Your message dated Sun, 05 May 2024 20:42:20 +0000
with message-id <e1s3ige-005ipy...@fasolo.debian.org>
and subject line Bug#1070387: fixed in gdcm 3.0.24-1
has caused the Debian Bug report #1070387,
regarding gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070387: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070387
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm.

These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
    https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
    https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
    https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: gdcm
Source-Version: 3.0.24-1
Done: Étienne Mollier <emoll...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gdcm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <emoll...@debian.org> (supplier of updated gdcm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2024 16:45:36 +0200
Source: gdcm
Architecture: source
Version: 3.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emoll...@debian.org>
Closes: 1070387
Changes:
 gdcm (3.0.24-1) unstable; urgency=high
 .
   * Team upload.
   * d/watch: fix scan broken by github release page changes.
     This switches to git mode, to stabilise to ls-remote "API".
   * New upstream version 3.0.24
     This version addresses CVE-2024-22373, CVE-2024-22391 and CVE-2024-25569.
     Closes: #1070387
   * 02_fixhurd.patch: unfuzz.
   * Deleted 6631a74c39145b71dedcbe07c43bd6b1631b100d.patch.
     It is applied upstream.
   * d/control: declare compliance to standards version 4.7.0.
   * d/libgdcm-tools.lintian-overrides: refresh mismatched override.
   * d/libvtkgdcm-9.1t64.lintian-overrides: update mismatched override.
   * d/libgdcm3.0t64.lintian-overrides: remove mismatched override.
   * d/copyright: remove superfluous file patterns.
   * d/watch: single out tag v3.1.0 upstream.
Checksums-Sha1:
 62c45338fc8721d107e052b0fe1ea6980195759a 3726 gdcm_3.0.24-1.dsc
 e66cd70d0dc8f813f8dc1d90e23ebeab6aa81cd7 2613432 gdcm_3.0.24.orig.tar.xz
 21eae7cdac92769eb2203a0e96d228c5e1492c18 278280 gdcm_3.0.24-1.debian.tar.xz
Checksums-Sha256:
 158cd0312d82dd99a7dc6aa6487d8448942d80ce8d19ff1c5a647fcd73177dfe 3726 gdcm_3.0.24-1.dsc
 9e76f70262b7fe019cd06001022b7aa53f4aa4a7e070f71d8e3b13fe99c36028 2613432 gdcm_3.0.24.orig.tar.xz
 fb262db4bfe7d52f0c23a03b234706ada88cf950e3528be9e732f69e14d8e143 278280 gdcm_3.0.24-1.debian.tar.xz
Files:
 0079c9be6c4281d47b4cc2ac00e578be 3726 libs optional gdcm_3.0.24-1.dsc
 8127469f4d2d45e54d4c3fad7f92650c 2613432 libs optional gdcm_3.0.24.orig.tar.xz
 d7bc16f09cdda67f62c1920d8409d2a6 278280 libs optional gdcm_3.0.24-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpOdD2MVavTf.pgp
Description: PGP signature


--- End Message ---
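The .changes block above lists a SHA-256 and a byte size for each source artefact of gdcm 3.0.24-1. The following script is an added example, not part of the bug report or of the Debian tooling: it parses the Checksums-Sha256 field in the format shown above (indented continuation lines of `hash size filename`) and verifies a downloaded artefact against it, checking the size first and the digest second. The embedded excerpt copies the three entries from the page; the `demo.tar` blob in the self-test is constructed. Note that the checksum check only ties a file to the .changes text; what authenticates the .changes itself is the PGP clearsignature around it (verified separately, e.g. with `gpg --verify`), which this example does not cover.

```python
import hashlib
import re
import sys

# Excerpt copied from the gdcm 3.0.24-1 .changes shown above (values from the page).
CHANGES_EXCERPT = """\
Checksums-Sha256:
 158cd0312d82dd99a7dc6aa6487d8448942d80ce8d19ff1c5a647fcd73177dfe 3726 gdcm_3.0.24-1.dsc
 9e76f70262b7fe019cd06001022b7aa53f4aa4a7e070f71d8e3b13fe99c36028 2613432 gdcm_3.0.24.orig.tar.xz
 fb262db4bfe7d52f0c23a03b234706ada88cf950e3528be9e732f69e14d8e143 278280 gdcm_3.0.24-1.debian.tar.xz
Files:
 0079c9be6c4281d47b4cc2ac00e578be 3726 libs optional gdcm_3.0.24-1.dsc
"""

SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def parse_sha256_stanza(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    In a .changes file a field's value continues on indented lines until the
    next unindented 'Field:' line; only the Checksums-Sha256 field is read here.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            # An unindented line starts a new field; note whether it is ours.
            in_stanza = line.strip() == "Checksums-Sha256:"
            continue
        if not in_stanza:
            continue
        parts = line.split()
        if len(parts) != 3 or not SHA256_HEX.fullmatch(parts[0]) or not parts[1].isdigit():
            raise ValueError("malformed Checksums-Sha256 entry: %r" % line)
        entries[parts[2]] = (parts[0], int(parts[1]))
    return entries


def verify_blob(expected, name, data):
    """Check a file's bytes against the parsed stanza; return (ok, reason).

    The size comparison is a cheap early reject; the digest is the real check.
    """
    if name not in expected:
        return False, "not listed in Checksums-Sha256"
    want_hash, want_size = expected[name]
    if len(data) != want_size:
        return False, "size mismatch: %d != %d" % (len(data), want_size)
    got_hash = hashlib.sha256(data).hexdigest()
    if got_hash != want_hash:
        return False, "sha256 mismatch"
    return True, "ok"


def verify_file(expected, path):
    """Verify an on-disk artefact whose basename appears in the stanza."""
    name = path.rsplit("/", 1)[-1]
    with open(path, "rb") as fh:
        return verify_blob(expected, name, fh.read())


def stanza_for(name, data):
    """Build a one-entry Checksums-Sha256 stanza for constructed test data."""
    return "Checksums-Sha256:\n %s %d %s\n" % (
        hashlib.sha256(data).hexdigest(), len(data), name)


if __name__ == "__main__":
    # Usage: python verify_changes.py <changes-file> <artefact>...
    with open(sys.argv[1]) as fh:
        listed = parse_sha256_stanza(fh.read())
    for artefact in sys.argv[2:]:
        ok, reason = verify_file(listed, artefact)
        print("%s: %s" % (artefact, reason))
```

Run against the real .changes and the downloaded `gdcm_3.0.24.orig.tar.xz`, the script reports `ok` only when both the size and the SHA-256 match the line on the page; a truncated or substituted tarball is reported with the reason that failed.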
