Bug 33930 - dcmtk new security issues CVE-2024-47796 and CVE-2024-52333
Summary: dcmtk new security issues CVE-2024-47796 and CVE-2024-52333
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-16 15:53 CET by Nicolas Salguero
Modified: 2025-01-20 21:02 CET
CC: 4 users

See Also:
Source RPM: dcmtk-3.6.8-3.mga10.src.rpm, dcmtk-3.6.7-4.2.mga9.src.rpm
CVE: CVE-2024-47796, CVE-2024-52333
Status comment: Patches available from upstream



Description Nicolas Salguero 2025-01-16 15:53:02 CET
openSUSE has issued an advisory on January 15:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JUKUCNFPV6HQLIZ5S6NYRJ4LAZYRZSXJ/
Comment 1 Nicolas Salguero 2025-01-16 15:58:14 CET
Fix for CVE-2024-47796: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6

Fix for CVE-2024-52333: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03

CVE: (none) => CVE-2024-47796, CVE-2024-52333
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => dcmtk-3.6.8-3.mga10.src.rpm, dcmtk-3.6.7-4.2.mga9.src.rpm
Status comment: (none) => Patches available from upstream ; maybe fixed upstream in 3.6.9

Comment 2 Nicolas Salguero 2025-01-16 16:01:57 CET
Version 3.6.9 does not contain the fixes.

Status comment: Patches available from upstream ; maybe fixed upstream in 3.6.9 => Patches available from upstream

Comment 3 David GEIGER 2025-01-17 10:02:42 CET
Fixed both mga9 and Cauldron!

Packages in 9/Core/Updates_testing repo:
=========================
dcmtk-3.6.7-4.3.mga9
libdcmtk-devel-3.6.7-4.3.mga9
libdcmtk17-3.6.7-4.3.mga9
lib64dcmtk-devel-3.6.7-4.3.mga9
lib64dcmtk17-3.6.7-4.3.mga9


From SRPMS
dcmtk-3.6.7-4.3.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
CC: (none) => geiger.david68210
Version: Cauldron => 9

Comment 4 Herman Viaene 2025-01-17 15:38:55 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues
urpmq --whatrequires-recursive lib64dcmtk17
lists, among others, olive and blender.
Tried olive-editor first under strace, but it crashed after some 20 seconds of playing an imported mpg file. strace shows access to the library at the very beginning (importing the mpg, I guess), but this is not very satisfying as a test.
Traced blender with a better result: the library is used and there was no crash while manipulating an object.
Good for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2025-01-20 01:08:03 CET
The olive crash is disturbing, but I suppose it's a subject for a new bug. If it had crashed right away instead of waiting 20 seconds, I might not be as generous.

Validating, since it worked with Blender.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2025-01-20 20:09:09 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2025-01-20 21:02:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0017.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

