dcmtk.git
12 days ago Merge version 3.6.9-6+rpi1 and 3.7.0+really3.6.9-1 to produce 3.7.0+really3.6.9-1... forky-staging archive/raspbian/3.7.0+really3.6.9-1+rpi1 raspbian/3.7.0+really3.6.9-1+rpi1
Raspbian automatic forward porter [Sat, 28 Feb 2026 06:47:55 +0000 (06:47 +0000)]
Merge version 3.6.9-6+rpi1 and 3.7.0+really3.6.9-1 to produce 3.7.0+really3.6.9-1+rpi1

4 weeks ago Declare fast forward from 3.7.0-1
Étienne Mollier [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Declare fast forward from 3.7.0-1

[dgit --quilt=gbp --overwrite]

4 weeks ago Fixed issue with commit 7ad81d69b.
Joerg Riesmeier [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Fixed issue with commit 7ad81d69b.

Applied-Upstream: 3de96da6cd66b1af7224561c568bc3de50cd1398
Last-Update: 2025-08-18
Reviewed-By: Étienne Mollier <emollier@debian.org>
Fixed an issue with recently committed changes that fix a problem with
invalid YBR_FULL images

Gbp-Pq: Name 0014-CVE-2025-9732.patch

4 weeks ago Fixed issue with invalid "YBR_FULL" DICOM images.
Joerg Riesmeier [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Fixed issue with invalid "YBR_FULL" DICOM images.

Applied-Upstream: 7ad81d69b19714936e18ea5fc74edaeb9f021ce7
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-08-15

Fixed an issue when processing an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels
(much too few). Now, the pixel data of such an image is not processed
at all, but an empty image (black pixels) is created instead. The user
is warned about this by an appropriate log message.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

Gbp-Pq: Name 0013-CVE-2025-9732.patch

4 weeks ago Fixed segfault in JPEG-LS decoder.
Marco Eichelberg [Mon, 3 Mar 2025 10:33:18 +0000 (11:33 +0100)]
Fixed segfault in JPEG-LS decoder.

X-Git-Url: http://git.dcmtk.org/?p=dcmtk.git;a=commitdiff_plain;h=3239a791542e1ea433d23aaa9e0a05a532ffabff;hp=92fc86e9e8d0808880bcc82e25982b2a61323cb8

Fixed segfault in JPEG-LS decoder.

Fixed a bug in the JPEG-LS decoder that led to a segmentation fault if invalid
input data was processed, due to insufficient validation of input data.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

This closes DCMTK issue #1155.

Gbp-Pq: Name 0012-CVE-2025-2357.patch

4 weeks ago CVE-2025-25472
Debian Med Packaging Team [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
CVE-2025-25472

commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Fri Jan 17 17:53:50 2025 +0100

    Fixed another issue with invalid mono images.

    Fixed issue when rendering an invalid monochrome DICOM image where the
    number of pixels stored does not match the expected number of pixels.
    In this case, only a single pixel is processed, but the pixel matrix is
    much larger. Filling the rest of the pixel matrix with the smallest
    possible value for the image is not working because of an optimized
    memory usage (value would be out of range). Now, the pixel value to be
    used is double-checked before it is actually filled into the "background"
    of the image.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0011-CVE-2025-25472.patch

4 weeks ago CVE-2025-25474
Debian Med Packaging Team [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
CVE-2025-25474

commit 1d205bcd307164c99e0d4bbf412110372658d847
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Tue Jan 21 11:12:28 2025 +0100

    Fixed another issue with invalid DICOM images.

    Fixed issue when processing an invalid DICOM image where the number of
    pixels stored does not match the expected number of pixels (too few)
    and the combination of BitsAllocated and BitsStored is really unusual
    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
    pixel (e.g. a single bit) does not fit into the buffer of the input
    pixel data, a buffer overflow occurred on the heap. Now, the last entry
    of the buffer is filled with the smallest possible value (e.g. 0 in case
    of unsigned data).

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0010-CVE-2025-25474.patch

4 weeks ago CVE-2025-25475
Debian Med Packaging Team [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.

    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch

4 weeks ago Added check to make sure: HighBit < BitsAllocated.
Joerg Riesmeier [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Added check to make sure: HighBit < BitsAllocated.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
Bug-Debian: https://bugs.debian.org/1093047
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Added check to the image preprocessing to make sure that the value of
HighBit is always less than the value of BitsAllocated. Before, this
missing check could lead to memory corruption if an invalid combination
of values was retrieved from a malformed DICOM dataset.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the report, sample file (PoC)
and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.

Gbp-Pq: Name 0008-CVE-2024-52333.patch

4 weeks ago Fixed issue rendering invalid monochrome image.
Joerg Riesmeier [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Fixed issue rendering invalid monochrome image.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
Bug-Debian: https://bugs.debian.org/1093043
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
If the stored number is less than the expected number, the rest of the
pixel matrix for the intermediate representation was always filled with
the value 0. Under certain, very rare conditions, this could result in
memory problems reported by an Address Sanitizer (ASAN). Now, the rest
of the matrix is filled with the smallest possible value for the image.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the original report, the sample
file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.

Gbp-Pq: Name 0007-CVE-2024-47796.patch

4 weeks ago Remove version
Mathieu Malaterre [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Remove version

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1098944
Last-Update: 2025-03-21

Gbp-Pq: Name remove_version.patch

4 weeks ago Don't add executables to cmake exports
Gert Wollny [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.

Gbp-Pq: Name 07_dont_export_all_executables.patch

4 weeks ago The original maintainer Jürgen Salk applied
Jürgen Salk [Thu, 12 Feb 2026 18:47:48 +0000 (19:47 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

4 weeks ago d/changelog: rollback to 3.6.9 due to abi breakage.
Étienne Mollier [Thu, 12 Feb 2026 18:52:41 +0000 (19:52 +0100)]
d/changelog: rollback to 3.6.9 due to abi breakage.

4 weeks ago Make fast forward from 3.6.9-6
Étienne Mollier [Wed, 11 Feb 2026 17:32:36 +0000 (18:32 +0100)]
Make fast forward from 3.6.9-6

[dgit --quilt=gbp]

4 weeks ago Remove version
Mathieu Malaterre [Wed, 11 Feb 2026 17:32:36 +0000 (18:32 +0100)]
Remove version

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1098944
Last-Update: 2025-03-21

Gbp-Pq: Name remove_version.patch

4 weeks ago Don't add executables to cmake exports
Gert Wollny [Wed, 11 Feb 2026 17:32:36 +0000 (18:32 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.

Gbp-Pq: Name 07_dont_export_all_executables.patch

4 weeks ago The original maintainer Jürgen Salk applied
Jürgen Salk [Wed, 11 Feb 2026 17:32:36 +0000 (18:32 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

4 weeks ago d/changelog: ready for upload to unstable.
Étienne Mollier [Wed, 11 Feb 2026 18:03:16 +0000 (19:03 +0100)]
d/changelog: ready for upload to unstable.

4 weeks ago d/dcmtk-doc.doc-base: update upstream version.
Étienne Mollier [Wed, 11 Feb 2026 17:32:11 +0000 (18:32 +0100)]
d/dcmtk-doc.doc-base: update upstream version.

4 weeks ago Revert "d/dcmtk-doc.doc-base: fix hardwired version number."
Étienne Mollier [Wed, 11 Feb 2026 17:30:53 +0000 (18:30 +0100)]
Revert "d/dcmtk-doc.doc-base: fix hardwired version number."

This reverts commit bad4aff296a7c0909b46e1d8a4c81f36c0f6f219.

4 weeks ago d/copyright: refresh following new upstream release.
Étienne Mollier [Wed, 11 Feb 2026 16:50:27 +0000 (17:50 +0100)]
d/copyright: refresh following new upstream release.

6 weeks ago Merge version 3.6.9-5+rpi1 and 3.6.9-6 to produce 3.6.9-6+rpi1 archive/raspbian/3.6.9-6+rpi1 raspbian/3.6.9-6+rpi1
Raspbian automatic forward porter [Wed, 28 Jan 2026 19:30:53 +0000 (19:30 +0000)]
Merge version 3.6.9-5+rpi1 and 3.6.9-6 to produce 3.6.9-6+rpi1

2 months ago d/dcmtk-doc.doc-base: fix hardwired version number.
Étienne Mollier [Tue, 30 Dec 2025 21:00:58 +0000 (22:00 +0100)]
d/dcmtk-doc.doc-base: fix hardwired version number.

2 months ago d/control: declare compliance to standards version 4.7.3.
Étienne Mollier [Tue, 30 Dec 2025 20:36:53 +0000 (21:36 +0100)]
d/control: declare compliance to standards version 4.7.3.

2 months ago d/changelog: initialise appropriately.
Étienne Mollier [Tue, 30 Dec 2025 20:31:32 +0000 (21:31 +0100)]
d/changelog: initialise appropriately.

2 months ago d/control: drop redundant Priority: optional.
Étienne Mollier [Tue, 30 Dec 2025 20:31:00 +0000 (21:31 +0100)]
d/control: drop redundant Priority: optional.

2 months ago 07_dont_export_all_executables.patch: unfuzz.
Étienne Mollier [Tue, 30 Dec 2025 20:26:59 +0000 (21:26 +0100)]
07_dont_export_all_executables.patch: unfuzz.

2 months ago *-CVE-*.patch: delete: all security issues are fixed upstream.
Étienne Mollier [Tue, 30 Dec 2025 20:26:13 +0000 (21:26 +0100)]
*-CVE-*.patch: delete: all security issues are fixed upstream.

2 months ago d/copyright: document new file o/i/d/o/ofjsmn.h.
Étienne Mollier [Tue, 30 Dec 2025 19:53:42 +0000 (20:53 +0100)]
d/copyright: document new file o/i/d/o/ofjsmn.h.

2 months ago d/copyright: bump upstream copyright year.
Étienne Mollier [Tue, 30 Dec 2025 19:44:30 +0000 (20:44 +0100)]
d/copyright: bump upstream copyright year.

2 months ago Update upstream source from tag 'upstream/3.7.0'
Étienne Mollier [Thu, 18 Dec 2025 21:30:47 +0000 (22:30 +0100)]
Update upstream source from tag 'upstream/3.7.0'

Update to upstream version '3.7.0'
with Debian dir 612b2dd5f1ee8f9e2aca579885ed44dd04f7e738

2 months ago New upstream version 3.7.0
Étienne Mollier [Thu, 18 Dec 2025 21:30:06 +0000 (22:30 +0100)]
New upstream version 3.7.0

3 months ago d/changelog: ready for upload to unstable.
Étienne Mollier [Wed, 10 Dec 2025 21:34:28 +0000 (22:34 +0100)]
d/changelog: ready for upload to unstable.

3 months ago Declare fast forward from 3.6.9-5
Étienne Mollier [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Declare fast forward from 3.6.9-5

[dgit --quilt=gbp --overwrite]

3 months ago Fixed issue with commit 7ad81d69b.
Joerg Riesmeier [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Fixed issue with commit 7ad81d69b.

Applied-Upstream: 3de96da6cd66b1af7224561c568bc3de50cd1398
Last-Update: 2025-08-18
Reviewed-By: Étienne Mollier <emollier@debian.org>
Fixed an issue with recently committed changes that fix a problem with
invalid YBR_FULL images

Gbp-Pq: Name 0014-CVE-2025-9732.patch

3 months ago Fixed issue with invalid "YBR_FULL" DICOM images.
Joerg Riesmeier [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Fixed issue with invalid "YBR_FULL" DICOM images.

Applied-Upstream: 7ad81d69b19714936e18ea5fc74edaeb9f021ce7
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-08-15

Fixed an issue when processing an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels
(much too few). Now, the pixel data of such an image is not processed
at all, but an empty image (black pixels) is created instead. The user
is warned about this by an appropriate log message.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

Gbp-Pq: Name 0013-CVE-2025-9732.patch

3 months ago Fixed segfault in JPEG-LS decoder.
Marco Eichelberg [Mon, 3 Mar 2025 10:33:18 +0000 (11:33 +0100)]
Fixed segfault in JPEG-LS decoder.

X-Git-Url: http://git.dcmtk.org/?p=dcmtk.git;a=commitdiff_plain;h=3239a791542e1ea433d23aaa9e0a05a532ffabff;hp=92fc86e9e8d0808880bcc82e25982b2a61323cb8

Fixed segfault in JPEG-LS decoder.

Fixed a bug in the JPEG-LS decoder that led to a segmentation fault if invalid
input data was processed, due to insufficient validation of input data.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

This closes DCMTK issue #1155.

Gbp-Pq: Name 0012-CVE-2025-2357.patch

3 months ago CVE-2025-25472
Debian Med Packaging Team [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
CVE-2025-25472

commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Fri Jan 17 17:53:50 2025 +0100

    Fixed another issue with invalid mono images.

    Fixed issue when rendering an invalid monochrome DICOM image where the
    number of pixels stored does not match the expected number of pixels.
    In this case, only a single pixel is processed, but the pixel matrix is
    much larger. Filling the rest of the pixel matrix with the smallest
    possible value for the image is not working because of an optimized
    memory usage (value would be out of range). Now, the pixel value to be
    used is double-checked before it is actually filled into the "background"
    of the image.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0011-CVE-2025-25472.patch

3 months ago CVE-2025-25474
Debian Med Packaging Team [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
CVE-2025-25474

commit 1d205bcd307164c99e0d4bbf412110372658d847
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Tue Jan 21 11:12:28 2025 +0100

    Fixed another issue with invalid DICOM images.

    Fixed issue when processing an invalid DICOM image where the number of
    pixels stored does not match the expected number of pixels (too few)
    and the combination of BitsAllocated and BitsStored is really unusual
    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
    pixel (e.g. a single bit) does not fit into the buffer of the input
    pixel data, a buffer overflow occurred on the heap. Now, the last entry
    of the buffer is filled with the smallest possible value (e.g. 0 in case
    of unsigned data).

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0010-CVE-2025-25474.patch

3 months ago CVE-2025-25475
Debian Med Packaging Team [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.

    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch

3 months ago Added check to make sure: HighBit < BitsAllocated.
Joerg Riesmeier [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Added check to make sure: HighBit < BitsAllocated.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
Bug-Debian: https://bugs.debian.org/1093047
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Added check to the image preprocessing to make sure that the value of
HighBit is always less than the value of BitsAllocated. Before, this
missing check could lead to memory corruption if an invalid combination
of values was retrieved from a malformed DICOM dataset.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the report, sample file (PoC)
and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.

Gbp-Pq: Name 0008-CVE-2024-52333.patch

3 months ago Fixed issue rendering invalid monochrome image.
Joerg Riesmeier [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Fixed issue rendering invalid monochrome image.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
Bug-Debian: https://bugs.debian.org/1093043
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
If the stored number is less than the expected number, the rest of the
pixel matrix for the intermediate representation was always filled with
the value 0. Under certain, very rare conditions, this could result in
memory problems reported by an Address Sanitizer (ASAN). Now, the rest
of the matrix is filled with the smallest possible value for the image.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the original report, the sample
file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.

Gbp-Pq: Name 0007-CVE-2024-47796.patch

3 months ago Remove version
Mathieu Malaterre [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Remove version

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1098944
Last-Update: 2025-03-21

Gbp-Pq: Name remove_version.patch

3 months ago Don't add executables to cmake exports
Gert Wollny [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.

Gbp-Pq: Name 07_dont_export_all_executables.patch

3 months ago The original maintainer Jürgen Salk applied
Jürgen Salk [Wed, 10 Dec 2025 21:34:17 +0000 (22:34 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

3 months ago d/libdcmtk19.lintian-overrides: fix typo caught by lintian.
Étienne Mollier [Wed, 10 Dec 2025 21:33:50 +0000 (22:33 +0100)]
d/libdcmtk19.lintian-overrides: fix typo caught by lintian.

3 months ago d/control: declare compliance to standards version 4.7.2.
Étienne Mollier [Wed, 10 Dec 2025 21:32:44 +0000 (22:32 +0100)]
d/control: declare compliance to standards version 4.7.2.

3 months ago d/control: drop redundant Rules-Requires-Root: no.
Étienne Mollier [Wed, 10 Dec 2025 21:31:44 +0000 (22:31 +0100)]
d/control: drop redundant Rules-Requires-Root: no.

3 months ago d/watch: convert to v5 Github template.
Étienne Mollier [Wed, 10 Dec 2025 21:31:17 +0000 (22:31 +0100)]
d/watch: convert to v5 Github template.

3 months ago d/changelog: unrelease to bring a few more changes.
Étienne Mollier [Wed, 10 Dec 2025 21:30:02 +0000 (22:30 +0100)]
d/changelog: unrelease to bring a few more changes.

3 months ago d/changelog: ready for upload to unstable.
Étienne Mollier [Wed, 10 Dec 2025 21:28:56 +0000 (22:28 +0100)]
d/changelog: ready for upload to unstable.

3 months ago d/patches/*-CVE-2025-9732.patch: new.
Étienne Mollier [Wed, 10 Dec 2025 21:27:34 +0000 (22:27 +0100)]
d/patches/*-CVE-2025-9732.patch: new.

These changes pulled from dcmtk upstream address CVE-2025-9732.

Closes: #1113993

3 months ago d/rules: cleanup a stray "noname" file.
Étienne Mollier [Wed, 10 Dec 2025 21:05:28 +0000 (22:05 +0100)]
d/rules: cleanup a stray "noname" file.

Closes: #1122403

10 months ago Merge version 3.6.9-4+rpi1 and 3.6.9-5 to produce 3.6.9-5+rpi1 trixie-staging archive/raspbian/3.6.9-5+rpi1 raspbian/3.6.9-5+rpi1
Raspbian automatic forward porter [Thu, 1 May 2025 02:35:22 +0000 (03:35 +0100)]
Merge version 3.6.9-4+rpi1 and 3.6.9-5 to produce 3.6.9-5+rpi1

11 months ago d/changelog: Upload 3.6.9-5 to unstable
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:55 +0000 (12:45 +0100)]
d/changelog: Upload 3.6.9-5 to unstable

11 months ago documentation: Spring cleanups. Closes: #1095639
Mathieu Malaterre [Fri, 21 Mar 2025 11:39:29 +0000 (12:39 +0100)]
documentation: Spring cleanups. Closes: #1095639

11 months ago 0012-CVE-2025-2357.patch: new: fix CVE-2025-2357.
Mathieu Malaterre [Fri, 21 Mar 2025 11:38:06 +0000 (12:38 +0100)]
0012-CVE-2025-2357.patch: new: fix CVE-2025-2357.

Closes: #1100724

11 months ago d/control: relax dependency on dcmtk-data. Closes: #1098944
Mathieu Malaterre [Fri, 21 Mar 2025 11:34:51 +0000 (12:34 +0100)]
d/control: relax dependency on dcmtk-data. Closes: #1098944

11 months ago Record dcmtk (3.6.9-5) in archive suite sid
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Record dcmtk (3.6.9-5) in archive suite sid

11 months ago Merge dcmtk (3.6.9-5) import into refs/heads/workingbranch
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Merge dcmtk (3.6.9-5) import into refs/heads/workingbranch

11 months ago Fixed segfault in JPEG-LS decoder.
Marco Eichelberg [Mon, 3 Mar 2025 10:33:18 +0000 (11:33 +0100)]
Fixed segfault in JPEG-LS decoder.

X-Git-Url: http://git.dcmtk.org/?p=dcmtk.git;a=commitdiff_plain;h=3239a791542e1ea433d23aaa9e0a05a532ffabff;hp=92fc86e9e8d0808880bcc82e25982b2a61323cb8

Fixed segfault in JPEG-LS decoder.

Fixed a bug in the JPEG-LS decoder that led to a segmentation fault if invalid
input data was processed, due to insufficient validation of input data.

Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
and the sample file (PoC).

This closes DCMTK issue #1155.

Gbp-Pq: Name 0012-CVE-2025-2357.patch

11 months ago CVE-2025-25472
Debian Med Packaging Team [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
CVE-2025-25472

commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Fri Jan 17 17:53:50 2025 +0100

    Fixed another issue with invalid mono images.

    Fixed issue when rendering an invalid monochrome DICOM image where the
    number of pixels stored does not match the expected number of pixels.
    In this case, only a single pixel is processed, but the pixel matrix is
    much larger. Filling the rest of the pixel matrix with the smallest
    possible value for the image is not working because of an optimized
    memory usage (value would be out of range). Now, the pixel value to be
    used is double-checked before it is actually filled into the "background"
    of the image.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0011-CVE-2025-25472.patch

11 months ago CVE-2025-25474
Debian Med Packaging Team [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
CVE-2025-25474

commit 1d205bcd307164c99e0d4bbf412110372658d847
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Tue Jan 21 11:12:28 2025 +0100

    Fixed another issue with invalid DICOM images.

    Fixed issue when processing an invalid DICOM image where the number of
    pixels stored does not match the expected number of pixels (too few)
    and the combination of BitsAllocated and BitsStored is really unusual
    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
    pixel (e.g. a single bit) does not fit into the buffer of the input
    pixel data, a buffer overflow occurred on the heap. Now, the last entry
    of the buffer is filled with the smallest possible value (e.g. 0 in case
    of unsigned data).

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0010-CVE-2025-25474.patch

11 months ago CVE-2025-25475
Debian Med Packaging Team [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.

    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch

11 months ago Added check to make sure: HighBit < BitsAllocated.
Joerg Riesmeier [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Added check to make sure: HighBit < BitsAllocated.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
Bug-Debian: https://bugs.debian.org/1093047
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Added check to the image preprocessing to make sure that the value of
HighBit is always less than the value of BitsAllocated. Before, this
missing check could lead to memory corruption if an invalid combination
of values was retrieved from a malformed DICOM dataset.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the report, sample file (PoC)
and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.

Gbp-Pq: Name 0008-CVE-2024-52333.patch

11 months ago Fixed issue rendering invalid monochrome image.
Joerg Riesmeier [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Fixed issue rendering invalid monochrome image.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
Bug-Debian: https://bugs.debian.org/1093043
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
If the stored number is less than the expected number, the rest of the
pixel matrix for the intermediate representation was always filled with
the value 0. Under certain, very rare conditions, this could result in
memory problems reported by an Address Sanitizer (ASAN). Now, the rest
of the matrix is filled with the smallest possible value for the image.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the original report, the sample
file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.

Gbp-Pq: Name 0007-CVE-2024-47796.patch

11 months ago Remove version
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Remove version

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1098944
Last-Update: 2025-03-21

Gbp-Pq: Name remove_version.patch

11 months ago Don't add executables to cmake exports
Gert Wollny [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.

Gbp-Pq: Name 07_dont_export_all_executables.patch

11 months ago The original maintainer Jürgen Salk applied
Jürgen Salk [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

11 months ago dcmtk (3.6.9-5) unstable; urgency=medium
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
dcmtk (3.6.9-5) unstable; urgency=medium

  * d/control: relax dependency on dcmtk-data. Closes: #1098944
  * 0012-CVE-2025-2357.patch: new: fix CVE-2025-2357. (Closes: #1100724)
  * documentation: Spring cleanups. Closes: #1095639

[dgit import unpatched dcmtk 3.6.9-5]

11 months ago Import dcmtk_3.6.9-5.debian.tar.xz
Mathieu Malaterre [Fri, 21 Mar 2025 11:45:44 +0000 (12:45 +0100)]
Import dcmtk_3.6.9-5.debian.tar.xz

[dgit import tarball dcmtk 3.6.9-5 dcmtk_3.6.9-5.debian.tar.xz]

12 months ago Merge version 3.6.8-6+rpi1 and 3.6.9-4 to produce 3.6.9-4+rpi1 archive/raspbian/3.6.9-4+rpi1 raspbian/3.6.9-4+rpi1
Raspbian automatic forward porter [Fri, 7 Mar 2025 04:12:06 +0000 (04:12 +0000)]
Merge version 3.6.8-6+rpi1 and 3.6.9-4 to produce 3.6.9-4+rpi1

12 months ago d/changelog: ready for upload to unstable.
Étienne Mollier [Wed, 19 Feb 2025 21:31:16 +0000 (22:31 +0100)]
d/changelog: ready for upload to unstable.

12 months ago Declare fast forward from 3.6.9-3
Étienne Mollier [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
Declare fast forward from 3.6.9-3

[dgit --quilt=gbp --overwrite]

12 months ago CVE-2025-25472
Debian Med Packaging Team [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
CVE-2025-25472

commit 410ffe2019b9db6a8f4036daac742a6f5e4d36c2
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Fri Jan 17 17:53:50 2025 +0100

    Fixed another issue with invalid mono images.

    Fixed issue when rendering an invalid monochrome DICOM image where the
    number of pixels stored does not match the expected number of pixels.
    In this case, only a single pixel is processed, but the pixel matrix is
    much larger. Filling the rest of the pixel matrix with the smallest
    possible value for the image is not working because of an optimized
    memory usage (value would be out of range). Now, the pixel value to be
    used is double-checked before it is actually filled into the "background"
    of the image.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0011-CVE-2025-25472.patch

12 months ago CVE-2025-25474
Debian Med Packaging Team [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
CVE-2025-25474

commit 1d205bcd307164c99e0d4bbf412110372658d847
Author: Joerg Riesmeier <dicom@jriesmeier.com>
Date:   Tue Jan 21 11:12:28 2025 +0100

    Fixed another issue with invalid DICOM images.

    Fixed issue when processing an invalid DICOM image where the number of
    pixels stored does not match the expected number of pixels (too few)
    and the combination of BitsAllocated and BitsStored is really unusual
    (e.g. 1 bit stored, but 52 bits allocated). In cases where the last
    pixel (e.g. a single bit) does not fit into the buffer of the input
    pixel data, a buffer overflow occurred on the heap. Now, the last entry
    of the buffer is filled with the smallest possible value (e.g. 0 in case
    of unsigned data).

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0010-CVE-2025-25474.patch

12 months ago CVE-2025-25475
Debian Med Packaging Team [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
CVE-2025-25475

commit bffa3e9116abb7038b432443f16b1bd390e80245
Author: Marco Eichelberg <eichelberg@offis.de>
Date:   Thu Jan 23 15:51:21 2025 +0100

    Fixed issue with invalid RLE compressed DICOM images.

    Fixed issue when processing an RLE compressed image where the RLE header
    contains an invalid stripe size.

    Thanks to Ding zhengzheng <xiaozheng.ding399@gmail.com> for the report
    and the sample file (PoC).

Gbp-Pq: Name 0009-CVE-2025-25475.patch

12 months ago Added check to make sure: HighBit < BitsAllocated.
Joerg Riesmeier [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
Added check to make sure: HighBit < BitsAllocated.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
Bug-Debian: https://bugs.debian.org/1093047
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Added check to the image preprocessing to make sure that the value of
HighBit is always less than the value of BitsAllocated. Before, this
missing check could lead to memory corruption if an invalid combination
of values was retrieved from a malformed DICOM dataset.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the report, sample file (PoC)
and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.

Gbp-Pq: Name 0008-CVE-2024-52333.patch

12 months ago Fixed issue rendering invalid monochrome image.
Joerg Riesmeier [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
Fixed issue rendering invalid monochrome image.

Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
Bug-Debian: https://bugs.debian.org/1093043
Reviewed-By: Étienne Mollier <emollier@debian.org>
Last-Update: 2025-01-18

Fixed issue when rendering an invalid monochrome DICOM image where the
number of pixels stored does not match the expected number of pixels.
If the stored number is less than the expected number, the rest of the
pixel matrix for the intermediate representation was always filled with
the value 0. Under certain, very rare conditions, this could result in
memory problems reported by an Address Sanitizer (ASAN). Now, the rest
of the matrix is filled with the smallest possible value for the image.

Thanks to Emmanuel Tacheau from the Cisco Talos team
<vulndiscovery@external.cisco.com> for the original report, the sample
file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.

Gbp-Pq: Name 0007-CVE-2024-47796.patch
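
The commit messages above for CVE-2024-52333, CVE-2024-47796, CVE-2025-25472 and CVE-2025-25474 all concern the same two preconditions: a consistent bit-depth triple and a stored pixel count that matches the declared matrix. The following is an added illustration of those checks, not DCMTK code; `PixelAttrs`, `PixelCheck` and `checkPixelData` are hypothetical names, and it assumes a single frame whose samples are packed at BitsAllocated bits each.

```cpp
#include <cstdint>

// Hypothetical container; fields are named after the DICOM attributes they hold.
struct PixelAttrs {
    uint16_t rows, columns, samplesPerPixel;
    uint16_t bitsAllocated, bitsStored, highBit;
};

enum class PixelCheck { Ok, BadBitDepth, TooFewPixels };

// Validate the attributes before any pixel buffer is sized or indexed.
// storedBytes is the length of the Pixel Data value actually present.
// On TooFewPixels, 'missing' is the number of samples the decoder must
// pad itself instead of reading them from the input buffer.
PixelCheck checkPixelData(const PixelAttrs &a, uint32_t storedBytes, uint64_t &missing)
{
    missing = 0;
    if (a.bitsAllocated == 0 || a.bitsStored == 0 || a.bitsStored > a.bitsAllocated)
        return PixelCheck::BadBitDepth;
    // The check named in the commit message: HighBit < BitsAllocated.
    if (a.highBit >= a.bitsAllocated)
        return PixelCheck::BadBitDepth;
    // The stored bits end at HighBit, so they must not run below bit 0.
    if (a.highBit + 1u < a.bitsStored)
        return PixelCheck::BadBitDepth;

    // Three 16-bit factors multiplied in 64 bits cannot wrap.
    const uint64_t expected = uint64_t(a.rows) * a.columns * a.samplesPerPixel;
    // Count only samples that fit completely: a trailing partial sample
    // (e.g. 52 bits allocated but 8 bits present) must never be read.
    const uint64_t available = (uint64_t(storedBytes) * 8u) / a.bitsAllocated;
    if (available < expected) {
        missing = expected - available;
        return PixelCheck::TooFewPixels;
    }
    return PixelCheck::Ok;
}
```
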

12 months ago Remove version
Mathieu Malaterre [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
Remove version

Forwarded: not-needed
Last-Update: 2023-11-06

Gbp-Pq: Name remove_version.patch

12 months ago Don't add executables to cmake exports
Gert Wollny [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.
===================================================================

Gbp-Pq: Name 07_dont_export_all_executables.patch

12 months ago The original maintainer Jürgen Salk applied
Jürgen Salk [Wed, 19 Feb 2025 21:30:57 +0000 (22:30 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

12 months ago 0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.
Étienne Mollier [Wed, 19 Feb 2025 21:30:36 +0000 (22:30 +0100)]
0011-CVE-2025-25472.patch: new: fix CVE-2025-25472.

12 months ago d/changelog: unrelease.
Étienne Mollier [Wed, 19 Feb 2025 21:29:40 +0000 (22:29 +0100)]
d/changelog: unrelease.

12 months ago d/changelog: ready for upload to unstable.
Étienne Mollier [Wed, 19 Feb 2025 20:57:06 +0000 (21:57 +0100)]
d/changelog: ready for upload to unstable.

12 months ago 0010-CVE-2025-25474.patch: new: fix CVE-2025-25474.
Étienne Mollier [Wed, 19 Feb 2025 20:54:45 +0000 (21:54 +0100)]
0010-CVE-2025-25474.patch: new: fix CVE-2025-25474.

Closes: #1098374

12 months ago 0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.
Étienne Mollier [Wed, 19 Feb 2025 20:54:09 +0000 (21:54 +0100)]
0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.

Closes: #1098373

12 months ago Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
Étienne Mollier [Wed, 19 Feb 2025 20:20:38 +0000 (21:20 +0100)]
Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.

These were not part of dcmtk 3.6.9 upstream and still apply.

Thanks: Salvatore Bonaccorso

12 months ago d/changelog: Upload 3.6.9-3 to unstable
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:49 +0000 (12:05 +0100)]
d/changelog: Upload 3.6.9-3 to unstable

12 months ago Record dcmtk (3.6.9-3) in archive suite sid
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
Record dcmtk (3.6.9-3) in archive suite sid

Record that
  3.6.9-3              Import of source package
should be treated as descended from
  3.6.8-6              dgit client's archive history view

12 months ago Remove version
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
Remove version

Forwarded: not-needed
Last-Update: 2023-11-06

Gbp-Pq: Name remove_version.patch

12 months ago Don't add executables to cmake exports
Gert Wollny [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
Don't add executables to cmake exports

Bug-Debian: https://bugs.debian.org/803304
Forwarded: not-needed

CMake exports are used by other packages that compile
and link against dcmtk. Because Debian moves some of
these executables and also doesn't install the test
executables, this import may fail leading to failure
to configure the according package.
===================================================================

Gbp-Pq: Name 07_dont_export_all_executables.patch

12 months ago The original maintainer Jürgen Salk applied
Jürgen Salk [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
The original maintainer Jürgen Salk applied

Forwarded: not-needed

a set of patches to the original code.  This file contains
changes to C++ code

Gbp-Pq: Name 01_dcmtk_3.6.0-1.patch

12 months ago dcmtk (3.6.9-3) unstable; urgency=medium
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
dcmtk (3.6.9-3) unstable; urgency=medium

  * d/patches: Remove old unused patches
  * d/doc: Make sure to reference 3.6.9 path
  * d/watch: Properly watch upstream on github

[dgit import unpatched dcmtk 3.6.9-3]

12 months ago Import dcmtk_3.6.9-3.debian.tar.xz
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:41 +0000 (12:05 +0100)]
Import dcmtk_3.6.9-3.debian.tar.xz

[dgit import tarball dcmtk 3.6.9-3 dcmtk_3.6.9-3.debian.tar.xz]

12 months ago d/watch: Properly watch upstream on github
Mathieu Malaterre [Tue, 18 Feb 2025 11:05:01 +0000 (12:05 +0100)]
d/watch: Properly watch upstream on github

12 months ago d/doc: Make sure to reference 3.6.9 path
Mathieu Malaterre [Tue, 18 Feb 2025 11:03:39 +0000 (12:03 +0100)]
d/doc: Make sure to reference 3.6.9 path

12 months ago d/patches: Remove old unused patches
Mathieu Malaterre [Tue, 18 Feb 2025 11:03:04 +0000 (12:03 +0100)]
d/patches: Remove old unused patches

12 months ago d/changelog: Upload 3.6.9-2 to experimental
Mathieu Malaterre [Tue, 11 Feb 2025 07:12:57 +0000 (08:12 +0100)]
d/changelog: Upload 3.6.9-2 to experimental