[rttopo-dev] Empty geometry bug in PostGIS

Carlos López clopez at suse.de
Thu Dec 30 02:54:44 PST 2021


Hello list,

I am a security engineer from the SUSE Linux security team.

During an investigation of CVE-2017-18359 [0], I noticed that librttopo 
seems to share the affected code in PostGIS. After looking at PostGIS' 
bug issue [1] and the related changeset [2], I noticed that the affected 
function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo 
[4], and the latter lacks the appropriate check for empty geometries. 
This is considered a remote DoS vulnerability. Could you please confirm 
if librttopo is vulnerable, and if so, patch accordingly? Thanks in advance.

Best regards,

Carlos

[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359
[1] https://trac.osgeo.org/postgis/ticket/3704
[2] https://trac.osgeo.org/postgis/changeset/15444
[3] 
https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60
[4] 
https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62

-- 
Carlos López
Jr. Security Engineer
SUSE Software Solutions



More information about the librttopo-dev mailing list