[Debian-med-packaging] Bug#1077369: Bug#1077369: xmedcon: CVE-2024-29421
Salvatore Bonaccorso
carnil at debian.org
Mon Jul 29 08:39:36 BST 2024
Hi,
On Sun, Jul 28, 2024 at 11:17:03PM +0200, Étienne Mollier wrote:
> Control: found -1 0.23.0-gtk3+dfsg-1
> Control: found -1 0.16.3+dfsg-1
>
> Hi Salvatore,
>
> Salvatore Bonaccorso, on 2024-07-28:
> > The following vulnerability was published for xmedcon.
> >
> > CVE-2024-29421[0]:
> > | xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer
> > | Overflow via libs/dicom/basic.c which allows an attacker to execute
> > | arbitrary code.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-29421
> > https://www.cve.org/CVERecord?id=CVE-2024-29421
>
> Thanks for the notice, the update in sid is on its way, if not there
> already. I think that I isolated the relevant change upstream.
> That would be:
>
> -------8<--------------8<--------------8<--------------8<-------
> --- a/libs/dicom/basic.c
> +++ b/libs/dicom/basic.c
> @@ -401,6 +401,16 @@ int dicom_load(VR vr)
> if (element.vr==SQ || element.length==0xFFFFFFFF)
> return 0;
>
> + /* eNlf: - simply prevent length values that will overflow */
> + /* eNlf: when we sum with an extra 4 bytes; thus preventing */
> + /* eNlf: a heap overflow due to a small value at malloc() */
> + /* eNlf: notified by Spike Reply Cyber Security Team */
> + if (element.length > (0xFFFFFFFF - 4)) {
> + dicom_log(ERROR,"Unsupported element length");
> + dicom_close();
> + return -4;
> + }
> +
> if (element.group==0xFFFE)
> if (!element.encapsulated)
> return 0;
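Review bot: the bound `0xFFFFFFFF - 4` is tied to the 32-bit width of `element.length` and the 4 extra bytes added before malloc(), not to the input; combined with the preceding `element.length==0xFFFFFFFF` early return, the new check rejects only 0xFFFFFFFC..0xFFFFFFFE, while a value such as 0xFFFFFFFB still passes and reaches malloc() as a request just under 4 GiB. Consider writing the limit in terms of the type and header size it depends on (e.g. `UINT32_MAX - 4`, or a named constant for the 4) so the intent survives a change to either, and, if the remaining input size is known at this point, also bounding `element.length` against it so a truncated or oversized element fails here rather than at the later read.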
> @@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
> if (element.vr==SQ || element.length==0xFFFFFFFF)
> return 0;
>
> + /* eNlf: prevent overflowed value - see dicom_load() */
> + if (element.length > (0xFFFFFFFF - 4)) {
> + dicom_log(ERROR,"Unsupported element length");
> + dicom_close();
> + return -4;
> + }
> +
> if (element.group==0xFFFE)
> if (!element.encapsulated)
> return 0;
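Review bot: this block is a verbatim copy of the check added to dicom_load(), including the literal `0xFFFFFFFF - 4`, the message and the `-4` return; a shared named constant or small helper used by both loaders would keep the bound and the error handling in one place, so that a later adjustment to the header size cannot leave one loader with the old limit. The "see dicom_load()" comment points at the rationale, but the constant is the part worth sharing.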
> ------->8-------------->8-------------->8-------------->8-------
>
> It applies without fuzz to the version in bookworm and even in
> bullseye. From a quick attempt, the patch didn't interfere with
> normal operation of the program (although I don't really have
> much to give it to eat, so I may not have stressed the affected
> code path). If that makes sense, I can liaise with the release
> team for the next point release in August, or do you prefer we
> proceed to a security upgrade earlier? (I guess not, given the
> "Minor issue" in the notes I see in the security tracker web
> page, but asking just in case.)
Yes, correct: an update via the upcoming point release is enough for
this issue! Thanks for taking care of it!
> Have a nice day, :)
I wish the same to you!
Regards,
Salvatore
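The integer wrap that the quoted patch guards against, as an added example that is not xmedcon's code: a constructed model in which a 32-bit DICOM element length is summed with a 4-byte header in 32-bit arithmetic before the result reaches malloc(), placed next to the bound the patch introduces and a widened allocation that cannot wrap. The function names (wrapped_alloc_size, element_length_ok, copy_would_overflow, alloc_element) and the sample lengths are assumptions made here, not identifiers from the xmedcon source.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not xmedcon's code: the element length is a 32-bit
 * unsigned value read from the file and the loader adds a 4-byte header
 * before allocating. Done in uint32_t arithmetic, the sum wraps modulo
 * 2^32 for every length above 0xFFFFFFFB, which produces the "small value
 * at malloc()" the patch comment describes. */
uint32_t wrapped_alloc_size(uint32_t element_length)
{
    return element_length + 4u;              /* e.g. 0xFFFFFFFE -> 2 */
}

/* The bound introduced by the patch: 1 when length + 4 cannot wrap. */
int element_length_ok(uint32_t element_length)
{
    return element_length <= (0xFFFFFFFFu - 4u);
}

/* 1 when the wrapped buffer is smaller than the payload that would be
 * copied into it, i.e. the heap overflow condition. */
int copy_would_overflow(uint32_t element_length)
{
    return wrapped_alloc_size(element_length) < element_length;
}

/* Hardened allocation: reject what the patch rejects, then widen to size_t
 * before adding so the arithmetic itself cannot wrap. Returns NULL and
 * leaves *out_size untouched when the length is rejected or malloc fails. */
unsigned char *alloc_element(uint32_t element_length, size_t *out_size)
{
    if (!element_length_ok(element_length))
        return NULL;
    size_t need = (size_t)element_length + 4u;
    unsigned char *buf = malloc(need);
    if (buf != NULL)
        *out_size = need;
    return buf;
}

int main(void)
{
    /* Constructed sample lengths around the boundary the patch draws. */
    uint32_t samples[] = { 0x1000u, 0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFEu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("length 0x%08" PRIX32 ": wrapped size %" PRIu32
               ", overflow %d, accepted %d\n",
               len, wrapped_alloc_size(len), copy_would_overflow(len),
               element_length_ok(len));
    }
    return 0;
}
```

Lengths 0xFFFFFFFC..0xFFFFFFFE are the ones the patch newly rejects (0xFFFFFFFF is already handled by the earlier undefined-length return), while 0xFFFFFFFB still satisfies the bound and reaches malloc() as a request just under 4 GiB: the check stops the wrap-induced overflow, not a large allocation.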