[Debian-med-packaging] Bug#1074483: dcmtk: CVE-2024-27628
Adrian Bunk
bunk at debian.org
Mon Jul 8 10:16:18 BST 2024
Control: tags -1 patch
On Sat, Jun 29, 2024 at 04:44:43PM +0200, Salvatore Bonaccorso wrote:
>...
> The following vulnerability was published for dcmtk.
>
> CVE-2024-27628[0]:
> | Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to
> | execute arbitrary code via the EctEnhancedCT method component.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-27628
> https://www.cve.org/CVERecord?id=CVE-2024-27628
> [1] https://support.dcmtk.org/redmine/issues/1108
> [2] https://github.com/DCMTK/dcmtk/commit/ec52e99e1e33fc39810560421c0833b02da567b3
>...
Attached is this patch for 3.6.8 (no conflicts during rebasing).
The new test fails without the fix and passes with the fix,
no regressions during the build test.
The actual code fix is pretty small (and not ABI breaking),
most of the patch is test code.
cu
Adrian
A non-text attachment was scrubbed...
Name: 0001-Fixed-possible-overflows-when-allocating-memory.patch
Type: text/x-diff
Size: 27465 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20240708/af7090bc/attachment-0001.patch>