[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1078176: marked as done (bookworm-pu: package dcm2niix/1.0.20220720-1+deb12u1)

Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id <9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.camel@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1078176,
regarding bookworm-pu: package dcm2niix/1.0.20220720-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1078176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078176
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dcm2niix@packages.debian.org
Control: affects -1 + src:dcm2niix
User: release.debian.org@packages.debian.org
Usertags: pu

Aloha,

[ Reason ]
dcm2niix is affected by minor security issue CVE-2024-27629 in
bookworm: a local attacker can execute arbitrary code as the
generated file name is not properly escaped and injected into a
system call when certain types of compression are used.

[ Impact ]
dcm2niix will remain vulnerable to this issue is the upload is
not granted.

[ Tests ]
I stressed the vulnerability and found out it was affecting the
current version in bookworm.  I could then make sure that the
existing change in sid did prevent the risk of arbitrary code
execution, after applying the relevant change to the dcm2niix
version in bookworm.

I also made sure that the fix for the CVE does not result in an
autopkgtest regression in the reverse dependency heudiconv.
I would have done the same for the other reverse dependency
mricron, but autopkgtest is lacking for this one apparently.

[ Risks ]
The change is only little risky.  The change is minimal, but can
have some (limited) influence on the command output, as
characters '`' and '$' are erased by '_' with the mitigation.
The package has two reverse dependencies that shown no obvious
issues with the  fix in place.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This change includes a patch to fix CVE-2024-27629.  The patch
consists in sanitizing the output file name by erasing backticks
or dollar characters by an underscore before handing the output
file name to the next steps of the code, which may involve some
parsing by a shell.

[ Other info ]
Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-    on air: Kaipa Da Capo - Det Tysta Guldet

diff -Nru dcm2niix-1.0.20220720/debian/changelog dcm2niix-1.0.20220720/debian/changelog
--- dcm2niix-1.0.20220720/debian/changelog	2022-08-12 17:21:12.000000000 +0200
+++ dcm2niix-1.0.20220720/debian/changelog	2024-08-07 21:49:01.000000000 +0200
@@ -1,3 +1,11 @@
+dcm2niix (1.0.20220720-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2024-27629.patch: new: fix risk of arbitrary code execution.
+    Fixes: CVE-2024-27629 (Closes: #1074534)
+
+ -- Étienne Mollier <emollier@debian.org>  Wed, 07 Aug 2024 21:49:01 +0200
+
 dcm2niix (1.0.20220720-1) unstable; urgency=medium
 
   [ Andreas Tille ]
diff -Nru dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch
--- dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch	1970-01-01 01:00:00.000000000 +0100
+++ dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch	2024-08-07 21:11:41.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Prevent shell expansion.
+ This fixes CVE-2024-27629.
+Author: Daniel Santos
+Bug: https://github.com/rordenlab/dcm2niix/pull/789
+Bug-Debian: https://bugs.debian.org/1074534
+Reviewed-by: Étienne Mollier <emollier@debian.org>
+Applied-Upstream: https://github.com/rordenlab/dcm2niix/commit/51cf5cdb2b2044b22b93f251bd07695e84d456af
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- dcm2niix.orig/console/nii_dicom_batch.cpp
++++ dcm2niix/console/nii_dicom_batch.cpp
+@@ -3293,6 +3293,11 @@
+ 		if (outname[pos] == ':') //not allowed by MacOS
+ 			outname[pos] = '_';
+ #endif
++#if !defined(_WIN64) || !defined(_WIN32)
++       for (size_t pos = 0; pos < strlen(outname); pos++)
++               if (outname[pos] == '`' || outname[pos] == '$') // unix shell expansion characters
++                       outname[pos] = '_';
++#endif
+ 	cleanISO8859(outname);
+ 	//re-insert explicit path separators: -f %t/%s_%p will have folder for time, but will not segment a protocol named "fMRI\bold"
+ 	for (int pos = 0; pos < (int)strlen(outname); pos++) {
diff -Nru dcm2niix-1.0.20220720/debian/patches/series dcm2niix-1.0.20220720/debian/patches/series
--- dcm2niix-1.0.20220720/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ dcm2niix-1.0.20220720/debian/patches/series	2024-08-07 21:05:34.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-27629.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update including in today's bookworm
12.7 point release.

Regards,

Adam

--- End Message ---
Reply to: