Source: gdal X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerabilities were published for gdal. CVE-2026-8084[0]: | A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This | vulnerability affects the function memmove of the file | frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File | Handler. This manipulation causes out-of-bounds read. The attack is | restricted to local execution. The exploit has been publicly | disclosed and may be utilized. Upgrading to version 3.13.0RC1 is | able to resolve this issue. Patch name: | a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected | component is advised. https://github.com/OSGeo/gdal/issues/14378 https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1) CVE-2026-8086[1]: | A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This | issue affects the function SWnentries of the file frmts/hdf4/hdf- | eos/SWapi.c. Such manipulation of the argument DimensionName leads | to heap-based buffer overflow. The attack must be carried out | locally. The exploit is publicly available and might be used. | Upgrading to version 3.12.4RC1 is capable of addressing this issue. | The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. | It is advisable to upgrade the affected component. https://github.com/OSGeo/gdal/issues/14356 https://github.com/OSGeo/gdal/pull/14361 https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 (v3.12.4RC1) CVE-2026-8087[2]: | A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. | Impacted is the function GDnentries of the file frmts/hdf4/hdf- | eos/GDapi.c. Performing a manipulation of the argument DataFieldName | results in heap-based buffer overflow. The attack must be initiated | from a local position. The exploit has been released to the public | and may be used for attacks. Upgrading to version 3.13.0RC1 is | recommended to address this issue. The patch is named | 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the | affected component. https://github.com/OSGeo/gdal/issues/14363 https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b (v3.13.0RC1) CVE-2026-8088[3]: | A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The | affected element is the function GDfieldinfo of the file | frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to | out-of-bounds read. The attack needs to be launched locally. The | exploit has been made available to the public and could be used for | attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this | issue. This patch is called | a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component | should be upgraded. https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1) https://github.com/OSGeo/gdal/issues/14379 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-8084 https://www.cve.org/CVERecord?id=CVE-2026-8084 [1] https://security-tracker.debian.org/tracker/CVE-2026-8086 https://www.cve.org/CVERecord?id=CVE-2026-8086 [2] https://security-tracker.debian.org/tracker/CVE-2026-8087 https://www.cve.org/CVERecord?id=CVE-2026-8087 [3] https://security-tracker.debian.org/tracker/CVE-2026-8088 https://www.cve.org/CVERecord?id=CVE-2026-8088 Please adjust the affected versions in the BTS as needed.
