Bugzilla – Bug 1016171
VUL-1: CVE-2015-8979: DCMTK: remote stack buffer overflow [ZSL-2016-5384]
Last modified: 2020-01-13 10:10:04 UTC
Reference: http://seclists.org/oss-sec/2016/q4/700

======================================================
"At several places in the code a wrong length of ACSE data structures received over the network can cause overflows or underflows when processing those data structures. Related checks have been added at various places in order to prevent such (possible) attacks. Thanks to Kevin Basista for the report."

The bug will indeed affect all DCMTK-based server applications that accept incoming DICOM network connections that are using the dcmtk-3.6.0 and earlier versions.

Developers are advised to apply the patched-DCMTK-3.6.1_20160216 fix commit from Dec 14, 2015.

[1] http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php
[2] https://bugs.gentoo.org/show_bug.cgi?id=602918
======================================================

According to https://software.opensuse.org/package/dcmtk, 3.6.0 is in use.

From [1]:
PoC: http://zeroscience.mk/codes/storescp_bof.txt
Fix: https://github.com/commontk/DCMTK/commit/1b6bb76
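The kind of length check the quoted advisory describes, as an added example (not DCMTK code and not taken from the fix commit). It assumes the DICOM upper-layer item layout from PS3.8 (1-byte type, 1 reserved byte, 2-byte big-endian length, then the value); `walk_items`, the error codes and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Item layout assumed from the DICOM upper layer (PS3.8):
 * type(1) | reserved(1) | length(2, big-endian) | value(length). */
#define ITEM_APP_CONTEXT 0x10
#define ITEM_HDR_LEN 4
enum { ERR_TRUNCATED_HDR = -1, ERR_LEN_PAST_END = -2, ERR_DEST_TOO_SMALL = -3 };

/* Constructed sample inputs, not captured traffic. */
static const uint8_t sample_ok[] = {0x10, 0, 0, 3, '1', '.', '2', 0x50, 0, 0, 0};
static const uint8_t sample_lying[] = {0x10, 0, 0x01, 0x00, '1', '.', '2'};

/* Hypothetical helper: walk the items in buf[0..len) and copy the Application
 * Context name into name (capacity cap). Returns the item count or ERR_*. */
int walk_items(const uint8_t *buf, size_t len, char *name, size_t cap)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < ITEM_HDR_LEN)        /* header itself must fit */
            return ERR_TRUNCATED_HDR;
        uint8_t type = buf[off];
        size_t ilen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += ITEM_HDR_LEN;
        if (ilen > len - off)                /* declared length vs. bytes received */
            return ERR_LEN_PAST_END;
        if (type == ITEM_APP_CONTEXT) {
            if (cap == 0 || ilen > cap - 1)  /* declared length vs. destination */
                return ERR_DEST_TOO_SMALL;
            memcpy(name, buf + off, ilen);
            name[ilen] = '\0';
        }
        off += ilen;
        count++;
    }
    return count;
}

int main(void)
{
    char name[65];
    printf("ok:    %d\n", walk_items(sample_ok, sizeof sample_ok, name, sizeof name));
    printf("lying: %d\n", walk_items(sample_lying, sizeof sample_lying, name, sizeof name));
    return 0;
}
```

Both comparisons are written as `ilen > remaining` rather than `off + ilen > len`, so neither side of the check can wrap around.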
bugbot adjusting priority
http://seclists.org/oss-sec/2016/q4/702 :

============================================================================
We did not see an efficient way to represent 1b6bb76073a0601b85e90d5b1a5f0c80efe9e7f8 as a set of independent exploitable vulnerabilities. Thus, we are assigning one CVE ID for all of the vulnerability information in the above three references. The information all seems to be related to mishandling of "wrong length of ACSE data structures received over the network" (typically a long string sent to TCP port 4242).

Use CVE-2015-8979.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
============================================================================
I believe this still affects Leap 42.3.
The supported Leap versions have the fix.