From jmckenna at gatewaygeomatics.com Wed Feb 23 11:04:23 2022 From: jmckenna at gatewaygeomatics.com (Jeff McKenna) Date: Wed, 23 Feb 2022 15:04:23 -0400 Subject: [rttopo-dev] Empty geometry bug in PostGIS In-Reply-To: References: <8b446813-f4ea-9f6b-db35-04c0e233d496@suse.de> Message-ID: <54539ecc-42c9-fc64-1470-8a37ad3092f2@gatewaygeomatics.com> I think security fix calls for a librttopo 1.1.1 release (or 1.2.0). Ticket filed: https://git.osgeo.org/gitea/rttopo/librttopo/issues/39 -jeff On 2021-12-31 11:06 a.m., Andrea Peri wrote: > Hi, thx for email. > I apply the patch to repo. > > Best Regards, > Andrea Peri. > > > Il giorno gio 30 dic 2021 alle ore 12:22 Carlos L?pez > ha scritto: > > Hello list, > > I am a security engineer from the SUSE Linux security team. > > During an investigation of CVE-2017-18359 [0], I noticed that librttopo > seems to share the affected code in PostGIS. After looking at PostGIS' > bug issue [1] and the related changeset [2], I noticed that the > affected > function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo > [4], and the latter lacks the appropriate check for empty geometries. > This is considered a remote DoS vulnerability. Could you please confirm > if librttopo is vulnerable, and if so, patch accordingly? Thanks in > advance. > > Best regards, > > Carlos > > [0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359 > > [1] https://trac.osgeo.org/postgis/ticket/3704 > > [2] https://trac.osgeo.org/postgis/changeset/15444 > > [3] > https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60 > > [4] > https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62 > > > -- > Carlos L?pez > Jr. Security Engineer > SUSE Software Solutions > > _______________________________________________ > librttopo-dev mailing list > librttopo-dev at lists.osgeo.org > https://lists.osgeo.org/mailman/listinfo/librttopo-dev > > > > -- Jeff McKenna GatewayGeo: Developers of MS4W, MapServer Consulting and Training co-founder of FOSS4G http://gatewaygeo.com/ From jmckenna at gatewaygeomatics.com Wed Feb 23 12:06:47 2022 From: jmckenna at gatewaygeomatics.com (Jeff McKenna) Date: Wed, 23 Feb 2022 16:06:47 -0400 Subject: [rttopo-dev] Empty geometry bug in PostGIS In-Reply-To: <54539ecc-42c9-fc64-1470-8a37ad3092f2@gatewaygeomatics.com> References: <8b446813-f4ea-9f6b-db35-04c0e233d496@suse.de> <54539ecc-42c9-fc64-1470-8a37ad3092f2@gatewaygeomatics.com> Message-ID: Actually Andrea, your patch introduces the lwgeom_is_empty() function from PostGIS, so (therefore) all of the existing build steps break (as previously librttopo only required GEOS). So, I'm assuming now that all of the build scripts inside the librttopo repository must also be updated as part of your patch? -jeff On 2022-02-23 3:04 p.m., Jeff McKenna wrote: > I think security fix calls for a librttopo 1.1.1 release (or 1.2.0). > Ticket filed: https://git.osgeo.org/gitea/rttopo/librttopo/issues/39 > > -jeff > > > > > On 2021-12-31 11:06 a.m., Andrea Peri wrote: >> Hi, thx for email. >> I apply the patch to repo. >> >> Best Regards, >> Andrea Peri. >> >> >> Il giorno gio 30 dic 2021 alle ore 12:22 Carlos L?pez > > ha scritto: >> >> ??? Hello list, >> >> ??? I am a security engineer from the SUSE Linux security team. >> >> ??? During an investigation of CVE-2017-18359 [0], I noticed that >> librttopo >> ??? seems to share the affected code in PostGIS. After looking at >> PostGIS' >> ??? bug issue [1] and the related changeset [2], I noticed that the >> ??? affected >> ??? function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo >> ??? [4], and the latter lacks the appropriate check for empty geometries. >> ??? This is considered a remote DoS vulnerability. Could you please >> confirm >> ??? if librttopo is vulnerable, and if so, patch accordingly? Thanks in >> ??? advance. >> >> ??? Best regards, >> >> ??? Carlos >> >> ??? [0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359 >> ??? >> ??? [1] https://trac.osgeo.org/postgis/ticket/3704 >> ??? >> ??? [2] https://trac.osgeo.org/postgis/changeset/15444 >> ??? >> ??? [3] >> >> https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60 >> >> >> >> >> ??? [4] >> >> https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62 >> >> >> >> >> >> ??? -- ??? Carlos L?pez >> ??? Jr. Security Engineer >> ??? SUSE Software Solutions >> >> ??? _______________________________________________ >> ??? librttopo-dev mailing list >> ??? librttopo-dev at lists.osgeo.org >> ??? https://lists.osgeo.org/mailman/listinfo/librttopo-dev >> ??? >> >> >> -- Jeff McKenna GatewayGeo: Developers of MS4W, MapServer Consulting and Training co-founder of FOSS4G http://gatewaygeo.com/