Bugzilla – Bug 1153918
VUL-1: CVE-2019-17545: gdal: double free in OGRExpatRealloc in ogr/ogr_expat.cpp
Last modified: 2019-11-10 08:42:35 UTC
CVE-2019-17545

GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.

References:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17545
https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb
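The bug class named in the description, as an added example (not GDAL's code and not part of this bug report): a size-capped realloc hook that frees the block when it refuses a request, beside one that honours realloc's contract and leaves the block with the caller. It assumes the flaw follows that pattern; `capped_realloc_buggy`, `capped_realloc_fixed`, `t_realloc`, `t_free` and `run` are hypothetical names, and the tracking allocator is constructed so the repeated free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
#define LIMIT (10u * 1024 * 1024)      /* the 10MB threshold from the CVE text */
#define SLOTS 4

/* Constructed tracking allocator: a repeated free is counted, not executed. */
static void *live[SLOTS];
static int double_frees;
static void *t_realloc(void *p, size_t n) {
    for (int i = 0; i < SLOTS; i++)
        if (live[i] == p) {            /* p == NULL picks the first empty slot */
            void *q = realloc(p, n);
            if (q) live[i] = q;
            return q;
        }
    return NULL;
}
static void t_free(void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    if (p) double_frees++;             /* block no longer live: double free */
}

/* Hypothetical hook that frees the block when it refuses the request. */
static void *capped_realloc_buggy(void *p, size_t n) {
    if (n <= LIMIT) return t_realloc(p, n);
    t_free(p);                         /* caller still holds p, frees it later */
    return NULL;
}
/* Hardened hook: refuse, and leave the old block owned by the caller. */
static void *capped_realloc_fixed(void *p, size_t n) {
    return n <= LIMIT ? t_realloc(p, n) : NULL;
}

/* Hypothetical pool: grow past the limit, destroy, report double frees. */
static int run(void *(*hook)(void *, size_t)) {
    char *buf = hook(NULL, 4096), *nb;
    double_frees = 0;
    nb = hook(buf, (size_t)LIMIT + 1); /* refused: returns NULL */
    if (nb) buf = nb;                  /* on failure keep buf, as with realloc() */
    t_free(buf);                       /* pool destroy */
    return double_frees;
}

int main(void) {
    int bad = run(capped_realloc_buggy), good = run(capped_realloc_fixed);
    printf("buggy hook: %d double free(s); fixed hook: %d\n", bad, good);
    return 0;
}
```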
Hi Alexander, 42.3 has been out of maintenance for at least 6 months already. Even 15.0 will be out of maintenance soon. Now the situation is the following: we already have 3.0.1 in the devel repository. But the main oss repo was not updated (I don't know why). So one of the solutions would be to update it with the update-oss channel, but I'm not sure it is the desired way. I'm adding my fellow maintainer Martn to get his opinion. Btw I'm traveling in France this week, so I can't do that much.
Now that 2.4.3 is released, we can open the update process more easily for 15.0 and 15.1. https://trac.osgeo.org/gdal/wiki/Release/2.4.3-News Who wants to make it?
Maintenance request created: https://build.opensuse.org/request/show/745248. It needs to be accepted.
openSUSE-SU-2019:2466-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1153918
CVE References: CVE-2019-17545
Sources used:
openSUSE Leap 15.1 (src): gdal-2.4.3-lp151.3.3.1
openSUSE Backports SLE-15-SP1 (src): gdal-2.4.3-bp151.4.3.1
15.0 is gdal 2.2 so safe.