Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: dcmtk@packages.debian.org
Control: affects -1 + src:dcmtk
User: release.debian.org@packages.debian.org
Usertags: pu
Greetings Stable Release Managers,

[ Reason ]
dcmtk in trixie is currently affected by several security
issues, namely:
* CVE-2025-9732, described in #1113993,
* CVE-2025-14607, described in #1122926,
* CVE-2026-5663, described in #1133001,
* CVE-2025-14841, described in #1123584 and
* CVE-2026-10194, described in #1139181.
They are all classified as low-priority security issues, hence
no direct coordination with the Security Team. Yet having them
fixed in the next stable release would be welcome.

[ Impact ]
If the update is not approved, then dcmtk will continue being
affected by the above items.

[ Tests ]
I have ensured that the patches have caused no regressions in
trixie using tests like piuparts and the embedded autopkgtest.
I have also ensured that the reverse dependencies were not
affected by a regression in their autopkgtest when the patched
library is introduced.

[ Risks ]
Changes brought to the code are not trivial to me, but I'm
neither an imaging specialist nor a security specialist (or at
least don't consider myself as such). Besides, mitigation of
CVE-2025-9732 required an amendment upstream (see upstream
commit 3de96da6c), which materializes here as patches
0013-CVE-2025-9732.patch and 0014-CVE-2025-9732b.patch. That
being written, all the changes are part of the current dcmtk
3.7.0+really3.7.0-5 available in unstable and forky.
I have also been mindful to make sure that the changes minimize
alterations to the ABI. Apart perhaps from the introduction of
a new constant static variable for listing admissible characters
in sanitized file names, there should not be any breakage.
Finally, all patches applied with minimal fuzz. The only
rejects were caused by differences in the copyright years
upstream.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
0013-CVE-2025-9732.patch imports upstream commit 7ad81d69b,
initially fixing CVE-2025-9732.

0014-CVE-2025-9732b.patch imports upstream commit 3de96da6c,
which amends the previous patch with a fix needed for proper
operation of the library.

0015-CVE-2025-14607.patch imports upstream commit 4c0e5c100,
fixing CVE-2025-14607 by ensuring zero termination beyond the
end of the string, necessary under certain conditions.

0016-CVE-2026-5663.patch imports upstream commit edbb085e4,
fixing CVE-2026-5663 by making sure file names are converted to
a safe subset of characters before processing.

0017-CVE-2025-14841.patch imports upstream commit ffb1a4a37,
fixing CVE-2025-14841 by checking that the pointer that could
cause a crash is not NULL, and handling the NULL case
appropriately instead.

0018-CVE-2026-10194.patch imports upstream commit 0f78a4ef6,
fixing CVE-2026-10194 about a heap buffer overflow.
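
As an added illustration of two of the mitigation patterns named
above (a bounded copy that always writes the terminating NUL, as for
CVE-2025-14607, and an allowlist-based file-name sanitizer built on a
constant static table of admissible characters, as for CVE-2026-5663),
here is example code written for this report. It is not dcmtk's code
and not the upstream patches; the allowlist contents, the function
names and the sample inputs are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed allowlist of admissible file-name characters for this
 * example (not dcmtk's actual constant). Path separators, NUL and
 * control characters are deliberately absent. */
static const char ADMISSIBLE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789._-";

/* Copy at most dst_size-1 bytes of src into dst and always write the
 * terminating NUL inside dst, even when src is longer than dst.
 * Returns the number of bytes copied (excluding the terminator), or -1
 * when dst_size is 0 and nothing can be written. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst_size == 0)
        return -1;
    while (n < dst_size - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Write a sanitized copy of name into out: every byte not in the
 * allowlist is replaced by '_', so separators and control bytes cannot
 * reach the file system layer. Names that would be empty or consist of
 * dots only ("." / "..") are replaced by "_". out is always NUL-terminated
 * and truncated to fit. Returns 1 if the name was altered, 0 if it was
 * already admissible, -1 if out_size is 0. */
int sanitize_filename(char *out, size_t out_size, const char *name)
{
    size_t i = 0;
    int altered = 0;
    int only_dots = 1;
    if (out_size == 0)
        return -1;
    for (; name[i] != '\0' && i < out_size - 1; i++) {
        if (strchr(ADMISSIBLE_CHARS, (unsigned char)name[i]) != NULL) {
            out[i] = name[i];
        } else {
            out[i] = '_';
            altered = 1;
        }
        if (out[i] != '.')
            only_dots = 0;
    }
    out[i] = '\0';
    if (name[i] != '\0')          /* input was truncated to fit */
        altered = 1;
    if (i == 0 || only_dots) {    /* "", "." or ".." are not usable names */
        if (out_size >= 2) {
            out[0] = '_';
            out[1] = '\0';
        }
        altered = 1;
    }
    return altered;
}

/* Check helper: 1 if sanitize_filename(name) yields expected with the
 * expected altered flag. */
int sanitize_matches(const char *name, const char *expected, int want_altered)
{
    char out[32];
    int altered = sanitize_filename(out, sizeof out, name);
    return altered == want_altered && strcmp(out, expected) == 0;
}

/* Check helper: 1 if copy_bounded into a dst_size-byte window yields
 * expected and reports want_n bytes copied. dst is poisoned first so a
 * missing terminator would show up as a mismatch. */
int copy_matches(size_t dst_size, const char *src, const char *expected,
                 int want_n)
{
    char dst[32];
    int n;
    memset(dst, 'X', sizeof dst);
    n = copy_bounded(dst, dst_size, src);
    return n == want_n && (dst_size == 0 || strcmp(dst, expected) == 0);
}

int main(void)
{
    /* Constructed sample names, including traversal-looking input. */
    const char *samples[] = { "image.dcm", "../etc/passwd", "..", "" };
    char out[32];
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int altered = sanitize_filename(out, sizeof out, samples[k]);
        printf("%-16s -> %-16s (altered=%d)\n", samples[k], out, altered);
    }
    return 0;
}
```

The sanitizer deliberately rewrites rather than rejects, because the
caller usually has no better name to fall back on; the altered flag lets
it log that a name was changed, which is the signal worth watching in
an audit of incoming file names.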
Have a nice day, :)