Your message dated Fri, 8 May 2026 15:21:15 +0200
with message-id <[email protected]>
and subject line Re: Bug#1135997: gdal: CVE-2026-8084 CVE-2026-8086
CVE-2026-8087 CVE-2026-8088
has caused the Debian Bug report #1135997,
regarding gdal: CVE-2026-8084 CVE-2026-8086 CVE-2026-8087 CVE-2026-8088
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135997: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135997
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gdal
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for gdal.
CVE-2026-8084[0]:
| A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This
| vulnerability affects the function memmove of the file
| frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File
| Handler. This manipulation causes out-of-bounds read. The attack is
| restricted to local execution. The exploit has been publicly
| disclosed and may be utilized. Upgrading to version 3.13.0RC1 is
| able to resolve this issue. Patch name:
| a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected
| component is advised.
https://github.com/OSGeo/gdal/issues/14378
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c
(v3.13.0RC1)
CVE-2026-8086[1]:
| A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This
| issue affects the function SWnentries of the file
| frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads
| to heap-based buffer overflow. The attack must be carried out
| locally. The exploit is publicly available and might be used.
| Upgrading to version 3.12.4RC1 is capable of addressing this issue.
| The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636.
| It is advisable to upgrade the affected component.
https://github.com/OSGeo/gdal/issues/14356
https://github.com/OSGeo/gdal/pull/14361
https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636
(v3.12.4RC1)
CVE-2026-8087[2]:
| A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4.
| Impacted is the function GDnentries of the file
| frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName
| results in heap-based buffer overflow. The attack must be initiated
| from a local position. The exploit has been released to the public
| and may be used for attacks. Upgrading to version 3.13.0RC1 is
| recommended to address this issue. The patch is named
| 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the
| affected component.
https://github.com/OSGeo/gdal/issues/14363
https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b
(v3.13.0RC1)
CVE-2026-8088[3]:
| A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The
| affected element is the function GDfieldinfo of the file
| frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to
| out-of-bounds read. The attack needs to be launched locally. The
| exploit has been made available to the public and could be used for
| attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this
| issue. This patch is called
| a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component
| should be upgraded.
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c
(v3.13.0RC1)
https://github.com/OSGeo/gdal/issues/14379
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8084
https://www.cve.org/CVERecord?id=CVE-2026-8084
[1] https://security-tracker.debian.org/tracker/CVE-2026-8086
https://www.cve.org/CVERecord?id=CVE-2026-8086
[2] https://security-tracker.debian.org/tracker/CVE-2026-8087
https://www.cve.org/CVERecord?id=CVE-2026-8087
[3] https://security-tracker.debian.org/tracker/CVE-2026-8088
https://www.cve.org/CVERecord?id=CVE-2026-8088
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
tags 1135997 upstream
fixed 1135997 gdal/3.13.0~rc1+dfsg-1~exp1
thanks
On 5/8/26 3:08 PM, Moritz Mühlenhoff wrote:
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Too late for that, as gdal (3.13.0+dfsg-1~exp1) entered the archive before this
issue was created, and RC1, which includes the fixes for these issues, a few days
ago.
> Please adjust the affected versions in the BTS as needed.
I suspect these will be no-dsa issues, so I'm doubtful about the use of that.
Kind Regards,
Bas
--
PGP Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
--- End Message ---