Bug 1201215 - (CVE-2017-18359) VUL-0: CVE-2017-18359: librttopo: denial of service in rtgeom_to_x3d3()
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Bruno Friedmann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/223749/
Depends on:
Blocks:
Reported: 2022-07-05 07:41 UTC by Carlos López
Modified: 2022-07-06 13:17 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 1 Carlos López 2022-07-05 07:43:26 UTC
This CVE was assigned to an issue in PostGIS, but librttopo shares the same code. I asked MITRE for a new CVE but they ignored the request.

Fix:
https://gitlab.com/rttopo/rttopo/-/commit/2a9cc526b1da8ea58422ed0158f57dabd82c498d
Comment 2 Bruno Friedmann 2022-07-05 12:39:56 UTC
Hello Carlos,

Don't we have postgis 3.2.1 ?

2.3.3 is such an oldie, I hope nobody is still using it.
Comment 3 Carlos López 2022-07-05 12:45:52 UTC
(In reply to Bruno Friedmann from comment #2)
> Don't we have postgis 3.2.1 ?
> 
> 2.3.3 is such an oldie, I hope nobody is still using it.

The code in librttopo has the same bug, even in the newer versions:

```console
$ osc co openSUSE:Factory librttopo
$ cd openSUSE:Factory/librttopo
$ quilt setup librttopo.spec
$ grep -FA8 "rtgeom_to_x3d3(" librttopo/src/rtout_x3d.c
rtgeom_to_x3d3(const RTCTX *ctx, const RTGEOM *geom, char *srs, int precision, int opts, const char *defid)
{
  int type = geom->type;

  switch (type)
  {
  case RTPOINTTYPE:
    return asx3d3_point(ctx, (RTPOINT*)geom, srs, precision, opts, defid);
```

The code above is missing the check added in the patch in comment #1.
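The pattern quoted above dispatches on `geom->type` before validating the geometry at all. The following is an added illustration of why that matters and what a guard at the dispatch point looks like; it is not code from librttopo, PostGIS, or the linked patch, and the struct layout, the `demo_` names, and the exact guard (reject a NULL pointer, treat an empty geometry as serialising to an empty string) are assumptions for this example, not the content of the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in geometry model, constructed for this example. It is NOT the real
 * RTGEOM layout from librttopo; it only reproduces the shape of the problem:
 * a type tag that the serialiser switches on, plus coordinate data that may
 * be absent (npoints == 0 / coords == NULL models an empty geometry). */
enum { DEMO_POINTTYPE = 1, DEMO_LINETYPE = 2 };

typedef struct {
    int     type;     /* DEMO_POINTTYPE, DEMO_LINETYPE, ... */
    int     npoints;  /* 0 models an empty geometry */
    double *coords;   /* NULL when the geometry is empty */
} demo_geom;

/* Unchecked shape, mirroring the quoted dispatch: the geometry is dereferenced
 * before any validation, so a NULL geometry faults on geom->type and an empty
 * point faults on geom->coords[0]. A caller that hands this attacker-controlled
 * input gets a crash, i.e. the denial of service the bug describes. */
static char *demo_to_x3d_unchecked(const demo_geom *geom, int precision)
{
    char *out = malloc(64);
    if (out == NULL)
        return NULL;

    switch (geom->type) {
    case DEMO_POINTTYPE:
        snprintf(out, 64, "%.*f %.*f",
                 precision, geom->coords[0],
                 precision, geom->coords[1]);
        return out;
    default:
        /* other types are outside the scope of this illustration */
        free(out);
        return NULL;
    }
}

/* Hardened shape: validate the input once, at the dispatch point, so that
 * every per-type serialiser below it can assume a non-NULL, non-empty
 * geometry. An empty geometry yields an empty string instead of a fault. */
static char *demo_to_x3d_checked(const demo_geom *geom, int precision)
{
    if (geom == NULL)
        return NULL;

    if (geom->npoints == 0 || geom->coords == NULL) {
        char *out = malloc(1);
        if (out != NULL)
            out[0] = '\0';
        return out;
    }

    return demo_to_x3d_unchecked(geom, precision);
}

/* Named entry points so the behaviour can be checked without a debugger. */
int demo_null_is_rejected(void)
{
    return demo_to_x3d_checked(NULL, 2) == NULL;
}

int demo_empty_yields_empty_string(void)
{
    demo_geom empty = { DEMO_POINTTYPE, 0, NULL };   /* constructed input */
    char *s = demo_to_x3d_checked(&empty, 2);
    int ok = (s != NULL && s[0] == '\0');
    free(s);
    return ok;
}

int demo_point_serialises(void)
{
    double xy[2] = { 1.5, 2.25 };                    /* constructed input */
    demo_geom pt = { DEMO_POINTTYPE, 1, xy };
    char *s = demo_to_x3d_checked(&pt, 2);
    int ok = (s != NULL && strcmp(s, "1.50 2.25") == 0);
    free(s);
    return ok;
}

int main(void)
{
    printf("null rejected: %d, empty handled: %d, point ok: %d\n",
           demo_null_is_rejected(),
           demo_empty_yields_empty_string(),
           demo_point_serialises());
    return 0;
}
```

The point of placing the guard in the dispatcher rather than in each `asx3d3_*` helper is that there is one entry point and many type-specific branches; a check at the top cannot be forgotten when a new geometry type is added. Whether the real fix returns an empty string, an error, or something else is not shown on this page; only the commit and pull request linked in comments 1 and 5 are authoritative for that.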
Comment 5 Bruno Friedmann 2022-07-05 13:21:41 UTC
Sorry for the confusion, you shouldn't have talked about postgis :-)
Ok, the proposed patch is not enough alone; it also needs the additional fixes
present in
https://git.osgeo.org/gitea/rttopo/librttopo/pulls/41/files

Fixes will go first to Application:Geo, then Factory.
Once in, they will be proposed to Backports.
Comment 6 Bruno Friedmann 2022-07-05 14:03:18 UTC
SR to Factory done
SR to Maintenance done
https://build.opensuse.org/request/show/986877
Comment 7 Swamp Workflow Management 2022-07-06 13:17:25 UTC
openSUSE-SU-2022:10042-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201215
CVE References: CVE-2017-18359
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    librttopo-1.1.0-bp154.2.3.1