From: Étienne Mollier
Date: Wed, 19 Feb 2025 20:54:09 +0000 (+0100)
Subject: 0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.
X-Git-Tag: archive/raspbian/3.6.9-4+rpi1^2~14
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b50ef7d1e65c53c3a7c612efb686f16d41f0e45b;p=dcmtk.git

0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.

Closes: #1098373
---

diff --git a/debian/patches/0009-CVE-2025-25475.patch b/debian/patches/0009-CVE-2025-25475.patch
new file mode 100644
index 00000000..8f2ff86f
--- /dev/null
+++ b/debian/patches/0009-CVE-2025-25475.patch
@@ -0,0 +1,35 @@
+commit bffa3e9116abb7038b432443f16b1bd390e80245
+Author: Marco Eichelberg
+Date: Thu Jan 23 15:51:21 2025 +0100
+
+ Fixed issue with invalid RLE compressed DICOM images.
+
+ Fixed issue when processing an RLE compressed image where the RLE header
+ contains an invalid stripe size.
+
+ Thanks to Ding zhengzheng for the report
+ and the sample file (PoC).
+
+--- dcmtk.orig/dcmdata/libsrc/dcrleccd.cc
++++ dcmtk/dcmdata/libsrc/dcrleccd.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 2002-2024, OFFIS e.V.
++ * Copyright (C) 2002-2025, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -348,6 +348,12 @@
+ } /* while */
+
+ // last fragment for this RLE stripe
++ if (inputBytes + byteOffset > fragmentLength)
++ {
++ DCMDATA_ERROR("stream size in RLE header is wrong");
++ inputBytes = fragmentLength-byteOffset;
++ }
++
+ result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
+
+ // special handling for zero pad byte at the end of the RLE stream
diff --git a/debian/patches/series b/debian/patches/series
index 1a228ac8..4f2b8243 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 remove_version.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
+0009-CVE-2025-25475.patch
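Review bot: The new guard in the dcrleccd.cc hunk at `@@ -348,6 +348,12 @@` (carried inside 0009-CVE-2025-25475.patch) tests `inputBytes + byteOffset > fragmentLength`, and since the stripe size comes from the RLE header of an untrusted file, that sum can wrap if these are fixed-width unsigned values; their declarations are outside the hunk, so the types should be confirmed. The clamp `inputBytes = fragmentLength-byteOffset;` likewise underflows if `byteOffset` is ever larger than `fragmentLength`, which the visible lines do not rule out. A subtraction-based form avoids both cases: `if (byteOffset > fragmentLength || inputBytes > fragmentLength - byteOffset)` with `inputBytes = (byteOffset < fragmentLength) ? fragmentLength - byteOffset : 0;`. It may also be worth setting an error result instead of only logging through `DCMDATA_ERROR` and decoding the truncated stripe, because at that point the header is already known to be inconsistent.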