Reinstate 0007-CVE-2024-47796.patch and 0008-CVE-2024-52333.patch.
authorÉtienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:20:38 +0000 (21:20 +0100)
committerÉtienne Mollier <emollier@debian.org>
Wed, 19 Feb 2025 20:20:38 +0000 (21:20 +0100)
These two fixes were not included in the dcmtk 3.6.9 upstream release, so they are still needed and still apply cleanly to the new source.

Thanks: Salvatore Bonaccorso

debian/patches/0007-CVE-2024-47796.patch [new file with mode: 0644]
debian/patches/0008-CVE-2024-52333.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/0007-CVE-2024-47796.patch b/debian/patches/0007-CVE-2024-47796.patch
new file mode 100644 (file)
index 0000000..eda6129
--- /dev/null
@@ -0,0 +1,32 @@
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
+Bug-Debian: https://bugs.debian.org/1093043
+Reviewed-By: Étienne Mollier <emollier@debian.org>
+Last-Update: 2025-01-18
+Description:  Fixed issue rendering invalid monochrome image.
+ Fixed issue when rendering an invalid monochrome DICOM image where the
+ number of pixels stored does not match the expected number of pixels.
+ If the stored number is less than the expected number, the rest of the
+ pixel matrix for the intermediate representation was always filled with
+ the value 0. Under certain, very rare conditions, this could result in
+ memory problems reported by an Address Sanitizer (ASAN). Now, the rest
+ of the matrix is filled with the smallest possible value for the image.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery@external.cisco.com> for the original report, the sample
+ file (PoC) and further details. See TALOS-2024-2122 and CVE-2024-47796.
+
+--- dcmtk.orig/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
++++ dcmtk/dcmimgle/include/dcmtk/dcmimgle/dimoipxt.h
+@@ -72,9 +72,9 @@
+                 rescale(pixel);                     // "copy" or reference pixel data
+                 this->determineMinMax(OFstatic_cast(T3, this->Modality->getMinValue()), OFstatic_cast(T3, this->Modality->getMaxValue()));
+             }
+-            /* erase empty part of the buffer (= blacken the background) */
++            /* erase empty part of the buffer (= fill the background with the smallest possible value) */
+             if ((this->Data != NULL) && (this->InputCount < this->Count))
+-                OFBitmanipTemplate<T3>::zeroMem(this->Data + this->InputCount, this->Count - this->InputCount);
++                OFBitmanipTemplate<T3>::setMem(this->Data + this->InputCount, OFstatic_cast(T3, this->Modality->getAbsMinimum()), this->Count - this->InputCount);
+         }
+     }
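Review bot: The new setMem line keeps the padding of the pixel matrix inside the image's value range, but nothing in the code records why a plain zero fill was unsafe, so a later cleanup could quietly reintroduce zeroMem; add a why-comment next to it such as `/* padding must lie within the image's [min,max] range: a 0 fill outside it led to memory errors downstream (CVE-2024-47796) */`. The same line dereferences this->Modality one level outside the block that used it in the determineMinMax call; if that enclosing block is what guards Modality against NULL (not visible in the hunk), this line is covered by the same guard, otherwise it needs a check of its own. The enclosing constructor starts before and ends after the hunk.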
diff --git a/debian/patches/0008-CVE-2024-52333.patch b/debian/patches/0008-CVE-2024-52333.patch
new file mode 100644 (file)
index 0000000..774f6be
--- /dev/null
@@ -0,0 +1,48 @@
+Author: Joerg Riesmeier <dicom@jriesmeier.com>
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
+Bug-Debian: https://bugs.debian.org/1093047
+Reviewed-By: Étienne Mollier <emollier@debian.org>
+Last-Update: 2025-01-18
+Description:  Added check to make sure: HighBit < BitsAllocated.
+ Added check to the image preprocessing to make sure that the value of
+ HighBit is always less than the value of BitsAllocated. Before, this
+ missing check could lead to memory corruption if an invalid combination
+ of values was retrieved from a malformed DICOM dataset.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ <vulndiscovery@external.cisco.com> for the report, sample file (PoC)
+ and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.
+
+--- dcmtk.orig/dcmimgle/libsrc/diimage.cc
++++ dcmtk/dcmimgle/libsrc/diimage.cc
+@@ -1,6 +1,6 @@
+ /*
+  *
+- *  Copyright (C) 1996-2024, OFFIS e.V.
++ *  Copyright (C) 1996-2025, OFFIS e.V.
+  *  All rights reserved.  See COPYRIGHT file for details.
+  *
+  *  This software and supporting documentation were developed by
+@@ -549,12 +549,18 @@
+     {
+         const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) *
+             OFstatic_cast(unsigned long, SamplesPerPixel);
+-        if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) ||
+-            (BitsStored > OFstatic_cast(Uint16, HighBit + 1)))
++        if ((BitsAllocated < 1) || (BitsStored < 1))
+         {
+             ImageStatus = EIS_InvalidValue;
+-            DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), "
+-                << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")");
++            DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), "
++                << "and/or 'BitsStored' (" << BitsStored << ")");
++            return;
++        }
++        else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit))
++        {
++            ImageStatus = EIS_InvalidValue;
++            DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), "
++                << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")");
+             return;
+         }
+         else if ((evr == EVR_OB) && (BitsStored <= 8))
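Review bot: The combined check on the new `else if` line encodes the DICOM invariant BitsStored - 1 <= HighBit < BitsAllocated, but it depends on the preceding branch having already rejected BitsStored < 1 and on the `BitsStored - 1` subtraction being done after promotion to int; a comment stating that dependency would keep a future reorder of the branches from weakening it, e.g. `/* requires BitsStored >= 1 (rejected above); enforces BitsStored-1 <= HighBit < BitsAllocated */`. The first error message concatenates to "'BitsAllocated' (n), and/or 'BitsStored' (m)" with a stray comma before "and/or"; drop it: `DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << ") "`. The function continues past the hunk, so whether these fields are validated on other construction paths cannot be judged from here.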
index 8634d570eaca631b9d3e07ced333809e037e1784..1a228ac807eb6bd0460559d30f6ff56de13426e1 100644 (file)
@@ -2,3 +2,5 @@
 #03_datadic_install.patch
 07_dont_export_all_executables.patch
 remove_version.patch
+0007-CVE-2024-47796.patch
+0008-CVE-2024-52333.patch