#1133001 dcmtk: CVE-2026-5663

Package:
src:dcmtk
Source:
src:dcmtk
Submitter:
Salvatore Bonaccorso
Date:
2026-06-12 19:01:03 UTC
Severity:
normal
Tags:
#1133001#5
Date:
2026-04-08 18:38:15 UTC
Hi,

The following vulnerability was published for dcmtk.

CVE-2026-5663[0]:
| A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This
| impacts the function executeOnReception/executeOnEndOfStudy of the
| file dcmnet/apps/storescp.cc of the component storescp. Performing a
| manipulation results in os command injection. Remote exploitation of
| the attack is possible. The patch is named
| edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the
| recommended action to fix this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5663
https://www.cve.org/CVERecord?id=CVE-2026-5663
[1] https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1133001#8
Date:
2026-06-03 19:13:48 UTC
Hello,

Bug #1133001 in dcmtk reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/dcmtk/-/commit/449d8d60f851bf804b3d4361c62389270ac2844f

------------------------------------------------------------------------
This change introduces guardrails to prevent risks of shell code
injection.

Closes: #1133001
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1133001

#1133001#15
Date:
2026-06-04 04:04:02 UTC
We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1133001@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 03 Jun 2026 21:54:21 +0200
Source: dcmtk
Architecture: source
Version: 3.7.0+really3.7.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1133001
Changes:
 dcmtk (3.7.0+really3.7.0-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Pino Toscano ]
   * d/patches/hurd.patch: new, fix the build on GNU/Hurd.
 .
   [ Étienne Mollier ]
   * CVE-2026-5663.patch: new: fix CVE-2026-5663.
     This change introduces guardrails to prevent risks of shell code
     injection. (Closes: #1133001)
   * CVE-2026-10528-partial.patch: new: fix needed by orthanc.
     This patch introduces the part of the mitigation against CVE-2026-10528
     affecting orthanc that needs to be applied on the side of dcmtk.  See
     also Debian bug #1138713.
Checksums-Sha1:
 a912ac97babd6d3be9b5583bf02bbfee1740a77a 2669 dcmtk_3.7.0+really3.7.0-3.dsc
 2a944aa00856f2c78c720844f89f33106929a361 41284 dcmtk_3.7.0+really3.7.0-3.debian.tar.xz
Checksums-Sha256:
 c84feadadfd8dad5e57395ee3ed7dde4a06b057eca09ec3d87e6dded5712d7e2 2669 dcmtk_3.7.0+really3.7.0-3.dsc
 1af665a84c05b1132e7362e17fbc0c291d9bc6ce8c52e90a7d9acb9d1d0bb7d2 41284 dcmtk_3.7.0+really3.7.0-3.debian.tar.xz
Files:
 22cfb8b218efbfd5b91887bcd62ebdd1 2669 science optional dcmtk_3.7.0+really3.7.0-3.dsc
 aff3c2e783fb0b392614c9a6bb2cd5e9 41284 science optional dcmtk_3.7.0+really3.7.0-3.debian.tar.xz