[gdal-dev] Question: CPL minizip affected by CVE-2023-45853?

Even Rouault even.rouault at spatialys.com
Fri Nov 3 08:44:17 PDT 2023


Hi James,

thanks for the notice. GDAL copy has diverged a bit, but I've just 
managed to apply the upstream fix per 
https://github.com/OSGeo/gdal/pull/8658

Even

On 03/11/2023 at 16:17, James Addison via gdal-dev wrote:
> Hi folks,
>
> I've arrived at the gdal mailing list after reading the security
> policy[1] on the GitHub repository, but then decided that this is as
> much a question as it is a bug, so I'm following the issue template
> comment advice[2] to post here.
>
> The Common Portability Library within gdal includes some code derived
> from minizip / Info-ZIP, and while investigating Debian bug #1054290
> I've been trying to figure out where else code affected by
> vulnerability CVE-2023-45853 could exist.
>
> Could a maintainer confirm whether the affected section of code[3] in
> gdal/CPL is vulnerable too?  If so, there is a fix[4] from the zlib
> repository (that hosts minizip) that may be straightforward to apply -
> and I think that'd be license-compatible to cherry-pick but that's
> probably worth confirming.
>
> Thanks,
> James
> _______________________________________________
> gdal-dev mailing list
> gdal-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/gdal-dev

-- 
http://www.spatialys.com
My software is free, but my time generally not.
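Added example, not part of the thread and not GDAL's or zlib's own code: the upstream minizip fix referenced above rejects filename, extra-field and comment lengths that do not fit the 16-bit length slots of the ZIP local and central headers. The functions below model that class of check in isolation; the `ZIP_OK`/`ZIP_PARAMERROR` return codes and the function names are assumptions chosen to read like a minizip-style API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative bounds check modelled on the kind of fix applied to minizip
 * for CVE-2023-45853. Not GDAL's or zlib's code. */

#define ZIP_FIELD_MAX 0xffffu  /* largest value a 16-bit header length slot can hold */

/* minizip-style return codes (assumed values for this example). */
enum { ZIP_OK = 0, ZIP_PARAMERROR = -102 };

/* Every variable-length part of a ZIP entry (filename, local and global
 * extra fields, comment) is described in the headers by a 16-bit
 * little-endian length. Anything larger cannot be represented and must be
 * rejected before any header buffer is sized from these values. */
int zip_check_entry_lengths(size_t size_filename, size_t size_comment,
                            size_t size_extrafield_local,
                            size_t size_extrafield_global)
{
    if (size_filename > ZIP_FIELD_MAX || size_comment > ZIP_FIELD_MAX)
        return ZIP_PARAMERROR;
    if (size_extrafield_local > ZIP_FIELD_MAX ||
        size_extrafield_global > ZIP_FIELD_MAX)
        return ZIP_PARAMERROR;
    return ZIP_OK;
}

/* Convenience wrapper taking the strings the way a zipOpenNewFile-style
 * entry point receives them; NULL means "no such field". */
int zip_check_entry(const char *filename, const char *comment,
                    size_t size_extrafield_local, size_t size_extrafield_global)
{
    return zip_check_entry_lengths(filename ? strlen(filename) : 0,
                                   comment ? strlen(comment) : 0,
                                   size_extrafield_local,
                                   size_extrafield_global);
}

/* Encodes a length into a 16-bit header slot. This is why the check above
 * matters: without it a length of 0x10000 silently becomes 0 here, so the
 * header no longer describes the memory that was sized from the full value. */
uint16_t zip_encode_u16(size_t value)
{
    return (uint16_t)(value & 0xffffu);
}

/* Local file header size for an entry: 30 fixed bytes plus the filename and
 * the local extra field. Only meaningful once zip_check_entry_lengths passed. */
size_t zip_local_header_size(size_t size_filename, size_t size_extrafield_local)
{
    return 30u + size_filename + size_extrafield_local;
}
```

When auditing a vendored or diverged copy such as GDAL's CPL minizip, the thing to confirm is that an equivalent rejection happens before the header buffers are allocated and before the lengths are narrowed to 16 bits, not merely somewhere later in the write path.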
