Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 699838 (CVE-2019-17545)

Summary: <sci-libs/gdal-3.0.4-r1: double free in OGRExpatRealloc in ogr/ogr_expat.cpp (CVE-2019-17545)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: leio, sci-geosciences, tb
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178
See Also: https://bugs.gentoo.org/show_bug.cgi?id=708826
https://bugs.gentoo.org/show_bug.cgi?id=707320
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 706146, 706442, 707516, 716928    
Bug Blocks: 708828    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:51:23 UTC
CVE-2019-17545 (https://nvd.nist.gov/vuln/detail/CVE-2019-17545):
  GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in
  ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
Comment 1 Thomas Deutschmann gentoo-dev 2019-11-11 16:53:01 UTC
Upstream patch: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb
Comment 2 Mart Raudsepp gentoo-dev 2020-04-10 09:21:13 UTC
gdal-3.0.4-r1 requires >=sci-libs/proj-6.0.0:= while gdal-3.0.4-r1[ogdi] requires sci-libs/ogdi, which requires <sci-libs/proj-6.0.0:=

This is no good
Comment 3 Larry the Git Cow gentoo-dev 2020-04-10 11:31:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=064fcfbe59e7d0b0519994cc434a597fc3f97d32

commit 064fcfbe59e7d0b0519994cc434a597fc3f97d32
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-04-10 11:14:33 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-04-10 11:30:49 +0000

    sci-libs/ogdi: 4.1.0 version bump
    
    Bug: https://bugs.gentoo.org/699838
    Closes: https://bugs.gentoo.org/706190
    Package-Manager: Portage-2.3.98, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/ogdi/Manifest                       |  1 +
 sci-libs/ogdi/files/ogdi-4.1.0-subdirs.patch | 24 +++++++++++
 sci-libs/ogdi/ogdi-4.1.0.ebuild              | 60 ++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2020-04-11 06:14:14 UTC
Unable to check for sanity:

> no match for package: dev-python/ijson-2.4
Comment 5 Mart Raudsepp gentoo-dev 2020-04-11 09:19:32 UTC
arm64 stable
Comment 6 NATTkA bot gentoo-dev 2020-04-11 09:56:46 UTC
Unable to check for sanity:

> no match for package: dev-python/ijson-2.4
Comment 7 NATTkA bot gentoo-dev 2020-04-11 16:20:50 UTC
Unable to check for sanity:

> no match for package: dev-python/ijson-2.4
Comment 8 NATTkA bot gentoo-dev 2020-04-12 18:53:08 UTC
All sanity-check issues have been resolved
Comment 9 NATTkA bot gentoo-dev 2020-04-12 19:29:13 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 10 Larry the Git Cow gentoo-dev 2020-04-13 09:21:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f343fdd68ff4def7e6083fa14258b14867e04e4

commit 7f343fdd68ff4def7e6083fa14258b14867e04e4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-04-12 21:38:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-04-13 09:21:29 +0000

    sci-libs/gdal: Drop 2.4.1-r1 and 2.4.3
    
    Bug: https://bugs.gentoo.org/699838
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/gdal/Manifest                             |   2 -
 sci-libs/gdal/files/gdal-2.2.3-bashcomp-path.patch |  12 -
 sci-libs/gdal/files/gdal-2.4.1-poppler-0.75.patch  | 148 ----------
 sci-libs/gdal/files/gdal-2.4.1-poppler-0.76.patch  |  24 --
 sci-libs/gdal/files/gdal-2.4.1-poppler-0.82.patch  |  53 ----
 .../gdal/files/gdal-2.4.1-poppler-0.83-1.patch     |  27 --
 .../gdal/files/gdal-2.4.1-poppler-0.83-2.patch     |  42 ---
 sci-libs/gdal/files/gdal-2.4.1-swig-4.patch        | 115 --------
 sci-libs/gdal/gdal-2.4.1-r1.ebuild                 | 322 ---------------------
 sci-libs/gdal/gdal-2.4.3.ebuild                    | 319 --------------------
 10 files changed, 1064 deletions(-)
Comment 11 Andreas Sturmlechner gentoo-dev 2020-04-13 09:25:14 UTC
Security cleanup done.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-05-04 01:17:49 UTC
Downgraded.