Hi James,

Thanks for the notice. GDAL's copy has diverged a bit, but I've just managed to apply the upstream fix per https://github.com/OSGeo/gdal/pull/8658

Even

On 03/11/2023 at 16:17, James Addison via gdal-dev wrote:
Hi folks,

I've arrived at the gdal mailing list after reading the security
policy[1] on the GitHub repository, but then decided that this is as
much a question as it is a bug, so I'm following the issue template
comment advice[2] to post here.

The Common Portability Library within gdal includes some code derived
from minizip / Info-ZIP, and while investigating Debian bug #1054290
I've been trying to figure out where else code affected by
vulnerability CVE-2023-45853 could exist.

Could a maintainer confirm whether the affected section of code[3] in
gdal/CPL is vulnerable too?  If so, there is a fix[4] from the zlib
repository (that hosts minizip) that may be straightforward to apply -
and I think that'd be license-compatible to cherry-pick but that's
probably worth confirming.

Thanks,
James
_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev

--
http://www.spatialys.com
My software is free, but my time generally not.
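The exchange above names CVE-2023-45853 and an upstream zlib fix but does not spell out what the fix checks. As an added example (not code from GDAL, zlib, or either message), the block below models the defect class: minizip's zipOpenNewFileInZip4_64() sums the filename, extra-field and comment lengths in a 32-bit uInt to size a heap buffer, while the ZIP format stores each of those lengths in a 16-bit header field; the upstream fix rejects any field longer than 0xffff before allocating. SIZECENTRALHEADER and ZIP_PARAMERROR mirror minizip's constants; the function names and the sample lengths are the example's own.

```c
/* Added example, not GDAL or zlib code. Models the length handling that
 * CVE-2023-45853 concerns in minizip's zipOpenNewFileInZip4_64() and the
 * 0xffff bound the upstream fix introduces. Function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZECENTRALHEADER 0x2e    /* fixed part of a central directory entry (minizip constant) */
#define ZIP_OK            0
#define ZIP_PARAMERROR    (-102)  /* minizip's error code for bad arguments */
#define ZIP_FIELD_MAX     0xffffU /* ZIP stores each variable-length field size in 16 bits */

/* Unchecked computation in the style of the vulnerable code: the lengths are
 * cast to a 32-bit uInt and summed in 32 bits, so for very large inputs the
 * total wraps modulo 2^32 and the buffer allocated from it is far smaller
 * than the memcpy()s that later fill it. */
uint32_t unchecked_central_header_size(size_t size_filename,
                                       size_t size_extrafield_global,
                                       size_t size_comment)
{
    uint32_t total = SIZECENTRALHEADER;          /* uInt in minizip */
    total += (uint32_t)size_filename;            /* (uInt)strlen(filename) */
    total += (uint32_t)size_extrafield_global;
    total += (uint32_t)size_comment;             /* (uInt)strlen(comment) */
    return total;
}

/* Hardened validation, equivalent in effect to the upstream fix: every
 * variable-length field must fit its 16-bit header slot. Besides preventing
 * the 32-bit wrap, this keeps the length written into the header consistent
 * with the bytes actually copied after it. */
int zip_header_lengths_ok(size_t size_filename, size_t size_extrafield_local,
                          size_t size_extrafield_global, size_t size_comment)
{
    if (size_filename > ZIP_FIELD_MAX || size_extrafield_local > ZIP_FIELD_MAX ||
        size_extrafield_global > ZIP_FIELD_MAX || size_comment > ZIP_FIELD_MAX)
        return 0;
    return 1;
}

/* Checked variant: returns ZIP_PARAMERROR for oversized fields, otherwise the
 * exact header size. With each term <= 0xffff the sum is below 2^18, so it
 * cannot wrap in 32 bits. */
int64_t checked_central_header_size(size_t size_filename, size_t size_extrafield_local,
                                    size_t size_extrafield_global, size_t size_comment)
{
    if (!zip_header_lengths_ok(size_filename, size_extrafield_local,
                               size_extrafield_global, size_comment))
        return ZIP_PARAMERROR;
    return (int64_t)(SIZECENTRALHEADER + size_filename +
                     size_extrafield_global + size_comment);
}

int main(void)
{
    /* Constructed inputs: a filename length just under 4 GiB (hostile) and a
     * small, ordinary set of lengths. */
    size_t hostile_filename = 0xFFFFFFF0u;

    printf("unchecked size for hostile filename: %u (wrapped below the %d-byte fixed header)\n",
           unchecked_central_header_size(hostile_filename, 0, 0), SIZECENTRALHEADER);
    printf("checked result for hostile filename: %lld (ZIP_PARAMERROR)\n",
           (long long)checked_central_header_size(hostile_filename, 0, 0, 0));
    printf("checked result for ordinary lengths: %lld\n",
           (long long)checked_central_header_size(10, 0, 4, 6));
    return 0;
}
```

When auditing a vendored copy such as gdal/CPL's, the thing to look for is whether the derived zipOpenNewFileInZip* path bounds these four lengths before the ALLOC of the central header; if it does not, the 0xffff check above is the minimal change that removes the wrap and the header/data inconsistency together.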
