Étienne Mollier pushed to branch master at Debian Med / dcmtk
Commits:
4cdc9b71 by Étienne Mollier at 2026-06-08T19:13:13+02:00
CVE-2026-10194.patch: new: fix CVE-2026-10194. Closes: #1139181
- - - - -
e1a42b44 by Étienne Mollier at 2026-06-08T19:14:21+02:00
d/control: add myself to uploaders.
- - - - -
10646038 by Étienne Mollier at 2026-06-08T19:48:40+02:00
d/changelog: ready for urgent upload to unstable.
- - - - -
4 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2026-10194.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+dcmtk (3.7.0+really3.7.0-5) unstable; urgency=high
+
+ * CVE-2026-10194.patch: new: fix CVE-2026-10194. (Closes: #1139181)
+ * d/control: add myself to uploaders.
+
+ -- Étienne Mollier <[email protected]> Mon, 08 Jun 2026 19:14:40 +0200
+
 dcmtk (3.7.0+really3.7.0-4) unstable; urgency=medium
 
 * Team upload.
=====================================
debian/control
=====================================
@@ -1,6 +1,8 @@
 Source: dcmtk
 Maintainer: Debian Med Packaging Team <[email protected]>
-Uploaders: Gert Wollny <[email protected]>, Mathieu Malaterre <[email protected]>
+Uploaders: Gert Wollny <[email protected]>,
+ Mathieu Malaterre <[email protected]>,
+ Étienne Mollier <[email protected]>
 Section: science
 Build-Depends: cmake,
 debhelper-compat (= 13),
=====================================
debian/patches/CVE-2026-10194.patch
=====================================
@@ -0,0 +1,67 @@
+Description: Fixed remote heap buffer overflow in dcmqrscp.
+ Thanks to 'elp3pinill0' for the bug report, detailed
+ analysis, proof of concept and proposed fix.
+Author: Marco Eichelberg <[email protected]>
+Applied-Upstream: 0f78a4ef6f645ea5530166e445e5436a5de58e75
+Last-Update: 2026-05-04
+Bug: https://support.dcmtk.org/redmine/issues/1206
+Bug-Debian: https://bugs.debian.org/1139181
+Reviewed-By: Étienne Mollier <[email protected]>
+
+diff --git a/dcmqrdb/libsrc/dcmqrdbi.cc b/dcmqrdb/libsrc/dcmqrdbi.cc
+index c91116a1c..ee308abe1 100644
+--- a/dcmqrdb/libsrc/dcmqrdbi.cc
++++ b/dcmqrdb/libsrc/dcmqrdbi.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1993-2025, OFFIS e.V.
++ * Copyright (C) 1993-2026, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -2471,12 +2471,16 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages(StudyDescRec
+
+ DB_IdxInitLoop (&(handle_ -> idxCounter)) ;
+ while ( DB_IdxGetNext(&(handle_ -> idxCounter), &idxRec) == EC_Normal ) {
+- if ( ! ( strncmp(idxRec. StudyInstanceUID, StudyUID, n) ) ) {
+-
+- StudyArray[nbimages]. idxCounter = handle_ -> idxCounter ;
+- StudyArray[nbimages]. RecordedDate = idxRec. RecordedDate ;
+- StudyArray[nbimages++]. ImageSize = idxRec. ImageSize ;
+- }
++ if ( ! ( strncmp(idxRec. StudyInstanceUID, StudyUID, n) ) ) {
++ StudyArray[nbimages]. idxCounter = handle_ -> idxCounter ;
++ StudyArray[nbimages]. RecordedDate = idxRec. RecordedDate ;
++ StudyArray[nbimages++]. ImageSize = idxRec. ImageSize ;
++ if (nbimages == MAX_NUMBER_OF_IMAGES) {
++ // too many images in this study, bail out
++ DCMQRDB_ERROR("maximum number of images per study (" << MAX_NUMBER_OF_IMAGES << ") exceeded");
++ return QR_EC_IndexDatabaseError;
++ }
++ }
+ }
+
+ /** Sort the StudyArray in order to have the oldest images first
+@@ -2563,6 +2567,8 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::checkupinStudyDesc(StudyDescRec
+ s = matchStudyUIDInStudyDesc (pStudyDesc, StudyUID,
+ (int)(handle_ -> maxStudiesAllowed)) ;
+
++ OFCondition cond;
++
+ /** If Study already exists
+ */
+
+@@ -2583,10 +2589,10 @@ OFCondition DcmQueryRetrieveIndexDatabaseHandle::checkupinStudyDesc(StudyDescRec
+
+ RequiredSize = imageSize -
+ ( handle_ -> maxBytesPerStudy - pStudyDesc[s]. StudySize ) ;
+- deleteOldestImages(pStudyDesc, s, StudyUID, RequiredSize) ;
++ cond = deleteOldestImages(pStudyDesc, s, StudyUID, RequiredSize) ;
++ if (cond.bad()) return cond;
+ }
+
+-
+ }
+ else {
+ #ifdef DEBUG
=====================================
debian/patches/series
=====================================
@@ -5,3 +5,4 @@ remove_version.patch
 skip-bigendian-roundtrip-failure.patch
 hurd.patch
 CVE-2026-5663.patch
+CVE-2026-10194.patch
View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/213f23d808e97458c73dd6689b35d3466c4cc556...10646038e055de77006f57a49558b52beee7b78e
--
View it on GitLab: https://salsa.debian.org/med-team/dcmtk/-/compare/213f23d808e97458c73dd6689b35d3466c4cc556...10646038e055de77006f57a49558b52beee7b78e
You're receiving this email because of your account on salsa.debian.org.
Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
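Review bot: In deleteOldestImages the new guard runs after the store into StudyArray[nbimages] and the post-increment, so a study with exactly MAX_NUMBER_OF_IMAGES index entries is rejected with QR_EC_IndexDatabaseError even though no write went out of range, and the bound is only correct if StudyArray holds MAX_NUMBER_OF_IMAGES elements, which the hunk does not show (the function's start and the array declaration are outside it). Placing the check before the three assignments, `if (nbimages >= MAX_NUMBER_OF_IMAGES) { DCMQRDB_ERROR("maximum number of images per study (" << MAX_NUMBER_OF_IMAGES << ") exceeded"); return QR_EC_IndexDatabaseError; }`, ties the guard to the index that is about to be written and still admits a full study. The `==` form also relies on nbimages only ever advancing by one; `>=` holds regardless of how the counter moves. checkupinStudyDesc now propagates the condition, but any other caller of deleteOldestImages that still discards its OFCondition would carry on after the early return as before; whether such callers exist is not visible in this patch.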
