Bug 1201178 - (CVE-2021-41687) VUL-0: CVE-2021-41687: dcmtk: the program malloc a heap memory for parsing data, but does not free it when error in parsing
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other Other
Importance: P3 - Medium : Minor
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/335776/
Reported: 2022-07-04 12:51 UTC by Alexander Bergmann
Modified: 2023-01-04 06:43 UTC (History)
Found By: Security Response Team


Description Alexander Bergmann 2022-07-04 12:51:10 UTC
CVE-2021-41687

DCMTK through 3.6.6 does not handle memory free properly. The program mallocs
heap memory for parsing data, but does not free it when an error occurs in parsing.
Sending specific requests to the dcmqrdb program incurs the memory leak. An
attacker can use it to launch a DoS attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41687
https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb
https://github.com/DCMTK/dcmtk
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41687