Bug 1016171 (CVE-2015-8979)

Summary: VUL-1: CVE-2015-8979: DCMTK: remote stack buffer overflow [ZSL-2016-5384]
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: E-Mail List <opensuse-kde-bugs>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: alarrosa, astieger, christophe, ctrippe, dmueller, hrvoje.senjan, lbeltrame, meissner, tittiatcoke, wbauer
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE 42.3
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2016-12-17 16:38:40 UTC
Reference: http://seclists.org/oss-sec/2016/q4/700
======================================================
"At several places in the code a wrong length of ACSE data structures
received over the network can cause overflows or underflows when processing
those data structures. Related checks have been added at various places in
order to prevent such (possible) attacks. Thanks to Kevin Basista for the
report." The bug will indeed affect all DCMTK-based server applications that
accept incoming DICOM network connections and that are using dcmtk-3.6.0
or earlier versions. Developers are advised to apply the
patched-DCMTK-3.6.1_20160216 fix commit from Dec 14,
2015.

[1] http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php
[2] https://bugs.gentoo.org/show_bug.cgi?id=602918

======================================================

According to https://software.opensuse.org/package/dcmtk, 3.6.0 is in use.

From [1]:

PoC: http://zeroscience.mk/codes/storescp_bof.txt

Fix: https://github.com/commontk/DCMTK/commit/1b6bb76
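The class of defect described above (a length field taken from the network and trusted when walking a data structure) is easiest to see in a small length-prefixed item parser. The following is an added illustration written for this report; it is not DCMTK's code and does not reproduce the real ACSE encoding. The item layout (1-byte type, 1-byte reserved, 2-byte big-endian length that counts the header itself, then payload) and the sample byte strings are constructed assumptions. It shows the two checks the upstream fix note refers to: rejecting a declared length that reaches past the received bytes (overflow) and rejecting one shorter than the header, which would otherwise wrap around when the payload length is computed (underflow), plus a bounded copy into a fixed stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical item layout (assumption for this example, not DCMTK's real ACSE format):
 *   byte 0     : item type
 *   byte 1     : reserved
 *   bytes 2..3 : declared item length, big-endian, INCLUDING this 4-byte header
 *   bytes 4..  : payload
 */
#define ITEM_HDR_LEN 4u

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* declared length runs past the bytes actually received */
    PARSE_BAD_LENGTH = 2,  /* declared length shorter than the header (would underflow) */
    PARSE_TOO_LONG = 3,    /* payload does not fit the caller's fixed buffer */
    PARSE_TOO_MANY = 4     /* more items than the caller made room for */
};

struct item {
    uint8_t type;
    const uint8_t *payload;
    size_t payload_len;
};

/* Parse one item at *off; on success fill *out and advance *off past the item. */
static enum parse_status parse_item(const uint8_t *buf, size_t buflen,
                                    size_t *off, struct item *out)
{
    if (*off > buflen)
        return PARSE_BAD_LENGTH;
    size_t remaining = buflen - *off;
    if (remaining < ITEM_HDR_LEN)
        return PARSE_TRUNCATED;               /* not even a full header left */

    const uint8_t *p = buf + *off;
    uint16_t len = (uint16_t)(((uint16_t)p[2] << 8) | p[3]);

    /* Underflow check: the length covers the header, so anything shorter than
     * ITEM_HDR_LEN would make (len - ITEM_HDR_LEN) wrap to a huge value. */
    if (len < ITEM_HDR_LEN)
        return PARSE_BAD_LENGTH;
    /* Overflow check: never trust the peer's length over the bytes we hold. */
    if ((size_t)len > remaining)
        return PARSE_TRUNCATED;

    out->type = p[0];
    out->payload = p + ITEM_HDR_LEN;
    out->payload_len = (size_t)len - ITEM_HDR_LEN;
    *off += len;
    return PARSE_OK;
}

/* Walk a whole buffer. Returns the item count, or the negated parse_status on error. */
static int parse_items(const uint8_t *buf, size_t buflen,
                       struct item *items, size_t max_items)
{
    size_t off = 0, n = 0;
    while (off < buflen) {
        if (n == max_items)
            return -(int)PARSE_TOO_MANY;
        enum parse_status st = parse_item(buf, buflen, &off, &items[n]);
        if (st != PARSE_OK)
            return -(int)st;
        n++;
    }
    return (int)n;
}

/* Copy a payload into a fixed, NUL-terminated buffer; refuse anything that would not fit. */
static enum parse_status copy_name(const struct item *it, char *dst, size_t dstlen)
{
    if (it->payload_len >= dstlen)
        return PARSE_TOO_LONG;
    memcpy(dst, it->payload, it->payload_len);
    dst[it->payload_len] = '\0';
    return PARSE_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_good[] =      {0x10, 0x00, 0x00, 0x08, 'A', 'B', 'C', 'D',
                                           0x20, 0x00, 0x00, 0x04};
static const uint8_t sample_truncated[] = {0x10, 0x00, 0x01, 0x00, 'A', 'B', 'C', 'D'};
static const uint8_t sample_underflow[] = {0x10, 0x00, 0x00, 0x02, 'A', 'B', 'C', 'D'};

int demo_good(void)      { struct item it[4]; return parse_items(sample_good, sizeof sample_good, it, 4); }
int demo_truncated(void) { struct item it[4]; return parse_items(sample_truncated, sizeof sample_truncated, it, 4); }
int demo_underflow(void) { struct item it[4]; return parse_items(sample_underflow, sizeof sample_underflow, it, 4); }

/* Payload "ABCD" fits a 5-byte buffer: returns 1 when copied intact. */
int demo_name_fits(void)
{
    struct item it[4]; char name[5];
    if (parse_items(sample_good, sizeof sample_good, it, 4) != 2) return 0;
    return copy_name(&it[0], name, sizeof name) == PARSE_OK && strcmp(name, "ABCD") == 0;
}

/* The same payload is refused by a 4-byte buffer instead of overrunning it. */
int demo_name_rejected(void)
{
    struct item it[4]; char name[4];
    if (parse_items(sample_good, sizeof sample_good, it, 4) != 2) return -1;
    return (int)copy_name(&it[0], name, sizeof name);
}

int main(void)
{
    printf("good=%d truncated=%d underflow=%d fits=%d rejected=%d\n",
           demo_good(), demo_truncated(), demo_underflow(),
           demo_name_fits(), demo_name_rejected());
    return 0;
}
```

The point for reviewers of similar network parsers: each declared length is compared against the bytes actually received before any pointer arithmetic, and every copy into a fixed-size buffer is bounded by the destination size rather than by the attacker-controlled length. Both of those comparisons happen before the data is used, which is the shape of the checks the upstream note says were added.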
Comment 1 Swamp Workflow Management 2016-12-17 23:00:43 UTC
bugbot adjusting priority
Comment 2 Mikhail Kasimov 2016-12-18 09:53:29 UTC
http://seclists.org/oss-sec/2016/q4/702 :
============================================================================
We did not see an efficient way to represent
1b6bb76073a0601b85e90d5b1a5f0c80efe9e7f8 as a set of independent
exploitable vulnerabilities. Thus, we are assigning one CVE ID for all
of the vulnerability information in the above three references. The
information all seems to be related to mishandling of "wrong length of
ACSE data structures received over the network" (typically a long
string sent to TCP port 4242).

Use CVE-2015-8979.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
============================================================================
Comment 3 Andreas Stieger 2018-04-10 09:06:15 UTC
I believe this still affects Leap 42.3.
Comment 4 Christophe Giboudeaux 2020-01-13 10:10:04 UTC
The supported Leap versions have the fix.