[gdal-dev] Are ogr_geojson/libjson vulnerable to json-c CVEs?
Matvei Stefarov
MStefarov at esri.com
Wed Jul 28 00:28:28 PDT 2021
Hello! I am new to the list, I hope that this is the right place to ask.
GDAL's geojson driver uses libjson, which is a fork of json-c 0.11. There have been a couple security vulnerabilities patched in json-c since version 0.11. These vulnerabilities are:
- CVE-2013-6370 (buffer overflow if size_t is larger than int)
- CVE-2013-6371 (hash collision denial of service)
- CVE-2020-12762 (integer overflow and out-of-bounds write via a large JSON file)
The first two were patched in 0.12 by https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015, and the last was patched by https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be. I don't see similar changes applied to GDAL's fork of libjson, so it might still be vulnerable.
I discovered this potential problem because my GDAL-based software was flagged as vulnerable by static analysis tools (https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html). This tool works likely detected the presence of json_c_version/json_c_version_num functions, which currently return 0.11.
So my questions are:
- Does GDAL appear to be vulnerable to these CVEs out-of-the-box?
- Would it be practical to build GDAL against a newer version of json-c instead of the bundled libjson -- or are there significant modifications in the fork?
Cheers,
Matvei Stefarov
More information about the gdal-dev
mailing list