Hi,

The following vulnerability was published for dcmtk.

CVE-2025-14607[0]:
| A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by
| this issue is the function DcmByteString::makeDicomByteString of the
| file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The
| manipulation results in memory corruption. The attack can be
| launched remotely. Upgrading to version 3.7.0 can resolve this
| issue. The patch is identified as
| 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the
| affected component.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-14607
    https://www.cve.org/CVERecord?id=CVE-2025-14607
[1] https://support.dcmtk.org/redmine/issues/1184
[2] https://github.com/DCMTK/dcmtk/commit/4c0e5c10079392c594d6a7abd95dd78ac0aa556a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Hi,

I have prepared security updates for bookworm and trixie and could also fix unstable via targeted patches. I would rather not package a new upstream release though. I believe the release team would be in favor of addressing these issues in unstable and testing first before I am going to fix bookworm and trixie. What do you think?

Regards,
Markus

Hi Markus,

I rediscovered work in progress staging in a directory on my machine to proceed to a dcmtk upstream upgrade in unstable. I've never finished, probably due to running into other duties AFK. I'm not sure how much work is left to have the package into an uploadable state. I'm okay with rebasing my work on top of your NMU/Team upload with targeted changes, so that getting the newer upstream release does not go in the way of shipping the necessary security patches.

Thanks for your help with fixing the security issues of dcmtk in stable release!

Have a nice day, :)

Hi Étienne,

On Tuesday, 10.02.2026 at 23:27 +0100, Étienne Mollier wrote:

If you have already started to work on a new upstream release, then I suggest to continue this path because I assume users prefer that anyway in unstable or testing. Version 3.7.0 includes the fixes for these two CVEs. If you won't have the time to upload a new upstream version in February then I can prepare a NMU with two targeted patches based on the current version in unstable. We don't need to rebase your work though because, like I said, the new upstream version will fix the problem anyway.

Cheers,
Markus

Hi Markus,

Thank you for your thoughts, I had some time today and put it to contribution to finish the upgrade work to version 3.7.0. The remaining was thankfully "limited" to copyright review. I have a last build pending completion and will upload soon to unstable.

Have a nice day, :)

We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1122926@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated dcmtk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 11 Feb 2026 18:32:36 +0100
Source: dcmtk
Architecture: source
Version: 3.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1060677 1122926 1123584
Changes:
dcmtk (3.7.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 3.7.0: fixes CVE-2025-14607 and CVE-2025-14841.
(Closes: #1122926, #1123584, #1060677)
* d/copyright: refresh following new upstream release.
* *-CVE-*.patch: delete: all security issues are fixed upstream.
* 07_dont_export_all_executables.patch: unfuzz.
* d/control: drop redundant Priority: optional.
* d/control: declare compliance to standards version 4.7.3.
* d/dcmtk-doc.doc-base: update upstream version.
Format: 1.8
Date: Wed, 18 Feb 2026 21:22:40 +0100
Source: dcmtk
Binary: dcmtk dcmtk-data dcmtk-dbgsym dcmtk-doc libdcmtk-dev libdcmtk20 libdcmtk20-dbgsym
Architecture: source all amd64
Version: 3.7.0+really3.7.0-0+exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Description:
dcmtk - OFFIS DICOM toolkit command line utilities
dcmtk-data - OFFIS DICOM toolkit data files
dcmtk-doc - OFFIS DICOM toolkit documentation
libdcmtk-dev - OFFIS DICOM toolkit development libraries and headers
libdcmtk20 - OFFIS DICOM toolkit runtime libraries
Closes: 1060677 1122926 1123584
Changes:
dcmtk (3.7.0+really3.7.0-0+exp1) experimental; urgency=medium
.
* Team upload
* d/rules: guard against accidental ABI breakages.
* New upstream version 3.7.0: fixes CVE-2025-14607 and CVE-2025-14841.
(Closes: #1122926, #1123584, #1060677)
* d/*: soname bump to libdcmtk20.
* d/control: libdcmtk20 replaces libdcmtk19.
* skip-bigendian-roundtrip-failure.patch: new: skip test failure on s390x.
The correction is work in progress upstream.
Format: 1.8
Date: Fri, 10 Apr 2026 19:41:34 +0200
Source: dcmtk
Architecture: source
Version: 3.7.0+really3.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1060677 1122926 1123584
Changes:
dcmtk (3.7.0+really3.7.0-1) unstable; urgency=medium
.
* Team upload.
* Migrate from experimental to unstable after the Go for transition.
* d/copyright: provide working links to the AFPL.
The original link from the legal text broke some time ago.
The AFPL does not have to apply in that context anyways.
* skip-bigendian-roundtrip-failure.patch: short form BTS URI.
* d/u/metadata: eprint → Eprint.
* d/control: drop libdcmtk20 breaking and replacing libdcmtk19.
After examination of the situation, the stanza was needed against the
faulty 3.7.0-1, but it is not needed on 3.7.0+really3.6.9-1.
.
dcmtk (3.7.0+really3.7.0-0+exp1) experimental; urgency=medium
.
* Team upload
* d/rules: guard against accidental ABI breakages.
* New upstream version 3.7.0: fixes CVE-2025-14607 and CVE-2025-14841.
(Closes: #1122926, #1123584, #1060677)
* d/*: soname bump to libdcmtk20.
* d/control: libdcmtk20 replaces libdcmtk19.
* skip-bigendian-roundtrip-failure.patch: new: skip test failure on s390x.
The correction is work in progress upstream.