Debian Patches

Status for dcmtk/3.6.7-9~deb12u4

Patch Description Author Forwarded Bugs Origin Last update
0007-CVE-2024-47796.patch Fixed issue rendering invalid monochrome image. Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
If the stored number is less than the expected number, the rest of the
pixel matrix for the intermediate representation was always filled with
the value 0. Under certain, very rare conditions, this could result in
memory problems reported by an Address Sanitizer (ASAN). Now, the rest
of the matrix is filled with the smallest possible value for the image.
.
Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the original report, the sample
file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.

diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
index e749a6b16e9f1af9a1459875aef5b7ab308c3987..50389a5407ec3e913446c2e6ba8c6c68047edaf8 100644 (file)
Joerg Riesmeier <dicom@jriesmeier.com> yes debian 2025-01-18
0013-CVE-2025-2357.patch commit 3239a791542e1ea433d23aaa9e0a05a532ffabff

Fixed segfault in JPEG-LS decoder.

Fixed a bug in the JPEG-LS decoder that led to a segmentation fault if invalid
input data was processed, due to insufficient validation of input data.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

This closes DCMTK issue #1155.

diff --git a/dcmjpls/libcharls/scan.h b/dcmjpls/libcharls/scan.h
index b4dea20d8..f13098104 100644
Marco Eichelberg <eichelberg@offis.de> no 2025-03-03
0014-CVE-2025-9732.patch commit 7ad81d69b19714936e18ea5fc74edaeb9f021ce7

Fixed issue with invalid "YBR_FULL" DICOM images.

Fixed an issue when processing an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels
(much too less). Now, the pixel data of such an image is not processed
at all, but an empty image (black pixels) is created instead. The user
is warned about this by an appropriate log message.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).
Joerg Riesmeier <dicom@jriesmeier.com> no 2025-08-15
0015-CVE-2025-9732b.patch commit 3de96da6cd66b1af7224561c568bc3de50cd1398

Fixed issue with commit 7ad81d69b.

Fixed an issue with recently committed changes that fix a problem with
invalid YBR_FULL images

diff --git a/dcmimage/include/dcmtk/dcmimage/diybrpxt.h b/dcmimage/include/dcmtk/dcmimage/diybrpxt.h
index c5415c149..fdaaafc2d 100644
Joerg Riesmeier <dicom@jriesmeier.com> no 2025-08-18
07_dont_export_all_executables.patch Don't add executables to cmake exports CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also dosn't install the test
executables, this import may fail leading to failure
to configure the according package.
Gert Wollny <gw.fossdev@gmail.com> no debian
f06a867513524664a1b03dfcf812d8b60fdd02cc.patch Fixed path traversal vulnerability.
Thanks to Sharon Brizinov >sharon.b@claroty.com> and Noam Moshe from
Claroty Research for the bug report and sample files.

This closes DCMTK issue #1021.
Marco Eichelberg <dicom@offis.de> no 2022-05-06
c34f4e46e672ad21accf04da0dc085e43be6f5e1.patch Fixed memory leak in single process mode.
Fixed a memory leak in dcmqrscp's single process mode.

Thanks to <songxiangpu@mail.sdu.edu.cn> for the bug report and test data.
Marco Eichelberg <dicom@offis.de> no 2022-06-09
01_dcmtk_3.6.0-1.patch The original maintainer Jürgen Salk applied a set of patches to the original code. This file contains
changes to C++ code
Jürgen Salk <jsa@debian.org> no
03_datadic_install.patch Install dict to versioned dir Mathieu Malaterre <malat@debian.org> no debian
0008-CVE-2024-52333.patch Added check to make sure: HighBit < BitsAllocated. Added check to the image preprocessing to make sure that the value of
HighBit is always less than the value of BitsAllocated. Before, this
missing check could lead to memory corruption if an invalid combination
of values was retrieved from a malformed DICOM dataset.
.
Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the report, sample file (PoC)
and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.
Joerg Riesmeier <dicom@jriesmeier.com> yes debian 2025-01-18
0009-CVE-2024-27628.patch Fixed possible overflows when allocating memory. Thanks to GitHub user "bananabr" (Daniel Berredo) for the report and
suggested patch.
Michael Onken <onken@open-connections.de> yes debian 2025-01-30
0010-CVE-2024-34508-34509.patch Fixed two segmentation faults. Fixed two segmentations faults that could occur while processing an
invalid incoming DIMSE message due to insufficient error handling
causing a de-referenced NULL pointer.
.
Thanks to Nils Bars <nils.bars@rub.de> for the bug report and sample files.
.
This closes DCMTK issue #1114.
Marco Eichelberg <dicom@offis.de> yes upstream 2025-02-01
0011-CVE-2024-34508-34509_bis.patch Fixed DcmDecimalString unit tests.
diff --git a/dcmdata/tests/tvrds.cc b/dcmdata/tests/tvrds.cc
index a9132a341..0e929304d 100644
Marco Eichelberg <dicom@offis.de> no 2025-02-01
0001-Fixed-unchecked-typecasts-of-DcmItem-search-results.patch Fixed unchecked typecasts of DcmItem::search results.
DcmItem::search() returns a stack of DcmObject pointers as search results.
These pointers in most instances need to be casted to DcmItem, DcmElement
or a subclass of these. In many cases, the type of the object was not
properly checked before the typecast. This could lead to segmentation faults
when invalid DICOM datasets were processed where elements had the wrong
value representation.
Marco Eichelberg <dicom@offis.de> no 2024-04-15
0012-CVE-2022-4981.patch commit 957fb31e5d96f51ecf5cb3422c7dc2227f8e0423

Fixed dcmqrscp crash caused by malformed config file.

Fixed various issues in the dcmqrscp configuration file parser
that could cause application crashes when reading a malformed configuration
file, due to insufficient checks of the input data.

This closes DCMTK issue #1026.

Thanks to Zahra Mirzamomen <zahra.mirzamomen@monash.edu> and
Marcel Böhme <marcel.boehme@mpi-sp.org> for the bug report and sample files.

diff --git a/dcmqrdb/libsrc/dcmqrcnf.cc b/dcmqrdb/libsrc/dcmqrcnf.cc
index 686c9df2a..36a295fa2 100644
Marco Eichelberg <dicom@offis.de> no 2022-05-24
0002-Fixed-unchecked-typecasts-and-fixed-LUT-handling.patch Fixed unchecked typecasts and fixed LUT handling.
This commit adds further fixes for unchecked typecasts of DcmItem::search()
results (see description of previous commit). Furthermore, this commit
specifically addresses the handling of look-up tables (LUTs) in module
dcmpstat, where attribute (0028,3006) LUTData may use either US or OW
value representation, and (0028,3002) LUTDescriptor may be either US or SS.
The code should now properly handle all permitted value representations.
LUTData is now always written as OW in order to avoid the 64k size limit
for US in explicit VR encoding.

Thanks to Martin Zeiser from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the bug report (TALOS-2024-1957).

Together with the previous commit, this closes DCMTK issue #1120.
Marco Eichelberg <dicom@offis.de> no 2024-04-15
0003-Fixed-wrong-error-handling-previous-commit.patch Fixed wrong error handling (previous commit).
Fixed wrong error handling introduced with the previous commit.
Joerg Riesmeier <dicom@jriesmeier.com> no 2024-04-22
0009-CVE-2025-25475.patch commit bffa3e9116abb7038b432443f16b1bd390e80245

Fixed issue with invalid RLE compressed DICOM images.

Fixed issue when processing an RLE compressed image where the RLE header
contains an invalid stripe size.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).
Marco Eichelberg <eichelberg@offis.de> no 2025-01-23
0010-CVE-2025-25474.patch commit 1d205bcd307164c99e0d4bbf412110372658d847

Fixed another issue with invalid DICOM images.

Fixed issue when processing an invalid DICOM image where the number of
pixels stored does not match the expected number of pixels (too less)
and the combination of BitsAllocated and BitsStored is really unusual
(e.g. 1 bit stored, but 52 bits allocated). In cases where the last
pixel (e.g. a single bit) does not fit into the buffer of the input
pixel data, a buffer overflow occurred on the heap. Now, the last entry
of the buffer is filled with the smallest possible value (e.g. 0 in case
of unsigned data).

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).
Joerg Riesmeier <dicom@jriesmeier.com> no 2025-01-21
0011-CVE-2025-25472.patch commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2

Fixed another issue with invalid mono images.

Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
In this case, only a single pixel is processed, but the pixel matrix is
much larger. Filling the rest of the pixel matrix with the smallest
possible value for the image is not working because of an optimized
memory usage (value would be out of range). Now, the pixel value to be
used is double-checked before it is actually filled into the "background"
of the image.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

diff --git a/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h b/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
index 50389a540..f67967310 100644
Joerg Riesmeier <dicom@jriesmeier.com> no 2025-01-17
0016-CVE-2025-14607.patch commit 4c0e5c10079392c594d6a7abd95dd78ac0aa556a

Fixed bug in handling of odd-length data elements.

When a dataset containing an illegal odd-length attribute with a text VR
was read from file or received over a network connection, then accessing
the value of that attribute with DcmElement::getString() may return a
pointer to a string that was not properly null terminated. Using C string
functions such as strlen() or strcpy() on that string then lead to a read
beyond the end of a string, causing a segmentation fault.

Thanks to Zou Dikai <zoudikai@outlook.com> for the bug report and POC.

This closes DCMTK issue #1184.
Marco Eichelberg <eichelberg@offis.de> no 2025-12-02
0017-CVE-2025-14841.patch commit ffb1a4a37d2c876e3feeb31df4930f2aed7fa030

Fixed two possible segfaults in dcmqrscp.

Fixed two places where invalid messages may trigger a segmentation fault
due to a NULL pointer being de-referenced.

Thanks to 邹 迪凯 <zoudikai@outlook.com> for the bug report and proof-of-concept.
Marco Eichelberg <eichelberg@offis.de> no 2025-11-28
0018-CVE-2026-5663.patch commit edbb085e45788dccaf0e64d71534cfca925784b8

Sanitize all strings passed to the exec options.

Sanitize the text fields from incoming DICOM associations and DICOM objects
(such as Study Instance UID, SOP Instance UID, Patient's Name) and the
calling SCU's network presentation address by removing special characters
that may be interpreted as shell escape characters when one of the
execution options (e.g. --exec-on-reception) is in use.

Thanks to Machine Spirits UG (haftungsbeschränkt) for the bug report,
detailed analysis and proof of concept.

This closes DCMTK issue #1194.
Marco Eichelberg <eichelberg@offis.de> no 2026-03-21
0019-CVE-2026-10194.patch commit 0f78a4ef6f645ea5530166e445e5436a5de58e75

Fixed remote heap buffer overflow in dcmqrscp.

Thanks to 'elp3pinill0' for the bug report, detailed
analysis, proof of concept and proposed fix.

This closes DCMTK issue #1206.
Marco Eichelberg <eichelberg@offis.de> no 2026-05-04
0020-CVE-2026-12805.patch commit 1d4b3815c0987840a983160bfc671fef63a3105b

Fixed buffer overflow in XMLNode::parseFile().

Fixed a heap buffer overflow that could occur in the XML parser
when reading from a named pipe.

Thanks to Cristhian Daniel Rivas Zúñiga and Sebastian Andres Muñoz Morera
(Insituto Tecnológico de Costa Rica) for the bug report and fix.

This closes DCMTK issue #1208.
Marco Eichelberg <eichelberg@offis.de> no 2026-05-23

All known versions for source package 'dcmtk'

Links