Your message dated Sun, 05 May 2024 20:42:20 +0000
with message-id <e1s3ige-005ipy...@fasolo.debian.org>
and subject line Bug#1070387: fixed in gdcm 3.0.24-1
has caused the Debian Bug report #1070387,
regarding gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1070387: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070387
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm. These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
    https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
    https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
    https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: gdcm
Source-Version: 3.0.24-1
Done: Étienne Mollier <emoll...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gdcm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <emoll...@debian.org> (supplier of updated gdcm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2024 16:45:36 +0200
Source: gdcm
Architecture: source
Version: 3.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emoll...@debian.org>
Closes: 1070387
Changes:
 gdcm (3.0.24-1) unstable; urgency=high
 .
   * Team upload.
   * d/watch: fix scan broken by github release page changes.
     This switches to git mode, to stabilise to ls-remote "API".
   * New upstream version 3.0.24
     This version addresses CVE-2024-22373, CVE-2024-22391 and CVE-2024-25569.
     Closes: #1070387
   * 02_fixhurd.patch: unfuzz.
   * Deleted 6631a74c39145b71dedcbe07c43bd6b1631b100d.patch.
     It is applied upstream.
   * d/control: declare compliance to standards version 4.7.0.
   * d/libgdcm-tools.lintian-overrides: refresh mismatched override.
   * d/libvtkgdcm-9.1t64.lintian-overrides: update mismatched override.
   * d/libgdcm3.0t64.lintian-overrides: remove mismatched override.
   * d/copyright: remove superfluous file patterns.
   * d/watch: single out tag v3.1.0 upstream.
Checksums-Sha1:
 62c45338fc8721d107e052b0fe1ea6980195759a 3726 gdcm_3.0.24-1.dsc
 e66cd70d0dc8f813f8dc1d90e23ebeab6aa81cd7 2613432 gdcm_3.0.24.orig.tar.xz
 21eae7cdac92769eb2203a0e96d228c5e1492c18 278280 gdcm_3.0.24-1.debian.tar.xz
Checksums-Sha256:
 158cd0312d82dd99a7dc6aa6487d8448942d80ce8d19ff1c5a647fcd73177dfe 3726 gdcm_3.0.24-1.dsc
 9e76f70262b7fe019cd06001022b7aa53f4aa4a7e070f71d8e3b13fe99c36028 2613432 gdcm_3.0.24.orig.tar.xz
 fb262db4bfe7d52f0c23a03b234706ada88cf950e3528be9e732f69e14d8e143 278280 gdcm_3.0.24-1.debian.tar.xz
Files:
 0079c9be6c4281d47b4cc2ac00e578be 3726 libs optional gdcm_3.0.24-1.dsc
 8127469f4d2d45e54d4c3fad7f92650c 2613432 libs optional gdcm_3.0.24.orig.tar.xz
 d7bc16f09cdda67f62c1920d8409d2a6 278280 libs optional gdcm_3.0.24-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmY34FAUHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdrSURAAxkR1lyCdnIM8+0lrIzy3TAacLjp7
6MynqM7OkU1hst7iTFR0OgMv5EfWCZcdjq/4ui0fqgi/ebVGAejsmDtulo2YDvIo
zSwUpESxj5Dfybim9tcqIkwJPb6batO5CM68MkuD7aUZLJrKdBRUetc1W/GlVWwV
sUuapwyz+CVhjC/7Yl8wj/36LJwxQd/ldrwPBPKO23aRf3KJegXRj1LGP8KOz0hu
MCCEUTF6gvFn2R1SZ8awRFT7RzYiCjYDXambTGsJ6qlaX7YRbcxizMN1HPSN853U
c/9Db2J+3BbJeqWod8OjX1PgZyF6D9aqMow0EWDX1BIQy98khNh4m8oeJqnR4uuv
zGW1GvgtZOxvAITtiO4mlFgoxLGLjqA7ApmMEi8sW3sfIRkxIqIX4s2VYF57e2t1
OOJ/C4t/U//ernp6IZVR4NVWuIzlRMyR1kPZwGXFkAXJDBJ/fSIUJOBRWSNkzfIM
IS7reGacWlBmqF/qwyY0O8TVoBPCe67mdCMCPqhTfvqYF0nyjkTOJOsjjsUNCddB
e/1TXsKE7P1GtpjqMsi9ijSyLtZpxMHgpZM08wyMkUGlUOxIqNR+f2iqyijL/JBu
Q5m348VcHSt8xI0VKvVkX+13jGGnQfPQJmTVjGhRpD59KwCF5e8+amaiPGeJwIkh
xY8KoUNkJ7RWMq4=
=qTpZ
-----END PGP SIGNATURE-----
--- End Message ---