From 237485bbafd12418e71741e787c349d7547877a7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=89tienne=20Mollier?=
Date: Sat, 18 Jan 2025 16:00:29 +0100
Subject: [PATCH] 0008-CVE-2024-52333.patch: new.

This patch addresses CVE-2024-52333. Closes: #1093047
---
 debian/patches/0008-CVE-2024-52333.patch | 48 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 debian/patches/0008-CVE-2024-52333.patch

diff --git a/debian/patches/0008-CVE-2024-52333.patch b/debian/patches/0008-CVE-2024-52333.patch
new file mode 100644
index 00000000..3f8a2466
--- /dev/null
+++ b/debian/patches/0008-CVE-2024-52333.patch
@@ -0,0 +1,48 @@
+Author: Joerg Riesmeier
+Forwarded: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
+Bug-Debian: https://bugs.debian.org/1093047
+Reviewed-By: Étienne Mollier
+Last-Update: 2025-01-18
+Description: Added check to make sure: HighBit < BitsAllocated.
+ Added check to the image preprocessing to make sure that the value of
+ HighBit is always less than the value of BitsAllocated. Before, this
+ missing check could lead to memory corruption if an invalid combination
+ of values was retrieved from a malformed DICOM dataset.
+ .
+ Thanks to Emmanuel Tacheau from the Cisco Talos team
+ for the report, sample file (PoC)
+ and detailed analysis. See TALOS-2024-2121 and CVE-2024-52333.
+
+--- dcmtk.orig/dcmimgle/libsrc/diimage.cc
++++ dcmtk/dcmimgle/libsrc/diimage.cc
+@@ -1,6 +1,6 @@
+ /*
+ *
+- * Copyright (C) 1996-2021, OFFIS e.V.
++ * Copyright (C) 1996-2025, OFFIS e.V.
+ * All rights reserved. See COPYRIGHT file for details.
+ *
+ * This software and supporting documentation were developed by
+@@ -548,12 +548,18 @@
+ {
+ const unsigned long fsize = OFstatic_cast(unsigned long, Rows) * OFstatic_cast(unsigned long, Columns) *
+ OFstatic_cast(unsigned long, SamplesPerPixel);
+- if ((BitsAllocated < 1) || (BitsStored < 1) || (BitsAllocated < BitsStored) ||
+- (BitsStored > OFstatic_cast(Uint16, HighBit + 1)))
++ if ((BitsAllocated < 1) || (BitsStored < 1))
+ {
+ ImageStatus = EIS_InvalidValue;
+- DCMIMGLE_ERROR("invalid values for 'BitsAllocated' (" << BitsAllocated << "), "
+- << "'BitsStored' (" << BitsStored << ") and/or 'HighBit' (" << HighBit << ")");
++ DCMIMGLE_ERROR("invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), "
++ << "and/or 'BitsStored' (" << BitsStored << ")");
++ return;
++ }
++ else if ((BitsAllocated < BitsStored) || (BitsAllocated <= HighBit) || ((BitsStored - 1) > HighBit))
++ {
++ ImageStatus = EIS_InvalidValue;
++ DCMIMGLE_ERROR("invalid combination of values for 'BitsAllocated' (" << BitsAllocated << "), "
++ << "'BitsStored' (" << BitsStored << ") and 'HighBit' (" << HighBit << ")");
+ return;
+ }
+ else if ((evr == EVR_OB) && (BitsStored <= 8))
diff --git a/debian/patches/series b/debian/patches/series
index 5f44bf76..5d6221f5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@ da5370947226783ce3548bf1e5b7112fac70de46.patch
 0005-Fixed-DcmDecimalString-unit-tests.patch
 0006-Fixed-possible-overflows-when-allocating-memory.patch
 0007-CVE-2024-47796.patch
+0008-CVE-2024-52333.patch
-- 
2.30.2
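Review bot: The new `else if` in the diimage.cc hunk enforces the pixel-attribute invariant BitsStored <= BitsAllocated and (BitsStored - 1) <= HighBit < BitsAllocated, but expresses it as three negated disjuncts with no comment, so a later reader cannot tell which term is the CVE-2024-52333 fix without the DEP-3 header; a comment above the condition such as `// DICOM requires BitsStored <= BitsAllocated and (BitsStored - 1) <= HighBit < BitsAllocated; HighBit >= BitsAllocated was previously unchecked (CVE-2024-52333)` would make the intent reviewable in place. The `(BitsStored - 1) > HighBit` term relies on the preceding branch having already returned on `BitsStored < 1`; if these fields are Uint16 as the removed `OFstatic_cast(Uint16, HighBit + 1)` suggests, the subtraction is done in int and cannot wrap, but the ordering dependency deserves a one-line note so the first check is not relaxed independently. The first error message now reads `"invalid value(s) for 'BitsAllocated' (" << BitsAllocated << "), " << "and/or 'BitsStored' ("`, where the comma before "and/or" reads oddly; dropping it is cosmetic. The enclosing function starts and ends outside the hunk, so callers of the early `return` paths are not visible here.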