Hi Étienne,

On Wed, Aug 07, 2024 at 10:54:25PM +0200, Étienne Mollier wrote:
> Control: found -1 1.0.20220720-1
> Control: notfound -1 1.0.20201102-1
> Control: tags -1 + bookworm
>
> Greetings,
>
> I tried to stress the CVE-2024-27629 affecting dcm2niix:
> | An issue in dc2niix before v.1.0.20240202 allows a local attacker to
> | execute arbitrary code via the generated file name is not properly
> | escaped and injected into a system call when certain types of
> | compression are used.
>
> I think that I managed to trip the vulnerability on bookworm.
> But it seems that on bullseye, the file name embedded in the
> dicom file does not trip a shell command execution. Unless I
> missed something, it seems that the problem did not exist at that
> time.
>
> I'm considering preparing a bookworm proposed update with the
> patch for the next point release. I'm less sure about touching
> bullseye for this one: the patch mangles the file name upon
> conversion, and there is no real benefit if the problem indeed
> does not appear on that old operating system level.
>
> Have a nice day, :)
Thanks for your work! And thanks for preparing the bookworm-pu update if you find time for it.

About bullseye, yes, this might be; it might be that the issue is covered. If we are not 100% sure the vulnerable code is not there, then rather err on the safe side and, on the tracker side, do not mark it as not-affected. But I agree then that you leave the bullseye update out for now. Maybe even leaning to mark it <ignored> in the security-tracker for bullseye.

Regards,
Salvatore