Version in base suite: 1.9.2+really1.9.1+dfsg-1 Base version: orthanc_1.9.2+really1.9.1+dfsg-1 Target version: orthanc_1.9.2+really1.9.1+dfsg-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/orthanc/orthanc_1.9.2+really1.9.1+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/orthanc/orthanc_1.9.2+really1.9.1+dfsg-1+deb11u1.dsc changelog | 14 +++++ patches/cve-2023-33466.patch | 115 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 130 insertions(+)
diff -Nru orthanc-1.9.2+really1.9.1+dfsg/debian/changelog orthanc-1.9.2+really1.9.1+dfsg/debian/changelog
--- orthanc-1.9.2+really1.9.1+dfsg/debian/changelog 2021-06-04 20:03:18.000000000 +0000
+++ orthanc-1.9.2+really1.9.1+dfsg/debian/changelog 2023-07-19 14:48:56.000000000 +0000
@@ -1,3 +1,17 @@
+orthanc (1.9.2+really1.9.1+dfsg-1+deb11u1) bullseye-security; urgency=high
+
+ * Team upload.
+ * cve-2023-33466.patch: disable file system writes.
+ This patch backports the option RestApiWriteToFileSystemEnabled to
+ Orthanc in Debian bullseye. This allows delivering Orthanc without
+ being vulnerable to arbitrary writes to the file system by
+ authenticated users, referenced as CVE-2023-33466. The legacy and
+ vulnerable behaviour can be restored by setting the variable
+ RestApiWriteToFileSystemEnabled to true in /etc/orthanc/orthanc.json.
+ (Closes: #1040597)
+
+ -- Étienne Mollier Wed, 19 Jul 2023 16:48:56 +0200
+
 orthanc (1.9.2+really1.9.1+dfsg-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru orthanc-1.9.2+really1.9.1+dfsg/debian/patches/cve-2023-33466.patch orthanc-1.9.2+really1.9.1+dfsg/debian/patches/cve-2023-33466.patch
--- orthanc-1.9.2+really1.9.1+dfsg/debian/patches/cve-2023-33466.patch 1970-01-01 00:00:00.000000000 +0000
+++ orthanc-1.9.2+really1.9.1+dfsg/debian/patches/cve-2023-33466.patch 2023-07-19 14:48:56.000000000 +0000
@@ -0,0 +1,115 @@
+Description: New configuration option 'RestApiWriteToFileSystemEnabled'
+ This is a backport from upstream patch with minimal changes to address
+ the CVE-2023-33466 efficiently while giving a knob to allow the legacy
+ behaviour.
+
+Author: Alain Mazy
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040597
+Applied-Upstream: https://hg.orthanc-server.com/orthanc/rev/f8f1c4a9a216#
+Reviewed-by: Étienne Mollier
+Last-Update: 2023-07-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- orthanc.orig/OrthancServer/Resources/Configuration.json
++++ orthanc/OrthancServer/Resources/Configuration.json
+@@ -679,6 +679,11 @@
+ // with Orthanc 1.5.8, this URI is disabled by default for security.
+ "ExecuteLuaEnabled" : false,
+
++ // Whether the Rest API can write to the filesystem (e.g. in
++ // /instances/../export route). Starting with Orthanc 1.12.0,
++ // this URI is disabled by default for security.
++ "RestApiWriteToFileSystemEnabled": false,
++
+ // Set the timeout while serving HTTP requests by the embedded Web
+ // server, in seconds. This corresponds to option
+ // "request_timeout_ms" of Mongoose/Civetweb. It will set the socket
+--- orthanc.orig/OrthancServer/Sources/OrthancRestApi/OrthancRestResources.cpp
++++ orthanc/OrthancServer/Sources/OrthancRestApi/OrthancRestResources.cpp
+@@ -397,7 +397,12 @@
+ call.GetDocumentation()
+ .SetTag("Instances")
+ .SetSummary("Write DICOM onto filesystem")
+- .SetDescription("Write the DICOM file onto the filesystem where Orthanc is running")
++ .SetDescription("Write the DICOM file onto the filesystem where Orthanc is running. This is insecure for "
++ "Orthanc servers that are remotely accessible since one could overwrite any system file. "
++ "Since Orthanc 1.12.0, this route is disabled by default and can be enabled thanks to "
++ "the `RestApiWriteToFileSystemEnabled` configuration.")
++ .AddRequestType(MimeType_PlainText, "The Lua script to be executed")
++
+ .SetUriArgument("id", "Orthanc identifier of the DICOM instance of interest")
+ .AddRequestType(MimeType_PlainText, "Target path on the filesystem");
+ return;
+@@ -405,6 +410,14 @@
+
+ ServerContext& context = OrthancRestApi::GetContext(call);
+
++ if (!context.IsRestApiWriteToFileSystemEnabled())
++ {
++ LOG(ERROR) << "The URI /instances/../export is disallowed for security, "
++ << "check your configuration option `RestApiWriteToFileSystemEnabled`";
++ call.GetOutput().SignalError(HttpStatus_403_Forbidden);
++ return;
++ }
++
+ std::string publicId = call.GetUriComponent("id", "");
+
+ std::string dicom;
+--- orthanc.orig/OrthancServer/Sources/ServerContext.cpp
++++ orthanc/OrthancServer/Sources/ServerContext.cpp
+@@ -303,6 +303,7 @@
+ metricsRegistry_(new MetricsRegistry),
+ isHttpServerSecure_(true),
+ isExecuteLuaEnabled_(false),
++ isRestApiWriteToFileSystemEnabled_(false),
+ overwriteInstances_(false),
+ dcmtkTranscoder_(new DcmtkTranscoder),
+ isIngestTranscoding_(false),
+--- orthanc.orig/OrthancServer/Sources/ServerContext.h
++++ orthanc/OrthancServer/Sources/ServerContext.h
+@@ -213,6 +213,7 @@
+ std::unique_ptr metricsRegistry_;
+ bool isHttpServerSecure_;
+ bool isExecuteLuaEnabled_;
++ bool isRestApiWriteToFileSystemEnabled_;
+ bool overwriteInstances_;
+
+ std::unique_ptr storageCommitmentReports_;
+@@ -436,6 +437,16 @@
+ return isExecuteLuaEnabled_;
+ }
+
++ void SetRestApiWriteToFileSystemEnabled(bool enabled)
++ {
++ isRestApiWriteToFileSystemEnabled_ = enabled;
++ }
++
++ bool IsRestApiWriteToFileSystemEnabled() const
++ {
++ return isRestApiWriteToFileSystemEnabled_;
++ }
++
+ void SetOverwriteInstances(bool overwrite)
+ {
+ overwriteInstances_ = overwrite;
+--- orthanc.orig/OrthancServer/Sources/main.cpp
++++ orthanc/OrthancServer/Sources/main.cpp
+@@ -1073,6 +1073,18 @@
+ LOG(WARNING) << "Remote LUA script execution is disabled";
+ }
+
++ if (lock.GetConfiguration().GetBooleanParameter("RestApiWriteToFileSystemEnabled", false))
++ {
++ context.SetRestApiWriteToFileSystemEnabled(true);
++ LOG(WARNING) << "====> Your Rest API can write to the FileSystem. Review your configuration option \"RestApiWriteToFileSystemEnabled\". "
++ << "Your setup is POSSIBLY INSECURE <====";
++ }
++ else
++ {
++ context.SetRestApiWriteToFileSystemEnabled(false);
++ LOG(WARNING) << "Rest API can not write to the file system.";
++ }
++
+ if (lock.GetConfiguration().GetBooleanParameter("WebDavEnabled", true))
+ {
+ const bool allowDelete = lock.GetConfiguration().GetBooleanParameter("WebDavDeleteAllowed", false);
diff -Nru orthanc-1.9.2+really1.9.1+dfsg/debian/patches/series orthanc-1.9.2+really1.9.1+dfsg/debian/patches/series
--- orthanc-1.9.2+really1.9.1+dfsg/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ orthanc-1.9.2+really1.9.1+dfsg/debian/patches/series 2023-07-19 14:48:56.000000000 +0000
@@ -0,0 +1 @@
+cve-2023-33466.patch
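Review bot: The added line `.AddRequestType(MimeType_PlainText, "The Lua script to be executed")` in the `@@ -397,7 +397,12 @@` hunk of OrthancRestResources.cpp documents a request body that the `/instances/{id}/export` route does not take, and it sits two lines above the existing `.AddRequestType(MimeType_PlainText, "Target path on the filesystem")` for the same MIME type; it reads as carried over from the ExecuteLua route's documentation rather than part of the CVE fix. I would drop that line together with the blank `+` line after it, so the route keeps the single, correct request-body description. If the documentation builder rejects a duplicate request type for one route (not visible here), this would also break documentation generation for the route, which is worth checking before upload. The 403 guard added in the `@@ -405,6 +410,14 @@` hunk is placed correctly, before `publicId` is read and any file is touched; the enclosing handler begins and ends outside both hunks.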