[Debian-med-packaging] Bug#1077369: Bug#1077369: xmedcon: CVE-2024-29421
Étienne Mollier
emollier at debian.org
Sun Jul 28 22:17:03 BST 2024
Control: found -1 0.23.0-gtk3+dfsg-1
Control: found -1 0.16.3+dfsg-1
Hi Salvatore,
Salvatore Bonaccorso, on 2024-07-28:
> The following vulnerability was published for xmedcon.
>
> CVE-2024-29421[0]:
> | xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer
> | Overflow via libs/dicom/basic.c which allows an attacker to execute
> | arbitrary code.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-29421
> https://www.cve.org/CVERecord?id=CVE-2024-29421
Thanks for the notice, update in sid is on its way, if not there
already. I think that I isolated the relevant change upstream.
That would be:
-------8<--------------8<--------------8<--------------8<-------
--- a/libs/dicom/basic.c
+++ b/libs/dicom/basic.c
@@ -401,6 +401,16 @@ int dicom_load(VR vr)
if (element.vr==SQ || element.length==0xFFFFFFFF)
return 0;
+ /* eNlf: - simply prevent length values that will overflow */
+ /* eNlf: when we sum with an extra 4 bytes; thus preventing */
+ /* eNlf: a heap overflow due to a small value at malloc() */
+ /* eNlf: notified by Spike Reply Cyber Security Team */
+ if (element.length > (0xFFFFFFFF - 4)) {
+ dicom_log(ERROR,"Unsupported element length");
+ dicom_close();
+ return -4;
+ }
+
if (element.group==0xFFFE)
if (!element.encapsulated)
return 0;
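Review bot: the guard `if (element.length > (0xFFFFFFFF - 4))` only prevents the 32-bit wrap when 4 is added to the length before malloc(); it does not bound the allocation itself, so a length just below that limit still reaches malloc() and should ideally be checked against the remaining input size as well. The magic constant would be clearer as `UINT32_MAX - 4` (or a named limit), and the new `return -4` deserves a comment stating what that code means relative to the other error returns of dicom_load(), since it is introduced here without explanation.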
@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
if (element.vr==SQ || element.length==0xFFFFFFFF)
return 0;
+ /* eNlf: prevent overflowed value - see dicom_load() */
+ if (element.length > (0xFFFFFFFF - 4)) {
+ dicom_log(ERROR,"Unsupported element length");
+ dicom_close();
+ return -4;
+ }
+
if (element.group==0xFFFE)
if (!element.encapsulated)
return 0;
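Review bot: this block is a verbatim copy of the check added to dicom_load(); factor the comparison into a small static helper (or a shared macro) so the two call sites cannot drift apart if the limit is adjusted later. The error path also calls dicom_close() before returning -4, so confirm that callers of mdc_dicom_load() do not close the same handle again on a negative return.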
------->8-------------->8-------------->8-------------->8-------
It applies without fuzz to the version in bookworm and even in
bullseye. From a quick attempt the patch didn't interfere with
normal operation of the program (although I don't really have
much to give it to eat, so I may not have stressed the affected
code path). If that makes sense, I can liaise with the release
team for the next point release in August, or do you prefer we
proceed to a security upgrade earlier? (I guess not, given the
"Minor issue" in the notes I see in the security tracker web
page, but asking just in case.)
Have a nice day, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/1, please excuse my verbosity
`- on air: Tony Levin - Dog One