Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #836592,
regarding jessie-pu: package gdcm/2.4.4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
836592: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

The version of gdcm in jessie suffers from two security problems:

  CVE-2015-8396 [1]
  CVE-2015-8397 [2]

However, the security team notified me that the issue does not warrant a DSA
and I should instead just fix it via a jessie point release.

The proposed patch against the package is enclosed; it adds the corresponding fixes
from the upstream repository.

best regards,
Gert

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8396
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8397



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
diff -ruN gdcm-2.4.4/debian/changelog gdcm-2.4.4.new/debian/changelog
--- gdcm-2.4.4/debian/changelog	2014-10-06 08:08:33.000000000 +0100
+++ gdcm-2.4.4.new/debian/changelog	2016-08-23 18:45:09.415835673 +0100
@@ -1,3 +1,11 @@
+gdcm (2.4.4-3+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * add patches:  
+    - d/p/CVE-2015-8396.patch: fix according security vunerability
+    - d/p/CVE-2015-8397.patch: fix according security vunerability
+
+ -- Gert Wollny <gw.foss...@gmail.com>  Sat, 20 Aug 2016 22:25:15 +0100
+
 gdcm (2.4.4-3) unstable; urgency=medium
 
   * Fix issue introduced by multiarch switch. Closes: #764029
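Review bot: The two new changelog entries misspell "vulnerability" as "vunerability", and the "* add patches:" line carries trailing whitespace. Since this text ships in the point release, I would also replace "fix according security vunerability" with a short statement of what each patch fixes, for example the missing region and extent checks in ImageRegionReader for CVE-2015-8396 and the output buffer size check in JPEGLSCodec::DecodeExtent for CVE-2015-8397.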
diff -ruN gdcm-2.4.4/debian/patches/CVE-2015-8396.patch gdcm-2.4.4.new/debian/patches/CVE-2015-8396.patch
--- gdcm-2.4.4/debian/patches/CVE-2015-8396.patch	1970-01-01 01:00:00.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/CVE-2015-8396.patch	2016-08-20 23:23:27.990220328 +0100
@@ -0,0 +1,103 @@
+Author: Mathieu Malaterre <mathieu.malate...@gmail.com>
+Date:   Fri Dec 18 12:18:02 2015 +0100
+Description: Patches fixing CVE-2015-8396
+ Patches were backported from upstream commits 
+  92cd6d7 Always prefer boxRegion computation for area
+  9cbca25 Fix a case when Region was never initialized
+  e0dd111 Add an extra layer of check
+  0f6f820 Actually handle the case of error in ComputeBufferLength
+
+Index: gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
++++ gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmImageRegionReader.cxx
+@@ -85,6 +85,7 @@ Region const &ImageRegionReader::GetRegi
+ size_t ImageRegionReader::ComputeBufferLength() const
+ {
+   // Is this a legal extent:
++  size_t npixels = 0;
+   if( Internals->GetRegion() )
+     {
+     if( !Internals->GetRegion()->IsValid() )
+@@ -92,10 +93,26 @@ size_t ImageRegionReader::ComputeBufferL
+       gdcmDebugMacro( "Sorry not a valid extent. Giving up" );
+       return 0;
+       }
++    npixels = this->Internals->GetRegion()->Area();
+     }
+-  PixelFormat pixelInfo = ImageHelper::GetPixelFormatValue(GetFile());
+-  size_t bytesPerPixel = pixelInfo.GetPixelSize();
+-  return this->Internals->GetRegion()->Area()*bytesPerPixel;
++  else
++  {
++    std::vector<unsigned int> dims = ImageHelper::GetDimensionsValue(GetFile());
++    BoxRegion full;
++    // Use BoxRegion to do robust computation
++    full.SetDomain(0, dims[0] - 1,
++                   0, dims[1] - 1,
++                   0, dims[2] - 1 );
++    if( full.IsValid() )
++    {
++      gdcmDebugMacro( "Sorry not a valid extent. Giving up" );
++      return 0;
++     }
++    npixels = full.Area();
++  }
++  const PixelFormat pixelInfo = ImageHelper::GetPixelFormatValue(GetFile());
++  const size_t bytesPerPixel = pixelInfo.GetPixelSize();
++  return npixels*bytesPerPixel;
+ }
+ 
+ bool ImageRegionReader::ReadInformation()
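Review bot: The validity test in the new else branch of ComputeBufferLength() looks inverted: `if( full.IsValid() )` logs "Sorry not a valid extent" and returns 0 when the full-image box is valid, and falls through to `full.Area()` when it is not. The branch above tests `!Internals->GetRegion()->IsValid()` with the same message, so this is most likely a dropped `!`; please check it against the upstream commits named in the patch header. As written, and together with the `thelen == 0` rejection added to ReadIntoBuffer() further down, a read without an explicit region fails for every well-formed image, while an out-of-range extent is the case that gets through. Separately, `dims[0] - 1` and friends are unsigned, so a dimension of 0 wraps to UINT_MAX, and `dims[2]` assumes the vector has three entries; both values come from the file.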
+@@ -371,7 +388,17 @@ bool ImageRegionReader::ReadJPEGIntoBuff
+   theCodec.SetPixelFormat( ImageHelper::GetPixelFormatValue(GetFile()) );
+ 
+   std::istream* theStream = GetStreamPtr();
+-  const BoxRegion &boundingbox = this->Internals->GetRegion()->ComputeBoundingBox();
++  BoxRegion boundingbox;
++  if( Internals->GetRegion() )
++    boundingbox = this->Internals->GetRegion()->ComputeBoundingBox();
++  else
++  {
++    std::vector<unsigned int> dims = ImageHelper::GetDimensionsValue(GetFile());
++    boundingbox.SetDomain(
++      0, dims[0] - 1,
++      0, dims[1] - 1,
++      0, dims[2] - 1 );
++  }
+   unsigned int xmin = boundingbox.GetXMin();
+   unsigned int xmax = boundingbox.GetXMax();
+   unsigned int ymin = boundingbox.GetYMin();
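Review bot: The fallback `boundingbox` built in ReadJPEGIntoBuffer() when no region is set is used without an `IsValid()` call, so the uint16_t bound this patch adds to BoxRegion::IsValid() is not applied on this path inside the function itself. The `SetDomain(0, dims[0] - 1, ...)` block is also a copy of the one added to ComputeBufferLength(); a small private helper that builds the full-image box and returns false when it is invalid would keep the two paths from drifting apart and would give one place to handle a zero dimension or a `dims` vector with fewer than three entries.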
+@@ -445,7 +472,13 @@ bool ImageRegionReader::ReadJPEGLSIntoBu
+ bool ImageRegionReader::ReadIntoBuffer(char *buffer, size_t buflen)
+ {
+   size_t thelen = ComputeBufferLength();
+-  if( buflen < thelen )
++  if( thelen == 0 )
++    {
++    // does not sound right, something seems odd.
++    gdcmDebugMacro( "Cannot load an image of 0 bytes" );
++    return false;
++    }
++   if( buflen < thelen )
+     {
+     gdcmDebugMacro( "buffer cannot be smaller than computed buffer length" );
+     return false;
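Review bot: The re-added `if( buflen < thelen )` line has one more leading space than the line it replaces, so it shows up as a change although the condition is identical; keeping the original indentation leaves only the new `thelen == 0` block in this hunk and makes the backport easier to compare with upstream. The early return itself relies on ComputeBufferLength() using 0 as its error value, which is worth saying in the comment instead of "does not sound right, something seems odd".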
+Index: gdcm-2.4.4/Source/Common/gdcmBoxRegion.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/Common/gdcmBoxRegion.cxx
++++ gdcm-2.4.4/Source/Common/gdcmBoxRegion.cxx
+@@ -79,6 +79,13 @@ bool BoxRegion::IsValid() const
+     {
+     return false;
+     }
++  // Some properly crafted DICOM could have bigger values, reject them:
++  // technically there is no such restrictions for Z direction
++  if (Internals->XMax > std::numeric_limits<uint16_t>::max() ||
++      Internals->YMax > std::numeric_limits<uint16_t>::max() )
++  {
++    return false;
++  }
+   return true;
+ }
+ 
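Review bot: The new bound check in BoxRegion::IsValid() uses `std::numeric_limits` and `uint16_t`, but the hunk adds no `#include`; please confirm that gdcmBoxRegion.cxx already pulls in `<limits>` and a fixed-width integer header in 2.4.4, otherwise the build depends on transitive includes. The comment states that Z is deliberately unbounded, so `Area()` can still become large through ZMax alone; callers that multiply the area by bytes per pixel, as ComputeBufferLength() does, should not treat a passing IsValid() as a guarantee that the product fits in size_t.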
diff -ruN gdcm-2.4.4/debian/patches/CVE-2015-8397.patch gdcm-2.4.4.new/debian/patches/CVE-2015-8397.patch
--- gdcm-2.4.4/debian/patches/CVE-2015-8397.patch	1970-01-01 01:00:00.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/CVE-2015-8397.patch	2016-08-20 22:30:26.000000000 +0100
@@ -0,0 +1,36 @@
+Description: Fix CVE-2015-8397 in jessie 
+ backported upstream commit: 
+ e547b1d Avoid a buffer over run with properly crafted JPEG-LS
+Author: Mathieu Malaterre <mathieu.malate...@gmail.com>
+Date:   Fri Dec 11 14:35:08 2015 +0100
+
+Index: gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
+===================================================================
+--- gdcm-2.4.4.orig/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
++++ gdcm-2.4.4/Source/MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx
+@@ -449,6 +449,12 @@ bool JPEGLSCodec::DecodeExtent(
+     const unsigned int colsize = ymax - ymin + 1;
+     const unsigned int bytesPerPixel = pf.GetPixelSize();
+ 
++    if( outv.size() != dimensions[0] * dimensions[1] * bytesPerPixel )
++    {
++       gdcmDebugMacro( "Inconsistant buffer size. Giving up" );
++       return false;
++    }
++
+     const unsigned char *tmpBuffer1 = raw;
+     unsigned int z = 0;
+     for (unsigned int y = ymin; y <= ymax; ++y)
+@@ -505,6 +511,12 @@ bool JPEGLSCodec::DecodeExtent(
+       const unsigned int colsize = ymax - ymin + 1;
+       const unsigned int bytesPerPixel = pf.GetPixelSize();
+ 
++      if( outv.size() != dimensions[0] * dimensions[1] * bytesPerPixel )
++      {
++         gdcmDebugMacro( "Inconsistant buffer size. Giving up" );
++         return false;
++      }
++
+       const unsigned char *tmpBuffer1 = raw;
+       for (unsigned int y = ymin; y <= ymax; ++y)
+         {
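Review bot: In both copies of the new check in JPEGLSCodec::DecodeExtent(), the right-hand side `dimensions[0] * dimensions[1] * bytesPerPixel` is computed before being compared with `outv.size()`. `bytesPerPixel` is declared `const unsigned int` just above, so unless `dimensions` holds a wider type the product is evaluated in 32-bit arithmetic and can wrap for large file-supplied dimensions, which would let a mismatched buffer pass the comparison. Casting the first operand to `size_t` before multiplying avoids that. Minor: "Inconsistant" in the debug message should read "Inconsistent", and since the same six lines are added twice, a single check ahead of the two branches (or a small helper) would be easier to keep in sync.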
diff -ruN gdcm-2.4.4/debian/patches/series gdcm-2.4.4.new/debian/patches/series
--- gdcm-2.4.4/debian/patches/series	2014-10-06 08:08:33.000000000 +0100
+++ gdcm-2.4.4.new/debian/patches/series	2016-08-20 22:28:52.000000000 +0100
@@ -2,3 +2,5 @@
 fixhurd.patch
 linkvtkdoc.patch
 multiarch.patch
+CVE-2015-8396.patch
+CVE-2015-8397.patch

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
