Bug 1153918 - (CVE-2019-17545) VUL-1: CVE-2019-17545: gdal: double free in OGRExpatRealloc in ogr/ogr_expat.cpp
VUL-1: CVE-2019-17545: gdal: double free in OGRExpatRealloc in ogr/ogr_expat.cpp
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.1
Other Other
: P4 - Low : Minor (vote)
: ---
Assigned To: Bruno Friedmann
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-10-14 12:26 UTC by Alexander Bergmann
Modified: 2019-11-10 08:42 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-10-14 12:26:23 UTC

GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in
ogr/ogr_expat.cpp when the 10MB threshold is exceeded.

Comment 1 Bruno Friedmann 2019-10-15 06:41:31 UTC
Hi Alexander, 42.3 is out of maintenance since at least already 6 months. Even 15.0 will be out of maintenance soon.

Now the situation is the following we have already 3.0.1 in the devel repository.
But main oss repo was not updated (I don't know why).

So one of the solution would be to update it with the update-oss channel, but I'm not sure it is the desire way.

I'm adding my fellow maintainer Martn to get its opinion.
Btw I'm traveling in France this week, so can't do that much.
Comment 2 Bruno Friedmann 2019-11-04 12:40:10 UTC
Now 2.4.3 is released we can open update process more easily for 15.0 and 15.1

Who want to make it ?
Comment 3 Bruno Friedmann 2019-11-04 18:03:20 UTC
Maintenance request created 

need to be accepted
Comment 4 Swamp Workflow Management 2019-11-09 20:11:33 UTC
openSUSE-SU-2019:2466-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1153918
CVE References: CVE-2019-17545
Sources used:
openSUSE Leap 15.1 (src):    gdal-2.4.3-lp151.3.3.1
openSUSE Backports SLE-15-SP1 (src):    gdal-2.4.3-bp151.4.3.1
Comment 5 Bruno Friedmann 2019-11-10 08:42:35 UTC
15.0 is gdal 2.2 so safe.