#1140562 dcmtk: CVE-2026-12805

Package:
src:dcmtk
Source:
src:dcmtk
Submitter:
Salvatore Bonaccorso
Date:
2026-06-22 22:07:02 UTC
Severity:
normal
Tags:
#1140562#5
Date:
2026-06-22 19:01:12 UTC
From:
To:
Hi,

The following vulnerability was published for dcmtk.

CVE-2026-12805[0]:
| A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected
| element is the function XMLNode::parseFile in the library
| ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-
| based buffer overflow. The attack may be performed from remote. The
| exploit has been published and may be used. This patch is called
| 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to
| apply a patch to resolve this issue. The vendor was contacted early,
| responded in a very professional manner and quickly released a fixed
| version of the affected product.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12805
https://www.cve.org/CVERecord?id=CVE-2026-12805
[1] https://support.dcmtk.org/redmine/issues/1208
[2] https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1140562#10
Date:
2026-06-22 19:41:12 UTC
From:
To:
Upstream issue #1208:
indicates that among other versions, 3.6.7 and 3.6.9 are
affected.  Quoting upstream:

Have a nice day,  :)
#1140562#19
Date:
2026-06-22 21:33:45 UTC
From:
To:
Hello,

Bug #1140562 in dcmtk reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/dcmtk/-/commit/7b857e61e8303634d6327d93e3499558f63d636b
This patch fixes a risk of buffer overflow by ensuring negative error
codes in XMLNode::parseFile are properly handled, as well a NULL
values.

Closes: #1140562
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140562
#1140562#26
Date:
2026-06-22 22:04:33 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 22:22:11 +0200
Source: dcmtk
Architecture: source
Version: 3.7.0+really3.7.0-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1140562
Changes:
 dcmtk (3.7.0+really3.7.0-6) unstable; urgency=medium
 .
   * CVE-2026-12805.patch: new: fix CVE-2026-12805.
     This patch fixes a risk of buffer overflow by ensuring negative error
     codes in XMLNode::parseFile are properly handled, as well a NULL
     values. (Closes: #1140562)
Checksums-Sha1:
 7b870dcbbec5cf8d8629f1090d71f8aa068d3127 2709 dcmtk_3.7.0+really3.7.0-6.dsc
 970ebe2981579f861efd94981342c35e56165507 34032 dcmtk_3.7.0+really3.7.0-6.debian.tar.xz
Checksums-Sha256:
 8bc9051256f77ce918e05ff4206214512859d12961f528c596795a70555a584b 2709 dcmtk_3.7.0+really3.7.0-6.dsc
 89721128877f1e0c59c1bdf8641b749c48c3e3d0bd6d87a25393b88ae1ba8690 34032 dcmtk_3.7.0+really3.7.0-6.debian.tar.xz
Files:
 938ecfb5b8ef3442a19ee7a8a052f4ff 2709 science optional dcmtk_3.7.0+really3.7.0-6.dsc
 91b96d32ac6b898e7a963be219f86613 34032 science optional dcmtk_3.7.0+really3.7.0-6.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmo5ql8UHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdq7vg/+IWtqhGCZckHP4nKJzC54fwYCxq6z
/uVDlJ8TtVSuRmkp949JeKjSKGHn3fTBxVlAsRSmxKo/nKetkzjeQFqf81EQ+M+e
h0wZxETYdY3i0k639WQzOvD9ElxWfI9A5U15UZOU0NgYZxCDvpp5Iq7Xtv2+nEP4
vFN98FlqLDavtqJF0jdPWmUogJY57ST5F2+jrJ+HpRNGJZrX/8PNpZKZb9r4oUx0
pcCC4/yZfr8Y9ZGndawgi2coXs/SE0kRSQCUKK7h/sDenlb8yPn81qfBdlMpnCDE
BFCcSjNklIgRwRj+4Obh0hra4QLhT29goJHzTOml2+2Ck1fOJsck5IF/ZNDL/LJG
JDnM0IJwgmdvw64O3W32Uyn4TsYRzu8o6/G4ZmSmbGwx7bP53kFil7QSdIWEtTW8
UwNw6N6vG7hRCTf6UqMydfVpIC9lP9JT4LnzK0upubue/NQ0XYeNQ9ngemKTXStw
ODBtQI+w1k7kCw5kaOi/52IncRN8bgNQOUBJQIbDibfinVXp+D/pUUpDK2+B4eXb
2ZWHFiV1QnLMP/uAGFBYItxHHN6t42d+KBGj0+g8ckGPziqYk61UdvX4ay7dFKx/
fwqFIon2a+f1YVtm0zE6UkKowRquJc6nlCw8UlA60d0NV4PRmx0MNZXLnYv2V3ch
5s/G2AAkjXsu7/E=
=dQuH
-----END PGP SIGNATURE-----