[gdal-dev] zlib vulnerability CVE-2018-25032 affecting GAL
Andrew C Aitchison
andrew at aitchison.me.uk
Thu Apr 7 04:53:52 PDT 2022
On Thu, 7 Apr 2022, Mateusz Loskot wrote:
> On Thu, 7 Apr 2022 at 12:29, prashanti seri <seri.prashanti at gmail.com> wrote:
>> Does zlib vulnerability CVE-2018-25032 affect GDAL as it uses this lib?
>
> Hints:
> https://github.com/OSGeo/gdal/blob/master/frmts/zlib/zlib.h#L40
> https://github.com/OSGeo/gdal/blob/patch/3.2.2.1/gdal/frmts/zlib/zlib.h#L40
> https://github.com/OSGeo/gdal/blob/release/3.4/gdal/frmts/zlib/zlib.h#L40
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
It has lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option.
so I don't see how zlib 1.2.3 protects gdal from this bug.
I note that ubuntu zlib1g (1:1.2.11.dfsg-2ubuntu7.1) which was released on
Sat, 26 Mar 2022 fixes this.
> Hint on solution:
> https://gdal.org/build_hints.html#zlib
I agree that building with a known good zlib is a solution.
--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk
More information about the gdal-dev
mailing list