Bug#1077549: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1077549: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
From: Étienne Mollier <emollier@debian.org>
Date: Mon, 29 Jul 2024 23:00:38 +0200
Message-id: <[🔎] ZqgC9ky4KKjwDK9J@fusion.emlwks999.eu>
Reply-to: Étienne Mollier <emollier@debian.org>, 1077549@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon@packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
xmedcon in bookworm is affected by CVE-2024-29421.  It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code".  It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update.  The issue is tracked in #1077369.

[ Impact ]
xmedcon in bookworm will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.

[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom image taken from
other Debian Med sample files.  I also verified that the dicom
visualizer amide, which depends on the libmdc3, was not showing
obvious breakages caused by the change.

Note: I do not know how to trip the vulnerability so I have not
stressed the mitigation per se.

[ Risks ]
The patch fits in a screen and felt fairly obvious what is was
doing to me, so I don't believe it's highly risky.  It has one
reverse dependency, amide, that does not seem to show much
issues with the change this far.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.

[ Other info ]
Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-    on air: Therion - The Leaf on the Oak of Far

diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog
--- xmedcon-0.23.0-gtk3+dfsg/debian/changelog	2023-02-05 19:35:32.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog	2024-07-28 23:02:25.000000000 +0200
@@ -1,3 +1,10 @@
+xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emollier@debian.org>  Sun, 28 Jul 2024 23:02:25 +0200
+
 xmedcon (0.23.0-gtk3+dfsg-1) unstable; urgency=medium
 
   * New upstream version
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch	2024-07-28 23:01:35.000000000 +0200
@@ -0,0 +1,33 @@
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: - simply prevent length values that will overflow  */
++  /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++  /* eNlf: a heap overflow due to a small value at malloc()   */
++  /* eNlf: notified by Spike Reply Cyber Security Team        */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: prevent overflowed value - see dicom_load() */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series	2023-02-05 19:35:32.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series	2024-07-28 23:01:35.000000000 +0200
@@ -2,3 +2,4 @@
 use_debian_packaged_niftilib.patch
 cross.patch
 typos.patch
+CVE-2024-29421.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Processed: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#1077515: bookworm-pu: package putty/0.78-2+deb12u2
Next by Date: Processed: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
Previous by thread: Processed: bookworm-pu: package putty/0.78-2+deb12u2
Next by thread: Processed: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
Index(es):
- Date
- Thread