Security update for dcmtk SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:0053-1 Final 1 1 2025-02-06T12:02:04Z current 2025-02-06T12:02:04Z 2025-02-06T12:02:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dcmtk This update for dcmtk fixes the following issues: Update to 3.6.9. See DOCS/CHANGES.368 for the full list of changes Security issues fixed: - CVE-2024-27628: Fixed buffer overflow via the EctEnhancedCT method (boo#1227235) - CVE-2024-34508: Fixed a segmentation fault via an invalid DIMSE message (boo#1223925) - CVE-2024-34509: Fixed segmentation fault via an invalid DIMSE message (boo#1223943) - CVE-2024-47796: Fixed out-of-bounds write due to improper array index validation in the nowindow functionality (boo#1235810) - CVE-2024-52333: Fixed out-of-bounds write due to improper array index validation in the determineMinMax functionality (boo#1235811) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2025-53 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ E-Mail link for openSUSE-SU-2025:0053-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223925 SUSE Bug 1223925 https://bugzilla.suse.com/1223943 SUSE Bug 1223943 https://bugzilla.suse.com/1227235 SUSE Bug 1227235 https://bugzilla.suse.com/1235810 SUSE Bug 1235810 https://bugzilla.suse.com/1235811 SUSE Bug 1235811 https://www.suse.com/security/cve/CVE-2024-27628/ SUSE CVE CVE-2024-27628 page https://www.suse.com/security/cve/CVE-2024-34508/ SUSE CVE CVE-2024-34508 page https://www.suse.com/security/cve/CVE-2024-34509/ SUSE CVE CVE-2024-34509 page https://www.suse.com/security/cve/CVE-2024-47796/ SUSE CVE CVE-2024-47796 page https://www.suse.com/security/cve/CVE-2024-52333/ SUSE CVE CVE-2024-52333 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 dcmtk-3.6.9-bp156.4.3.1 dcmtk-devel-3.6.9-bp156.4.3.1 libdcmtk19-3.6.9-bp156.4.3.1 dcmtk-3.6.9-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 dcmtk-devel-3.6.9-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 libdcmtk19-3.6.9-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 dcmtk-3.6.9-bp156.4.3.1 as a component of openSUSE Leap 15.6 dcmtk-devel-3.6.9-bp156.4.3.1 as a component of openSUSE Leap 15.6 libdcmtk19-3.6.9-bp156.4.3.1 as a component of openSUSE Leap 15.6 Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method component. CVE-2024-27628 SUSE Package Hub 15 SP6:dcmtk-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:dcmtk-devel-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:libdcmtk19-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-devel-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:libdcmtk19-3.6.9-bp156.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ https://www.suse.com/security/cve/CVE-2024-27628.html CVE-2024-27628 https://bugzilla.suse.com/1227235 SUSE Bug 1227235 dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. CVE-2024-34508 SUSE Package Hub 15 SP6:dcmtk-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:dcmtk-devel-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:libdcmtk19-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-devel-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:libdcmtk19-3.6.9-bp156.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ https://www.suse.com/security/cve/CVE-2024-34508.html CVE-2024-34508 https://bugzilla.suse.com/1223925 SUSE Bug 1223925 dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. CVE-2024-34509 SUSE Package Hub 15 SP6:dcmtk-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:dcmtk-devel-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:libdcmtk19-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-devel-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:libdcmtk19-3.6.9-bp156.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ https://www.suse.com/security/cve/CVE-2024-34509.html CVE-2024-34509 https://bugzilla.suse.com/1223943 SUSE Bug 1223943 An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-47796 SUSE Package Hub 15 SP6:dcmtk-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:dcmtk-devel-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:libdcmtk19-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-devel-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:libdcmtk19-3.6.9-bp156.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ https://www.suse.com/security/cve/CVE-2024-47796.html CVE-2024-47796 https://bugzilla.suse.com/1235810 SUSE Bug 1235810 An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-52333 SUSE Package Hub 15 SP6:dcmtk-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:dcmtk-devel-3.6.9-bp156.4.3.1 SUSE Package Hub 15 SP6:libdcmtk19-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:dcmtk-devel-3.6.9-bp156.4.3.1 openSUSE Leap 15.6:libdcmtk19-3.6.9-bp156.4.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCW42LVEP5RLYCJ2ZF4ZZWGFA4Y2VOK/ https://www.suse.com/security/cve/CVE-2024-52333.html CVE-2024-52333 https://bugzilla.suse.com/1235811 SUSE Bug 1235811