Bug 30790 - dcmtk new security issues fixed upstream in 3.6.7 (CVE-2021-4168[7-9], CVE-2021-41690, CVE-2022-2119, CVE-2022-212[01]) plus CVE-2022-43272
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-08-30 23:47 CEST by David Walser
Modified: 2023-03-11 20:01 CET

See Also:
Source RPM: dcmtk-3.6.6-5.mga9.src.rpm
CVE:
Status comment:
Description David Walser 2022-08-30 23:47:35 CEST
Fedora has issued an advisory today (August 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Z7WVDK43MKWOS23BIN4VCQRQRXHGSDB/

It's not clear what the issues are, and the upstream changes for 3.6.7 are here:
https://dicom.offis.de/download/dcmtk/dcmtk367/ANNOUNCE

Mageia 8 is also affected.
David Walser 2022-08-30 23:47:46 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-08-30 23:48:27 CEST
It sounds like there is a soname bump in 3.6.7, and they had to rebuild openimageio as a result:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WF2FCZOYXVZ4ETCHO62JWUP4D55UWJCV/
Comment 2 Lewis Smith 2022-08-31 08:40:58 CEST
No particular packager evident for this, so another to assign globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2023-02-23 18:33:50 CET
Ubuntu has issued an advisory for this February 22:
https://ubuntu.com/security/notices/USN-5882-1

It looks like all of the issues are fixed upstream in 3.6.7 except for CVE-2022-43272, which needs an additional patch.

Severity: normal => major
Status comment: (none) => Patches available from Ubuntu
Summary: dcmtk new security issue(s) fixed upstream in 3.6.7 => dcmtk new security issues fixed upstream in 3.6.7 (CVE-2021-4168[7-9], CVE-2021-41690, CVE-2022-2119, CVE-2022-212[01]) plus CVE-2022-43272

Comment 4 David GEIGER 2023-03-07 18:26:09 CET
Done for both Cauldron and mga8!

CC: (none) => geiger.david68210

Comment 5 David GEIGER 2023-03-09 17:41:19 CET
Assigning to QA!

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs

Comment 6 David GEIGER 2023-03-09 17:43:41 CET
Packages in 8/Core/Updates_testing:
======================
libdcmtk15-3.6.5-3.1.mga8
lib64dcmtk15-3.6.5-3.1.mga8
libdcmtk-devel-3.6.5-3.1.mga8
lib64dcmtk-devel-3.6.5-3.1.mga8
dcmtk-3.6.5-3.1.mga8

From SRPMS:
dcmtk-3.6.5-3.1.mga8.src.rpm
David Walser 2023-03-09 17:45:23 CET

Whiteboard: MGA8TOO => (none)
Status comment: Patches available from Ubuntu => (none)
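A check that installed dcmtk packages are at or above the 8/Core/Updates_testing builds listed in comment 6, as an added example that is not Mageia's or dcmtk's own code; the version comparison is a simplified re-implementation of rpm's rpmvercmp and the installed package list is constructed for the demonstration.

```python
import re

# Updates_testing candidates from comment 6 (name-version-release, Mageia 8).
FIXED_PACKAGES = [
    "libdcmtk15-3.6.5-3.1.mga8",
    "lib64dcmtk15-3.6.5-3.1.mga8",
    "libdcmtk-devel-3.6.5-3.1.mga8",
    "lib64dcmtk-devel-3.6.5-3.1.mga8",
    "dcmtk-3.6.5-3.1.mga8",
]

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split on non-alphanumerics and compare segment by
    segment; numeric segments compare as integers and outrank alphabetic ones.
    Returns -1, 0 or 1 (a < b, a == b, a > b)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(pkg):
    """'lib64dcmtk-devel-3.6.5-3.1.mga8' -> ('lib64dcmtk-devel', '3.6.5', '3.1.mga8')."""
    return tuple(pkg.rsplit("-", 2))


def is_fixed(installed, fixed):
    """True if the installed NVR is at or above the fixed NVR of the same package."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0


def audit(installed):
    """Map each fixed package name to True (fixed), False (older build still
    installed) or None (not installed). `installed` is NVR strings as `rpm -qa` prints."""
    by_name = {split_nvr(p)[0]: p for p in installed}
    result = {}
    for fixed in FIXED_PACKAGES:
        name = split_nvr(fixed)[0]
        cur = by_name.get(name)
        result[name] = None if cur is None else is_fixed(cur, fixed)
    return result


# Constructed sample: the 64-bit library is still on the pre-update release.
SAMPLE_INSTALLED = ["lib64dcmtk15-3.6.5-3.mga8", "dcmtk-3.6.5-3.1.mga8", "bash-5.1.8-1.mga8"]
```

Feed it the real output of `rpm -qa` to audit a live Mageia 8 system; any False entry means the old build is still present.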

Comment 7 Herman Viaene 2023-03-10 09:52:16 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
No wiki, no previous updates. Info on dcmtk reads "This is a collection of libraries ....." so tried to find something dependent on it.
# urpmq --whatrequires  dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
# urpmq --whatrequires-recursive  dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
lib64openimageio-devel
lib64openshadinglanguage1.10-devel
So gave up and decided on OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2023-03-10 18:00:18 CET
I got a little farther than you, Herman, but not really enough to say so.

I've learned recently that sometimes a recursive search on one of the "lib64" packages is more fruitful, so I tried "urpmq --whatrequires-recursive lib64dcmtk15" and came up with two possibilities: Blender and openimageio.

The description tells me that dcmtk is used for manipulating DICOM files, used mostly with 3D medical images. I found some samples on the web, and tried to view them, first with Blender, then with iv, an image viewer that's part of openimageio. I failed with both, both before and after the update.

Blender is a complex program, and learning how to use it effectively would be a career-building exercise, something I'm not ready to pursue. Also, there is an open bug about it crashing when attempting to export images, and I don't know if that would affect importing these images as well, so I can't trust it.

Openimageio is a simpler command line interface, but still, being unfamiliar with working with 3D images, I strongly believe my failures with even that were due to user error.

So I'm going to go with our clean installs, and validate. If this needs further testing, I'll need extensive hand-holding if I am to do it.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-11 00:29:05 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2023-03-11 20:01:55 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
