Bugzilla – Bug 1016171
VUL-1: CVE-2015-8979: DCMTK: remote stack buffer overflow [ZSL-2016-5384]
Last modified: 2020-01-13 10:10:04 UTC
"At several places in the code a wrong length of ACSE data structures
received over the network can cause overflows or underflows when processing
those data structures. Related checks have been added at various places in
order to prevent such (possible) attacks. Thanks to Kevin Basista for the
report."

The bug will indeed affect all DCMTK-based server applications that
accept incoming DICOM network connections that are using the dcmtk-3.6.0
and earlier versions. Developers are advised to apply the
patched-DCMTK-3.6.1_20160216 fix commit from Dec 14,
According to https://software.opensuse.org/package/dcmtk, 3.6.0 is in use.
bugbot adjusting priority
We did not see an efficient way to represent
1b6bb76073a0601b85e90d5b1a5f0c80efe9e7f8 as a set of independent
exploitable vulnerabilities. Thus, we are assigning one CVE ID for all
of the vulnerability information in the above three references. The
information all seems to be related to mishandling of "wrong length of
ACSE data structures received over the network" (typically a long
string sent to TCP port 4242).
CVE Assignment Team
I believe this still affects Leap 42.3.
The supported Leap versions have the fix.
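
The class of check the quoted changelog describes, validating a declared length against the bytes actually received before using it, as an added example that is not DCMTK's code or part of the original bug report. It assumes the DICOM upper-layer item layout (type, reserved byte, 2-byte big-endian length, value); `walk_items`, `MAX_NAME` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_APP_CONTEXT 0x10 /* Application Context item type (assumed layout) */
#define MAX_NAME 64           /* hypothetical fixed destination size */

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {0x10, 0, 0, 5, '1', '.', '2', '.', '3', 0x50, 0, 0, 0};
static const uint8_t SAMPLE_LONG[] = {0x10, 0, 0xFF, 0xFF, '1', '.', '2'};
static const uint8_t SAMPLE_CUT[] = {0x50, 0, 0};

/* Walk the variable items of an association request body.
 * Returns the item count, or -1 if a declared length is inconsistent with
 * the bytes received. On success app_ctx holds the NUL-terminated
 * application context name (empty if no such item was present). */
int walk_items(const uint8_t *buf, size_t len, char app_ctx[MAX_NAME + 1])
{
    size_t off = 0;
    int count = 0;
    app_ctx[0] = '\0';
    while (off < len) {
        /* Underflow guard: a 4-byte item header must fit in what is left. */
        if (len - off < 4)
            return -1;
        uint8_t type = buf[off];
        size_t ilen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        /* Overflow guard: declared length must not exceed the remainder. */
        if (ilen > len - off)
            return -1;
        if (type == ITEM_APP_CONTEXT) {
            /* Destination guard: never copy more than the buffer holds. */
            if (ilen > MAX_NAME)
                return -1;
            memcpy(app_ctx, buf + off, ilen);
            app_ctx[ilen] = '\0';
        }
        off += ilen;
        count++;
    }
    return count;
}

int main(void) {
    char name[MAX_NAME + 1];
    printf("%d ", walk_items(SAMPLE_OK, sizeof SAMPLE_OK, name));
    printf("%d ", walk_items(SAMPLE_LONG, sizeof SAMPLE_LONG, name));
    printf("%d\n", walk_items(SAMPLE_CUT, sizeof SAMPLE_CUT, name));
    return 0;
}
```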