Bug 34120 - dcmtk new security issue CVE-2025-2357
Summary: dcmtk new security issue CVE-2025-2357
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-19 15:19 CET by Nicolas Salguero
Modified: 2025-03-26 04:44 CET

See Also:
Source RPM: dcmtk-3.6.7-4.4.mga9.src.rpm
CVE: CVE-2025-2357
Status comment:


Nicolas Salguero 2025-03-19 15:21:08 CET

CVE: (none) => CVE-2025-2357
Status comment: (none) => Patch available from upstream and openSUSE
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => dcmtk-3.6.9-3.mga10.src.rpm, dcmtk-3.6.7-4.4.mga9.src.rpm

Comment 1 Lewis Smith 2025-03-20 21:38:36 CET
Thank you for the patch ref. I think this is the actual patch:
https://git.dcmtk.org/?p=dcmtk.git;a=patch;h=3239a791542e1ea433d23aaa9e0a05a532ffabff

Another SRPM clearly done by DavidG, so assigning thus. Another patch was applied quite recently.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2025-03-24 15:08:05 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

DCMTK dcmjpls JPEG-LS Decoder memory corruption. (CVE-2025-2357)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4KKPT4TUWSBKUZJOLDBLHRTKHRBW4RIQ/
========================

Updated packages in core/updates_testing:
========================
dcmtk-3.6.7-4.5.mga9
lib(64)dcmtk17-3.6.7-4.5.mga9
lib(64)dcmtk-devel-3.6.7-4.5.mga9

from SRPM:
dcmtk-3.6.7-4.5.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: dcmtk-3.6.9-3.mga10.src.rpm, dcmtk-3.6.7-4.4.mga9.src.rpm => dcmtk-3.6.7-4.4.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Patch available from upstream and openSUSE => (none)

katnatek 2025-03-24 18:59:13 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-03-25 11:22:33 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues
Ref bug 33930
Using olive-editor to import an .mpg and an .avi file and use these in the Sequence Viewer. Both work OK.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-03-25 16:22:22 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2025-03-26 04:44:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0117.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

