Your message dated Wed, 12 Feb 2025 23:57:45 +0200
with message-id <Z60ZWV4h+lrAuIpl@localhost>
and subject line Re: Bug#1095072: orthanc: Orthanc crashes with latest dcmtk or libdcmtk15 security update
has caused the Debian Bug report #1095072,
regarding dcmtk: crashes orthanc with latest security update
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1095072: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095072
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: orthanc
Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: debian-...@lists.debian.org

Dear Maintainer,

The last dcmtk/libdcmtk15 security update (3.6.5-1+deb11u1) causes
orthanc server to segfault as soon as a dicom file is received.

Here is the content of syslog:
Feb  3 14:02:27 quaoar systemd[1]: Started Lightweight, RESTful DICOM server for healthcare and medical research.
Feb  3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 312e42 ip 00007fea92533c90 sp 00007fea857f9988 error 4 in libdcmnet.so.15.3.6.5 (deleted)[7fea924cf000+ad000]
Feb  3 14:02:46 quaoar kernel: [ 2559.248240] Code: 48 89 c2 48 c7 40 10 00 00 00 00 c6 40 18 00 48 8d 05 04 37 07 00 48 89 02 48 89 5a 20 5b 5d 41 5c e9 64 b4 f9 ff 0f 1f 40 00 <48> 83 7f 10 00 41 54 74 27 48 8b 47 08 48 8b 70 08 80 7e 18 00 75
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, code=killed, status=11/SEGV
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.

I have been able to reproduce this crash on a fresh bullseye install with
default configuration for everything (and just sending a dicom file on port
4242).

Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the 
problem, but is obviously not an acceptable solution, as it leaves the system 
with a security hole.

Thank you in advance,

Nicolas Chamouard


-- System Information:
Debian Release: 11.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-33-cloud-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages orthanc depends on:
ii  adduser                                            3.118+deb11u1
ii  dcmtk                                              3.6.5-1
ii  init-system-helpers                                1.60
ii  libboost-filesystem1.74.0                          1.74.0-9
ii  libboost-iostreams1.74.0                           1.74.0-9
ii  libboost-locale1.74.0                              1.74.0-9
ii  libboost-regex1.74.0 [libboost-regex1.74.0-icu67]  1.74.0-9
ii  libboost-thread1.74.0                              1.74.0-9
ii  libc6                                              2.31-13+deb11u11
ii  libcivetweb1                                       1.13+dfsg-5
ii  libcurl4                                           7.74.0-1.3+deb11u14
ii  libdcmtk15                                         3.6.5-1
ii  libgcc-s1                                          10.2.1-6
ii  libjpeg62-turbo                                    1:2.0.6-4
ii  libjsoncpp24                                       1.9.4-4
ii  liblua5.3-0                                        5.3.3-1.1+deb11u1
ii  libpng16-16                                        1.6.37-3
ii  libpugixml1v5                                      1.11.4-1
ii  libsqlite3-0                                       3.34.1-3+deb11u1
ii  libssl1.1                                          1.1.1w-0+deb11u2
ii  libstdc++6                                         10.2.1-6
ii  libuuid1                                           2.36.1-8+deb11u2
ii  locales                                            2.31-13+deb11u11
ii  lsb-base                                           11.1.0
ii  tzdata                                             2024b-0+deb11u1
ii  zlib1g                                             1:1.2.11.dfsg-2+deb11u2

orthanc recommends no packages.

orthanc suggests no packages.

-- Configuration Files:
/etc/orthanc/credentials.json [Errno 13] Permission non accordée: '/etc/orthanc/credentials.json'
/etc/orthanc/orthanc.json changed [not included]

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 3.6.5-1+deb11u3

On Mon, Feb 03, 2025 at 04:27:08PM +0200, Adrian Bunk wrote:
> On Mon, Feb 03, 2025 at 03:15:28PM +0100, infra...@alara-group.fr wrote:
> >...
> > Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the 
> > problem, but is obviously not an acceptable solution, as it leaves the 
> > system with a security hole.
> 
> Thanks for the report, I'll check how my update broke that.
>...

This is now fixed in 3.6.5-1+deb11u3

cu
Adrian

--- End Message ---
