Bug 2106334 (CVE-2021-41687)

Summary: CVE-2021-41687 dcmtk: a memory leak allows a DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: igor.raits, neuro-sig, troels
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-29 22:55:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2106335, 2106336    
Bug Blocks:    

Description Marian Rehak 2022-07-12 11:46:12 UTC 
The program malloc a heap memory for parsing data, but does not free it when error in parsing. Sending specific requests to the dcmqrdb program incur the memory leak. An attacker can use it to launch a DoS attack.

Reference:

https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb
Comment 1 Marian Rehak 2022-07-12 11:46:29 UTC 
Created dcmtk tracking bugs for this issue:

Affects: epel-all [bug 2106336]
Affects: fedora-all [bug 2106335]
Comment 2 Product Security DevOps Team 2022-08-29 22:55:51 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.