Ankur Sinha wrote on 2019/09/13 23:07:
Hello,
A CVE[1] in dcmtk was fixed in 3.6.4 which is in F31+. F29 and F30 are
still at 3.6.2 however, and need updating. This includes a soname bump
([2] vs [3]), though, so dependent packages will also need to be rebuilt
and pushed as updates all at once.
sudo dnf repoquery --source --whatrequires 'libdcm*(64bit)'
[sudo] password for asinha:
Last metadata expiration check: 0:53:07 ago on Fri 13 Sep 2019 14:07:55 BST.
OpenImageIO-2.0.7-1.fc30.src.rpm
OpenImageIO-2.0.9-1.fc30.src.rpm
aeskulap-0.2.2-0.37.beta2.fc30.src.rpm
ctk-0.1-0.10.20171224git71799c2.fc29.src.rpm
dcmtk-3.6.2-4.fc29.src.rpm
gtatool-2.2.0-11.fc28.src.rpm
gtatool-2.2.3-1.fc30.src.rpm
orthanc-1.5.4-1.fc30.src.rpm
They all build correctly in F31 with the new version, so I do not expect
any build failures. Could I please solicit the help of a proven-packager
to rebuild them all in F29/F30 and push combined updates please?
If you maintain any of these packages and have any concerns, please let
us know.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1732222
[2] https://koji.fedoraproject.org/koji/rpminfo?rpmID=14644638
[3] https://koji.fedoraproject.org/koji/rpminfo?rpmID=18968192
Well, actually, according to some Google search results, the actual fix seems to be
https://github.com/commontk/DCMTK/commit/40917614e
and the tracker is
https://support.dcmtk.org/redmine/issues/858
ref:
https://nvd.nist.gov/vuln/detail/CVE-2019-1010228
So it seems that if only the above patch can be applied, no rebuild is
needed.
Regards,
Mamoru