<div dir="ltr"><div dir="ltr"><div>Hi Jeff.</div><div>I received the email from Suse and update the code.</div><div>Also I apply your patches.</div><div><br></div><div>Regards, <br></div><div>A.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Il giorno gio 30 dic 2021 alle ore 13:57 Jeff McKenna <<a href="mailto:jmckenna@gatewaygeomatics.com">jmckenna@gatewaygeomatics.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Forwarding, as I am not sure how many follow librttopo list....<br>
<br>
-------- Forwarded Message --------<br>
<br>
Hello list,<br>
<br>
I am a security engineer from the SUSE Linux security team.<br>
<br>
During an investigation of CVE-2017-18359 [0], I noticed that librttopo <br>
seems to share the affected code in PostGIS. After looking at PostGIS' <br>
bug issue [1] and the related changeset [2], I noticed that the affected <br>
function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo <br>
[4], and the latter lacks the appropriate check for empty geometries. <br>
This is considered a remote DoS vulnerability. Could you please confirm <br>
if librttopo is vulnerable, and if so, patch accordingly? Thanks in advance.<br>
<br>
Best regards,<br>
<br>
Carlos<br>
<br>
[0] <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-18359" rel="noreferrer" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2017-18359</a><br>
[1] <a href="https://trac.osgeo.org/postgis/ticket/3704" rel="noreferrer" target="_blank">https://trac.osgeo.org/postgis/ticket/3704</a><br>
[2] <a href="https://trac.osgeo.org/postgis/changeset/15444" rel="noreferrer" target="_blank">https://trac.osgeo.org/postgis/changeset/15444</a><br>
[3] <a href="https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60" rel="noreferrer" target="_blank">https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60</a><br>
[4] <a href="https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62" rel="noreferrer" target="_blank">https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62</a><br>
<br>
-- <br>
Carlos López<br>
Jr. Security Engineer<br>
SUSE Software Solutions<br>
<br>
_______________________________________________<br>
postgis-devel mailing list<br>
<a href="mailto:postgis-devel@lists.osgeo.org" target="_blank">postgis-devel@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/postgis-devel" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/postgis-devel</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature">-----------------<br>Andrea Peri<br>. . . . . . . . . <br>qwerty àèìòù<br>-----------------<br></div></div>
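The defect class Carlos describes above is an output routine that walks a geometry's coordinate array without first testing for an empty geometry, so an empty input turns into a crash of the serving process. The following is an added illustration, not code from librttopo or PostGIS: a hypothetical minimal geometry type and a small X3D-style coordinate serializer, with the unchecked routine placed beside the checked one and a regression check for the empty case. Every type and function name here (geom_t, geom_is_empty, to_x3d_unchecked, to_x3d_checked, the SAMPLE_* inputs) is an assumption made for the example.

```c
/* Illustrative example only; NOT librttopo's or PostGIS' own code.
 * A hypothetical geometry type and X3D-style serializer showing the
 * failure mode described in the thread (dereferencing the coordinate
 * array of an empty geometry) next to the checked version. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { double x, y, z; } point3d_t;

typedef struct {
    size_t npoints;     /* 0 for an empty geometry */
    point3d_t *points;  /* NULL when npoints == 0 */
} geom_t;

/* The empty-geometry predicate the output routine must consult first. */
int geom_is_empty(const geom_t *g)
{
    return g == NULL || g->npoints == 0 || g->points == NULL;
}

/* BEFORE: unchecked serializer. It emits points[0] outside the loop, so an
 * empty geometry (points == NULL) dereferences NULL and aborts the process;
 * in a database backend that is a remote denial of service. Kept only to
 * make the defect visible; never call it with an empty geometry. */
char *to_x3d_unchecked(const geom_t *g)
{
    size_t cap = 64 + 64 * g->npoints;  /* %g needs at most 13 chars per number */
    char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    int n = snprintf(buf, cap, "<Coordinate point=\"%g %g %g",
                     g->points[0].x, g->points[0].y, g->points[0].z); /* NULL deref if empty */
    for (size_t i = 1; i < g->npoints; i++)
        n += snprintf(buf + n, cap - (size_t)n, ", %g %g %g",
                      g->points[i].x, g->points[i].y, g->points[i].z);
    snprintf(buf + n, cap - (size_t)n, "\"/>");
    return buf;
}

/* AFTER: the same routine guarded by the empty check. An empty input yields an
 * empty coordinate node and the point array is never touched. */
char *to_x3d_checked(const geom_t *g)
{
    if (geom_is_empty(g)) {
        const char *empty = "<Coordinate point=\"\"/>";
        char *buf = malloc(strlen(empty) + 1);
        if (buf != NULL) strcpy(buf, empty);
        return buf;
    }
    return to_x3d_unchecked(g);  /* safe here: npoints >= 1 and points != NULL */
}

/* Serializes g with the checked routine and compares with the expected text.
 * Returns 1 on a match, 0 otherwise; frees the buffer either way. */
int x3d_equals(const geom_t *g, const char *expected)
{
    char *out = to_x3d_checked(g);
    int ok = (out != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

/* Constructed sample inputs: a two-point line and an empty geometry. */
static point3d_t sample_pts[] = { {1, 2, 3}, {4.5, 5, 6} };
const geom_t SAMPLE_LINE  = { 2, sample_pts };
const geom_t SAMPLE_EMPTY = { 0, NULL };

int main(void)
{
    /* Regression check for the empty case: the checked routine must return
     * without reading the (absent) coordinate array. */
    char *a = to_x3d_checked(&SAMPLE_LINE);
    char *b = to_x3d_checked(&SAMPLE_EMPTY);
    printf("%s\n%s\n", a ? a : "(alloc failed)", b ? b : "(alloc failed)");
    free(a);
    free(b);
    return 0;
}
```

The useful habit for reviewers of this class of bug is to look for any serializer or output function that reads element 0 of an array before the loop that reads the rest; that is exactly the spot where an empty-input check belongs, and the empty case deserves its own test so the check cannot be dropped silently later.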