From b50ef7d1e65c53c3a7c612efb686f16d41f0e45b Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=89tienne=20Mollier?=
Date: Wed, 19 Feb 2025 21:54:09 +0100
Subject: [PATCH] 0009-CVE-2025-25475.patch: new: fix CVE-2025-25475.

Closes: #1098373
---
 debian/patches/0009-CVE-2025-25475.patch | 35 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 36 insertions(+)
 create mode 100644 debian/patches/0009-CVE-2025-25475.patch

diff --git a/debian/patches/0009-CVE-2025-25475.patch b/debian/patches/0009-CVE-2025-25475.patch
new file mode 100644
index 00000000..8f2ff86f
--- /dev/null
+++ b/debian/patches/0009-CVE-2025-25475.patch
@@ -0,0 +1,35 @@
+commit bffa3e9116abb7038b432443f16b1bd390e80245
+Author: Marco Eichelberg
+Date: Thu Jan 23 15:51:21 2025 +0100
+
+ Fixed issue with invalid RLE compressed DICOM images.
+
+ Fixed issue when processing an RLE compressed image where the RLE header
+ contains an invalid stripe size.
+
+ Thanks to Ding zhengzheng for the report
+ and the sample file (PoC).
+
+--- dcmtk.orig/dcmdata/libsrc/dcrleccd.cc
++++ dcmtk/dcmdata/libsrc/dcrleccd.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 2002-2024, OFFIS e.V.
++ * Copyright (C) 2002-2025, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -348,6 +348,12 @@
+ } /* while */
+
+ // last fragment for this RLE stripe
++ if (inputBytes + byteOffset > fragmentLength)
++ {
++ DCMDATA_ERROR("stream size in RLE header is wrong");
++ inputBytes = fragmentLength-byteOffset;
++ }
++
+ result = rledecoder.decompress(rleData + byteOffset, OFstatic_cast(size_t, inputBytes));
+
+ // special handling for zero pad byte at the end of the RLE stream
diff --git a/debian/patches/series b/debian/patches/series
index 1a228ac8..4f2b8243 100644
--- a/debian/patches/series
+++ b/debian/patches/series
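Review bot: In the `@@ -348,6 +348,12 @@` part of the embedded dcrleccd.cc patch, the new guard tests `inputBytes + byteOffset > fragmentLength`, which is only sound if the sum cannot wrap and `byteOffset` never exceeds `fragmentLength`; the declarations and any earlier bounds check sit outside the hunk, so neither can be confirmed here. If these are unsigned values read from the RLE header, a wrapped sum would skip the guard, and when the offset lies past the fragment the clamp `fragmentLength-byteOffset` would itself underflow while `rleData + byteOffset` already points outside the buffer. A subtraction-form check avoids both: `if (byteOffset > fragmentLength || inputBytes > fragmentLength - byteOffset)`, with the offset-out-of-range case failing the decode instead of clamping. A one-line comment such as `// header-declared stripe size exceeds the fragment: decode only the bytes actually present` would also document that decoding continues on truncated data after the error is logged.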
@@ -4,3 +4,4 @@
 remove_version.patch
 0007-CVE-2024-47796.patch
 0008-CVE-2024-52333.patch
+0009-CVE-2025-25475.patch
-- 
2.30.2