Apply security patches

- Fix TALOS-2024-1924, CVE-2024-22391 (RHBZ#2277288) - Fix TALOS-2024-1935, CVE-2024-22373 (RHBZ#2277292) - Fix TALOS-2024-1944, CVE-2024-25569 (RHBZ#2277296)
10 months ago · 8d8c36a199
parent 15686e9f2f
commit 8d8c36a199
4 changed files with 143 additions and 0 deletions
--- a/TALOS-2024-1924.patch
+++ b/TALOS-2024-1924.patch
@ -0,0 +1,63 @@
+From 21a793095ab3aecb794c56439873e5b181ea9d91 Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
+Date: Wed, 21 Feb 2024 02:00:38 -0800
+Subject: [PATCH] Remove symptoms of TALOS-2024-1924
+
+
+diff --git a/Source/DataStructureAndEncodingDefinition/gdcmElement.h b/Source/DataStructureAndEncodingDefinition/gdcmElement.h
+index b49b093dc..15fb3a117 100644
+--- a/Source/DataStructureAndEncodingDefinition/gdcmElement.h
+++ b/Source/DataStructureAndEncodingDefinition/gdcmElement.h
+@@ -473,7 +473,7 @@ public:
+     assert( _is ); // Is stream valid ?
+     _is.read( reinterpret_cast<char*>(data+0), type_size);
+     for(unsigned long i=1; i<length; ++i) {
+-      assert( _is );
+      if( _is )
+       _is.read( reinterpret_cast<char*>(data+i), type_size );
+     }
+     //ByteSwap<T>::SwapRangeFromSwapCodeIntoSystem(data,
+@@ -489,7 +489,7 @@ public:
+     assert( _is ); // Is stream valid ?
+     _is.read( reinterpret_cast<char*>(data+0), type_size);
+     for(unsigned long i=1; i<length; ++i) {
+-      assert( _is );
+      if( _is )
+       _is.read( reinterpret_cast<char*>(data+i), type_size );
+     }
+     //ByteSwap<T>::SwapRangeFromSwapCodeIntoSystem(data,
+diff --git a/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx b/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
+index 0d5a99c40..2c566923b 100644
+--- a/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
+++ b/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
+@@ -130,7 +130,10 @@ void LookupTable::SetLUT(LookupTableType type, const unsigned char *array,
+ 
+   if( !IncompleteLUT )
+     {
+-    assert( Internal->RGB.size() == 3*Internal->Length[type]*(BitSample/8) );
+    if( Internal->RGB.size() != 3*Internal->Length[type]*(BitSample/8) ) {
+      gdcmErrorMacro( "Invalid length for LUT data" );
+      return;
+    }
+     }
+   // Too funny: 05115014-mr-siemens-avanto-syngo-with-palette-icone.dcm
+   // There is pseudo PALETTE_COLOR LUT in the Icon, if one look carefully the LUT values
+diff --git a/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx b/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
+index 9c30ff8b9..258a23c1f 100644
+--- a/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
+++ b/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
+@@ -306,8 +306,12 @@ static void DoIconImage(const DataSet& rootds, Pixmap& image)
+           unsigned long check =
+             (el_us3.GetValue(0) ? el_us3.GetValue(0) : 65536)
+             * el_us3.GetValue(2) / 8;
+-          assert( check == lut_raw->GetLength() || 2 * check == lut_raw->GetLength()
+-            || check + 1 == lut_raw->GetLength() ); (void)check;
+          if(!( check == lut_raw->GetLength() || 2 * check == lut_raw->GetLength()
+            || check + 1 == lut_raw->GetLength() )) {
+          gdcmErrorMacro( "Icon Sequence is invalid. Giving up" );
+          pixeldata.Clear();
+          return;
+	  }
+           }
+         else if( ds.FindDataElement( seglut ) )
+           {
--- a/TALOS-2024-1935.patch
+++ b/TALOS-2024-1935.patch
@ -0,0 +1,38 @@
+From 371c2d937e37b08a46eeb0628c553ce4608a45df Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
+Date: Wed, 21 Feb 2024 02:18:35 -0800
+Subject: [PATCH] Remove symptoms from TALOS-2024-1935
+
+
+diff --git a/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx b/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
+index fcb61e611..9457c5e9b 100644
+--- a/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
+++ b/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
+@@ -421,6 +421,7 @@ bool ImageChangeTransferSyntax::Change()
+     if( !b )
+       {
+       gdcmErrorMacro( "Error in getting buffer from input image." );
+      delete bv0;
+       return false;
+       }
+     pixeldata.SetValue( *bv0 );
+diff --git a/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx b/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
+index 10ac23cca..430a24a87 100644
+--- a/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
+++ b/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
+@@ -826,8 +826,13 @@ std::pair<char *, size_t> JPEG2000Codec::DecodeByStreamsCommon(char *dummy_buffe
+ 
+     // ELSCINT1_JP2vsJ2K.dcm
+     // -> prec = 12, bpp = 0, sgnd = 0
+-    //assert( wr == Dimensions[0] );
+-    //assert( hr == Dimensions[1] );
+    if( wr != Dimensions[0] || hr != Dimensions[1] ) {
+	    gdcmErrorMacro("Invalid dimension");
+	    delete[] raw;
+    opj_destroy_codec(dinfo);
+  opj_image_destroy(image);
+    return std::pair<char*,size_t>(nullptr,0);
+    }
+     if( comp->sgnd != PF.GetPixelRepresentation() )
+       {
+       PF.SetPixelRepresentation( (uint16_t)comp->sgnd );
--- a/TALOS-2024-1944.patch
+++ b/TALOS-2024-1944.patch
@ -0,0 +1,36 @@
+From dda17aa8d5939e4e255ebba67aacf34b09d88692 Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
+Date: Wed, 21 Feb 2024 02:44:55 -0800
+Subject: [PATCH] Remove symptoms from TALOS-2024-1944
+
+
+diff --git a/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx b/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
+index 19f739399..46392461e 100644
+--- a/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
+++ b/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
+@@ -112,9 +112,7 @@ bool RAWCodec::DecodeBytes(const char* inBytes, size_t inBufferLength,
+   if(!r) return false;
+ 
+   std::string str = os.str();
+-  //std::string::size_type check = str.size();//unused
+ 
+-  
+   if( this->GetPixelFormat() == PixelFormat::UINT12 ||
+       this->GetPixelFormat() == PixelFormat::INT12 )
+     {
+@@ -135,7 +133,14 @@ bool RAWCodec::DecodeBytes(const char* inBytes, size_t inBufferLength,
+     // DermaColorLossLess.dcm
+     //assert (check == inOutBufferLength || check == inOutBufferLength + 1);
+     // problem with: SIEMENS_GBS_III-16-ACR_NEMA_1.acr
+-    memcpy(outBytes, str.c_str(), inOutBufferLength);
+    size_t len = str.size();
+    if( inOutBufferLength <= len )
+      memcpy(outBytes, str.c_str(), inOutBufferLength);
+    else
+    {
+      gdcmWarningMacro( "Requesting too much data. Truncating result" );
+      memcpy(outBytes, str.c_str(), len);
+    }
+     }
+ 
+   return r;
--- a/gdcm.spec
+++ b/gdcm.spec
@ -20,6 +20,12 @@ Patch1: 0001-3.0.1-Use-copyright.patch
 Patch2: 0002-Fix-export-variables.patch
 # Python 3.13: Replace deprecated PyEval_CallObject()
 Patch3:     https://github.com/malaterre/GDCM/pull/171.patch
+# TALOS-2024-1924: https://bugzilla.redhat.com/show_bug.cgi?id=2277288
+Patch4:     TALOS-2024-1924.patch
+# TALOS-2024-1935: https://bugzilla.redhat.com/show_bug.cgi?id=2277292
+Patch5:     TALOS-2024-1935.patch
+# TALOS-2024-1944: https://bugzilla.redhat.com/show_bug.cgi?id=2277296
+Patch6:    TALOS-2024-1944.patch

 BuildRequires:  CharLS-devel >= 2.0
 BuildRequires:  cmake