Bug 33798 - dcmtk new security issue CVE-2024-27628
Summary: dcmtk new security issue CVE-2024-27628
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-25 15:43 CET by Nicolas Salguero
Modified: 2024-11-27 21:00 CET

See Also:
Source RPM: dcmtk-3.6.7-4.1.mga9.src.rpm
CVE: CVE-2024-27628
Status comment:


Attachments

Nicolas Salguero 2024-11-25 15:44:05 CET

Source RPM: (none) => dcmtk-3.6.8-2.mga10.src.rpm, dcmtk-3.6.7-4.1.mga9.src.rpm
Status comment: (none) => Patch available from upstream ans openSUSE
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-27628

Nicolas Salguero 2024-11-25 15:46:20 CET

Status comment: Patch available from upstream ans openSUSE => Patch available from upstream and openSUSE

Comment 1 David GEIGER 2024-11-25 16:22:37 CET
Cauldron already contains this upstream patch:

Patch2: 0001-Fixed-possible-overflows-when-allocating-memory.patch

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2024-11-27 10:17:33 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method component. (CVE-2024-27628)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U3LXLFP2Q7LBLGBNWEPO3O2ZZ2JPCYEU/
========================

Updated packages in core/updates_testing:
========================
dcmtk-3.6.7-4.2.mga9
lib(64)dcmtk17-3.6.7-4.2.mga9
lib(64)dcmtk-devel-3.6.7-4.2.mga9

from SRPM:
dcmtk-3.6.7-4.2.mga9.src.rpm

Source RPM: dcmtk-3.6.8-2.mga10.src.rpm, dcmtk-3.6.7-4.1.mga9.src.rpm => dcmtk-3.6.7-4.1.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Patch available from upstream and openSUSE => (none)
Assignee: bugsquad => qa-bugs

katnatek 2024-11-27 17:00:08 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-11-27 17:27:54 CET
RH x86_64

installing lib64dcmtk17-3.6.7-4.2.mga9.x86_64.rpm dcmtk-3.6.7-4.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64dcmtk17          ##################################################################################################
      2/2: dcmtk                 ##################################################################################################
      1/2: removing dcmtk-3.6.7-4.1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64dcmtk17-3.6.7-4.1.mga9.x86_64
                                 ##################################################################################################

strace blender shows

openat(AT_FDCWD, "/lib64/libdcmimage.so.17", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdcmimgle.so.17", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdcmdata.so.17", O_RDONLY|O_CLOEXEC) = 3

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-11-27 17:51:50 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-11-27 21:00:37 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0380.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
