
Bug#1101064: marked as done (bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u2)



Your message dated Sat, 17 May 2025 09:37:59 +0000
with message-id <E1uGDzT-005KKH-17@coccia.debian.org>
and subject line Close 1101064
has caused the Debian Bug report #1101064,
regarding bookworm-pu: package xmedcon/0.23.0-gtk3+dfsg-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1101064: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101064
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: xmedcon@packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian.org@packages.debian.org
Usertags: pu

Hello Stable Release Managers,

I would like to bring a patch to xmedcon in bookworm.

[ Reason ]
xmedcon 0.23.0-gtk3+dfsg-1+deb12u1 is currently affected by the
minor security issue CVE-2025-2581 reported in #1100986.  The
security issue consists in an integer underflow, according to the
CVE description; I'm not sure how remotely exploitable it is,
unless one accounts for the capability to open remote files.

[ Impact ]
xmedcon in bookworm will remain affected by the underflow of
CVE-2025-2581 if upload is not granted.

[ Tests ]
The package lacks autopkgtest support, as does its reverse
dependency amide.  I have instead proceeded to manual tests by
opening small Dicom test files I have around at hand to make
sure the change did not introduce obvious problems in xmedcon
nor in amide.  I'm afraid the test was still somewhat superficial,
as I'm not that well versed in those medical image viewers.

[ Risks ]
xmedcon has only amide as a strict dependency, and it has no
reverse build-dependencies caught by ratt plus dose-extra.  In
my perception, the change is pretty simple, so it should not be too
problematic.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
This new revision of xmedcon appends a patch to guard against
malformed Dicom files with negative dimensions, which could
result in very large memory allocation and crash due to the
underflow caused by casting from int64_t to size_t, the latter
being unsigned.

[ Other information ]
The issue is freshly addressed in sid and some architectures are
still building it as I type.  I was thus not entirely confident
to check the last case.  Unless problems were to arise, I think
the case can be considered checked in 24 hours.

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-    on air: Anathema - Flying
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/changelog xmedcon-0.23.0-gtk3+dfsg/debian/changelog
--- xmedcon-0.23.0-gtk3+dfsg/debian/changelog	2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/changelog	2025-03-22 19:58:34.000000000 +0100
@@ -1,3 +1,10 @@
+xmedcon (0.23.0-gtk3+dfsg-1+deb12u2) bookworm; urgency=medium
+
+  * Team upload.
+  * CVE-2025-2581.patch: new: fix CVE-2025-2581. (Closes: #1100986)
+
+ -- Étienne Mollier <emollier@debian.org>  Sat, 22 Mar 2025 19:58:34 +0100
+
 xmedcon (0.23.0-gtk3+dfsg-1+deb12u1) bookworm; urgency=medium
 
   * Team upload.
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/CVE-2025-2581.patch	2025-03-22 19:57:54.000000000 +0100
@@ -0,0 +1,40 @@
+Description: Check for overflow between size_t and int64_t.
+Author: Erik Nolf
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100986
+Applied-Upstream: e7a88836fc2277f8ab777f3ef24f917d08415559
+Reviewed-by: Étienne Mollier <emollier@debian.org>
+Last-Update: 2025-03-22
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- xmedcon.orig/libs/dicom/single.c
++++ xmedcon/libs/dicom/single.c
+@@ -22,8 +22,9 @@
+ SINGLE *dicom_single(void)
+ {
+   ELEMENT	*e;
+-  S32		length;
++  S32		length, bytes;
+   U32		i, f;
++  size_t    size;
+   char		*interpretation[]=
+   {
+     "MONOCHROME2",
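Review bot: `bytes` is declared `S32` here (a 32-bit signed type, judging by its name and the `U32` beside it), but the hunk below assigns it `(int64_t)width*height*pixel*frames+4`; the widening cast is undone by the assignment, so the product is truncated back to 32 bits before the "check for overflow" ever sees it, and a large product that wraps to a small positive value goes straight on to `malloc(bytes)`. Declare it as `int64_t bytes;` and keep `length` as `S32`. Minor: `size_t    size;` is indented with spaces while the neighbouring declarations use tabs.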
+@@ -265,7 +266,17 @@
+           /* eNlf: - allocate an extra 4 bytes, otherwise the bit.c   */
+           /* eNlf: routines like source.u++ go beyond the boundaries  */
+           /* eNlf: - memset the allocated buffer for sure             */
+-          data = (U8*)malloc(width*height*pixel*frames+4);
++          bytes = (int64_t)width*height*pixel*frames+4;
++
++          /* check for overflow */
++          size = (size_t)bytes;
++          if ((int64_t)size != bytes) {
++            dicom_log(ERROR,"System size_t too small");
++            return 0L;
++          }
++
++          /* allocate memory */
++          data = (U8*)malloc(bytes);
+           if (!data)
+           {
+             dicom_log(ERROR,"Out of memory");
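Review bot: the test `(int64_t)size != bytes` only fires when `size_t` is narrower than `int64_t`; on LP64 targets the cast to `size_t` and back is the identity (modular conversion both ways on gcc and clang), so a negative `bytes` produced by a negative dimension is accepted and reaches `malloc(bytes)` as a near-SIZE_MAX request, exactly the oversized allocation this patch sets out to prevent, and the only thing stopping it is malloc returning NULL. Reject the bad input before allocating, e.g. check that `width`, `height`, `pixel` and `frames` are each positive before multiplying, or at minimum `if (bytes <= 4 || (uint64_t)bytes > SIZE_MAX)`; that also makes the log accurate, since "System size_t too small" blames the platform for what is a malformed file. If those four factors are 32-bit values, their product can also exceed `int64_t`, so the single leading cast does not make the multiplication itself safe.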
diff -Nru xmedcon-0.23.0-gtk3+dfsg/debian/patches/series xmedcon-0.23.0-gtk3+dfsg/debian/patches/series
--- xmedcon-0.23.0-gtk3+dfsg/debian/patches/series	2024-08-07 17:51:22.000000000 +0200
+++ xmedcon-0.23.0-gtk3+dfsg/debian/patches/series	2025-03-22 19:57:11.000000000 +0100
@@ -3,3 +3,4 @@
 cross.patch
 typos.patch
 CVE-2024-29421.patch
+CVE-2025-2581.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
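The mechanism described in the [ Changes ] section, as an added example that is not part of the bug report or of xmedcon's own code: a negative dimension makes the pre-fix S32 product negative, which becomes a near-SIZE_MAX request once it reaches malloc's size_t parameter; the patch's int64_t/size_t round-trip test is isolated to show that on an LP64 target it accepts such a value; and a hardened computation rejects non-positive dimensions and caps the product with per-step overflow checks. Assumptions: S32 and U8 are stand-ins for xmedcon's typedefs, the MAX_PIXEL_DATA_BYTES cap is a policy value chosen for this example, and the header values are constructed rather than taken from a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for xmedcon's S32/U8 typedefs (assumption: S32 is a 32-bit
 * signed integer, as the name and the neighbouring U32 suggest). */
typedef int32_t S32;
typedef uint8_t U8;

/* Assumed policy cap on one pixel-data buffer; xmedcon has no such
 * constant, the value is chosen for this example. */
#define MAX_PIXEL_DATA_BYTES ((uint64_t)1 << 31)

/* What the pre-fix code asked malloc for: the product is evaluated in S32
 * and only then converted to size_t by malloc's prototype, so a negative
 * dimension turns into a near-SIZE_MAX request. (Inputs are kept small
 * enough that the S32 multiplication itself does not overflow.) */
size_t naive_buffer_size(S32 width, S32 height, S32 pixel, S32 frames)
{
    S32 bytes = width * height * pixel * frames + 4;
    return (size_t)bytes;
}

/* The patch's round-trip test in isolation: returns 1 when
 * (int64_t)(size_t)bytes == bytes, i.e. the patch would go on to
 * malloc(bytes). On LP64 the two conversions cancel out (modular in both
 * directions on gcc/clang), so every negative value is accepted. */
int patch_style_check_accepts(int64_t bytes)
{
    size_t size = (size_t)bytes;
    return (int64_t)size == bytes;
}

/* Hardened size computation for this example (not xmedcon's code).
 * Returns 0 and stores the byte count in *out, or -1 if any dimension is
 * non-positive or the product would exceed the cap. Multiplying one factor
 * at a time in uint64_t avoids the signed overflow that a single
 * (int64_t)width*height*pixel*frames can hit with four large 32-bit values. */
int checked_buffer_size(S32 width, S32 height, S32 pixel, S32 frames, size_t *out)
{
    if (width <= 0 || height <= 0 || pixel <= 0 || frames <= 0)
        return -1;                        /* the negative-dimension case */

    const uint64_t factors[3] = { (uint64_t)height, (uint64_t)pixel, (uint64_t)frames };
    const uint64_t limit = MAX_PIXEL_DATA_BYTES - 4;   /* room for the +4 slack */
    uint64_t bytes = (uint64_t)width;
    for (int i = 0; i < 3; i++) {
        if (bytes > limit / factors[i])
            return -1;                    /* product would exceed the cap */
        bytes *= factors[i];
    }
    bytes += 4;                           /* xmedcon's 4-byte slack for bit.c */
    *out = (size_t)bytes;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
uint64_t checked_size_or_zero(S32 width, S32 height, S32 pixel, S32 frames)
{
    size_t len;
    return checked_buffer_size(width, height, pixel, frames, &len) == 0 ? (uint64_t)len : 0;
}

/* Allocate a zeroed pixel buffer through the hardened check; NULL on
 * rejection or allocation failure. */
U8 *alloc_pixel_buffer(S32 width, S32 height, S32 pixel, S32 frames, size_t *out_len)
{
    size_t len;
    if (checked_buffer_size(width, height, pixel, frames, &len) != 0)
        return NULL;
    U8 *data = calloc(len, 1);
    if (data && out_len)
        *out_len = len;
    return data;
}

int main(void)
{
    /* Constructed header values standing in for a malformed DICOM file. */
    const S32 w = -1, h = 512, p = 2, f = 1;
    printf("pre-fix request: %zu bytes\n", naive_buffer_size(w, h, p, f));
    printf("patch check accepts -1020 on this target: %d\n", patch_style_check_accepts(-1020));
    size_t len = 0;
    U8 *buf = alloc_pixel_buffer(w, h, p, f, &len);
    printf("hardened check on negative width: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    buf = alloc_pixel_buffer(512, 512, 2, 1, &len);
    printf("valid 512x512x2 image: %zu bytes\n", len);
    free(buf);
    return 0;
}
```

The check on each multiplication step is the part that matters: once the dimensions are known to be positive and the running product is bounded by `limit / factor` before every multiply, neither the int64_t cast nor the size_t conversion can wrap, and a file claiming absurd dimensions is refused with a message that points at the file rather than at the platform.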
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
