From a20c38184f5de2c08dcac8efb1e4c5764ca4fc9c Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Fri, 4 Jul 2025 13:47:42 +0800
Subject: [PATCH] [CVE] CVE-2024-34508 to #20097

add patch to fix CVE-2024-34508
Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 1-bugfix-for-CVE-2024-34508.patch | 95 +++++++++++++++++++++++++++++++
 dcmtk.spec | 6 +-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 1-bugfix-for-CVE-2024-34508.patch

diff --git a/1-bugfix-for-CVE-2024-34508.patch b/1-bugfix-for-CVE-2024-34508.patch
new file mode 100644
index 0000000..f998f82
--- /dev/null
+++ b/1-bugfix-for-CVE-2024-34508.patch
@@ -0,0 +1,95 @@
+From c78e434c0c5f9d932874f0b17a8b4ce305ca01f5 Mon Sep 17 00:00:00 2001
+From: Marco Eichelberg
+Date: Wed, 13 Mar 2024 17:15:58 +0100
+Subject: [PATCH] Fixed two segmentation faults.
+
+Fixed two segmentations faults that could occur while processing an
+invalid incoming DIMSE message due to insufficient error handling
+causing a de-referenced NULL pointer.
+
+Thanks to Nils Bars for the bug report and sample files.
+
+This closes DCMTK issue #1114.
+---
+ dcmdata/libsrc/dcelem.cc | 9 ++++++++-
+ dcmnet/libsrc/dimcmd.cc | 33 ++++++++++++++++++---------------
+ 2 files changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/dcmdata/libsrc/dcelem.cc b/dcmdata/libsrc/dcelem.cc
+index 1524904be9..3b9cc2bf7e 100644
+--- a/dcmdata/libsrc/dcelem.cc
++++ b/dcmdata/libsrc/dcelem.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1994-2023, OFFIS e.V.
++ * Copyright (C) 1994-2024, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -717,6 +717,13 @@ OFCondition DcmElement::loadValue(DcmInputStream *inStream)
+ if (isStreamNew)
+ delete readStream;
+ }
++ else
++ {
++ errorFlag = EC_InvalidStream; // incomplete dataset read from stream
++ DCMDATA_ERROR("DcmElement: " << getTagName() << " " << getTag()
++ << " larger (" << getLengthField() << ") than remaining bytes ("
++ << getTransferredBytes() << ") in file, premature end of stream");
++ }
+ }
+ /* return result value */
+ return errorFlag;
+diff --git a/dcmnet/libsrc/dimcmd.cc b/dcmnet/libsrc/dimcmd.cc
+index 6dca39546d..ffd225f4b9 100644
+--- a/dcmnet/libsrc/dimcmd.cc
++++ b/dcmnet/libsrc/dimcmd.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1994-2022, OFFIS e.V.
++ * Copyright (C) 1994-2024, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were partly developed by
+@@ -205,22 +205,25 @@ getString(DcmDataset *obj, DcmTagKey t, char *s, int maxlen, OFBool *spacePadded
+ return parseErrorWithMsg("dimcmd:getString: string too small", t);
+ } else {
+ ec = elem->getString(aString);
+- strncpy(s, aString, maxlen);
+- if (spacePadded)
++ if (ec.good())
+ {
+- /* before we remove leading and tailing spaces we want to know
+- * whether the string is actually space padded. Required to communicate
+- * with dumb peers which send space padded UIDs and fail if they
+- * receive correct UIDs back.
+- *
+- * This test can only detect space padded strings if
+- * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
+- * has already been removed by dcmdata at this stage.
+- */
+- size_t s_len = strlen(s);
+- if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
++ strncpy(s, aString, maxlen);
++ if (spacePadded)
++ {
++ /* before we remove leading and tailing spaces we want to know
++ * whether the string is actually space padded. Required to communicate
++ * with dumb peers which send space padded UIDs and fail if they
++ * receive correct UIDs back.
++ *
++ * This test can only detect space padded strings if
++ * dcmEnableAutomaticInputDataCorrection is false; otherwise the padding
++ * has already been removed by dcmdata at this stage.
++ */
++ size_t s_len = strlen(s);
++ if ((s_len > 0)&&(s[s_len-1] == ' ')) *spacePadded = OFTrue; else *spacePadded = OFFalse;
++ }
++ DU_stripLeadingAndTrailingSpaces(s);
+ }
+- DU_stripLeadingAndTrailingSpaces(s);
+ }
+ }
+ return (ec.good())? ec : DIMSE_PARSEFAILED;
diff --git a/dcmtk.spec b/dcmtk.spec
index 89c5ff1..0b99005 100644
--- a/dcmtk.spec
+++ b/dcmtk.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global abi_version 19
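Review bot: The embedded upstream commit c78e434 is dated 13 Mar 2024 and by its own message fixes both segmentation faults from DCMTK issue #1114, yet the spec changelog entry kept as context in this same commit says 3.6.9 already fixed CVE-2024-34509, which upstream appears to have addressed in that same commit — so the dcelem.cc and dimcmd.cc changes shown here are likely already in the 3.6.9 sources being built, and the patch would either fail to apply or be fuzzed onto shifted context. Confirm against the 3.6.9 tarball before carrying it (does dimcmd.cc already wrap the `strncpy` in `if (ec.good())`?); the `1994-2023` copyright context lines are a cheap tell, since they would not match a header already updated to 2024. Separately, the carried-over `strncpy(s, aString, maxlen)` still does not NUL-terminate a value that is exactly `maxlen` bytes long, so the following `strlen(s)` and `DU_stripLeadingAndTrailingSpaces(s)` rely on the caller supplying a zero-initialised buffer of at least `maxlen + 1` bytes, which this hunk cannot show; a comment such as `/* s must be zero-initialised and hold maxlen+1 bytes: strncpy does not terminate a full-length copy */` would pin that contract. Both `DcmElement::loadValue` and `getString` begin outside their hunks.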
@@ -35,6 +35,7 @@ Patch: 0016-Update-JpegLsEncode-for-CharLS-2.patch %endif Patch: 0017-Increase-sleep-for-tests.patch Patch: 0018-chore-undo-changes-to-standard-dirs.patch +Patch1: 1-bugfix-for-CVE-2024-34508.patch BuildRequires: gcc BuildRequires: gcc-c++ @@ -236,6 +237,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}/wlistdb/OFFIS/lockfile %{_libdir}/libofstd.so %changelog +* Fri Jul 04 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 3.6.9-2 +- Fix CVE-2024-34508 + * Thu Jun 12 2025 mgb01105731 - 3.6.9-1 - Update to 3.6.9 to fix CVE-2024-52333 CVE-2024-34509 CVE-2024-27628 - Delete patch as CVE-2022-43272 fixed in 3.6.9 -- Gitee
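Review bot: `Patch1:` is added beside a run of unnumbered `Patch:` tags; rpm auto-numbers bare `Patch:` tags, so an explicit `Patch1` can collide with the number already assigned to an earlier bare tag, and whether `%prep` applies it at all depends on `%autosetup`/`%autopatch` versus explicit `%patchN` lines, none of which is visible in this hunk. Use the same form as its neighbours, `Patch: 1-bugfix-for-CVE-2024-34508.patch`, and confirm in a scratch build that the patch is actually applied and applies cleanly against 3.6.9 (the build log should show it). The Patch list continues outside the hunk.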