Project

General

Profile

Activity

From 2026-06-04 to 2026-07-03

Today

14:32 Bug #1246 (Resolved): SYSS-2026-049: Integer overflow in RLE encoder size check
Fixed with commit 7e9a836672baad9e3b03fcde160d5e16de681bd5 Michael Onken
12:42 Bug #1246 (Resolved): SYSS-2026-049: Integer overflow in RLE encoder size check
As reported by Matthias Deeg (SySS GmbH):
h1. SYSS-2026-049 — Integer overflow in RLE encoder size check
|_. Fi...
Michael Onken
14:32 Bug #1244 (Resolved): SYSS-2026-047: Path traversal in dcmsend --read-from-dicomdir
Fixed with commit 225ff1e0e42efcac64a5275e8f06ade14ca509b5 Michael Onken
12:39 Bug #1244 (Resolved): SYSS-2026-047: Path traversal in dcmsend --read-from-dicomdir
As reported by Matthias Deeg (SySS GmbH):
h1. SYSS-2026-047 — Path traversal in dcmsend --read-from-dicomdir
|_...
Michael Onken
14:32 Bug #1243 (Resolved): SYSS-2026-046: Integer overflow in DICOMDIR PGM icon loading
Fixed with commit 534e146b672ccd13d1a2b134ef623840e775396a Michael Onken
12:28 Bug #1243 (Resolved): SYSS-2026-046: Integer overflow in DICOMDIR PGM icon loading
As reported by Matthias Deeg (SySS GmbH):
h1. SYSS-2026-046 — Integer overflow in DICOMDIR PGM icon loading
|_....
Michael Onken
11:16 Bug #1242 (Closed): Out-of-bounds read decoding 3-component JPEG-LS images
Fixed with commit 4c84db4702249593d2fb7f9bc3c90bc7185ababb. Michael Onken
10:46 Bug #1242 (Closed): Out-of-bounds read decoding 3-component JPEG-LS images
As reported by quellsec.dev:
h2. Summary
Heap out-of-bounds read in CharLS TransformLine: the SOS scan uses the...
Michael Onken
11:15 Bug #1241 (Closed): Double free of palette color LUT
Closed with commit 99bae4afd570be5f8167dc1d5f48932c00e7346e. Michael Onken
10:40 Bug #1241 (Closed): Double free of palette color LUT
As reported by quellsec.dev:
h1. DCMTK: double-free of palette-color LUT data in IODPaletteColorLUTModule::checkDa...
Michael Onken
11:14 Bug #1240 (Closed): Heap buffer overflow in multi-frame overlay conversion.
Fixed with commit d0a6f8afaecc676dfc8e36a0ee1a729455a7f74f. Michael Onken
10:36 Bug #1240 (Closed): Heap buffer overflow in multi-frame overlay conversion.
As reported by quellsec.dev:
h2. Summary
@DiOverlayPlane::create6xxx3000Data@ sizes its output buffer as a sing...
Michael Onken
11:12 Bug #1239 (Closed): Out of bounds access into Lookup Table on big endian machines
Fixed with commit 87cccaa50770a00169cf59ec18c63d42175a8d1d. Michael Onken
10:26 Bug #1239 (Closed): Out of bounds access into Lookup Table on big endian machines
As reported by quellsec.dev:
h2. Summary
On big-endian hosts, @DiLookupTable::checkTable@ expands an 8-bit-allo...
Michael Onken
11:11 Bug #1238 (Closed): Out-of-bounds read in JPEG-LS scan header parsing
Fixed in commit 345572c45a3767ed25b15c8cf11d4e711cd3d348 Michael Onken
10:18 Bug #1238 (Closed): Out-of-bounds read in JPEG-LS scan header parsing
Issue as reported by quellsec.dev:
h2. Summary
The bundled CharLS JPEG-LS decoder reads an attacker-controlled ...
Michael Onken
11:10 Bug #1237 (Closed): DcmRLECodecDecoder::decodeFrame() out of bounds access
Michael Onken
11:09 Bug #1237: DcmRLECodecDecoder::decodeFrame() out of bounds access
Fixed in commit 2846f2914a6132d58c8e35d4337fccc0e52e3fe7. Michael Onken
10:08 Bug #1237 (Closed): DcmRLECodecDecoder::decodeFrame() out of bounds access
h2. Summary
@DcmRLECodecDecoder::decodeFrame@ reads one byte before a heap allocation when the last RLE stripe dec...
Michael Onken

2026-07-02

22:27 Bug #1236 (Closed): Out of bounds read in dcmqrdb's deleteOldestImages() method
Michael Onken
22:26 Bug #1236: Out of bounds read in dcmqrdb's deleteOldestImages() method
Closed by commit bd8163. Michael Onken

2026-06-26

07:57 Bug #1233 (Closed): Access-control gap in dcmqrscp
Michael Onken
07:56 Bug #1227 (Closed): Fix potential heap overflow with DNS resolve result
Michael Onken
07:56 Bug #1229 (Closed): Heap Overflow in DB_DuplicateElement (dcmqrdb)
Michael Onken
07:56 Bug #1228 (Closed): Heap overflow when computing PDU length + safety margin
Michael Onken
07:56 Bug #1230 (Closed): Potential DoS via mutlipe User Identity Negotiation sub-items
Michael Onken
07:56 Bug #1231 (Closed): Out-of-bounds read in OFStandard::sanitizeFilename()
Michael Onken
07:55 Bug #1232 (Closed): Potential NUL-termination missing in use of strncpy
Michael Onken
07:55 Bug #1234 (Closed): Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
Michael Onken
07:55 Bug #1235 (Closed): Stack buffer overflow in dcmqrscp QR Level handling
Michael Onken

2026-06-22

22:22 Bug #1236 (Closed): Out of bounds read in dcmqrdb's deleteOldestImages() method
As reported by Yuxiao Yan:
|_. File |@dcmqrdb/libsrc/dcmqrdbi.cc@ |
|_. Function |@DcmQueryRetrieveIndexDatabaseH...
Michael Onken
20:52 Bug #1235: Stack buffer overflow in dcmqrscp QR Level handling
Fixed with commit 34fa53. Michael Onken
20:50 Bug #1235 (Closed): Stack buffer overflow in dcmqrscp QR Level handling
Stack overflow as reported by Yuxiao Yan:
h1. Vulnerability Summary
In `DcmQueryRetrieveIndexDatabaseHandle::...
Michael Onken
20:46 Bug #1234: Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
Closed with commit 688a16. Michael Onken
15:18 Bug #1234 (Closed): Remote unauthenticated memory-leak DoS in parseAssociate() presentation-context error path
As reported by Yuxiao Yan:
== Summary ==
When parseAssociate() (dcmnet/libsrc/dulparse.cc) fails while pars...
Michael Onken
15:14 Bug #1233: Access-control gap in dcmqrscp
Closed by commit 696abc. Michael Onken
15:03 Bug #1233 (Closed): Access-control gap in dcmqrscp
As reported by Yuxiao Yan:
Tested version
--------------
- Upstream git, commit 5708ba6c (cloned 2026-06-11)....
Michael Onken

2026-06-19

17:26 Bug #1232: Potential NUL-termination missing in use of strncpy
Fixed in commit 782c652. Michael Onken
17:20 Bug #1232 (Closed): Potential NUL-termination missing in use of strncpy
As reported by Arash Ale Ebrahim:
Summary
-------
The internal getString() helper used by every DIMSE command pa...
Michael Onken
17:26 Bug #1231: Out-of-bounds read in OFStandard::sanitizeFilename()
Fixed in commit e1f914 (and older commit e3878d). Michael Onken
17:17 Bug #1231 (Closed): Out-of-bounds read in OFStandard::sanitizeFilename()
As reported by Arash Ale Ebrahim:
The OFString overload of sanitizeFilename iterates by length() — not until NUL —...
Michael Onken
17:24 Bug #1230: Potential DoS via mutlipe User Identity Negotiation sub-items
Fixed with commit e61270. Michael Onken
17:11 Bug #1230 (Closed): Potential DoS via mutlipe User Identity Negotiation sub-items
As reported by Arash Ale Ebrahim:
The DUL parser allows an A-ASSOCIATE-RQ PDU to contain multiple User Identity N...
Michael Onken
16:39 Bug #1226 (Closed): Unbound recursion in DSRDocumentTreeNode::readXML()
Marco Eichelberg
14:25 Bug #1228: Heap overflow when computing PDU length + safety margin
Fixed with commit 537815. Michael Onken
13:09 Bug #1228 (Closed): Heap overflow when computing PDU length + safety margin
Fix potential heap overflow that could occur if the safety margin of 100 bytes added to the expected PDU length goes ... Michael Onken
14:23 Bug #1229: Heap Overflow in DB_DuplicateElement (dcmqrdb)
Fixed with commit b2d33e. Michael Onken
13:16 Bug #1229 (Closed): Heap Overflow in DB_DuplicateElement (dcmqrdb)
Using an int instead of size_t for computing the size of a buffer can make the int overflow and therefore create a mu... Michael Onken
14:23 Bug #1227: Fix potential heap overflow with DNS resolve result
Fixed with commit 63b0ba. Michael Onken
12:59 Bug #1227 (Closed): Fix potential heap overflow with DNS resolve result
Bug reported by Dominik Blain:
An attacker controlling a PTR DNS record can overflow a 260-byte stack buffer on ev...
Michael Onken
10:29 Bug #1082 (Closed): Possible memory leak in DcmDataset copy constructor
Marco Eichelberg

2026-06-17

18:20 Bug #1221: Out-of-bounds read in bundled IJG JPEG Huffman decoder
This issue was also reported on 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin. It has been register... Marco Eichelberg
17:53 Bug #1226: Unbound recursion in DSRDocumentTreeNode::readXML()
Closed by commit #9057782f9.
Marco Eichelberg
17:51 Bug #1226 (Closed): Unbound recursion in DSRDocumentTreeNode::readXML()
Currently, the XML to DICOM SR parser relies on a depth gate in libxml2 to prevent unbound recursion when reading a m... Marco Eichelberg
17:46 Bug #1224 (Closed): xml2dcm parseDataSet / parseSequence mutual recursion
Marco Eichelberg
16:52 Bug #1225 (Closed): json2dcm readValue JSON SQ unbounded recursion
Closed by commit #cf955e64c. Marco Eichelberg

2026-06-16

18:25 Bug #1225: json2dcm readValue JSON SQ unbounded recursion
Reported 2026-05-19 by Arjun Basnet, Senior Security Researcher, Securin. Marco Eichelberg
18:24 Bug #1225: json2dcm readValue JSON SQ unbounded recursion
This issue has been registered as CVE-2026-44037. Marco Eichelberg
18:24 Bug #1225 (Closed): json2dcm readValue JSON SQ unbounded recursion
@DcmJsonReaderBase::readValue()@ recurses via @DcmJsonReaderBase::parseSequence()@ on SQ JSON value items with no dep... Marco Eichelberg
18:15 Bug #1224: xml2dcm parseDataSet / parseSequence mutual recursion
Closed by commit #87f256d73.
Marco Eichelberg
18:12 Bug #1224 (Closed): xml2dcm parseDataSet / parseSequence mutual recursion
@DcmXMLParseHelper::parseDataSet()@ at xml2dcm.cc:618 calls @parseSequence()@ for every @<sequence>@ element. @parseS... Marco Eichelberg

2026-06-12

11:59 Bug #1221 (Closed): Out-of-bounds read in bundled IJG JPEG Huffman decoder
Michael Onken
11:59 Bug #1222 (Closed): Out-of-bounds read in CharLS JPEG-LS EndScan()
Michael Onken
11:59 Bug #1223 (Closed): Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
Michael Onken

2026-06-11

07:40 Bug #1223: Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
Fixed with commit b6691c7a0fdfd261c20c2509c2ac16966bd37763 Michael Onken
07:40 Bug #1222: Out-of-bounds read in CharLS JPEG-LS EndScan()
Fixed with commit b818c19720bd3c5c273f7c0578fef3990333af22 Michael Onken
07:39 Bug #1221: Out-of-bounds read in bundled IJG JPEG Huffman decoder
Fixed with commit d6ae1bc8d5b9ae9c7300013c8c85cc2ea0fd8cf5. Michael Onken

2026-06-10

11:16 Bug #1223 (Closed): Out-of-bounds read in CharLS JPEG-LS QuantizeGratient()
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read in its near-lossless d... Michael Onken
11:15 Bug #1222 (Closed): Out-of-bounds read in CharLS JPEG-LS EndScan()
DCMTK's bundled CharLS JPEG-LS library (dcmjpls/libcharls) performs an out-of-bounds heap read when finishing decode ... Michael Onken
11:13 Bug #1221 (Closed): Out-of-bounds read in bundled IJG JPEG Huffman decoder
DCMTK's bundled IJG JPEG library (dcmjpeg/libijg8, and the identical libijg12/libijg16 copies) contains a Huffman-tab... Michael Onken

2026-06-05

18:32 Bug #1205 (Closed): Building of a single shared library fails
Closed by commit #37bbe0f81. Marco Eichelberg
11:08 Feature #1220 (New): Use of DcmDate/Time/DateTime instead of OFDate/Time/DateTime
In various places in DCMTK the classes OFDate/Time/DateTime are used to retrieve the current data or time in DICOM fo... Marco Eichelberg
 

Also available in: Atom