
Re: [Debian-med-packaging] Wheezy update of dcmtk?



Dear all,

On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of dcmtk:
> https://security-tracker.debian.org/tracker/CVE-2015-8979
>
> Would you like to take care of this yourself?

I personally do not feel capable of doing so and Mathieu left the team - so I
would be astonished (but definitely happy!) if he would step in for this
task.  If you do not receive a positive response from Gert I doubt that
anybody else from the team would take over.

I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM SCP (server) is affected (including the well-known Horos/OsiriX viewer).

Orthanc was also affected by this problem. Orthanc 1.2.0 was released last week in order to fix this vulnerability in its static builds (notably for Windows and OS X). The patch we applied can be found at the following location:
https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
 
As this patch is very simple (six lines of code), it should be easy to backport it to the DCMTK Debian package.

Unfortunately, I do not know how to fix such issues in Wheezy, and I am currently under heavy pressure wrt. the Orthanc upstream project... maybe someone could do this backporting job?

HTH,
Sébastien-

