830370 – (CVE-2021-45943) <sci-libs/gdal-3.4.1: heap buffer overflow

Bug 830370 (CVE-2021-45943) - <sci-libs/gdal-3.4.1: heap buffer overflow

Summary: <sci-libs/gdal-3.4.1: heap buffer overflow

Status:	RESOLVED FIXED

Alias:	CVE-2021-45943

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	830589
Blocks:
	Show dependency tree

Reported:	2022-01-01 02:09 UTC by Sam James
Modified:	2022-10-31 02:18 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2022-01-01 02:09:17 UTC

CVE-2021-45943 (https://github.com/OSGeo/gdal/pull/4944):

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

Comment 1 Sam James archtester

2022-01-01 04:36:09 UTC

It looks like 3.4.1 will be soon.

Comment 2 Larry the Git Cow gentoo-dev

2022-01-04 11:34:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=188fd670f4bf39726bc0468d7d21fa4f6b666b22

commit 188fd670f4bf39726bc0468d7d21fa4f6b666b22
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-04 11:34:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-04 11:34:40 +0000

    sci-libs/gdal: add 3.4.1
    
    Bug: https://bugs.gentoo.org/830370
    Signed-off-by: Sam James <sam@gentoo.org>

 sci-libs/gdal/Manifest          |   1 +
 sci-libs/gdal/gdal-3.4.1.ebuild | 323 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 324 insertions(+)

Comment 3 John Helmert III archtester

2022-01-28 15:59:18 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2022-02-05 20:46:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9ffd278f8fe238387a6c34cc3697aa6a4db5a5a

commit c9ffd278f8fe238387a6c34cc3697aa6a4db5a5a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-05 20:27:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-05 20:40:47 +0000

    sci-libs/gdal: Cleanup vulnerable 3.3.3 and 3.4.0
    
    Bug: https://bugs.gentoo.org/830370
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/gdal/Manifest          |   2 -
 sci-libs/gdal/gdal-3.3.3.ebuild | 317 ---------------------------------------
 sci-libs/gdal/gdal-3.4.0.ebuild | 323 ----------------------------------------
 3 files changed, 642 deletions(-)

Comment 5 John Helmert III archtester

2022-02-06 17:48:01 UTC

Thanks!

Comment 6 Nowa Ammerlaan gentoo-dev

2022-10-21 11:22:27 UTC

3.5.0 and 3.5.2 are the only versions we have in ::gentoo at the moment, can this be closed?

Comment 7 John Helmert III archtester

2022-10-21 14:40:22 UTC

(In reply to Andrew Ammerlaan from comment #6)
> 3.5.0 and 3.5.2 are the only versions we have in ::gentoo at the moment, can
> this be closed?

We'd like to GLSA.

Comment 8 John Helmert III archtester

2022-10-21 17:23:07 UTC

GLSA request filed.

Comment 9 Larry the Git Cow gentoo-dev

2022-10-31 01:41:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c4dc0365a64e57602af2af1995c69dadce7e6b29

commit c4dc0365a64e57602af2af1995c69dadce7e6b29
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:36 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-15 ] GDAL: Heap Buffer Overflow
    
    Bug: https://bugs.gentoo.org/830370
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-15.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

Comment 10 John Helmert III archtester

2022-10-31 02:18:56 UTC

GLSA released, all done!