CVE-2025-53644


p.p...@synedra.com

Sep 12, 2025, 12:29:30 PMSep 12
to dcm4che
Hello Nicolas, Hello Gunter!

So, CVE-2025-53644 [1] is a thing, potentially leading to remote code execution through OpenCV. Of all the linked resources, the POC [2] seems the most insightful to me.

Since Dcm4che and Weasis depend on a forked version of OpenCV, I want to
a) make you aware, if you weren't already, and
b) ask you for an estimate on when we can expect a new version that includes the fix.

Also, can I reasonably expect an older version of Dcm4che to work with a newer version of the OpenCV binaries, or is such an approach doomed to fail anyway?

Cheers,
Patrick

Nicolas Roduit

Sep 18, 2025, 2:24:37 PMSep 18
to dcm4che

A quick status:

  • A new release that includes the corrective changes will be available soon.

  • I’m not a security expert, so it’s difficult for me to assess precisely how exploitable this is in the archive/your environment without running the POC. The critical factor is whether the vulnerable OpenCV decode-with-buffer code path is actually reachable from the way files are handled in your setup.

  • Because dcm4che/Weasis use a forked OpenCV and rely on specific JNI wrappers, mixing an older dcm4che version with newer OpenCV binaries is not recommended — it frequently breaks the wrapping/ABI and can cause runtime failures.

p.p...@synedra.com

Sep 23, 2025, 9:34:51 AMSep 23
to dcm4che
Thank you, Nicolas!

I can see you pushed a new version of the binaries [1] and weasis-core-img [2] (4.12.1). I assume the fix is included.

Dcm4Che still seems to depend on weasis-core-img-4.11.0. I guess the impatient (like me) can always compile dcm4che themselves. All the same, could you give us an estimate on when the fix will be incorporated to dcm4che, Gunter?

Cheers,
Patrick

Nicolas Roduit

Sep 23, 2025, 11:42:19 AMSep 23
to dcm4che