Hi folks,

I've arrived at the gdal mailing list after reading the security policy[1] on the GitHub repository, but then decided that this is as much a question as it is a bug, so I'm following the issue template comment advice[2] to post here.

The Common Portability Library within gdal includes some code derived from minizip / Info-ZIP, and while investigating Debian bug #1054290 I've been trying to figure out where else code affected by vulnerability CVE-2023-45853 could exist. Could a maintainer confirm whether the affected section of code[3] in gdal/CPL is vulnerable too? If so, there is a fix[4] from the zlib repository (that hosts minizip) that may be straightforward to apply - and I think that'd be license-compatible to cherry-pick, but that's probably worth confirming.

Thanks,
James

_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev
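For readers weighing whether the cherry-pick is worthwhile, the following is an added C illustration, not part of James's message and not code from GDAL, zlib or minizip. CVE-2023-45853 is triggered in minizip's zip writer by a filename, extra field or comment longer than the ZIP header can record: the local and central file headers store those three lengths in 16-bit fields, so a length above 0xffff is silently truncated in the header while the full bytes are still copied, and the upstream fix rejects such lengths before any header is built. The header builder below, its `guard` switch and the constructed 0x10000-byte filename are this example's own assumptions, chosen to show the mismatch and the check side by side rather than to reproduce minizip's internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local file header (APPNOTE 4.3.7): 30 fixed bytes, then name, then extra.
   Name length and extra-field length live in 16-bit fields at offsets 26 and 28. */
#define ZIP_LOCAL_HEADER_SIZE 30u
#define ZIP_LOCAL_HEADER_SIG  0x04034b50u
#define ZIP_FIELD_MAX         0xffffu

static void put_u16(unsigned char *p, unsigned v) {
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
}
static void put_u32(unsigned char *p, uint32_t v) {
    put_u16(p, v & 0xffff);
    put_u16(p + 2, (v >> 16) & 0xffff);
}
static unsigned get_u16(const unsigned char *p) {
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* The class of guard the upstream fix adds: every length destined for a
   16-bit header field must fit in it. Returns 1 if all fit, 0 otherwise. */
int zip_lengths_fit_16bit(size_t filename_len, size_t extra_len, size_t comment_len) {
    return filename_len <= ZIP_FIELD_MAX && extra_len <= ZIP_FIELD_MAX &&
           comment_len <= ZIP_FIELD_MAX;
}

/* Build a stored, zero-length local file header followed by name and extra.
   Returns bytes written, or 0 on error. With guard == 0 an oversized length is
   truncated into the 16-bit field while the full bytes are still appended
   (header and payload now disagree); with guard == 1 the entry is rejected. */
size_t zip_build_local_header(unsigned char *out, size_t out_cap, const char *filename,
                              const unsigned char *extra, size_t extra_len, int guard) {
    size_t name_len = strlen(filename);
    size_t total = ZIP_LOCAL_HEADER_SIZE + name_len + extra_len;
    if (total < name_len || total > out_cap) return 0;   /* size_t overflow or no room */
    if (guard && !zip_lengths_fit_16bit(name_len, extra_len, 0)) return 0;

    memset(out, 0, ZIP_LOCAL_HEADER_SIZE);  /* time, date, crc32 and sizes stay 0 */
    put_u32(out + 0, ZIP_LOCAL_HEADER_SIG);
    put_u16(out + 4, 20);                   /* version needed to extract: 2.0 */
    put_u16(out + 6, 0);                    /* general purpose bit flag */
    put_u16(out + 8, 0);                    /* compression method: stored */
    put_u16(out + 26, (unsigned)(name_len & ZIP_FIELD_MAX));   /* truncated if > 0xffff */
    put_u16(out + 28, (unsigned)(extra_len & ZIP_FIELD_MAX));
    memcpy(out + ZIP_LOCAL_HEADER_SIZE, filename, name_len);   /* full length copied */
    if (extra_len) memcpy(out + ZIP_LOCAL_HEADER_SIZE + name_len, extra, extra_len);
    return total;
}

/* Name length as any reader (or later code trusting the field) would parse it. */
unsigned zip_local_header_name_len(const unsigned char *hdr) { return get_u16(hdr + 26); }

/* Constructed scenario: a filename of 0x10000 'A's, one byte past the field maximum. */
#define DEMO_NAME_LEN 0x10000u

static size_t demo_build(int guard, long *recorded_len) {
    char *name = malloc(DEMO_NAME_LEN + 1);
    unsigned char *buf = malloc(ZIP_LOCAL_HEADER_SIZE + DEMO_NAME_LEN);
    size_t n = 0;
    if (name && buf) {
        memset(name, 'A', DEMO_NAME_LEN);
        name[DEMO_NAME_LEN] = '\0';
        n = zip_build_local_header(buf, ZIP_LOCAL_HEADER_SIZE + DEMO_NAME_LEN, name, NULL, 0, guard);
        *recorded_len = n ? (long)zip_local_header_name_len(buf) : -1;
    }
    free(name);
    free(buf);
    return n;
}

/* Unguarded: the header claims a name length of 0 although 0x10000 bytes follow it. */
long demo_unguarded_recorded_name_len(void) { long r = -1; demo_build(0, &r); return r; }

/* Guarded: the same entry is refused before any header is written (returns 0). */
size_t demo_guarded_bytes_written(void) { long r = -1; return demo_build(1, &r); }

/* Ordinary entry for comparison: 30-byte header plus a 5-byte name. */
size_t demo_small_entry_bytes_written(void) {
    unsigned char buf[64];
    return zip_build_local_header(buf, sizeof buf, "a.txt", NULL, 0, 1);
}
```

The same 16-bit truncation applies to the central directory header and to the archive comment, which is why the upstream check covers the filename, both extra fields and the comment together; when auditing CPL's copy, the question is whether its writer has an equivalent rejection before it sizes and fills any header buffer from caller-supplied lengths.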