Advisory: Vulnerability in assoc negotiation (DCMTK 3.6.0)

Marco Eichelberg
OFFIS DICOM Team

#1 Post by Marco Eichelberg » Wed, 2016-12-14, 18:08

This is an advisory to users of DCMTK 3.6.0 and earlier: A vulnerability has been discovered in the association negotiation code that can be abused to cause a buffer overflow. This may cause the application to crash or to possibly execute malicious code provided by the caller. The issue, which is located in dcmnet/libsrc/dulparse.cc, has been fixed by commit 1b6bb76 on Dec 14, 2015. Users who want to fix this vulnerability while continuing to use DCMTK 3.6.0 are advised to back-port this commit to their DCMTK 3.6.0 source tree, which is straightforward.
