Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830370 (CVE-2021-45943) - <sci-libs/gdal-3.4.1: heap buffer overflow
Summary: <sci-libs/gdal-3.4.1: heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2021-45943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 830589
Blocks:
  Show dependency tree
 
Reported: 2022-01-01 02:09 UTC by Sam James
Modified: 2022-10-31 02:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:09:17 UTC 
CVE-2021-45943 (https://github.com/OSGeo/gdal/pull/4944):

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 04:36:09 UTC 
It looks like 3.4.1 will be soon.
Comment 2 Larry the Git Cow gentoo-dev 2022-01-04 11:34:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=188fd670f4bf39726bc0468d7d21fa4f6b666b22

commit 188fd670f4bf39726bc0468d7d21fa4f6b666b22
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-04 11:34:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-04 11:34:40 +0000

    sci-libs/gdal: add 3.4.1
    
    Bug: https://bugs.gentoo.org/830370
    Signed-off-by: Sam James <sam@gentoo.org>

 sci-libs/gdal/Manifest          |   1 +
 sci-libs/gdal/gdal-3.4.1.ebuild | 323 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 15:59:18 UTC 
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2022-02-05 20:46:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9ffd278f8fe238387a6c34cc3697aa6a4db5a5a

commit c9ffd278f8fe238387a6c34cc3697aa6a4db5a5a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-05 20:27:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-05 20:40:47 +0000

    sci-libs/gdal: Cleanup vulnerable 3.3.3 and 3.4.0
    
    Bug: https://bugs.gentoo.org/830370
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/gdal/Manifest          |   2 -
 sci-libs/gdal/gdal-3.3.3.ebuild | 317 ---------------------------------------
 sci-libs/gdal/gdal-3.4.0.ebuild | 323 ----------------------------------------
 3 files changed, 642 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-06 17:48:01 UTC 
Thanks!
Comment 6 Andrew Ammerlaan gentoo-dev 2022-10-21 11:22:27 UTC 
3.5.0 and 3.5.2 are the only versions we have in ::gentoo at the moment, can this be closed?
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 14:40:22 UTC 
(In reply to Andrew Ammerlaan from comment #6)
> 3.5.0 and 3.5.2 are the only versions we have in ::gentoo at the moment, can
> this be closed?

We'd like to GLSA.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:23:07 UTC 
GLSA request filed.
Comment 9 Larry the Git Cow gentoo-dev 2022-10-31 01:41:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c4dc0365a64e57602af2af1995c69dadce7e6b29

commit c4dc0365a64e57602af2af1995c69dadce7e6b29
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:36 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-15 ] GDAL: Heap Buffer Overflow
    
    Bug: https://bugs.gentoo.org/830370
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-15.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:56 UTC 
GLSA released, all done!