#1123589 gdcm: CVE-2025-48429

Package:
src:gdcm
Source:
src:gdcm
Submitter:
Salvatore Bonaccorso
Date:
2026-06-26 16:41:02 UTC
Severity:
normal
Tags:
#1123589#5
Date:
2025-12-18 11:18:45 UTC
From:
To:
Hi,

The following vulnerability was published for gdcm.

CVE-2025-48429[0]:
| An out-of-bounds read vulnerability exists in the
| RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A
| specially crafted DICOM file can lead to leaking heap data. An
| attacker can provide a malicious file to trigger this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48429
https://www.cve.org/CVERecord?id=CVE-2025-48429
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1123589#8
Date:
2026-06-19 13:04:45 UTC
From:
To:
Hello,

Bug #1123589 in gdcm reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/gdcm/-/commit/5c0fdae82049734a2c1cf099a2d6d97732f48b5a
------------------------------------------------------------------------
Non-maintainer upload by the LTS Team.

* Non-maintainer upload by the LTS Team.
* CVE-2025-11266: Avoid out-of-bounds vulnerability. The issue
  unsigned integer underflow in buffer indexing (Closes: #1122862).
* CVE-2025-52582: Add patch to prevent overlay extraction in case of
  malformed overlay or image information (Closes: #1123576).
* CVE-2025-48429: Add patch to refactor the RLE header to ensure it
  conforms to the DICOM standard (Closes: #1123589).
* CVE-2025-53618 and CVE-2025-53619: Add patch to add a frame size
  check to ensure that the provided data corresponds to the buffer
  size (Closes: #1123587).
* CVE-2026-3650: Add patch to reject Value Length exceeding stream
  size (Closes: #1132042).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1123589
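The advisory quoted in the first message (out-of-bounds read in RLECodec::DecodeByStreams, leaking heap data from a crafted DICOM file) and the changelog entry above (patch to make the RLE header conform to the DICOM standard) both concern the 64-byte RLE header defined in DICOM PS3.5 Annex G. The C++ below is an added illustration of what such a conformance check looks like; it is not gdcm's code or the patch in the referenced commit, and the function names and the constructed sample fragments are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// DICOM RLE header (PS3.5 Annex G): 16 little-endian uint32 words, 64 bytes.
// Word 0 is the number of segments (1..15); words 1..15 are byte offsets of
// each segment from the start of the header; unused words must be zero.
constexpr std::size_t kRleHeaderSize = 64;
constexpr std::uint32_t kMaxSegments = 15;

static std::uint32_t ReadLE32(const unsigned char *p) {
  return std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
         (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
}

// True only when every segment the header announces starts inside the
// fragment of `len` bytes. Each rejected case is one where a decoder that
// trusts the header would compute a read outside the fragment. Run lengths
// inside each segment still need their own bounds checks in the decoder.
bool ValidateRleHeader(const unsigned char *frag, std::size_t len) {
  if (frag == nullptr || len < kRleHeaderSize) return false;
  const std::uint32_t nseg = ReadLE32(frag);
  if (nseg == 0 || nseg > kMaxSegments) return false;
  std::uint32_t prev = 0;
  for (std::uint32_t i = 1; i <= kMaxSegments; ++i) {
    const std::uint32_t off = ReadLE32(frag + 4 * i);
    if (i > nseg) {
      if (off != 0) return false;               // unused entries must be zero
      continue;
    }
    if (off < kRleHeaderSize) return false;     // segment cannot overlap header
    if (i > 1 && off <= prev) return false;     // offsets strictly increasing
    if (off >= len) return false;               // segment must start in fragment
    prev = off;
  }
  return true;
}

// Hypothetical helper: builds a constructed fragment with a header holding
// `nseg` and the given offsets, followed by `payloadBytes` zero bytes.
std::vector<unsigned char> BuildFragment(std::uint32_t nseg,
                                         const std::vector<std::uint32_t> &offsets,
                                         std::size_t payloadBytes) {
  std::vector<unsigned char> f(kRleHeaderSize + payloadBytes, 0);
  auto put = [&](std::size_t word, std::uint32_t v) {
    for (int b = 0; b < 4; ++b) f[4 * word + b] = (unsigned char)(v >> (8 * b));
  };
  put(0, nseg);
  for (std::size_t i = 0; i < offsets.size() && i < kMaxSegments; ++i) put(i + 1, offsets[i]);
  return f;
}
```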

#1123589#13
Date:
2026-06-26 16:08:04 UTC
From:
To:
Hello,

Bug #1123589 in gdcm reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/gdcm/-/commit/ba4f49b61bb8cf0e4d19d58680734e5b3d3561c9
------------------------------------------------------------------------
Fix several CVEs

* CVE-2025-11266: Avoid out-of-bounds vulnerability. The issue
  unsigned integer underflow in buffer indexing (Closes: #1122862).
* CVE-2025-52582: Add patch to prevent overlay extraction in case of
  malformed overlay or image information (Closes: #1123576).
* CVE-2025-48429: Add patch to refactor the RLE header to ensure it
  conforms to the DICOM standard (Closes: #1123589).
* CVE-2025-53618 and CVE-2025-53619: Add patch to add a frame size
  check to ensure that the provided data corresponds to the buffer
  size (Closes: #1123587).
* CVE-2026-3650: Add patch to reject Value Length exceeding stream
  size (Closes: #1132042).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1123589

#1123589#18
Date:
2026-06-26 16:38:35 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gdcm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1123589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Arias <eamanu@debian.org> (supplier of updated gdcm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Jun 2026 11:48:10 -0300
Source: gdcm
Architecture: source
Version: 3.0.24-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Emmanuel Arias <eamanu@debian.org>
Closes: 1122862 1123576 1123587 1123589 1132042
Changes:
 gdcm (3.0.24-11) unstable; urgency=medium
 .
   * Team Upload.
   * CVE-2025-11266: Avoid out-of-bounds vulnerability. The issue
     was triggered during parsing of a malformed DICOM file containing
     encapsulated PixelData fragments. This vulnerability leads to a
     segmentation fault caused by an out-of-bounds memory access due to
     unsigned integer underflow in buffer indexing (Closes: #1122862).
   * CVE-2025-52582: Add patch to prevent overlay extraction in case of
     malformed overlay or image information (Closes: #1123576).
   * CVE-2025-48429: Add patch to refactor the RLE header to ensure it
     conforms to the DICOM standard (Closes: #1123589).
   * CVE-2025-53618 and CVE-2025-53619: Add patch to add a frame size
     check to ensure that the provided data corresponds to the buffer
     size (Closes: #1123587).
   * CVE-2026-3650: Add patch to reject Value Length exceeding stream
     size (Closes: #1132042).