Hi Salvatore, Salvatore Bonaccorso, on 2024-08-08: > Hi Étienne, > > On Wed, Aug 07, 2024 at 10:54:25PM +0200, Étienne Mollier wrote: > > Control: found -1 1.0.20220720-1 > > Control: notfound -1 1.0.20201102-1 > > Control: tags -1 + bookworm > > > > Greetings, > > > > I tried to stress the CVE-2024-27629 affecting dcm2niix: > > | An issue in dc2niix before v.1.0.20240202 allows a local attacker to > > | execute arbitrary code via the generated file name is not properly > > | escaped and injected into a system call when certain types of > > | compression are used. > > > > I think that I managed to trip the vulnerability on bookworm. > > But it seems that on bullseye, the file name embedded in the > > dicom file does not trip a shell command execution. Unless I > > missed something, it seems that the problem did not exist à that > > time. > > > > I'm considering preparing a bookworm proposed update with the > > patch for the next point release. I'm less sure about touching > > bullseye for this one: the patch mangles file name upon > > conversion, and there is no real benefit if the problem indeed > > does not appear on that old operating system level. > > > > Have a nice day, :) > > Thanks for your work! And thanks for preparing the bookworm-pu update > if you find time for it.
The bookworm-pu would be #1078176. > About bullseye, yes this might be, it might be dass the issue is > covered. If we are not 100% sure the vulnerable code os not there, > then rather err on the safe side and on tracker side do not mark it as > not-affected. But I agree then, that you leave the bullseye update out > for now. Maybe even leaning to mark it <ignored> in the > security-tracker for bullseye. I agree <ignored> is probably the appropriate tagging. It gives a hint to passers by that the change won't be applied. Have a nice day, :) -- .''`. Étienne Mollier <emoll...@debian.org> : :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da `. `' sent from /dev/pts/4, please excuse my verbosity `-
signature.asc
Description: PGP signature
