#1113993 dcmtk: CVE-2025-9732

Package:
src:dcmtk
Source:
src:dcmtk
Submitter:
Salvatore Bonaccorso
Date:
2026-06-12 19:01:03 UTC
Severity:
normal
Tags:
#1113993#5
Date:
2025-09-05 04:37:37 UTC
From:
To:
Hi,

The following vulnerability was published for dcmtk.

CVE-2025-9732[0]:
| A vulnerability was identified in DCMTK up to 3.6.9. This affects an
| unknown function in the library
| dcmimage/include/dcmtk/dcmimage/diybrpxt.h of the component dcm2img.
| Such manipulation leads to memory corruption. Local access is
| required to approach this attack. The name of the patch is
| 7ad81d69b. It is best practice to apply a patch to resolve this
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9732
https://www.cve.org/CVERecord?id=CVE-2025-9732
[1] https://github.com/DCMTK/dcmtk/commit/7ad81d69b19714936e18ea5fc74edaeb9f021ce7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1113993#10
Date:
2025-09-05 06:20:42 UTC
From:
To:
Dear all,

Please note that the following commit is also needed, as it fixes an issue with commit 7ad81d6:

https://github.com/DCMTK/dcmtk/commit/3de96da6cd66b1af7224561c568bc3de50cd1398

Regards,
Jörg


Source: dcmtk
Version: 3.6.9-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

#1113993#15
Date:
2025-09-05 18:52:12 UTC
From:
To:
Hi Jörg,

Thanks for pointing that out, I have updated our security-tracker
metadata on it.

Regards,
Salvatore

#1113993#20
Date:
2025-12-10 22:06:48 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1113993@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 10 Dec 2025 22:34:17 +0100
Source: dcmtk
Architecture: source
Version: 3.6.9-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1113993 1122403
Changes:
 dcmtk (3.6.9-6) unstable; urgency=medium
 .
   * Team upload.
   * d/rules: cleanup a stray "noname" file. (Closes: #1122403)
   * d/patches/*-CVE-2025-9732.patch: new.
     These changes pulled from dcmtk upstream address CVE-2025-9732.
     (Closes: #1113993)
   * d/watch: convert to v5 Github template.
   * d/control: drop redundant Rules-Requires-Root: no.
   * d/control: declare compliance to standards version 4.7.2.
   * d/libdcmtk19.lintian-overrides: fix typo caught by lintian.