[gdal-dev] Question: CPL minizip affected by CVE-2023-45853?
James Addison
jay at jp-hosting.net
Fri Nov 3 08:17:42 PDT 2023
Hi folks,
I've arrived at the gdal mailing list after reading the security
policy[1] on the GitHub repository, but then decided that this is as
much a question as it is a bug, so I'm following the issue template
comment advice[2] to post here.
The Common Portability Library within gdal includes some code derived
from minizip / Info-ZIP, and while investigating Debian bug #1054290
I've been trying to figure out where else code affected by
vulnerability CVE-2023-45853 could exist.
Could a maintainer confirm whether the affected section of code[3] in
gdal/CPL is vulnerable too? If so, there is a fix[4] from the zlib
repository (that hosts minizip) that may be straightforward to apply -
and I think that'd be license-compatible to cherry-pick but that's
probably worth confirming.
Thanks,
James
More information about the gdal-dev
mailing list