group.of.nepali.translators team mailing list archive

[Bug 2081100] Re: Regression: CVE-2021-41687 introduces a segmentation fault on storescu

 

** Summary changed:

- Segmentation fault after installing ubuntu 20.04 security update  3.6.4-2.1ubuntu0.1
+ Regression: CVE-2021-41687 introduces a segmentation fault on storescu

** Description changed:

- Dear package maintainers of dcmtk, libdcmtk14, libdcmtk-dev,
+ [Impact]
  
- Today, we have applied the latest update 3.6.4-2.1ubuntu0.1. See details https://ubuntu.pkgs.org/20.04/ubuntu-updates-universe-arm64/libdcmtk14_3.6.4-2.1ubuntu0.1_arm64.deb.html
- When running the dcmtk tool storescu, sending data is performed correctly, but the tool crashes. The last 3 lines of the command line output are:
- I: Received Store Response (Success)
- I: Releasing Association
+ The patch for CVE-2021-41687, below:
+ 
+ commit a9697dfeb672b0b9412c00c7d36d801e27ec85cb
+ Author: Michael Onken <onken@xxxxxxxxxxxxxxxxxxx>
+ Date:  Sat Oct 2 00:29:56 2021 +0200
+ Subject: Fixed poss. NULL pointer dereference/double free.
+ Link: https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb
+ 
+ takes two very similar functions:
+ 
+ dcmnet/libsrc/assoc.cc
+ static void destroyPresentationContextList(LST_HEAD ** lst)
+ 
+ dcmnet/libsrc/dulfsm.cc
+ void destroyPresentationContextList(LST_HEAD ** l)
+ 
+ which have suspiciously similar names, suspiciously similar signatures, and
+ suspiciously close functionalities, and merges them into a single, new
+ implementation:
+ 
+ dcmnet/libsrc/helpers.cc
+ void destroyPresentationContextList(LST_HEAD ** l)
+ 
+ which is pretty much the one from dcmnet/libsrc/dulfsm.cc.
+ 
+ The problem is, they do very different things, and introduce a segmentation
+ fault any time ASC_destroyAssociationParameters() is called.
+ 
+ This breaks storescp, and there are no workarounds.
+ 
+ Affected versions:
+ focal 3.6.4-2.1ubuntu0.1
+ bionic 3.6.2-3ubuntu0.1~esm2
+ xenial 3.6.1~20150924-5ubuntu0.1~esm2
+ 
+ [Testcase]
+ 
+ $ sudo apt install dcmtk
+ 
+ Download a test .dcm image from:
+ https://support.dcmtk.org/redmine/projects/dcmtk/wiki/DICOM_images
+ 
+ Open two terminals. On one, run:
+ $ storescp 1437
  Segmentation fault (core dumped)
  
- According to our analysis, the code crashes when function
- ASC_destroyAssociation(...) is called.
+ and on the other:
+ $ dcmsend localhost 1437 rp_test.dcm
+ Segmentation fault (core dumped)
  
- If I downgrade to package version 3.6.4-2.1build2, everything works
- fine.
+ Both processes crash with a segmentation fault after the file has been
+ transmitted.
  
- Could you please investigate this issue?
+ If you install test packages from the following ppa:
  
- Bye,
- Andreas Zolnay
+ https://launchpad.net/~mruffell/+archive/ubuntu/sf413845-test
+ 
+ The segmentation faults will no longer occur.
+ 
+ [Where problems can occur]
+ 
+ We are correcting multiple function calls to point back to the old
+ implementation that was used before the changes were made. This function
+ now has a new name, and there is a risk that some function calls will slip through
+ the cracks, because the previous function calls have the same name as another
+ function that has an incorrect implementation.
+ 
+ If a regression were to occur, it would likely cause a segmentation fault and
+ crash, leading to a loss of service. Given that dcmtk is for medical imaging,
+ reliability is one of the most important things this software needs to deliver.
+ 
+ [Other info]
+ 
+ The issue was fixed by:
+ 
+ commit 32ae3e5137e5a52f61a8dc9186f2539226794217
+ Author: Michael Onken <onken@xxxxxxxxxxxxxxxxxxx>
+ Date:  Sat Oct 9 22:10:43 2021 +0200
+ Subject: Fixed bug introduced in a9697d.
+ Link: https://github.com/DCMTK/dcmtk/commit/32ae3e5137e5a52f61a8dc9186f2539226794217
+ 
+ This patch pretty much restores the implementation from dcmnet/libsrc/assoc.cc
+ and gives it a new name:
+ 
+ dcmnet/libsrc/assoc.cc
+ void destroyDULParamPresentationContextList(LST_HEAD ** lst)
+ 
+ noble has the patch in a point release; jammy has the patch as part of
+ CVE-2021-41687. focal, bionic and xenial need this patch.

** Also affects: ubuntu-pro
   Importance: Undecided
       Status: New

** Also affects: ubuntu-pro/20.04
   Importance: Undecided
       Status: New

** Also affects: ubuntu-pro/16.04
   Importance: Undecided
       Status: New

** Also affects: ubuntu-pro/18.04
   Importance: Undecided
       Status: New

** Changed in: dcmtk (Ubuntu Xenial)
       Status: New => Won't Fix

** Changed in: dcmtk (Ubuntu Bionic)
       Status: New => Won't Fix

** Changed in: dcmtk (Ubuntu Focal)
       Status: New => Won't Fix

** Changed in: ubuntu-pro/16.04
   Importance: Undecided => Medium

** Changed in: ubuntu-pro/16.04
       Status: New => In Progress

** Changed in: ubuntu-pro/16.04
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: ubuntu-pro/18.04
   Importance: Undecided => Medium

** Changed in: ubuntu-pro/18.04
       Status: New => In Progress

** Changed in: ubuntu-pro/18.04
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: ubuntu-pro/20.04
   Importance: Undecided => Medium

** Changed in: ubuntu-pro/20.04
       Status: New => In Progress

** Changed in: ubuntu-pro/20.04
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2081100

Title:
  Regression: CVE-2021-41687 introduces a segmentation fault on storescu

Status in Ubuntu Pro:
  In Progress
Status in Ubuntu Pro 16.04 series:
  In Progress
Status in Ubuntu Pro 18.04 series:
  In Progress
Status in Ubuntu Pro 20.04 series:
  In Progress
Status in dcmtk package in Ubuntu:
  Confirmed
Status in dcmtk source package in Xenial:
  Won't Fix
Status in dcmtk source package in Bionic:
  Won't Fix
Status in dcmtk source package in Focal:
  Won't Fix
Status in dcmtk source package in Jammy:
  Fix Released
Status in dcmtk source package in Noble:
  Fix Released


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2081100/+subscriptions
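The [Impact] section above describes two same-named list destroyers, one for the association parameters in assoc.cc and one for the state machine's private list in dulfsm.cc, being merged into a single implementation, after which tearing down one kind of list with code written for the other crashes. The C program below is an added illustration, not DCMTK's code: node_t, list_t, param_ctx_t, fsm_ctx_t and every function name are hypothetical stand-ins (the real DUL structures are not reproduced) that share only the property that matters here, a nested transfer-syntax list sitting at a different offset in each layout. It gives each layout its own distinctly named destroyer, as the upstream follow-up commit does with destroyDULParamPresentationContextList, and adds a per-element type tag check, which is an addition of this example and not something dcmtk does, so that a wrong-layout call returns -1 instead of freeing whatever bytes happen to sit at the wrong offset.

```c
/* Added illustration, not DCMTK code: two look-alike "presentation context" element
 * types whose nested transfer-syntax list lives at different offsets.  All names are
 * hypothetical; list_t only mimics the shape of dcmtk's LST_HEAD. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct node { struct node *next; } node_t;   /* intrusive link, always first member */
typedef struct { node_t *head; } list_t;
static int live_allocs;                               /* outstanding heap blocks */
static void *xmalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); live_allocs++; return p; }
static void xfree(void *p) { free(p); live_allocs--; }
int live_allocations(void) { return live_allocs; }
static void list_push(list_t *l, node_t *n) { n->next = l->head; l->head = n; }
static node_t *list_dequeue(list_t *l) { node_t *n = l->head; if (n) l->head = n->next; return n; }
enum ctx_kind { CTX_PARAM = 0x50415241, CTX_FSM = 0x46534d31 };   /* tag, same offset in both */
typedef struct { node_t link; char uid[64]; } ts_t;                /* one transfer syntax */
typedef struct {   /* association-parameter view: nested list comes after the abstract syntax */
    node_t link; enum ctx_kind kind; unsigned char id; char abstract_syntax[64]; list_t proposed_ts;
} param_ctx_t;
typedef struct {   /* state machine's private view: nested list right after the tag */
    node_t link; enum ctx_kind kind; list_t ts_list; unsigned char id, result;
} fsm_ctx_t;
/* A single destroyer written for either layout would read the other's nested list from
 * the wrong offset (inside abstract_syntax, or past ts_list) and free whatever it found. */
int nested_list_offsets_differ(void) {
    return offsetof(param_ctx_t, proposed_ts) != offsetof(fsm_ctx_t, ts_list);
}
static void destroy_ts_list(list_t *l) { node_t *n; while ((n = list_dequeue(l)) != NULL) xfree(n); }

/* Distinctly named destroyer per layout.  The tag check on the first element turns a
 * wrong-type call into -1 instead of a crash; both are NULL-safe and leave *lst NULL
 * on success, so a repeated call cannot free anything twice. */
int destroy_param_ctx_list(list_t **lst) {
    node_t *n;
    if (lst == NULL || *lst == NULL) return 0;
    if ((*lst)->head && ((param_ctx_t *)(*lst)->head)->kind != CTX_PARAM) return -1;
    while ((n = list_dequeue(*lst)) != NULL) {
        destroy_ts_list(&((param_ctx_t *)n)->proposed_ts);
        xfree(n);
    }
    xfree(*lst); *lst = NULL;
    return 0;
}
int destroy_fsm_ctx_list(list_t **lst) {
    node_t *n;
    if (lst == NULL || *lst == NULL) return 0;
    if ((*lst)->head && ((fsm_ctx_t *)(*lst)->head)->kind != CTX_FSM) return -1;
    while ((n = list_dequeue(*lst)) != NULL) {
        destroy_ts_list(&((fsm_ctx_t *)n)->ts_list);
        xfree(n);
    }
    xfree(*lst); *lst = NULL;
    return 0;
}

/* Builders filled with constructed sample data: nctx contexts with nts syntaxes each. */
static void push_sample_ts(list_t *l, int nts) {
    for (int j = 0; j < nts; j++) {
        ts_t *ts = xmalloc(sizeof *ts);
        snprintf(ts->uid, sizeof ts->uid, "1.2.840.10008.1.2.%d", j);
        list_push(l, &ts->link);
    }
}
list_t *build_param_list(int nctx, int nts) {
    list_t *l = xmalloc(sizeof *l);
    for (int i = 0; i < nctx; i++) {
        param_ctx_t *pc = xmalloc(sizeof *pc);
        pc->kind = CTX_PARAM; pc->id = (unsigned char)(2 * i + 1);
        push_sample_ts(&pc->proposed_ts, nts);
        list_push(l, &pc->link);
    }
    return l;
}
list_t *build_fsm_list(int nctx, int nts) {
    list_t *l = xmalloc(sizeof *l);
    for (int i = 0; i < nctx; i++) {
        fsm_ctx_t *pc = xmalloc(sizeof *pc);
        pc->kind = CTX_FSM; pc->id = (unsigned char)(2 * i + 1);
        push_sample_ts(&pc->ts_list, nts);
        list_push(l, &pc->link);
    }
    return l;
}

/* Drives the whole sequence; returns 0 on success, else the number of the failed step. */
int demo_roundtrip(void) {
    list_t *p = build_param_list(3, 2), *f = build_fsm_list(2, 4);
    if (live_allocations() != 21) return 1;                       /* 2 heads + 5 ctx + 14 ts */
    if (destroy_param_ctx_list(&f) != -1 || f == NULL) return 2;  /* wrong layout: refused */
    if (destroy_fsm_ctx_list(&p) != -1 || p == NULL) return 3;
    if (destroy_param_ctx_list(&p) != 0 || p != NULL || live_allocations() != 11) return 4;
    if (destroy_fsm_ctx_list(&f) != 0 || f != NULL || live_allocations() != 0) return 5;
    return destroy_param_ctx_list(&p) == 0 ? 0 : 6;               /* second call is a no-op */
}
int main(void) {
    int r = demo_roundtrip();
    printf("offsets differ: %d, roundtrip: %d, live blocks: %d\n",
           nested_list_offsets_differ(), r, live_allocations());
    return r;
}
```

Build with `cc -std=c99 -Wall`. demo_roundtrip() returns 0 only when every block the builders allocated is released exactly once and each destroyer refuses the other's list. Because both lists are still passed as the untyped list_t, the distinct function names are what make a misuse visible at the call site, which is exactly the "slip through the cracks" risk the [Where problems can occur] section describes; the tag check is the runtime backstop for any call site that is missed.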