| Summary: | gdal new security issues fixed upstream in 2.3.x | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, lewyssmith, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | gdal-2.0.2-5.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2018-11-08 19:23:35 CET

David Walser
2018-11-08 20:00:00 CET
CC: (none) => geiger.david68210

Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11

(In reply to Marja Van Waes from comment #1)
> Assigning to all packagers collectively, since there is no registered
> maintainer for this package.

Now really assigning :-/
Assignee: bugsquad => pkg-bugs

Fixed for mga6 updating to latest 2.3.2 release!

Advisory:
========================

Updated gdal packages fix security vulnerability:

A flaw was found in gdal up to version 2.3.0. A Heap-buffer-overflow in GTiffOddBitsBand::IReadBlock.

A flaw was found in gdal. A Heap-buffer-overflow in NITFRasterBand::Unpack.

A flaw was found in gdal up to version 2.3.0. An Index-out-of-bounds in CPLErrorSetState.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F7UTCHIMQ32VOARS5O67QMCVHTYAPTMM/
========================

Updated packages in core/updates_testing:
========================
gdal-2.3.2-1.mga6
python2-gdal-2.3.2-1.mga6
python3-gdal-2.3.2-1.mga6
libgdal20-2.3.2-1.mga6
libgdal-devel-2.3.2-1.mga6
libgdal-static-devel-2.3.2-1.mga6

from gdal-2.3.2-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs

Mageia 6, x86_64

Installed the core packages. python{2,3}-gdal packages were not available. They might be tools for scripting map-drawing commands.

$ urpmq --whatrequires lib64gdal20 | sort -u
gdal
grass
lib64gdal20
lib64gdal-devel
lib64openscenegraph130
lib64postgis5
mapnik
merkaartor
mysql-workbench
ncl
postgis
python-gdal
qgis
qgis-grass
qlandkartegt
qmapshack
simgear

Installed grass, which appears in the menus under Sciences as Grass70.
This crashes on invocation.
Run from the command-line it also fails to run.

$ grass70 -gui
Starting GRASS GIS...
ERROR: <wxpython> requested, but not available. Run GRASS in text mode (-text) or install missing package (usually 'grass-gui').
Exiting...

Package wxPython had been installed as a requirement.

$ locate -i grass | grep gui
shows a lot of files of this sort:
/usr/lib64/grass70/gui/wxpython/wxplot/scatter.pyc

So grass is no use for testing this.

gdal has numerous man entries for separate functions, like gdal_sieve, and appears to be a graphical toolkit.

The documentation on mapnik is extremely sparse. Not in the menus or accessible from the command-line.

merkaartor looks more promising. It has a gui which can be launched from the command-line. Looks like it can create layered map projections. Had a go. Added a bending road to the worksheet, an isolated roundabout, a rectangular building and then converted the road into a bridge hundreds of kilometres long.
Exercised the zoom function. Saved the "map" as untitled.mdc.

That was all run under strace which showed that the gdal20 library was being used.

$ grep gdal trace
open("/lib64/libgdal.so.20", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgdal.so.20.0.2", O_RDONLY) = 3
open("/usr/lib64/libgdal.so.20.0.2", O_RDONLY) = 16

Shall run the updates tomorrow.
CC: (none) => tarazed25

If we stick to the script, it is gdal specifically which needs to be tested.

$ urpmq --whatrequires gdal | sort -u
gdal
qgis
qmapshack

Updated the packages, including python2-gdal and python3-gdal.

Installed qgis. Ran it with the filename of the crude map already generated by merkaartor in the hope that it would fit with qgis but it was ignored. An advanced interface appeared for managing Geographic Information Systems data. You would need a good tutorial to understand how to use it. It appears to be a drawing tool, file, database and project manager all in one and includes a web search facility. The help system points to API documentation at https://qgis.org/api/qgsquick.html which is aimed at mobile devices. The GUI comes up OK and poking it does no harm. Managed to raise a python console and typed some of the suggested help commands. The API link gives a link to a demo application repository: https://github.com/lutraconsulting/qgis-quick-demo-app with instructions for building it and assumes that Qt Creator is available. Altogether too ambitious for QA.

Checked merkaartor by importing the initial crude effort at a map. There was a lot of graphical noise on the screen before it settled and displayed the untitled.mdc map.

That is about as far as we can go with this. The software installs without trouble and applications dependent on gdal and libgdal at least launch with no obvious anomalies so it gets a 64-bit OK.
Whiteboard: (none) => MGA6-64-OK

Advisory from comment 4; no CVEs yet. Thanks Len for your habitual determined testing. Validating.
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0451.html
Status: NEW => RESOLVED
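The QA steps in the thread above reduce to two checks: that the packages named in the advisory are installed at or above the fixed version-release, and that an application run under strace really opens libgdal from the updated library. The script below is an added example written for this page, not a Mageia QA tool or anything posted in the report. It assumes an rpm-based system for the live package check (the function names version_at_least, check_installed_pkgs and loaded_gdal_libs, and the variable FIXED_VR, are this example's own), and the strace lines it parses are taken from the tester's grep output rather than captured here.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the gdal update the way the
# QA comments above do, but as a repeatable script.
#  1. check_installed_pkgs: every advisory package that is installed must be
#     at or above the fixed version-release.
#  2. loaded_gdal_libs: read strace output and list which libgdal files an
#     application actually opened, so a stale library in memory is noticed.
# Assumes an rpm-based system (Mageia) for step 1; step 2 works on any
# strace log that records open()/openat() calls.

FIXED_VR="2.3.2-1.mga6"   # version-release from the advisory in the report

# Package names from the advisory's "Updated packages" list. On x86_64 the
# library packages carry the lib64 prefix, so both spellings are tried and
# names that are not installed are simply skipped.
ADVISORY_PKGS="gdal python2-gdal python3-gdal libgdal20 lib64gdal20 \
libgdal-devel lib64gdal-devel libgdal-static-devel lib64gdal-static-devel"

# version_at_least INSTALLED FIXED: succeed when INSTALLED sorts at or after
# FIXED under version ordering; sort -V (GNU/BusyBox coreutils) handles
# "2.3.2-1.mga6"-style version-release strings field by field.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# check_installed_pkgs: print OK/OLD for each installed advisory package.
# Returns 0 if all installed copies are fixed, 1 if any is old, 2 if rpm is
# not available on this host.
check_installed_pkgs() {
    rc=0
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not found; skipping package check" >&2
        return 2
    }
    for pkg in $ADVISORY_PKGS; do
        # rpm -q exits non-zero for packages that are not installed
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        if version_at_least "$vr" "$FIXED_VR"; then
            echo "OK  $pkg-$vr"
        else
            echo "OLD $pkg-$vr (fixed in $FIXED_VR)"
            rc=1
        fi
    done
    return $rc
}

# loaded_gdal_libs: read strace output on stdin and print each distinct
# libgdal path that was opened. Handles both open("path", ...) lines as in
# the report and openat(AT_FDCWD, "path", ...) lines from newer glibc.
loaded_gdal_libs() {
    sed -n 's/^open[a-z]*(.*"\([^"]*libgdal[^"]*\)".*/\1/p' | sort -u
}

# Usage against a real application, as the tester did with merkaartor:
#   strace -f -e trace=open,openat -o trace merkaartor
#   loaded_gdal_libs < trace
#   check_installed_pkgs
```

The library listing matters because a package upgrade does not replace the copy of libgdal that an already-running process has mapped; running the application afresh under strace, as the tester did, and comparing the opened path with the file the updated package installed closes that gap.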