[gdal-dev] Question: CPL minizip affected by CVE-2023-45853?

James Addison jay at jp-hosting.net
Fri Nov 3 09:03:46 PDT 2023


Brilliant - thank you, Even!

On Fri, 3 Nov 2023 at 15:44, Even Rouault <even.rouault at spatialys.com> wrote:
>
> Hi James,
>
> thanks for the notice. GDAL copy has diverged a bit, but I've just
> managed to apply the upstream fix per
> https://github.com/OSGeo/gdal/pull/8658
>
> Even
>
> Le 03/11/2023 à 16:17, James Addison via gdal-dev a écrit :
> > Hi folks,
> >
> > I've arrived at the gdal mailing list after reading the security
> > policy[1] on the GitHub repository, but then decided that this is as
> > much a question as it is a bug, so I'm following the issue template
> > comment advice[2] to post here.
> >
> > The Common Portability Library within gdal includes some code derived
> > from minizip / Info-ZIP, and while investigating Debian bug #1054290
> > I've been trying to figure out where else code affected by
> > vulnerability CVE-2023-45853 could exist.
> >
> > Could a maintainer confirm whether the affected section of code[3] in
> > gdal/CPL is vulnerable too?  If so, there is a fix[4] from the zlib
> > repository (that hosts minizip) that may be straightforward to apply -
> > and I think that'd be license-compatible to cherry-pick but that's
> > probably worth confirming.
> >
> > Thanks,
> > James
>
> --
> http://www.spatialys.com
> My software is free, but my time generally not.
>