Apply security patches

- Fix TALOS-2024-1924, CVE-2024-22391 (RHBZ#2277288) - Fix TALOS-2024-1935, CVE-2024-22373 (RHBZ#2277292) - Fix TALOS-2024-1944, CVE-2024-25569 (RHBZ#2277296)
10 months ago · 8d8c36a199
parent 15686e9f2f
commit 8d8c36a199
4 changed files with 143 additions and 0 deletions
--- a/TALOS-2024-1924.patch
+++ b/TALOS-2024-1924.patch
@ -0,0 +1,63 @@
 From 21a793095ab3aecb794c56439873e5b181ea9d91 Mon Sep 17 00:00:00 2001
 From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
 Date: Wed, 21 Feb 2024 02:00:38 -0800
 Subject: [PATCH] Remove symptoms of TALOS-2024-1924
 diff --git a/Source/DataStructureAndEncodingDefinition/gdcmElement.h b/Source/DataStructureAndEncodingDefinition/gdcmElement.h
 index b49b093dc..15fb3a117 100644
 --- a/Source/DataStructureAndEncodingDefinition/gdcmElement.h
 +++ b/Source/DataStructureAndEncodingDefinition/gdcmElement.h
@@ -473,7 +473,7 @@ public:
     assert( _is ); // Is stream valid ?
     _is.read( reinterpret_cast<char*>(data+0), type_size);
     for(unsigned long i=1; i<length; ++i) {
 -      assert( _is );
 +      if( _is )
       _is.read( reinterpret_cast<char*>(data+i), type_size );
     }
     //ByteSwap<T>::SwapRangeFromSwapCodeIntoSystem(data,
@@ -489,7 +489,7 @@ public:
     assert( _is ); // Is stream valid ?
     _is.read( reinterpret_cast<char*>(data+0), type_size);
     for(unsigned long i=1; i<length; ++i) {
 -      assert( _is );
 +      if( _is )
       _is.read( reinterpret_cast<char*>(data+i), type_size );
     }
     //ByteSwap<T>::SwapRangeFromSwapCodeIntoSystem(data,
 diff --git a/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx b/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
 index 0d5a99c40..2c566923b 100644
 --- a/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
 +++ b/Source/MediaStorageAndFileFormat/gdcmLookupTable.cxx
@@ -130,7 +130,10 @@ void LookupTable::SetLUT(LookupTableType type, const unsigned char *array,
   if( !IncompleteLUT )
     {
 -    assert( Internal->RGB.size() == 3*Internal->Length[type]*(BitSample/8) );
 +    if( Internal->RGB.size() != 3*Internal->Length[type]*(BitSample/8) ) {
 +      gdcmErrorMacro( "Invalid length for LUT data" );
 +      return;
 +    }
     }
   // Too funny: 05115014-mr-siemens-avanto-syngo-with-palette-icone.dcm
   // There is pseudo PALETTE_COLOR LUT in the Icon, if one look carefully the LUT values
 diff --git a/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx b/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
 index 9c30ff8b9..258a23c1f 100644
 --- a/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
 +++ b/Source/MediaStorageAndFileFormat/gdcmPixmapReader.cxx
@@ -306,8 +306,12 @@ static void DoIconImage(const DataSet& rootds, Pixmap& image)
           unsigned long check =
             (el_us3.GetValue(0) ? el_us3.GetValue(0) : 65536)
             * el_us3.GetValue(2) / 8;
 -          assert( check == lut_raw->GetLength() || 2 * check == lut_raw->GetLength()
 -            || check + 1 == lut_raw->GetLength() ); (void)check;
 +          if(!( check == lut_raw->GetLength() || 2 * check == lut_raw->GetLength()
 +            || check + 1 == lut_raw->GetLength() )) {
 +          gdcmErrorMacro( "Icon Sequence is invalid. Giving up" );
 +          pixeldata.Clear();
 +          return;
 +	  }
           }
         else if( ds.FindDataElement( seglut ) )
           {
--- a/TALOS-2024-1935.patch
+++ b/TALOS-2024-1935.patch
@ -0,0 +1,38 @@
 From 371c2d937e37b08a46eeb0628c553ce4608a45df Mon Sep 17 00:00:00 2001
 From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
 Date: Wed, 21 Feb 2024 02:18:35 -0800
 Subject: [PATCH] Remove symptoms from TALOS-2024-1935
 diff --git a/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx b/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
 index fcb61e611..9457c5e9b 100644
 --- a/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
 +++ b/Source/MediaStorageAndFileFormat/gdcmImageChangeTransferSyntax.cxx
@@ -421,6 +421,7 @@ bool ImageChangeTransferSyntax::Change()
     if( !b )
       {
       gdcmErrorMacro( "Error in getting buffer from input image." );
 +      delete bv0;
       return false;
       }
     pixeldata.SetValue( *bv0 );
 diff --git a/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx b/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
 index 10ac23cca..430a24a87 100644
 --- a/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
 +++ b/Source/MediaStorageAndFileFormat/gdcmJPEG2000Codec.cxx
@@ -826,8 +826,13 @@ std::pair<char *, size_t> JPEG2000Codec::DecodeByStreamsCommon(char *dummy_buffe
     // ELSCINT1_JP2vsJ2K.dcm
     // -> prec = 12, bpp = 0, sgnd = 0
 -    //assert( wr == Dimensions[0] );
 -    //assert( hr == Dimensions[1] );
 +    if( wr != Dimensions[0] || hr != Dimensions[1] ) {
 +	    gdcmErrorMacro("Invalid dimension");
 +	    delete[] raw;
 +    opj_destroy_codec(dinfo);
 +  opj_image_destroy(image);
 +    return std::pair<char*,size_t>(nullptr,0);
 +    }
     if( comp->sgnd != PF.GetPixelRepresentation() )
       {
       PF.SetPixelRepresentation( (uint16_t)comp->sgnd );
--- a/TALOS-2024-1944.patch
+++ b/TALOS-2024-1944.patch
@ -0,0 +1,36 @@
 From dda17aa8d5939e4e255ebba67aacf34b09d88692 Mon Sep 17 00:00:00 2001
 From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
 Date: Wed, 21 Feb 2024 02:44:55 -0800
 Subject: [PATCH] Remove symptoms from TALOS-2024-1944
 diff --git a/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx b/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
 index 19f739399..46392461e 100644
 --- a/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
 +++ b/Source/MediaStorageAndFileFormat/gdcmRAWCodec.cxx
@@ -112,9 +112,7 @@ bool RAWCodec::DecodeBytes(const char* inBytes, size_t inBufferLength,
   if(!r) return false;
   std::string str = os.str();
 -  //std::string::size_type check = str.size();//unused
 -  
   if( this->GetPixelFormat() == PixelFormat::UINT12 ||
       this->GetPixelFormat() == PixelFormat::INT12 )
     {
@@ -135,7 +133,14 @@ bool RAWCodec::DecodeBytes(const char* inBytes, size_t inBufferLength,
     // DermaColorLossLess.dcm
     //assert (check == inOutBufferLength || check == inOutBufferLength + 1);
     // problem with: SIEMENS_GBS_III-16-ACR_NEMA_1.acr
 -    memcpy(outBytes, str.c_str(), inOutBufferLength);
 +    size_t len = str.size();
 +    if( inOutBufferLength <= len )
 +      memcpy(outBytes, str.c_str(), inOutBufferLength);
 +    else
 +    {
 +      gdcmWarningMacro( "Requesting too much data. Truncating result" );
 +      memcpy(outBytes, str.c_str(), len);
 +    }
     }
   return r;
--- a/gdcm.spec
+++ b/gdcm.spec
@ -20,6 +20,12 @@ Patch1: 0001-3.0.1-Use-copyright.patch
 Patch2: 0002-Fix-export-variables.patch
 # Python 3.13: Replace deprecated PyEval_CallObject()
 Patch3:     https://github.com/malaterre/GDCM/pull/171.patch
 # TALOS-2024-1924: https://bugzilla.redhat.com/show_bug.cgi?id=2277288
 Patch4:     TALOS-2024-1924.patch
 # TALOS-2024-1935: https://bugzilla.redhat.com/show_bug.cgi?id=2277292
 Patch5:     TALOS-2024-1935.patch
 # TALOS-2024-1944: https://bugzilla.redhat.com/show_bug.cgi?id=2277296
 Patch6:    TALOS-2024-1944.patch
 BuildRequires:  CharLS-devel >= 2.0
 BuildRequires:  cmake