Control: tags 1082875 + patch
Control: tags 1082875 + pending

Dear maintainer,
I've prepared an NMU for invesalius (versioned as 3.1.99998-7.1) and uploaded it to DELAYED/1. Please feel free to tell me if I should cancel it.

cu
Adrian
diffstat for invesalius-3.1.99998 invesalius-3.1.99998 changelog | 7 ++++ patches/0001-Removed-eval-from-dicom.py-820.patch | 34 ++++++++++++++++++++++ patches/series | 1 3 files changed, 42 insertions(+) diff -Nru invesalius-3.1.99998/debian/changelog invesalius-3.1.99998/debian/changelog --- invesalius-3.1.99998/debian/changelog 2025-02-16 15:50:44.000000000 +0200 +++ invesalius-3.1.99998/debian/changelog 2026-05-07 12:33:58.000000000 +0300 @@ -1,3 +1,10 @@ +invesalius (3.1.99998-7.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2024-42845: eval injection in DICOM reader (Closes: #1082875) + + -- Adrian Bunk <[email protected]> Thu, 07 May 2026 12:33:58 +0300 + invesalius (3.1.99998-7) unstable; urgency=medium * Team upload. diff -Nru invesalius-3.1.99998/debian/patches/0001-Removed-eval-from-dicom.py-820.patch invesalius-3.1.99998/debian/patches/0001-Removed-eval-from-dicom.py-820.patch --- invesalius-3.1.99998/debian/patches/0001-Removed-eval-from-dicom.py-820.patch 1970-01-01 02:00:00.000000000 +0200 +++ invesalius-3.1.99998/debian/patches/0001-Removed-eval-from-dicom.py-820.patch 2026-05-07 12:33:32.000000000 +0300 
@@ -0,0 +1,34 @@ +From 9f3257b9488ca1ca85827028606ffb7bce44648c Mon Sep 17 00:00:00 2001 +From: Thiago Franco de Moraes <[email protected]> +Date: Mon, 5 Aug 2024 10:41:11 -0300 +Subject: Removed eval from dicom.py (#820) + +--- + invesalius/reader/dicom.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/invesalius/reader/dicom.py b/invesalius/reader/dicom.py +index 4aba9c7f..f68ba56f 100644 +--- a/invesalius/reader/dicom.py ++++ b/invesalius/reader/dicom.py +@@ -443,7 +443,7 @@ class Parser: + except (KeyError): + return "" + if data: +- return [eval(value) for value in data.split("\\")] ++ return [float(value) for value in data.split("\\")] + return "" + + def GetImageLocation(self): +@@ -456,7 +456,7 @@ class Parser: + """ + data = self.data_image[str(0x020)][str(0x1041)] + if data: +- return eval(data) ++ return float(data) + return "" + + def GetImageOffset(self): +-- +2.47.3 + diff -Nru invesalius-3.1.99998/debian/patches/series invesalius-3.1.99998/debian/patches/series --- invesalius-3.1.99998/debian/patches/series 2025-02-16 15:50:44.000000000 +0200 +++ invesalius-3.1.99998/debian/patches/series 2026-05-07 12:33:57.000000000 +0300 @@ -7,3 +7,4 @@ python3.13 fix-my-types.patch workaround-dropped-inner1d.patch +0001-Removed-eval-from-dicom.py-820.patch
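Review bot: in the first dicom.py hunk (`@@ -443,7 +443,7 @@`), `float(value)` raises `ValueError` on any non-numeric component of `data.split("\\")`, and the only handler visible in the hunk is `except (KeyError): return ""`, so a DICOM file with a malformed multi-valued field now propagates an exception instead of falling back to `""`. Consider wrapping the comprehension in `try: ... except ValueError: return ""` so the error path matches the existing fallback. Note also the type change: `eval("5")` returned `int`, `float("5")` returns `5.0`, so callers that compare these values for equality or use them as indices should be checked.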
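Review bot: in the second dicom.py hunk (`@@ -456,7 +456,7 @@`, `GetImageLocation`), `float(data)` is the right parser for tag (0020,1041) Slice Location, which has VR DS (decimal string), but the same uncaught-`ValueError` concern applies: `data = self.data_image[str(0x020)][str(0x1041)]` followed by `if data: return float(data)` has no handler for a non-numeric string, so a corrupt or vendor-mangled value now aborts the read rather than returning `""` like the lookup failure path does. Suggest `try: return float(data) except ValueError: return ""`.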

