bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101064: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101064
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:xmedcon
User: [email protected]
Usertags: pu
Hello Stable Release Managers,
I would like to bring a patch to xmedcon in bookworm.
[ Reason ]
xmedcon 0.23.0-gtk3+dfsg-1+deb12u1 is currently affected by the
minor security issue CVE-2025-2581 reported in #1100986. The
security issue consists of an integer underflow, according to the
CVE description; I'm not sure how remotely exploitable it is,
unless one accounts for the capability to open remote files.
[ Impact ]
xmedcon in bookworm will remain affected by the underflow of
CVE-2025-2581 if upload is not granted.
[ Tests ]
The package lacks autopkgtest support, nor does its reverse
dependency amide. I have instead proceeded to manual tests by
opening small Dicom test files I have around at hand to make
sure the change did not introduce obvious problems in xmedcon
nor in amide. I'm afraid the test was still somewhat superficial,
as I'm not that well versed in those medical image viewers.
[ Risks ]
xmedcon has only amide as strict dependency, and it has no
reverse build-dependencies caught by ratt plus dose-extra. In
my perception, the change is pretty simple so should not be too
problematic.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
This new revision of xmedcon appends a patch to guard against
malformed Dicom files with negative dimensions, which could
result in very large memory allocation and crash due to the
underflow caused by casting from int64_t to size_t, the latter
being unsigned.
[ Other information ]
The issue is freshly addressed in sid and some architectures are
still building it as I type. I was thus not entirely confident
to check the last case. Unless problems were to arise, I think
the case can be considered checked in 24 hours.
Have a nice day, :)
--
.''`. Étienne Mollier <[email protected]>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`- on air: Anathema - Flying
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog
--- xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2025-03-22 19:58:34.000000000 +0100
@@ -1,3 +1,10 @@
+xmedcon (0.23.0-gtk3+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2025-2581.patch: new: fix CVE-2025-2581. (Closes: #1100986)
+
+ -- Étienne Mollier <[email protected]> Sat, 22 Mar 2025 19:58:34 +0100
+
xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium
* Team upload.
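Review bot: the changelog entry on the `+ * CVE-2025-2581.patch: new: fix CVE-2025-2581. (Closes: #1100986)` line names only the CVE and patch file; a few words on what is actually fixed (malformed DICOM dimensions leading to an oversized allocation in libs/dicom/single.c) would make the stable changelog self-explanatory for users reading it through apt-listchanges without looking up the bug.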
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch 2025-03-22 19:57:54.000000000 +0100
@@ -0,0 +1,40 @@
+Description: Check for overflow between size_t and int64_t.
+Author: Erik Nolf
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100986
+Applied-Upstream: e7a88836fc2277f8ab777f3ef24f917d08415559
+Reviewed-by: Étienne Mollier <[email protected]>
+Last-Update: 2025-03-22
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- xmedcon.orig/libs/dicom/single.c
++++ xmedcon/libs/dicom/single.c
+@@ -22,8 +22,9 @@
+ SINGLE *dicom_single(void)
+ {
+ ELEMENT *e;
+- S32 length;
++ S32 length, bytes;
+ U32 i, f;
++ size_t size;
+ char *interpretation[]=
+ {
+ "MONOCHROME2",
+@@ -265,7 +266,17 @@
+ /* eNlf: - allocate an extra 4 bytes, otherwise the bit.c */
+ /* eNlf: routines like source.u++ go beyond the boundaries */
+ /* eNlf: - memset the allocated buffer for sure */
+- data = (U8*)malloc(width*height*pixel*frames+4);
++ bytes = (int64_t)width*height*pixel*frames+4;
++
++ /* check for overflow */
++ size = (size_t)bytes;
++ if ((int64_t)size != bytes) {
++ dicom_log(ERROR,"System size_t too small");
++ return 0L;
++ }
++
++ /* allocate memory */
++ data = (U8*)malloc(bytes);
+ if (!data)
+ {
+ dicom_log(ERROR,"Out of memory");
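Review bot: `bytes` is declared `S32` on the `++ S32 length, bytes;` line (a 32-bit signed type, by its name), so the product computed as `(int64_t)width*height*pixel*frames+4` is truncated back to 32 bits on assignment before the `if ((int64_t)size != bytes)` comparison ever sees it; the check therefore only detects a size_t narrower than int64_t, not a wrapped product, and a product that wraps to a small positive value still reaches `malloc(bytes)` with a buffer too small for the pixel data. The negative-dimension case the description mentions is not tested either: a negative `bytes` round-trips through `(size_t)` unchanged on 64-bit hosts and only fails at the later `if (!data)` "Out of memory" path. Suggest declaring `bytes` as `int64_t` and rejecting the bad values explicitly, e.g. `if (bytes < 0 || (int64_t)(size_t)bytes != bytes) { dicom_log(ERROR,"Invalid pixel data size"); return 0L; }`, ideally after checking that each dimension is positive.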
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2025-03-22 19:57:11.000000000 +0100
@@ -3,3 +3,4 @@
cross.patch
typos.patch
CVE-2024-29421.patch
+CVE-2025-2581.patch
--- End Message ---
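The allocation-size guard described in the [ Changes ] section above, as an added example that is not part of the bug report or of xmedcon's code: a hypothetical helper that rejects non-positive dimensions and checked-multiplies the byte count before anything is cast to size_t, so neither a negative product nor a wrapped one can reach malloc(). The variable names width/height/pixel/frames follow the patch; the helper names and the GCC/Clang `__builtin_*_overflow` builtins are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical helper (example code, not xmedcon's): computes
 * width*height*pixel*frames + 4, the 4 extra bytes mirroring the
 * original allocation, and fails instead of letting a negative or
 * wrapped product be converted to size_t. */
bool dicom_pixel_buffer_size(int64_t width, int64_t height,
                             int64_t pixel, int64_t frames,
                             size_t *out)
{
    /* Malformed dimensions are rejected before any arithmetic, so a
     * negative product can never be produced, let alone cast. */
    if (width <= 0 || height <= 0 || pixel <= 0 || frames <= 0)
        return false;

    /* Checked arithmetic in int64_t: each builtin returns true when the
     * exact mathematical result does not fit the destination. */
    int64_t bytes;
    if (__builtin_mul_overflow(width, height, &bytes) ||
        __builtin_mul_overflow(bytes, pixel, &bytes) ||
        __builtin_mul_overflow(bytes, frames, &bytes) ||
        __builtin_add_overflow(bytes, (int64_t)4, &bytes))
        return false;

    /* The count is known non-negative here; make sure it also fits
     * size_t on this host (matters on 32-bit platforms). */
    if ((uint64_t)bytes > (uint64_t)SIZE_MAX)
        return false;

    *out = (size_t)bytes;
    return true;
}

/* Allocate the zeroed pixel buffer, or return NULL for bad dimensions. */
uint8_t *alloc_pixel_buffer(int64_t width, int64_t height,
                            int64_t pixel, int64_t frames)
{
    size_t size;
    if (!dicom_pixel_buffer_size(width, height, pixel, frames, &size)) {
        fprintf(stderr, "rejected malformed pixel data dimensions\n");
        return NULL;
    }
    return calloc(size, 1); /* zeroed, like the memset in the original */
}
```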
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---