Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 11 Jan 2016 10:16:46 +0200
From: Stelios Tsampas <>
Subject: CVE-2015-8397: GDCM out-of-bounds read in JPEGLSCodec::DecodeExtent

Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
It provides routines to view and manipulate a wide range of image formats
and can be accessed through many popular programming languages like Python,
C#, Java and PHP.

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to
an out-of-bounds read vulnerability due to missing checks. The vulnerability
occurs during the decoding of JPEG-LS images when the dimensions of the
embedded JPEG-LS image (as specified in the JPEG headers) are smaller than
the ones of the selected region (set by gdcm::ImageRegionReader::SetRegion
and usually based on DICOM header values).

More information about this vulnerability can be found at

The GDCM project has released version 2.6.2 that addresses this issue.
It is advised to upgrade all GDCM installations to the latest stable

Disclosure Timeline
CVE assignment:    December 2nd, 2015
Vendor Contact:    December 4th, 2015
Vendor Patch Release: December 23rd, 2015
Public Disclosure: January 11th, 2016


Stelios Tsampas

IT Security Researcher

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.