Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2022:10145-1
Final
1
1
2022-10-12T15:35:24Z
current
2022-10-12T15:35:24Z
2022-10-12T15:35:24Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the following issues:
Changes in gdcm:
- rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. BrĂ¼ns)
- version 3.0.18
no changelog
- version 3.0.12
* support for poppler 22.03 added
Changes in orthanc-gdcm:
- changed dependency gdcm-libgdcm3_0 -> libgdcm3_0
Changes in orthanc:
- version 1.11.2
* Added support for RGBA64 images in tools/create-dicom and /preview
* New configuration 'MaximumStorageMode' to choose between recyling of
old patients (default behavior) and rejection of new incoming data when
the MaximumStorageSize has been reached.
* New sample plugin: 'DelayedDeletion' that will delete files from disk
asynchronously to speed up deletion of large studies.
* Lua: new 'SetHttpTimeout' function
* Lua: new 'OnHeartBeat' callback called at regular interval provided that
you have configured 'LuaHeartBeatPeriod' > 0.
* 'ExtraMainDicomTags' configuration now accepts Dicom Sequences. Sequences are
stored in a dedicated new metadata 'MainDicomSequences'. This should improve
DicomWeb QIDO-RS and avoid warnings like 'Accessing Dicom tags from storage when
accessing series : 0040,0275'.
Main dicom sequences can now be returned in 'MainDicomTags' and in 'RequestedTags'.
* Fix the 'Never' option of the 'StorageAccessOnFind' that was sill accessing
files (bug introduced in 1.11.0).
* Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
* Fix the storage cache that was not used by the Plugin SDK. This fixes the
DicomWeb plugin '/rendered' route performance issues.
* DelayedDeletion plugin: Fix leaking of symbols
* SQLite now closes and deletes WAL and SHM files on exit. This should improve
handling of SQLite DB over network drives.
* Fix static compilation of boost 1.69 on Ubuntu 22.04
* Upgraded dependencies for static builds:
- boost 1.80.0
- dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
- openssl 3.0.5
* Housekeeper plugin: Fix resume of previous processing
* Added missing MOVEPatientRootQueryRetrieveInformationModel in
DicomControlUserConnection::SetupPresentationContexts()
* Improved HttpClient error logging (add method + url)
* API version upgraded to 18
* /system is now reporting 'DatabaseServerIdentifier'
* Added an Asynchronous mode to /modalities/../move.
* 'RequestedTags' option can now include DICOM sequences.
* New function in the SDK: 'OrthancPluginGetDatabaseServerIdentifier'
* DicomMap::ParseMainDicomTags has been deprecated -> retrieve 'full' tags
and use DicomMap::FromDicomAsJson instead
Changes in orthanc-webviewer:
- version 2.8
* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
Kurutac, NCC Group)
* framework190.diff removed (covered in actual version)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
openSUSE-2022-10145
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OTK3TBM5PVZQBCMNB7R6KN74EKSALYHH/
E-Mail link for openSUSE-SU-2022:10145-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://www.suse.com/security/cve/CVE-2022-2119/
SUSE CVE CVE-2022-2119 page
https://www.suse.com/security/cve/CVE-2022-2120/
SUSE CVE CVE-2022-2120 page
SUSE Package Hub 15 SP4
openSUSE Leap 15.4
gdcm-3.0.19-bp154.2.5.1
gdcm-applications-3.0.19-bp154.2.5.1
gdcm-devel-3.0.19-bp154.2.5.1
gdcm-examples-3.0.19-bp154.2.5.1
libgdcm3_0-3.0.19-bp154.2.5.1
libsocketxx1_2-3.0.19-bp154.2.5.1
orthanc-1.11.2-bp154.2.3.1
orthanc-devel-1.11.2-bp154.2.3.1
orthanc-doc-1.11.2-bp154.2.3.1
orthanc-gdcm-1.5-bp154.2.3.1
orthanc-source-1.11.2-bp154.2.3.1
orthanc-webviewer-2.8-bp154.2.3.1
python3-gdcm-3.0.19-bp154.2.5.1
gdcm-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
gdcm-applications-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
gdcm-devel-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
gdcm-examples-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
libgdcm3_0-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
libsocketxx1_2-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
orthanc-1.11.2-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
orthanc-devel-1.11.2-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
orthanc-doc-1.11.2-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
orthanc-gdcm-1.5-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
orthanc-source-1.11.2-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
orthanc-webviewer-2.8-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4
python3-gdcm-3.0.19-bp154.2.5.1 as a component of SUSE Package Hub 15 SP4
gdcm-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
gdcm-applications-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
gdcm-devel-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
gdcm-examples-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
libgdcm3_0-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
libsocketxx1_2-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
orthanc-1.11.2-bp154.2.3.1 as a component of openSUSE Leap 15.4
orthanc-devel-1.11.2-bp154.2.3.1 as a component of openSUSE Leap 15.4
orthanc-doc-1.11.2-bp154.2.3.1 as a component of openSUSE Leap 15.4
orthanc-gdcm-1.5-bp154.2.3.1 as a component of openSUSE Leap 15.4
orthanc-source-1.11.2-bp154.2.3.1 as a component of openSUSE Leap 15.4
orthanc-webviewer-2.8-bp154.2.3.1 as a component of openSUSE Leap 15.4
python3-gdcm-3.0.19-bp154.2.5.1 as a component of openSUSE Leap 15.4
OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
CVE-2022-2119
SUSE Package Hub 15 SP4:gdcm-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-applications-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-devel-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-examples-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:libgdcm3_0-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:libsocketxx1_2-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:orthanc-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-devel-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-doc-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-gdcm-1.5-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-source-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-webviewer-2.8-bp154.2.3.1
SUSE Package Hub 15 SP4:python3-gdcm-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-applications-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-devel-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-examples-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:libgdcm3_0-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:libsocketxx1_2-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:orthanc-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-devel-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-doc-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-gdcm-1.5-bp154.2.3.1
openSUSE Leap 15.4:orthanc-source-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-webviewer-2.8-bp154.2.3.1
openSUSE Leap 15.4:python3-gdcm-3.0.19-bp154.2.5.1
critical
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OTK3TBM5PVZQBCMNB7R6KN74EKSALYHH/
https://www.suse.com/security/cve/CVE-2022-2119.html
CVE-2022-2119
https://bugzilla.suse.com/1208637
SUSE Bug 1208637
OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
CVE-2022-2120
SUSE Package Hub 15 SP4:gdcm-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-applications-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-devel-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:gdcm-examples-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:libgdcm3_0-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:libsocketxx1_2-3.0.19-bp154.2.5.1
SUSE Package Hub 15 SP4:orthanc-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-devel-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-doc-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-gdcm-1.5-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-source-1.11.2-bp154.2.3.1
SUSE Package Hub 15 SP4:orthanc-webviewer-2.8-bp154.2.3.1
SUSE Package Hub 15 SP4:python3-gdcm-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-applications-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-devel-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:gdcm-examples-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:libgdcm3_0-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:libsocketxx1_2-3.0.19-bp154.2.5.1
openSUSE Leap 15.4:orthanc-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-devel-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-doc-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-gdcm-1.5-bp154.2.3.1
openSUSE Leap 15.4:orthanc-source-1.11.2-bp154.2.3.1
openSUSE Leap 15.4:orthanc-webviewer-2.8-bp154.2.3.1
openSUSE Leap 15.4:python3-gdcm-3.0.19-bp154.2.5.1
critical
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OTK3TBM5PVZQBCMNB7R6KN74EKSALYHH/
https://www.suse.com/security/cve/CVE-2022-2120.html
CVE-2022-2120
https://bugzilla.suse.com/1208638
SUSE Bug 1208638