[gdal-dev] zlib vulnerability CVE-2018-25032 affecting GDAL

Greg Troxel gdt at lexort.com
Thu Apr 7 06:08:23 PDT 2022


Even Rouault <even.rouault at spatialys.com> writes:

> Most GDAL binary distributions don't use that internal copy but the
> external zlib library provided by the operating system / distribution
> channel.

I realize you are accommodating people who can somehow get and build gdal
sources but can't first install zlib, but from the packaging viewpoint
having included copies is a bad thing.  Yes, it shouldn't get used, but
if a dependency isn't declared it would be hidden or not provided and
then be used anyway.

I therefore think it would be good to consider removing the vendored
copies, or at least requiring explicit config to turn them on.  (I just
looked in the sources for how to build and didn't find it in README.  I
know I have figured out how to build and this isn't a request for help,
but in terms of the cmake migration the instructions are missing.)  It
looks like internal will just be used if zlib is not found.

I wonder if it's still really necessary/helpful to have included libs
like zlib.
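The two build behaviours discussed above, side by side, as an added illustration that is not taken from GDAL's own build files: the silent "use the vendored copy if the system library is not found" fallback, and the explicit opt-in the post asks for. The option name, the `third_party/zlib` path and the `example` target are assumptions.

```cmake
# Hypothetical CMakeLists.txt fragment (not GDAL's build system).
cmake_minimum_required(VERSION 3.16)
project(example_with_zlib C)

# --- Pattern A: silent fallback (the behaviour the post objects to) ---------
# If the system zlib is missing, the bundled copy is compiled in without any
# record of it in the package's declared dependencies, so a vulnerable bundled
# zlib can ship unnoticed.
#
#   find_package(ZLIB)
#   if(NOT ZLIB_FOUND)
#       add_subdirectory(third_party/zlib)   # used silently
#   endif()

# --- Pattern B: explicit opt-in (the behaviour the post suggests) -----------
option(USE_INTERNAL_ZLIB
       "Build against the vendored zlib copy instead of the system library" OFF)

if(USE_INTERNAL_ZLIB)
    # The packager chose this deliberately, so the bundled copy can be
    # tracked (and rebuilt) when a zlib CVE such as CVE-2018-25032 lands.
    message(STATUS "Using vendored zlib from third_party/zlib (explicit opt-in)")
    add_subdirectory(third_party/zlib)      # hypothetical vendored path
    set(ZLIB_TARGET zlibstatic)             # static target defined by zlib's CMakeLists
else()
    # Default: the system zlib is a hard requirement. A missing library is a
    # configure-time error rather than a quiet switch to the bundled copy.
    find_package(ZLIB REQUIRED)
    set(ZLIB_TARGET ZLIB::ZLIB)
    message(STATUS "Using system zlib ${ZLIB_VERSION_STRING}")
endif()

add_executable(example main.c)
target_link_libraries(example PRIVATE ${ZLIB_TARGET})
```

With Pattern B, `cmake -S . -B build` fails on a host without zlib development headers unless `-DUSE_INTERNAL_ZLIB=ON` is passed, which is exactly the declared-dependency check the post is asking for.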