DLA-4227-1

Details

CVE-2025-25472 CVE-2025-25474 CVE-2025-25475 Debian Bug : 1017743 1098373 1098374 1100724

Multiple vulnerabilities were fixed in dcmtk an OFFIS DICOM toolkit.

CVE-2022-2119/CVE-2022-2120

Path traversal issues were found, allowing an attacker
to write DICOM files into arbitrary directories under
controlled names. This could allow remote code execution.

CVE-2024-47796

An improper array index validation vulnerability exists
in the nowindow functionality.
A specially crafted DICOM file can lead to an out-of-bounds write.

CVE-2025-2357

An issue was found in the dcmjpls JPEG-LS Decoder.
The manipulation leads to memory corruption.

CVE-2025-25472

A buffer overflow was found that cause a Denial of Service
(DoS) via a crafted DCM file.

CVE-2025-25474

A buffer overflow was found via the component 
dcmimgle/diinpxt.h

CVE-2025-25475

A NULL pointer dereference was found in the component /libsrc/dcrleccd.cc

Affected Packages

dcmtk

Debian 11

Fixed in:

3.6.5-1+deb11u4

References

ADVISORY

https://security-tracker.debian.org/tracker/DLA-4227-1