
Cloud Vulnerability DB
A community-led vulnerabilities database
DCMTK (DICOM Toolkit) is a collection of libraries and applications that implement the DICOM standard for medical imaging. An improper array index validation vulnerability (CVE-2024-52333) was discovered in the determineMinMax functionality of OFFIS DCMTK 3.6.8. The vulnerability was found by Emmanuel Tacheau of Cisco Talos and publicly disclosed on January 13, 2025 (Talos Report).
The vulnerability is caused by missing validation of array indices in determineMinMax. In DiInputPixelTemplate::determineMinMax(), the values read through the pointer 'p' are never checked against the size of the buffer allocated for the pointer 'q' that they are used to index. This allows manipulation of the Count variable and of the values derived from the p pointer, which can lead to memory corruption. The vulnerability has been assigned a CVSS v3.1 score of 8.4 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (Talos Report).
When exploited, this vulnerability can lead to an out-of-bounds write, potentially resulting in memory corruption or a use-after-free. The impact is particularly severe because it can be triggered simply by processing a specially crafted DICOM file, which could lead to arbitrary code execution (Talos Report).
The vulnerability has been patched in a commit that adds checks to ensure HighBit < BitsAllocated. The fix was released on January 3, 2025; users are advised to update to a patched version of DCMTK (DCMTK Commit).
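The defensive pattern behind the fix, as an added C illustration that is not DCMTK's own code: a header validator carrying the HighBit < BitsAllocated check the commit introduces (plus standard DICOM consistency rules assumed here), and a table-driven min/max pass whose index is bounded by BitsStored, so a sample value from a crafted file cannot write past the table. The pixel_desc_t type, the field names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <string.h>   /* size_t, memset */
/* Simplified illustration of the CVE-2024-52333 pattern; NOT DCMTK's code.
 * The three fields are the DICOM Pixel Data description attributes. */
typedef struct {
    uint16_t bits_allocated;  /* (0028,0100) */
    uint16_t bits_stored;     /* (0028,0101) */
    uint16_t high_bit;        /* (0028,0102) */
} pixel_desc_t;
/* HighBit < BitsAllocated is the check the DCMTK fix adds; the other tests are
 * ordinary DICOM consistency rules assumed here. Returns 1 if the header is usable. */
int pixel_desc_valid(const pixel_desc_t *d)
{
    if (d->bits_allocated == 0 || d->bits_allocated > 16) return 0;
    if (d->high_bit >= d->bits_allocated) return 0;   /* the patched check */
    if (d->bits_stored == 0 || d->bits_stored > d->bits_allocated) return 0;
    if (d->high_bit + 1 < d->bits_stored) return 0;   /* stored bits must fit below HighBit */
    return 1;
}
/* Table-driven min/max over unsigned samples (the lookup idea behind determineMinMax).
 * The table has 2^BitsStored entries and each index is masked to BitsStored bits, so no
 * sample can write past the table. Returns 0 on success, -1 on a bad header or no input. */
int determine_min_max(const pixel_desc_t *d, const uint16_t *p, size_t count,
                      uint16_t *out_min, uint16_t *out_max)
{
    static uint8_t seen[1u << 16];            /* covers BitsStored <= 16 */
    if (!pixel_desc_valid(d) || count == 0) return -1;
    const size_t table_size = (size_t)1u << d->bits_stored;
    const unsigned shift = d->high_bit + 1u - d->bits_stored;  /* LSB of the stored bits */
    const uint16_t mask = (uint16_t)(table_size - 1u);
    memset(seen, 0, table_size);
    for (size_t i = 0; i < count; ++i)
        seen[(p[i] >> shift) & mask] = 1;     /* index is provably < table_size */
    size_t lo = 0, hi = table_size - 1;
    while (!seen[lo]) ++lo;                   /* count > 0 guarantees a hit */
    while (!seen[hi]) --hi;
    *out_min = (uint16_t)lo;
    *out_max = (uint16_t)hi;
    return 0;
}
/* Constructed input: 12 bits stored in 16-bit words; 0xF010 has stray bits above HighBit
 * that the mask discards. Returns 1 if min/max are 0x010/0xFFF and the bad header is rejected. */
int self_check(void)
{
    const pixel_desc_t good = {16, 12, 11}, bad = {8, 8, 8};
    const uint16_t samples[] = {0x0FFF, 0x0010, 0x0ABC, 0xF010};
    uint16_t mn = 0, mx = 0;
    if (determine_min_max(&good, samples, 4, &mn, &mx) != 0 || mn != 0x010 || mx != 0xFFF) return 0;
    return determine_min_max(&bad, samples, 4, &mn, &mx) == -1;
}
```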
The vulnerability was part of a larger disclosure of multiple vulnerabilities in OFFIS DCMTK, as reported in security blogs. The disclosure followed responsible vulnerability reporting practices: vendor notification on December 16, 2024, a patch release on January 3, 2025, and public disclosure on January 13, 2025 (Talos Blog).
Source: This report was generated using AI