#1140693 trixie-pu: package dcmtk/3.6.9-5+deb13u2

#1140693#5
Date:
2026-06-24 17:13:09 UTC
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: dcmtk@packages.debian.org
Control: affects -1 + src:dcmtk
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
dcmtk in trixie, including dcmtk 3.6.9-5+deb13u1 pending
publication via trixie-proposed-updates, is affected by
CVE-2026-12805.  See also important bug #1140562.

CVE-2026-12805 is an issue triaged as minor by the Debian
Security Team.  Hence, I offer to upload via the
stable-proposed-updates channel instead of trixie-security.

[ Impact ]
If the upload is not granted, dcmtk in trixie will remain
affected by CVE-2026-12805.

[ Tests ]
The affected code did not include an update of the test suite.
I had hoped to refer to upstream's ticket #1208 [1] in order to
check whether there were means to stress the change to the code,
but their issue tracker is down at the time of writing.  That
being written, I ensured that the change did not introduce
regressions in reverse dependencies in testing by running their
autopkgtest.

[1]: https://support.dcmtk.org/redmine/issues/1208

[ Risks ]
The overall change to the code consists of effectively a single
line, in a patch taken straight from the upstream commit.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This update introduces the patch 0019-CVE-2026-12805.patch.  It
fixes the buffer overflow referenced under CVE-2026-12805 by
properly checking for ftell(3) error codes.

[ Other info ]
On the unstable side, the change should make it to
forky tomorrow, as dcmtk's test suite and all reverse
dependencies' autopkgtests were verified to be in working
condition, which is encouraging.

This update follows up on dcmtk 3.6.9-5+deb13u1 uploaded to
trixie-proposed-updates via #1139722, but which has not made it
to trixie yet.  It seemed saner to me to include a debdiff that
restarts from 3.6.9-5+deb13u1 rather than 3.6.9-5.  Hope that's
ok this way?

Have a nice day,  :)