On Thu, 7 Apr 2022, Mateusz Loskot wrote:
On Thu, 7 Apr 2022 at 12:29, prashanti seri <[email protected]> wrote:
Does zlib vulnerability CVE-2018-25032 affect GDAL as it uses this lib?
Hints:
https://github.com/OSGeo/gdal/blob/master/frmts/zlib/zlib.h#L40
https://github.com/OSGeo/gdal/blob/patch/3.2.2.1/gdal/frmts/zlib/zlib.h#L40
https://github.com/OSGeo/gdal/blob/release/3.4/gdal/frmts/zlib/zlib.h#L40
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
It has lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option.
so I don't see how zlib 1.2.3 protects gdal from this bug.
I note that ubuntu zlib1g (1:1.2.11.dfsg-2ubuntu7.1) which was released on
Sat, 26 Mar 2022 fixes this.
Hint on solution:
https://gdal.org/build_hints.html#zlib
I agree that building with a known good zlib is a solution.
--
Andrew C. Aitchison Kendal, UK
[email protected]
_______________________________________________
gdal-dev mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/gdal-dev
