[rttopo-dev] Empty geometry bug in PostGIS

Jeff McKenna jmckenna at gatewaygeomatics.com
Wed Feb 23 11:04:23 PST 2022


I think the security fix calls for a librttopo 1.1.1 release (or 1.2.0).
Ticket filed: https://git.osgeo.org/gitea/rttopo/librttopo/issues/39

-jeff




On 2021-12-31 11:06 a.m., Andrea Peri wrote:
> Hi, thanks for the email.
> I apply the patch to the repo.
> 
> Best Regards,
> Andrea Peri.
> 
> 
> On Thu, 30 Dec 2021 at 12:22, Carlos López <clopez at suse.de> wrote:
> 
>     Hello list,
> 
>     I am a security engineer from the SUSE Linux security team.
> 
>     During an investigation of CVE-2017-18359 [0], I noticed that librttopo
>     seems to share the affected code in PostGIS. After looking at PostGIS'
>     bug issue [1] and the related changeset [2], I noticed that the affected
>     function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo
>     [4], and the latter lacks the appropriate check for empty geometries.
>     This is considered a remote DoS vulnerability. Could you please confirm
>     if librttopo is vulnerable, and if so, patch accordingly? Thanks in
>     advance.
> 
>     Best regards,
> 
>     Carlos
> 
>     [0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359
>     [1] https://trac.osgeo.org/postgis/ticket/3704
>     [2] https://trac.osgeo.org/postgis/changeset/15444
>     [3] https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60
>     [4] https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62
> 
>     -- 
>     Carlos López
>     Jr. Security Engineer
>     SUSE Software Solutions
> 
> 
-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/

