Control: found -1 1.0.20220720-1
Control: notfound -1 1.0.20201102-1
Control: tags -1 + bookworm

Greetings,

I tried to stress the CVE-2024-27629 affecting dcm2niix:

| An issue in dc2niix before v.1.0.20240202 allows a local attacker to
| execute arbitrary code via the generated file name is not properly
| escaped and injected into a system call when certain types of
| compression are used.

I think that I managed to trip the vulnerability on bookworm. But it seems that on bullseye, the file name embedded in the dicom file does not trip a shell command execution. Unless I missed something, it seems that the problem did not exist at that time.

I'm considering preparing a bookworm proposed update with the patch for the next point release. I'm less sure about touching bullseye for this one: the patch mangles file name upon conversion, and there is no real benefit if the problem indeed does not appear on that old operating system level.

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <emoll...@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/6, please excuse my verbosity
   `-    on air: Genesis - Domino (live)