vendor:
Grassroots DICOM (GDCM) Library
by:
Stelios Tsampas
10
CVSS
CRITICAL
Integer Overflow
Integer Overflow
CWE
Product Name: Grassroots DICOM (GDCM) Library
Affected Version From: 2.6.2000
Affected Version To: 2.6.2001
Patch Exists: YES
Related CWE: CVE-2015-8396
CPE: gdcm
Platforms Tested:
2015
Integer Overflow Vulnerability in Grassroots DICOM (GDCM) Library
GDCM versions 2.6.0 and 2.6.1 are prone to an integer overflow vulnerability which leads to a buffer overflow and potentially to remote code execution. The vulnerability is triggered by the exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies DICOM image data to a buffer. ReadIntoBuffer fails to detect the occurrence of an integer overflow, which leads to a buffer overflow later on in the code.
Mitigation:
Upgrade all GDCM installations to the latest stable release (version 2.6.2)