#1136204 invesalius: CVE-2024-44825

Package:
src:invesalius
Source:
src:invesalius
Submitter:
Salvatore Bonaccorso
Date:
2026-05-14 20:19:02 UTC
Severity:
normal
#1136204#5
Date:
2026-05-10 18:09:57 UTC
Hi,

The following vulnerability was published for invesalius.

CVE-2024-44825[0]:
| Directory Traversal vulnerability in Centro de Tecnologia da
| Informaco Renato Archer InVesalius3 v3.1.99995 allows attackers to
| write arbitrary files unto the system via a crafted .inv3 file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-44825
https://www.cve.org/CVERecord?id=CVE-2024-44825
[1] https://github.com/invesalius/invesalius3/commit/8b966260b3d9510e3ddc473aac4cc6578bab3aab

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1136204#10
Date:
2026-05-14 11:40:08 UTC
found 1136204 3.1.99998-7
thanks

Thanks for the report. I'm going to assume that version -7 is also
affected, so that -8 (recently uploaded) can propagate to testing
first.

Then I will try to apply the patch quoted above.

Thanks.

#1136204#17
Date:
2026-05-14 12:23:31 UTC
tags 1136204 help
thanks
over the current version:

Importing patch 8b966260b3d9510e3ddc473aac4cc6578bab3aab.patch
Applying patch 8b966260b3d9510e3ddc473aac4cc6578bab3aab.patch
patching file .gitignore
patching file invesalius/project.py
Hunk #1 FAILED at 31.
Hunk #2 succeeded at 481 with fuzz 1 (offset -20 lines).
Hunk #3 FAILED at 512.
Hunk #4 FAILED at 537.
3 out of 4 hunks FAILED -- rejects in file invesalius/project.py
Patch 8b966260b3d9510e3ddc473aac4cc6578bab3aab.patch does not apply (enforce with -f)
Patch 8b966260b3d9510e3ddc473aac4cc6578bab3aab.patch is not applied

In particular, the patch tries to modify this:

-    tar_filter = getattr(tarfile, "tar_filter", None)  # For python < 3.12
+    tar_filter = getattr(tarfile, "tar_filter", None)
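
Review bot: the only difference between the `-` and `+` lines is the dropped trailing comment `# For python < 3.12`; the `getattr(tarfile, "tar_filter", None)` call itself is unchanged, so this hunk is cosmetic and can be omitted from a backport without affecting the fix. The rejected hunks #3 and #4 (at 512 and 537) are the ones to port by hand, checking whether they rely on `tar_filter` being defined, since the target tree lacks this line altogether.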

but the Debian package in unstable does not have such a line yet, so we would
need a yet-to-be-determined number of patches before [8b96626] for this to work.

I'm tagging this as "help" and Cc:ing Thiago (who created the package)
in the hope that he (or somebody else) can care about this.

Thanks.

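The CVE above is a path traversal in the archive-extraction step, and the patch fragment Santiago quotes shows the upstream fix leaning on Python's tarfile extraction filters. The following is an added example, not InVesalius code and not the upstream patch, of the defensive pattern: use the `data` filter where the interpreter provides it (Python 3.12 and the security backports to 3.8-3.11) and fall back to an explicit per-member path check elsewhere, refusing the whole archive when any member would land outside the destination. The archive contents, the `safe_extract` name and the `UnsafeArchiveError` class are constructed for the example; that an `.inv3` file is a tar stream is assumed from the patch touching `tarfile`.

```python
"""Defensive extraction of a tar-based archive such as an .inv3 project file.

Added example (not InVesalius code). It assumes the archive is a plain tar
stream and that the goal is to refuse any member that would land outside the
chosen destination directory.
"""
import io
import os
import tarfile
import tempfile


class UnsafeArchiveError(ValueError):
    """Raised when an archive member would escape the destination directory."""


def _member_is_safe(dest: str, member: tarfile.TarInfo) -> bool:
    """Fallback check for interpreters without tarfile extraction filters.

    Only regular files and directories whose resolved path stays under dest
    are accepted; links and special files are rejected outright.
    """
    if not (member.isfile() or member.isdir()):
        return False
    root = os.path.realpath(dest)
    # os.path.join discards root for absolute names, so they resolve outside it.
    target = os.path.realpath(os.path.join(root, member.name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract archive into dest, refusing the whole archive if any member is unsafe.

    Returns the member names that were written.
    """
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = tar.getmembers()
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ and the 3.8-3.11 security backports: the "data"
            # filter raises FilterError for any member that would escape dest.
            try:
                tar.extractall(dest, filter="data")
            except tarfile.FilterError as exc:
                raise UnsafeArchiveError(str(exc)) from exc
        else:
            bad = [m.name for m in members if not _member_is_safe(dest, m)]
            if bad:
                raise UnsafeArchiveError(f"unsafe members: {bad}")
            tar.extractall(dest, members=members)
    return [m.name for m in members]


def build_tar(entries: dict) -> bytes:
    """Build an uncompressed tar archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Extract a well-formed archive and a traversal attempt; report each outcome."""
    good = build_tar({"project/mask.txt": b"ok"})
    # Constructed traversal attempt: a member name that climbs out of dest.
    crafted = build_tar({"../escaped.txt": b"x"})
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["good"] = safe_extract(good, dest)
        try:
            safe_extract(crafted, dest)
            results["crafted"] = "extracted"
        except UnsafeArchiveError:
            results["crafted"] = "rejected"
        # Exercise the fallback check directly so its verdicts are visible on
        # every interpreter, not only on those lacking extraction filters.
        results["fallback"] = {
            name: _member_is_safe(dest, tarfile.TarInfo(name))
            for name in ("project/mask.txt", "../escaped.txt", "/etc/passwd")
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Refusing the archive as a whole, rather than silently skipping the offending member, is deliberate: a project file with a traversal entry is not a file the application should half-load.
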
#1136204#24
Date:
2026-05-14 12:35:09 UTC
Hmm, I got this bounce. Is the address valid at all?

<tfmoraes@cti.gov.br>: host 200.144.113.118[200.144.113.118] said: 550 5.1.1
    <tfmoraes@cti.gov.br>: Recipient address rejected: cti.gov.br (in reply to
    RCPT TO command)

Trying another known address for Thiago now.

Thanks.

#1136204#29
Date:
2026-05-14 20:06:17 UTC
Hi,

since Thiago's address was bouncing, I'm hereby CCing other contacts.

Kind regards
    Andreas.

On Thu, May 14, 2026 at 02:35:09PM +0200, Santiago Vila wrote:

#1136204#34
Date:
2026-05-14 20:17:53 UTC