Jinsheng Ba

**Name of the Vulnerable Software and Affected Versions** Live555 versions 1.08 and earlier **Description** The issue is a memory leak in the AC3AudioStreamParser for AC3 files. **Recommendations** For versions 1.08 and earlier, consider updating to a version that fixes the memory leak issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Live555 versions prior to 1.09 **Description** The issue arises from improper handling of Matroska and Ogg files. Specifically, sending two successive RTSP SETUP commands for the same track can cause a Use-After-Free, leading to a daemon crash. **Recommendations** For versions prior to 1.09, update to version 1.09 or later to resolve the issue. As a temporary workaround, consider restricting access to RTSP SETUP commands for the same track to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions 3.6.6 and earlier **Description** The issue is related to a memory leak in the DCMTK library, which occurs when the program allocates heap memory for parsing data but fails to free it in case of parsing errors. This can be exploited by sending specific requests to the dcmqrdb program, allowing an attacker to launch a Denial of Service (DoS) attack. The vulnerability can be exploited remotely. **Recommendations** For DCMTK versions 3.6.6 and earlier, as a temporary workaround, consider restricting access to the dcmqrdb program to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions prior to 3.6.7 **Description** The issue is related to improper memory handling, where an object's memory is freed but its address is still used elsewhere in the program. This can lead to a double free condition when specific requests are sent to the dcmqrdb program, allowing an attacker to launch a denial-of-service (DoS) attack. **Recommendations** For DCMTK versions prior to 3.6.7, update to version 3.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the dcmqrdb program to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions 3.6.6 and earlier **Description** The issue is related to improper string copy handling in DCMTK. By sending specific requests to the `dcmqrdb` program, an attacker can cause the program to query its database and copy the result, even if the result is null, leading to a heap-based overflow. This can be exploited to launch a Denial of Service (DoS) attack. The vulnerability can be exploited by a remote attacker. **Recommendations** For DCMTK versions 3.6.6 and earlier, as a temporary workaround, consider restricting access to the `dcmqrdb` program to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DCMTK versions 3.6.6 and earlier **Description** The issue is related to improper memory handling in the DCMTK library, specifically with the global variable LST, which records allocated memory for storing file information but does not free it properly. This can lead to a memory leak when specific requests are sent to the dcmqrdb program, allowing an attacker to launch a denial-of-service (DoS) attack. **Recommendations** For DCMTK versions 3.6.6 and earlier, as a temporary workaround, consider restricting access to the dcmqrdb program to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.