Bug 30790

Summary: dcmtk new security issues fixed upstream in 3.6.7 (CVE-2021-4168[7-9], CVE-2021-41690, CVE-2022-2119, CVE-2022-212[01]) plus CVE-2022-43272
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: dcmtk-3.6.6-5.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-08-30 23:47:35 CEST
Fedora has issued an advisory today (August 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Z7WVDK43MKWOS23BIN4VCQRQRXHGSDB/

It's not clear what the issues are, and the upstream changes for 3.6.7 are here:
https://dicom.offis.de/download/dcmtk/dcmtk367/ANNOUNCE

Mageia 8 is also affected.
David Walser 2022-08-30 23:47:46 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-08-30 23:48:27 CEST
It sounds like there is a soname bump in 3.6.7, and they had to rebuild openimageio as a result:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WF2FCZOYXVZ4ETCHO62JWUP4D55UWJCV/
Comment 2 Lewis Smith 2022-08-31 08:40:58 CEST
No particular packager evident for this, so another to assign globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2023-02-23 18:33:50 CET
Ubuntu has issued an advisory for this on February 22:
https://ubuntu.com/security/notices/USN-5882-1

It looks like all of the issues are fixed upstream in 3.6.7 except for CVE-2022-43272 which needs an additional patch.

Severity: normal => major
Status comment: (none) => Patches available from Ubuntu
Summary: dcmtk new security issue(s) fixed upstream in 3.6.7 => dcmtk new security issues fixed upstream in 3.6.7 (CVE-2021-4168[7-9], CVE-2021-41690, CVE-2022-2119, CVE-2022-212[01]) plus CVE-2022-43272

Comment 4 David GEIGER 2023-03-07 18:26:09 CET
Done for both Cauldron and mga8!

CC: (none) => geiger.david68210

Comment 5 David GEIGER 2023-03-09 17:41:19 CET
Assigning to QA!

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 6 David GEIGER 2023-03-09 17:43:41 CET
Packages in 8/Core/Updates_testing:
======================
libdcmtk15-3.6.5-3.1.mga8
lib64dcmtk15-3.6.5-3.1.mga8
libdcmtk-devel-3.6.5-3.1.mga8
lib64dcmtk-devel-3.6.5-3.1.mga8
dcmtk-3.6.5-3.1.mga8

From SRPMS:
dcmtk-3.6.5-3.1.mga8.src.rpm
David Walser 2023-03-09 17:45:23 CET

Whiteboard: MGA8TOO => (none)
Status comment: Patches available from Ubuntu => (none)

Comment 7 Herman Viaene 2023-03-10 09:52:16 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
No wiki, no previous updates. Info on dcmtk reads "This is a collection of libraries ....." so tried to find something dependent on it.
# urpmq --whatrequires  dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
# urpmq --whatrequires-recursive  dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
lib64openimageio-devel
lib64openshadinglanguage1.10-devel
So gave up and decided on OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2023-03-10 18:00:18 CET
I got a little farther than you, Herman, but not really enough to say so.

I've learned recently that sometimes a recursive search on one of the "lib64" packages is more fruitful, so I tried "urpmq --whatrequires-recursive lib64dcmtk15" and came up with two possibilities: Blender and openimageio.

The description tells me that dcmtk is used for manipulating DICOM files, used mostly with 3D medical images. I found some samples on the web, and tried to view them, first with Blender, then with iv, an image viewer that's part of openimageio. I failed with both, both before and after the update.

Blender is a complex program, and learning how to use it effectively would be a career-building exercise, something I'm not ready to pursue. Also, there is an open bug about it crashing when attempting to export images, and I don't know if that would affect importing these images as well, so I can't trust it.

Openimageio is a simpler command line interface, but still, being unfamiliar with working with 3D images, I strongly believe my failures with even that were due to user error.

So I'm going to go with our clean installs, and validate. If this needs further testing, I'll need extensive hand-holding if I am to do it.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-11 00:29:05 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-03-11 20:01:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED