From: Étienne Mollier <emollier@debian.org>
Date: Wed, 19 Feb 2025 20:20:38 +0000 (+0100)
Subject: Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
X-Git-Tag: archive/raspbian/3.6.9-4+rpi1^2~15
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=369133cd6a20ae3b31693dadcd91772899605f6d;p=dcmtk.git

Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.

These were not part of dcmtk 3.6.9 upstream and still apply.

Thanks: Salvatore Bonaccorso
---

diff --git a/debian/patches/0007-CVE-2024-47796.patch b/debian/patches/0007-CVE-2024-47796.patch
new file mode 100644
index 00000000..eda61292
--- /dev/null
+++ b/debian/patches/0007-CVE-2024-47796.patch
@@ -0,0 +1,32 @@
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
+Bug-Debian: https://bugs.debian.org/1093043
+Reviewed-By: Étienne Mollier <emollier@debian.org>
+Last-Update: 2025-01-18
+Description:  Fixed issue rendering invalid monochrome image.
+ Fixed issue when rendering an invalid monochrome DICOM image where the
+ number of pixels stored does not match the expected number of pixels.
+ If the stored number is less than the expected number, the rest of the
+ pixel matrix for the intermediate representation was always filled with
+ the value 0. Under certain, very rare conditions, this could result in
+ memory problems reported by an Address Sanitizer (ASAN). Now, the rest
+ of the matrix is filled with the smallest possible value for the image.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery@external.cisco.com> for the original report, the sample
+ file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -72,9 +72,9 @@
+                 rescale(pixel);                     // "copy" or reference pixel data
+                 this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+             }
+-            /* erase empty part of the buffer (= blacken the background) */
++            /* erase empty part of the buffer (= fill the background with the smallest possible value) */
+             if ((this->Data != NULL) && (this->InputCount < this->Count))
+-                OFBitmanipTemplate<T3>::zeroMem(this->Data + this->InputCount, this->Count - this->InputCount);
++                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
+         }
+     }
+ 
diff --git a/debian/patches/0008-CVE-2024-52333.patch b/debian/patches/0008-CVE-2024-52333.patch
new file mode 100644
index 00000000..774f6bea
--- /dev/null
+++ b/debian/patches/0008-CVE-2024-52333.patch
@@ -0,0 +1,48 @@
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
+Bug-Debian: https://bugs.debian.org/1093047
+Reviewed-By: Étienne Mollier <emollier@debian.org>
+Last-Update: 2025-01-18
+Description:  Added check to make sure: HighBit < BitsAllocated.
+ Added check to the image preprocessing to make sure that the value of
+ HighBit is always less than the value of BitsAllocated. Before, this
+ missing check could lead to memory corruption if an invalid combination
+ of values was retrieved from a malformed DICOM dataset.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery@external.cisco.com> for the report, sample file (PoC)
+ and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.
+
+--- dcmtk.orig/dcmimgle/libsrc/diimage.cc
++++ dcmtk/dcmimgle/libsrc/diimage.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 1996-2024, OFFIS e.V.
++ *  Copyright (C) 1996-2025, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were developed by
+@@ -549,12 +549,18 @@
+     {
+         const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) *
+             OFstatic_cast(unsigned long, SamplesPerPixel);
+-        if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) ||
+-            (BitsStored > OFstatic_cast(Uint16, HighBit + 1)))
++        if ((BitsAllocated < 1) || (BitsStored < 1))
+         {
+             ImageStatus = EIS_InvalidValue;
+-            DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), "
+-                << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")");
++            DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), "
++                << "and/or 'BitsStored' (" << BitsStored << ")");
++            return;
++        }
++        else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit))
++        {
++            ImageStatus = EIS_InvalidValue;
++            DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), "
++                << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")");
+             return;
+         }
+         else if ((evr == EVR_OB) && (BitsStored <= 8))
diff --git a/debian/patches/series b/debian/patches/series
index 8634d570..1a228ac8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 #03_datadic_install.patch
 07_dont_export_all_executables.patch
 remove_version.patch
+0007-CVE-2024-47796.patch
+0008-CVE-2024-52333.patch