diff --git a/0019-bugfix-for-CVE-2024-52333.patch b/0019-bugfix-for-CVE-2024-52333.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f074dcdf227624b2ccdc2210404402f707de4f5 --- /dev/null +++ b/0019-bugfix-for-CVE-2024-52333.patch @@ -0,0 +1,55 @@ +From 03e851b0586d05057c3268988e180ffb426b2e03 Mon Sep 17 00:00:00 2001 +From: Joerg Riesmeier +Date: Fri, 3 Jan 2025 16:08:44 +0100 +Subject: [PATCH] Added check to make sure: HighBit < BitsAllocated. + +Added check to the image preprocessing to make sure that the value of +HighBit is always less than the value of BitsAllocated. Before, this +missing check could lead to memory corruption if an invalid combination +of values was retrieved from a malformed DICOM dataset. + +Thanks to Emmanuel Tacheau from the Cisco Talos team + for the report, sample file (PoC) +and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333. +--- + dcmimgle/libsrc/diimage.cc | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/dcmimgle/libsrc/diimage.cc b/dcmimgle/libsrc/diimage.cc +index 480235e3b..1827ac68b 100644 +--- a/dcmimgle/libsrc/diimage.cc ++++ b/dcmimgle/libsrc/diimage.cc +@@ -1,6 +1,6 @@ + /* + * +- * Copyright (C) 1996-2024, OFFIS e.V. ++ * Copyright (C) 1996-2025, OFFIS e.V. + * All rights reserved. See COPYRIGHT file for details. + * + * This software and supporting documentation were developed by +@@ -549,12 +549,18 @@ void DiImage::convertPixelData() + { + const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) * + OFstatic_cast(unsigned long, SamplesPerPixel); +- if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) || +- (BitsStored > OFstatic_cast(Uint16, HighBit + 1))) ++ if ((BitsAllocated < 1) || (BitsStored < 1)) + { + ImageStatus = EIS_InvalidValue; +- DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), " +- << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")"); ++ DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), " ++ << "and/or 'BitsStored' (" << BitsStored << ")"); ++ return; ++ } ++ else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit)) ++ { ++ ImageStatus = EIS_InvalidValue; ++ DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), " ++ << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")"); + return; + } + else if ((evr == EVR_OB) && (BitsStored <= 8)) +-- +2.39.2 + diff --git a/dcmtk.spec b/dcmtk.spec index 89c5ff1b35c672eca1b0dc7f8c30d59e810d48e3..bf302f23d1bccf848ecbfcd52c075ab3593641df 100644 --- a/dcmtk.spec +++ b/dcmtk.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global abi_version 19 @@ -35,6 +35,7 @@ Patch: 0016-Update-JpegLsEncode-for-CharLS-2.patch %endif Patch: 0017-Increase-sleep-for-tests.patch Patch: 0018-chore-undo-changes-to-standard-dirs.patch +Patch: 0019-bugfix-for-CVE-2024-52333.patch BuildRequires: gcc BuildRequires: gcc-c++ @@ -236,6 +237,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}/wlistdb/OFFIS/lockfile %{_libdir}/libofstd.so %changelog +* Wed Jul 16 2025 tomcruiseqi - 3.6.9-2 +- Fix CVE-2024-52333 + * Thu Jun 12 2025 mgb01105731 - 3.6.9-1 - Update to 3.6.9 to fix CVE-2024-52333 CVE-2024-34509 CVE-2024-27628 - Delete patch as CVE-2022-43272 fixed in 3.6.9