Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id <9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.camel@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1077549,
regarding bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1077549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077549
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u1
- From: Étienne Mollier <emollier@debian.org>
- Date: Mon, 29 Jul 2024 23:00:38 +0200
- Message-id: <ZqgC9ky4KKjwDK9J@fusion.emlwks999.eu>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon@packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
xmedcon in bookworm is affected by CVE-2024-29421. It is, quoting the description: "vulnerable to Buffer Overflow via libs/dicom/basic.c which allows an attacker to execute arbitrary code". It is currently rated minor by the security team, hence following the proposed-update process instead of a security update. The issue is tracked in #1077369.

[ Impact ]
xmedcon in bookworm will remain vulnerable to the risk of execution of arbitrary code if left unchanged.

[ Tests ]
The package does not ship with automated tests, but I verified manually that the patch in upstream code did not provoke any obvious breakages by visualising some dicom image taken from other Debian Med sample files. I also verified that the dicom visualizer amide, which depends on the libmdc3, was not showing obvious breakages caused by the change.

Note: I do not know how to trip the vulnerability so I have not stressed the mitigation per se.

[ Risks ]
The patch fits in a screen and felt fairly obvious what it was doing to me, so I don't believe it's highly risky. It has one reverse dependency, amide, that does not seem to show many issues with the change this far.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This revision introduces a patch to dicom loading functions, originating from upstream xmedcon 0.24.0, containing a change which is intended to guard against large element length and error out instead of running into buffer overflow conditions.

[ Other info ]

Have a nice day, :)
--
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-    on air: Therion - The Leaf on the Oak of Fardiff

-Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog --- xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2023-02-05 19:35:32.000000000 +0100 +++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog 2024-07-28 23:02:25.000000000 +0200 @@ -1,3 +1,10 @@ +xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369) + + -- Étienne Mollier <emollier@debian.org> Sun, 28 Jul 2024 23:02:25 +0200 + xmedcon (0.23.0-gtk3+dfsg-1) unstable; urgency=medium * New upstream version diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch --- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch 1970-01-01 01:00:00.000000000 +0100 +++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2024-29421.patch 2024-07-28 23:01:35.000000000 +0200 
@@ -0,0 +1,33 @@ +--- a/libs/dicom/basic.c ++++ b/libs/dicom/basic.c +@@ -401,6 +401,16 @@ int dicom_load(VR vr) + if (element.vr==SQ || element.length==0xFFFFFFFF) + return 0; + ++ /* eNlf: - simply prevent length values that will overflow */ ++ /* eNlf: when we sum with an extra 4 bytes; thus preventing */ ++ /* eNlf: a heap overflow due to a small value at malloc() */ ++ /* eNlf: notified by Spike Reply Cyber Security Team */ ++ if (element.length > (0xFFFFFFFF - 4)) { ++ dicom_log(ERROR,"Unsupported element length"); ++ dicom_close(); ++ return -4; ++ } ++ + if (element.group==0xFFFE) + if (!element.encapsulated) + return 0; +@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr) + if (element.vr==SQ || element.length==0xFFFFFFFF) + return 0; + ++ /* eNlf: prevent overflowed value - see dicom_load() */ ++ if (element.length > (0xFFFFFFFF - 4)) { ++ dicom_log(ERROR,"Unsupported element length"); ++ dicom_close(); ++ return -4; ++ } ++ + if (element.group==0xFFFE) + if (!element.encapsulated) + return 0; diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series --- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2023-02-05 19:35:32.000000000 +0100 +++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series 2024-07-28 23:01:35.000000000 +0200 @@ -2,3 +2,4 @@ use_debian_packaged_niftilib.patch cross.patch typos.patch +CVE-2024-29421.patch
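Review bot: the debian/changelog hunk's entry `* CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)` does not say where the patch comes from; the cover letter states it is taken from upstream xmedcon 0.24.0, and recording that in the entry makes the stable update auditable without having to find this bug thread.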
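Review bot: in the CVE-2024-29421.patch hunk, the two inserted checks in dicom_load() and mdc_dicom_load() are identical and both hinge on the constant `0xFFFFFFFF - 4`, whose meaning depends on a `+ 4` done elsewhere in the loader; expressing the guard once as a small helper, or as an explicit overflow test on the addition it protects (for a 32-bit unsigned `element.length`, `element.length + 4 < element.length`), with a comment naming that addition, keeps the two copies from drifting if the allocation size ever changes. The patch file as added also starts directly at `--- a/libs/dicom/basic.c` with no DEP-3 header; a Description, an Origin pointing at the upstream 0.24.0 change, and Bug-Debian: #1077369 at the top would record what the cover letter already states.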
--- End Message ---
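The [ Changes ] section and the comments in the patch describe the defect: the 32-bit element length read from the DICOM file has 4 added to it before malloc(), so a length close to 0xFFFFFFFF wraps to a tiny allocation and the data copied afterwards overruns the heap. The following C is an added example, not xmedcon's code and not part of the bug report: it shows the wraparound, checks that the patch's bound 0xFFFFFFFF - 4 rejects exactly the lengths for which the addition wraps, and contrasts it with an overflow-checked addition. The sample lengths are constructed for the demonstration, and the checked addition uses the GCC/Clang __builtin_add_overflow builtin.

```c
/* Added example (not xmedcon code): the 32-bit wraparound behind
 * CVE-2024-29421 and why the guard "length > 0xFFFFFFFF - 4" is exact.
 * Assumption: the element length is a uint32_t taken from the file and
 * the loader computes length + 4 before allocating. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the unpatched arithmetic computes: length + 4 in uint32_t, which
 * wraps silently past 0xFFFFFFFF instead of failing. */
uint32_t wrapped_alloc_size(uint32_t element_length)
{
    return element_length + 4u;
}

/* The guard added by the patch, as a predicate: true when the length
 * must be rejected ("Unsupported element length" in the patch). */
bool element_length_rejected(uint32_t element_length)
{
    return element_length > (0xFFFFFFFFu - 4u);
}

/* Overflow-checked addition (GCC/Clang builtin): derives the bound from
 * the actual addition instead of a hand-computed constant. Returns false
 * and leaves *out unspecified when the sum does not fit in 32 bits. */
bool checked_alloc_size(uint32_t element_length, uint32_t *out)
{
    return !__builtin_add_overflow(element_length, 4u, out);
}

/* Single-value wrapper: the checked size, or 0 on overflow (0 is never a
 * valid size here, since the smallest possible sum is 4). */
uint32_t checked_alloc_size_or_zero(uint32_t element_length)
{
    uint32_t size = 0;
    return checked_alloc_size(element_length, &size) ? size : 0u;
}

/* Verifies, over a constructed set of boundary lengths, that the patch's
 * constant bound and the checked addition agree, and that the accepted
 * cases give the same size as the plain addition. */
bool guard_matches_checked_add(void)
{
    const uint32_t samples[] = {
        0u, 1u, 0x7FFFFFFFu, 0xFFFFFFFAu,
        0xFFFFFFFBu, /* largest accepted: 0xFFFFFFFB + 4 == 0xFFFFFFFF */
        0xFFFFFFFCu, /* smallest rejected: wraps to 0 */
        0xFFFFFFFEu, /* wraps to 2: a 2-byte buffer for a ~4 GiB element */
        0xFFFFFFFFu  /* DICOM undefined length; handled before the guard */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t size = 0;
        bool ok = checked_alloc_size(samples[i], &size);
        if (ok == element_length_rejected(samples[i]))
            return false;   /* the two checks disagree */
        if (ok && size != wrapped_alloc_size(samples[i]))
            return false;   /* non-wrapping case must equal the plain sum */
    }
    return true;
}

int main(void)
{
    const uint32_t demo[] = { 0x100u, 0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFEu };
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++) {
        printf("length 0x%08X: unchecked size 0x%08X, %s\n", demo[i],
               wrapped_alloc_size(demo[i]),
               element_length_rejected(demo[i]) ? "rejected by guard"
                                                : "accepted");
    }
    printf("guard agrees with checked addition: %s\n",
           guard_matches_checked_add() ? "yes" : "no");
    return 0;
}
```

The constant bound in the patch turns out to be exact: the four lengths it rejects (0xFFFFFFFC through 0xFFFFFFFF) are precisely those for which the 32-bit sum wraps, and 0xFFFFFFFF is already treated as the DICOM undefined length by the lines just above the guard. The builtin form is the one to prefer in new code because it stays correct if the 4-byte constant changes.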
--- Begin Message ---
- To: 1049988-done@bugs.debian.org, 1066965-done@bugs.debian.org, 1068954-done@bugs.debian.org, 1069891-done@bugs.debian.org, 1070193-done@bugs.debian.org, 1070425-done@bugs.debian.org, 1070660-done@bugs.debian.org, 1071267-done@bugs.debian.org, 1073518-done@bugs.debian.org, 1074439-done@bugs.debian.org, 1074478-done@bugs.debian.org, 1075828-done@bugs.debian.org, 1075898-done@bugs.debian.org, 1075942-done@bugs.debian.org, 1076015-done@bugs.debian.org, 1076156-done@bugs.debian.org, 1076271-done@bugs.debian.org, 1076335-done@bugs.debian.org, 1076345-done@bugs.debian.org, 1076504-done@bugs.debian.org, 1076531-done@bugs.debian.org, 1076596-done@bugs.debian.org, 1076603-done@bugs.debian.org, 1076784-done@bugs.debian.org, 1076831-done@bugs.debian.org, 1077045-done@bugs.debian.org, 1077323-done@bugs.debian.org, 1077509-done@bugs.debian.org, 1077515-done@bugs.debian.org, 1077549-done@bugs.debian.org, 1078176-done@bugs.debian.org, 1078761-done@bugs.debian.org, 1078781-done@bugs.debian.org, 1078937-done@bugs.debian.org, 1079086-done@bugs.debian.org, 1079140-done@bugs.debian.org, 1079143-done@bugs.debian.org, 1079317-done@bugs.debian.org, 1079350-done@bugs.debian.org, 1079353-done@bugs.debian.org, 1079388-done@bugs.debian.org, 1079460-done@bugs.debian.org, 1079514-done@bugs.debian.org, 1079543-done@bugs.debian.org, 1079565-done@bugs.debian.org, 1079579-done@bugs.debian.org, 1079635-done@bugs.debian.org
- Subject: Closing bugs for 12.7
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 31 Aug 2024 12:34:14 +0100
- Message-id: <9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update included in today's bookworm 12.7 point release.

Regards,

Adam
--- End Message ---