Control: found -1 0.23.0-gtk3+dfsg-1
Control: found -1 0.16.3+dfsg-1

Hi Salvatore,
Salvatore Bonaccorso, on 2024-07-28:
> The following vulnerability was published for xmedcon.
>
> CVE-2024-29421[0]:
> | xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer
> | Overflow via libs/dicom/basic.c which allows an attacker to execute
> | arbitrary code.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-29421
> https://www.cve.org/CVERecord?id=CVE-2024-29421

Thanks for the notice, the update in sid is on its way, if not there already. I think that I isolated the relevant change upstream. That would be:

-------8<--------------8<--------------8<--------------8<-------
--- a/libs/dicom/basic.c +++ b/libs/dicom/basic.c @@ -401,6 +401,16 @@ int dicom_load(VR vr) if (element.vr==SQ || element.length==0xFFFFFFFF) return 0; + /* eNlf: - simply prevent length values that will overflow */ + /* eNlf: when we sum with an extra 4 bytes; thus preventing */ + /* eNlf: a heap overflow due to a small value at malloc() */ + /* eNlf: notified by Spike Reply Cyber Security Team */ + if (element.length > (0xFFFFFFFF - 4)) { + dicom_log(ERROR,"Unsupported element length"); + dicom_close(); + return -4; + } + if (element.group==0xFFFE) if (!element.encapsulated) return 0;
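Review bot: the guard `if (element.length > (0xFFFFFFFF - 4))` hard-codes the "+4" it protects against, so if the caller ever adds a different amount to element.length before malloc(), the bound silently stops matching; the robust fix is to check the computed allocation size at the malloc() site (or use a checked addition) in addition to this early bound, and to spell the constant as `UINT32_MAX - 4` with a comment naming what the 4 bytes are. The check also relies on element.length being an unsigned 32-bit field; if it is wider, the comparison no longer covers wraparound of the sum, so that assumption is worth stating in the comment. The new `return -4` should follow the error-code convention of the other early returns in dicom_load() and be documented alongside them.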
@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr) if (element.vr==SQ || element.length==0xFFFFFFFF) return 0; + /* eNlf: prevent overflowed value - see dicom_load() */ + if (element.length > (0xFFFFFFFF - 4)) { + dicom_log(ERROR,"Unsupported element length"); + dicom_close(); + return -4; + } + if (element.group==0xFFFE) if (!element.encapsulated) return 0;
------->8-------------->8-------------->8-------------->8-------

It applies without fuzz to the version in bookworm and even in bullseye. From a quick attempt, the patch didn't interfere with normal operation of the program (although I don't really have much to give it to eat, so I may not have stressed the affected code path).

If that makes sense, I can liaise with the release team for the next point release in August, or do you prefer we proceed to a security upgrade earlier? (I guess not, given the "Minor issue" in the notes I see in the security tracker web page, but asking just in case.)

Have a nice day, :)
-- 
.''`.  Étienne Mollier <emoll...@debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `'  sent from /dev/pts/1, please excuse my verbosity
  `-   on air: Tony Levin - Dog One
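Review bot: this second hunk in mdc_dicom_load() duplicates the check added to dicom_load() verbatim, including the magic `0xFFFFFFFF - 4` and the `-4` return code; factor it into one small shared helper (for example a static inline length-check function in basic.c) so the two load paths cannot drift apart when the bound or the error code changes. The comment `see dicom_load()` is only a pointer; a one-line statement of why 4 is added to element.length before malloc() belongs at this site as well, since a reader of mdc_dicom_load() has no reason to look at the other function first.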