[rttopo-dev] Empty geometry bug in PostGIS

Jeff McKenna jmckenna at gatewaygeomatics.com
Wed Feb 23 12:06:47 PST 2022


Actually Andrea, your patch introduces the lwgeom_is_empty() function 
from PostGIS, so (therefore) all of the existing build steps break (as 
previously librttopo only required GEOS).  So, I'm assuming now that all 
of the build scripts inside the librttopo repository must also be 
updated as part of your patch?

-jeff



On 2022-02-23 3:04 p.m., Jeff McKenna wrote:
> I think a security fix calls for a librttopo 1.1.1 release (or 1.2.0).
> Ticket filed: https://git.osgeo.org/gitea/rttopo/librttopo/issues/39
> 
> -jeff
> 
> 
> 
> 
> On 2021-12-31 11:06 a.m., Andrea Peri wrote:
>> Hi, thanks for the email.
>> I applied the patch to the repo.
>>
>> Best Regards,
>> Andrea Peri.
>>
>>
>> On Thu, 30 Dec 2021 at 12:22, Carlos López <clopez at suse.de> wrote:
>>
>>     Hello list,
>>
>>     I am a security engineer from the SUSE Linux security team.
>>
>>     During an investigation of CVE-2017-18359 [0], I noticed that librttopo
>>     seems to share the affected code in PostGIS. After looking at PostGIS'
>>     bug issue [1] and the related changeset [2], I noticed that the affected
>>     function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo
>>     [4], and the latter lacks the appropriate check for empty geometries.
>>     This is considered a remote DoS vulnerability. Could you please confirm
>>     if librttopo is vulnerable, and if so, patch accordingly? Thanks in
>>     advance.
>>
>>     Best regards,
>>
>>     Carlos
>>
>>     [0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359
>>     [1] https://trac.osgeo.org/postgis/ticket/3704
>>     [2] https://trac.osgeo.org/postgis/changeset/15444
>>     [3] https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60
>>     [4] https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62
>>
>>
>>     -- 
>>     Carlos López
>>     Jr. Security Engineer
>>     SUSE Software Solutions
>>


-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/
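Added example, not librttopo or PostGIS code: a reduced C model of the defect Carlos describes, an X3D coordinate writer that assumes at least one point beside a form that tests for an empty geometry before touching the coordinate array. The geom_t type, geom_is_empty() and the convention that an empty geometry has npoints == 0 and no coordinate array are assumptions of this example, not the libraries' own types.

```c
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for a point sequence (hypothetical type, not the
 * librttopo RTGEOM family).  Assumption for this example: an empty
 * geometry carries npoints == 0 and no coordinate array at all. */
typedef struct {
    int npoints;
    const double *pts;   /* interleaved x,y pairs; NULL when empty */
} geom_t;

int geom_is_empty(const geom_t *g)
{
    return g == NULL || g->npoints <= 0 || g->pts == NULL;
}

/* The defect pattern from the report: the writer assumes at least one
 * point exists, so an empty geometry reaches g->pts[0] through a NULL
 * pointer and the process crashes (a crash inside a database-server
 * extension is the remote DoS).  Only safe on non-empty input. */
size_t x3d_coords_unchecked(const geom_t *g, char *buf, size_t bufsz)
{
    int w = snprintf(buf, bufsz, "%g %g", g->pts[0], g->pts[1]);
    if (w < 0) return 0;
    size_t n = (size_t)w;
    for (int i = 1; i < g->npoints && n < bufsz; i++) {
        w = snprintf(buf + n, bufsz - n, " %g %g",
                     g->pts[2 * i], g->pts[2 * i + 1]);
        if (w < 0) break;
        n += (size_t)w;
    }
    return n;   /* length of the full text, snprintf-style */
}

/* Hardened form: decide emptiness before touching the coordinate array
 * and hand back an empty string, so the caller gets a defined result. */
size_t x3d_coords_checked(const geom_t *g, char *buf, size_t bufsz)
{
    if (geom_is_empty(g)) {
        if (bufsz > 0) buf[0] = '\0';
        return 0;
    }
    return x3d_coords_unchecked(g, buf, bufsz);
}

/* Constructed sample inputs: one two-point line and one empty geometry. */
static const double line_pts[] = { 1.0, 2.0, 3.5, -4.0 };
const geom_t SAMPLE_LINE  = { 2, line_pts };
const geom_t SAMPLE_EMPTY = { 0, NULL };
```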

