Debian Patches

Status for dcmtk/3.7.0+really3.7.0-7

Patch Description Author Forwarded Bugs Origin Last update
01_dcmtk_3.6.0-1.patch The original maintainer Jürgen Salk applied a set of patches to the original code. This file contains
changes to C++ code
Jürgen Salk <jsa@debian.org> not-needed
07_dont_export_all_executables.patch Don't add executables to cmake exports CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also dosn't install the test
executables, this import may fail leading to failure
to configure the according package.
Gert Wollny <gw.fossdev@gmail.com> not-needed debian
remove_version.patch Remove version

===================================================================
Mathieu Malaterre <malat@debian.org> not-needed debian 2025-03-21
skip-bigendian-roundtrip-failure.patch skip test failure on big endian systems. The issue is known upstream and supposed to be fixed in an upcoming
version.
Étienne Mollier <emollier@debian.org> not-needed debian upstream 2026-02-17
hurd.patch Added support for GNU Hurd in OFgetExecutablePath().
Thanks to Pino Toscano (GitHub user pinotree) for the pull request.

This closes GitHub PR #137.
Marco Eichelberg <eichelberg@offis.de> no 2026-01-30
CVE-2026-5663.patch Sanitize all strings passed to the exec options. Sanitize the text fields from incoming DICOM associations and DICOM objects
(such as Study Instance UID, SOP Instance UID, Patient's Name) and the
calling SCU's network presentation address by removing special characters
that may be interpreted as shell escape characters when one of the
execution options (e.g. --exec-on-reception) is in use.
.
Thanks to Machine Spirits UG (haftungsbeschränkt) for the bug report,
detailed analysis and proof of concept.
.
This closes DCMTK issue #1194.
Marco Eichelberg <eichelberg@offis.de> yes debian upstream 2026-03-21
CVE-2026-10194.patch Fixed remote heap buffer overflow in dcmqrscp. Thanks to 'elp3pinill0' for the bug report, detailed
analysis, proof of concept and proposed fix.

diff --git a/dcmqrdb/libsrc/dcmqrdbi.cc b/dcmqrdb/libsrc/dcmqrdbi.cc
index c91116a1c..ee308abe1 100644
Marco Eichelberg <eichelberg@offis.de> yes debian upstream 2026-05-04
CVE-2026-12805.patch commit 1d4b3815c0987840a983160bfc671fef63a3105b

Fixed buffer overflow in XMLNode::parseFile().

Fixed a heap buffer overflow that could occur in the XML parser
when reading from a named pipe.

Thanks to Cristhian Daniel Rivas Zúñiga and Sebastian Andres Muñoz Morera
(Insituto Tecnológico de Costa Rica) for the bug report and fix.

This closes DCMTK issue #1208.
Marco Eichelberg <eichelberg@offis.de> no 2026-05-23
CVE-2026-50003.patch Fixed path traversal in DcmSCU bit-pres. C-GET. In DCMSCU_STORAGE_BIT_PRESERVING mode, the C-STORE sub-operation
handler in handleCGETSession() built the on-disk filename from the
peer-supplied AffectedSOPInstanceUID without sanitization, allowing
a malicious C-STORE SCP to write files outside the configured
storage directory via path-separator or "../" sequences in the UID.
.
The DISK mode path was already sanitized (via createStorageFilename(),
fixed in commit f06a86751 for CVE-2022-2120); this branch was missed.
The fix mirrors the same pattern (sanitize a local OFString copy) so
the request struct stays intact and the C-STORE response still echoes
the peer's original UID per protocol.
.
Affects all consumers of DcmSCU using DCMSCU_STORAGE_BIT_PRESERVING,
including getscu --bit-preserving.
.
This fixes DCMTK issue #1207.
.
Thanks to Abhinav Agarwal for the report and analysis.
Michael Onken <onken@open-connections.de> no debian 2026-05-12
CVE-2026-50254.patch Fix extNegList leaks on A-ASSOCIATE parse failure. Thanks for the report and analysis to Abhinav Agarwal.
.
This closes DCMTK feature #126.

diff --git a/dcmnet/libsrc/dulconst.cc b/dcmnet/libsrc/dulconst.cc
index 063cf5aba..d7f17c923 100644
Michael Onken <onken@open-connections.de> no debian 2026-05-26
CVE-2026-35505.patch Fix A-ASSOCIATE-RQ/AC error-path leaks in DUL FSM. AE_3_AssociateConfirmationAccept and AE_6_ExamineAssociateRequest leaked
the whole parsed PDU graph (presentation contexts, transfer syntax
sub-chains, role list, user info) on error returns taken after
parseAssociate() succeeded, since only the success path freed it. For an
SCP this is remotely triggerable and accumulates per connection.
.
Free the parsed PDU before each such return;
translatePresentationContextList() also frees the proposed transfer
syntax list of a rejected context. Add a dcmnet regression test
(tassocleak.cc) driving the AE_6 zero-transfer-syntax path against an
in-process DcmSCP; leak-clean with the fix under DCMTK_WITH_SANITIZERS.
.
Thanks for the report and analysis to Abhinav Agarwal.
.
This closes DCMTK issue #1217.
Michael Onken <onken@open-connections.de> no debian 2026-05-29
CVE-2026-52868.patch commit e3878daf870cd2db50eadfde38615f0afae8a584

Fix path traversal in wlmscpfs through Called AET.

The wlmscpfs SCP appended the Called Application Entity Title received
in the A-ASSOCIATE-RQ directly onto the configured worklist data file
path and used the existence of the resulting directory as an access
control decision. Because DICOM VR AE permits the characters "/", "\"
and ".", a peer could send a 16-byte AE title such as "../secret/VICTIM"
and have wlmscpfs serve worklist records from a sibling directory of
the configured root. With option --request-file-path enabled, the same
AE title (and the Patient ID) was substituted into the output filename
template without sanitization, producing an arbitrary-location write
primitive outside the configured request file directory.

This commit closes both holes:

- wlmscpfs now rejects any A-ASSOCIATE-RQ whose Called AE title is not
safe to use as a single filesystem path component, refusing the
association with WLM_BAD_AE_SERVICE. The validation is implemented in
the new static method WlmFileSystemInteractionManager::IsValidAETitle\
ForFilesystem, which rejects empty or over-long titles, any title
containing a dot, and delegates the remaining character check to
OFStandard::sanitizeAETitle (sanitize-and-compare).

- The placeholder substitution in storeRequestToFile now passes each
substituted value (#a, #c, #p) through OFStandard::sanitizeAETitle
before insertion, and additionally sanitizes the final filename, so
that any path separator surviving the substitution is defanged.

Supporting changes:

- Promote storescp's private sanitizeAETitle helper into the public
OFStandard::sanitizeAETitle, with documentation noting that the
function is also used by wlmscpfs to validate filesystem path
components (so widening the allow list has downstream effects).
- Replace storescp's local copy of the helper with the new public one.
- Add a forward declaration of DcmSequenceOfItems in wlfsim.h that
was previously missing (existing callers happened to include dctk.h
first).
- Document the new behaviour in the wlmscpfs man page.

Tests:

- New ofstd_OFStandard_sanitizeAETitle test covers the lifted helper
(path separators, NUL, control bytes, high-range bytes, shell
metacharacters, the quotation-mark preservation behaviour, and
empty/length-1 edge cases).
- New dcmwlm_aetitle_validation test covers the validator directly
with every path-traversal payload from the bug report ("../secret/\
VICTIM", "../CARDIOLOGY", "..", ".", "..\secret"), dotted variants
("MY.AE", "foo..bar", ".foo", "foo."), structural rejections (empty,
17 bytes, embedded NUL, tab, 0xFF), shell metacharacters, and a row
of legitimate AE titles that must still be accepted.
- dcmwlm previously had no OFTEST scaffolding; tests.cc has been added
along with the corresponding CMakeLists.txt and Makefile.in entries.

Thanks to Abhinav Agarwal for the report.
Michael Onken <onken@open-connections.de> no 2026-05-19
CVE-2026-44628a.patch Fix wlmscpfs crash on VR-spoofed seq. attributes. wldsfs.cc cast findAndGetElement() results to DcmSequenceOfItems*
without checking the VR. A C-FIND with a dictionary-SQ tag declared
under a non-SQ wire VR (Explicit VR) thus dispatched through the wrong
vtable and crashes the SCP (see also CVE-2024-28130 in dcmpstat).
.
Use findAndGetSequence(), which validates the VR. Also guard getItem(0)
against an empty ScheduledProcedureStepSequence and drop a bogus cast.
.
Thanks for the report and analysis to Abhinav Agarwal.
.
This closes DCMTK issue #1218.

diff --git a/dcmwlm/libsrc/wldsfs.cc b/dcmwlm/libsrc/wldsfs.cc
index ee83d7b07..7bb4db1f8 100644
Michael Onken <onken@open-connections.de> no debian 2026-05-29
CVE-2026-44628b.patch Fix VR-spoofed sequence cast crash in wlfsim, too. Apply the same findAndGetSequence() fix to the unchecked casts in
DatasetIsComplete() and ReferencedStudyOrPatientSequenceIsAbsent...()
as in f4e0074.

diff --git a/dcmwlm/libsrc/wlfsim.cc b/dcmwlm/libsrc/wlfsim.cc
index 40a93c4eb..8543f795a 100644
Michael Onken <onken@open-connections.de> no debian 2026-05-29

All known versions for source package 'dcmtk'

Links