Hi Seth,
There has been quite a bit of talk about the WEBP vulnerability, and I noticed
Tamas has updated the GISInternals buildkit [1] and Even patched the GDAL
builds [2].
As I understand it, the vulnerability exploits user-supplied images. Am I
correct in thinking that this will only be an issue for MapServer if Mapfiles
are set up to read images that could be created externally and then read by
MapServer in a RASTER layer? Or could a layer using a WMS connection (cascaded
WMS) be affected? I guess in that case the external service would have to have
been compromised.
Yes, reading through a cascaded WMS could be affected if all of the following
conditions are met:
- the WMS server returns a hostile WEBP image (or possibly a TIFF or
GeoPackage using the WebP codec), which implies that server has been
compromised or is hostile (if the server just uses an unpatched libwebp
to return WebP images, that should be safe). Note that having wms_format
or wms_formatlist listing only PNG or JPEG formats isn't a protection if
the server is hostile/compromised.
- GDAL and/or libtiff (on the machine running MapServer) have been built
with libwebp support
- the libwebp version used by GDAL/libtiff hasn't been patched for the
vulnerability
> Serving WEBP as an OUTPUTFORMAT I don't think should be affected?
That should be safe. The issue is on reading hostile WebP images.
Even
--
http://www.spatialys.com
My software is free, but my time generally not.
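The conditions Even lists above spell out when a cascaded WMS response can reach a vulnerable libwebp: the upstream server controls the bytes, and the format names in wms_format or wms_formatlist say nothing about what actually comes back. The following is an added example, not code from this thread, from MapServer or from GDAL: a content sniffer that a site could put between the cascaded server and GDAL, which identifies the returned container by its magic bytes rather than by the declared format and refuses anything that is WebP or a TIFF whose Compression tag (259) is libtiff's COMPRESSION_WEBP (50001). The function names, the MIME-to-format mapping and all sample byte strings are constructed for the example; the only facts taken from the page are the attack surface (hostile WebP, WebP-coded TIFF, GeoPackage) and that declared formats are not a protection.

```python
"""Sniff a cascaded-WMS response before handing it to GDAL/libtiff.

Added example: it mirrors the advice in the thread (do not trust the
declared format; refuse WebP-coded payloads while libwebp is unpatched).
Names, MIME mapping and sample inputs are assumptions made for this demo.
"""
import struct
from typing import Optional, Tuple

TIFF_COMPRESSION_TAG = 259
TIFF_COMPRESSION_WEBP = 50001  # libtiff COMPRESSION_WEBP

# Assumed mapping from the MIME types a wms_format metadata entry would carry
# to the container we expect to see on the wire.
MIME_TO_FORMAT = {
    "image/png": "png",
    "image/jpeg": "jpeg",
    "image/tiff": "tiff",
    "image/webp": "webp",
}


def sniff_format(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring any Content-Type header."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    if data[:16] == b"SQLite format 3\x00":
        return "sqlite"  # GeoPackage container; tiles must be inspected individually
    return "unknown"


def tiff_compression(data: bytes) -> Optional[int]:
    """Return the Compression (tag 259) value from the first IFD, or None if absent/malformed."""
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        return None
    if len(data) < 8 or struct.unpack(endian + "H", data[2:4])[0] != 42:
        return None
    ifd_off = struct.unpack(endian + "I", data[4:8])[0]
    if ifd_off + 2 > len(data):
        return None
    n_entries = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])[0]
    for i in range(n_entries):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(data):
            return None
        tag, typ, _count = struct.unpack(endian + "HHI", data[e:e + 8])
        if tag != TIFF_COMPRESSION_TAG:
            continue
        # A SHORT (type 3) sits left-justified in the 4-byte value field; a LONG (type 4) fills it.
        if typ == 3:
            return struct.unpack(endian + "H", data[e + 8:e + 10])[0]
        if typ == 4:
            return struct.unpack(endian + "I", data[e + 8:e + 12])[0]
        return None
    return None


def uses_webp_codec(data: bytes) -> bool:
    """True for a bare WebP file or a TIFF whose strips/tiles are WebP-compressed."""
    fmt = sniff_format(data)
    if fmt == "webp":
        return True
    if fmt == "tiff":
        return tiff_compression(data) == TIFF_COMPRESSION_WEBP
    return False


def accept_wms_response(data: bytes, requested_mime: str) -> Tuple[bool, str]:
    """Decide whether the upstream body may be passed to GDAL.

    Rejects a body whose real container differs from the format we asked for,
    and (by policy) anything that would route through the WebP decoder.
    """
    expected = MIME_TO_FORMAT.get(requested_mime)
    if expected is None:
        return False, "unsupported format requested: %s" % requested_mime
    actual = sniff_format(data)
    if actual != expected:
        return False, "body is %s, not the requested %s" % (actual, expected)
    if uses_webp_codec(data):
        return False, "WebP-coded payload refused by policy"
    return True, "ok"


# --- Constructed sample inputs (not real WMS responses) -----------------------
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 8
WEBP_SAMPLE = b"RIFF" + struct.pack("<I", 12) + b"WEBPVP8 " + b"\x00" * 4


def _tiff_with_compression(value: int) -> bytes:
    """Minimal little-endian TIFF: one IFD at offset 8 holding only tag 259 as a SHORT."""
    header = b"II*\x00" + struct.pack("<I", 8)
    entry = struct.pack("<HHI", TIFF_COMPRESSION_TAG, 3, 1) + struct.pack("<H", value) + b"\x00\x00"
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0)


TIFF_WEBP_SAMPLE = _tiff_with_compression(TIFF_COMPRESSION_WEBP)
TIFF_DEFLATE_SAMPLE = _tiff_with_compression(8)  # COMPRESSION_ADOBE_DEFLATE

if __name__ == "__main__":
    for label, body, mime in [
        ("png as png", PNG_SAMPLE, "image/png"),
        ("webp served as png", WEBP_SAMPLE, "image/png"),
        ("webp-coded tiff", TIFF_WEBP_SAMPLE, "image/tiff"),
        ("deflate tiff", TIFF_DEFLATE_SAMPLE, "image/tiff"),
    ]:
        print(label, "->", accept_wms_response(body, mime))
```

The sniffer only looks at the first IFD and at the container header, so it catches the two cases named in the thread (a bare WebP and a WebP-coded TIFF) but does not open a GeoPackage to inspect its tiles; it also does nothing for hostile input that is a well-formed PNG. It is a stopgap for the window in which GDAL or libtiff on the MapServer host still links an unpatched libwebp, not a substitute for updating libwebp.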
_______________________________________________
MapServer-dev mailing list
MapServer-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-dev