Serious security issues with DCMTK?

marcus
Posts: 9
Joined: Tue, 2004-11-09, 13:54

Serious security issues with DCMTK?

#1 Post by marcus » Tue, 2004-11-09, 14:06

I've noticed that the latest version of DCMTK is linked against libpng-1.2.5 and openssl-0.9.7d. From their web sites it appears that these versions of the libraries have security issues. Does this mean that DCMTK software that has not been updated will also be vulnerable?

The relevant security warnings are on these pages:
http://www.libpng.org/pub/png/libpng.html
http://www.openssl.org/

Jörg Riesmeier
ICSMED DICOM Services
Posts: 2217
Joined: Fri, 2004-10-29, 21:38
Location: Oldenburg, Germany

Re: Serious security issues with DCMTK?

#2 Post by Jörg Riesmeier » Tue, 2004-11-09, 21:39

marcus wrote: does this mean that DCMTK software that has not been updated will also be vulnerable?

Though I did not check the websites very intensively, it seems to me that the PNG issue only applies to the import of malformed PNG images. Since DCMTK (as of version 3.5.3) only exports PNG files, there should be no risk.

With regard to OpenSSL it seems that mainly versions prior to 0.9.7d are affected by "severe" security issues (see http://www.openssl.org/news/secadv_20040317.txt ).

Of course, you always have the possibility to compile the DCMTK tools on your own. The binary packages are merely provided for the convenience of our users.

Jörg

marcus
Posts: 9
Joined: Tue, 2004-11-09, 13:54

Re: Serious security issues with DCMTK?

#3 Post by marcus » Tue, 2004-11-09, 21:45

Thanks for the reassurance :)
Marcus
