Bug 25809

Summary: gdal new security issue CVE-2019-17545
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, eric.gerbier, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: gdal-2.4.2-3.mga8.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 26122    

Description David Walser 2019-12-03 20:57:30 CET 
openSUSE has issued an advisory on November 9:
https://lists.opensuse.org/opensuse-updates/2019-11/msg00046.html

The issue is fixed upstream in 2.4.3.

Mageia 7 is also affected.
David Walser 2019-12-03 20:57:38 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2019-12-05 08:19:42 CET 
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-12-05 15:44:57 CET 
Advisory:
========================

Updated gdal packages fix security vulnerability:

Double free vulnerability in OGRExpatRealloc (CVE-2019-17545).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17545
https://lists.opensuse.org/opensuse-updates/2019-11/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gdal-2.4.3-1.mga7
python2-gdal-2.4.3-1.mga7
python3-gdal-2.4.3-1.mga7
libgdal20-2.4.3-1.mga7
libgdal-devel-2.4.3-1.mga7
libgdal-static-devel-2.4.3-1.mga7

from gdal-2.4.3-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2019-12-10 14:34:39 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 23824 Comment 5, I installed merkaartor (tx to Mercator aka Geeraard De Cremer from Rupelmonde - Flanders)
at CLI:
$ merkaartor 
****  "2019-12-10T12:12:49"  -- Starting  "Merkaartor 0.18.3"
------- "using Qt version 5.12.6 (built with 5.12.2)"
------- "using PROJ4 version 6.0.0"
------- "using GDAL version 2.4.1"
and some more. I cpuld draw a liitle and save the file, so that should be OK.
But trying to run one of the commands from the gdal package gives trouble.
Ref to https://medium.com/planet-stories/a-gentle-introduction-to-gdal-part-1-a3253eb96082
at CLI:

$ gdalinfo --version
/usr/bin/gdalinfo: error: '/usr/bin/.libs/gdalinfo' does not exist

Sounds awkward to me.

CC: (none) => herman.viaene

Comment 4 Brian Rockwell 2019-12-17 00:22:37 CET 
I agree - Herman, I'm setting the feedback request.

Probably just an object or reference in the wrong directory.

Whiteboard: (none) => feedback
CC: (none) => brtians1

David Walser 2020-01-14 20:07:36 CET

Whiteboard: feedback => (none)
Assignee: qa-bugs => geiger.david68210
CC: (none) => qa-bugs
Status comment: (none) => Update built but gdalinfo command is broken

Comment 5 David GEIGER 2020-01-23 09:09:00 CET 
Hmmm! yes strange this issue! and we have this problem for a while apparently.

The gdalinfo script says:

#!/usr/bin/sh

# gdalinfo - temporary wrapper script for .libs/gdalinfo
# Generated by libtool (GNU libtool) 2.4.6
#
# The gdalinfo program cannot be directly executed until all the libtool
# libraries that it depends on are installed.
#
# This wrapper script should never be moved out of the build directory.
# If it is, it will not operate correctly.

# Sed substitution that helps us do robust quoting.  It backslashifies
# metacharacters that are still active within double-quoted strings.




The real problem is that gdalinfo should be a binary and not just a script.

I tried locally to find what is going wrong but without success.
Comment 6 eric gerbier 2020-01-23 13:48:36 CET 
I have an answer : the problems comes first from the install target in the makefile for apps directory

$ diff -u apps/GNUmakefile.orig apps/GNUmakefile
--- apps/GNUmakefile.orig	2020-01-23 13:43:42.990620775 +0100
+++ apps/GNUmakefile	2020-01-23 11:35:46.774852333 +0100
@@ -216,6 +216,8 @@
 
 install: default
 	for f in $(BIN_LIST) ; do $(INSTALL) $$f $(DESTDIR)$(INST_BIN) ; done
+	mkdir -p $(DESTDIR)$(INST_BIN)/.libs
+	for f in $(BIN_LIST) ; do $(INSTALL) .libs/$$f $(DESTDIR)$(INST_BIN)/.libs ; done
 	$(INSTALL_DATA) gdal_utils.h $(DESTDIR)$(INST_INCLUDE)
 	$(INSTALL) gdal-config-inst $(DESTDIR)$(INST_BIN)/gdal-config

this will install also the real binaries in .libs directory

the second change will be in gdal spec file :

diff -u gdal.spec.orig gdal.spec
--- gdal.spec.orig	2020-01-23 13:45:44.543398861 +0100
+++ gdal.spec	2020-01-23 13:45:52.873589247 +0100
@@ -256,7 +256,6 @@
 %doc NEWS VERSION
 %{_datadir}/gdal
 %{_bindir}/*
-%{_bindir}/.libs/*
 %{_mandir}/man1/*
 %{_datadir}/bash-completion/completions/*
 %exclude %{_bindir}/gdal-config

this will include the real binaries in rpm package

CC: (none) => eric.gerbier

Comment 7 Lewis Smith 2020-01-23 20:34:25 CET 
The issue from comment 3 onward is now the subject of its own bug 26122.
Setting this bug as depending on that; and that as blocking this.

CC: (none) => lewyssmith
Depends on: (none) => 26122

David Walser 2020-01-23 21:45:21 CET

Depends on: 26122 => (none)
Blocks: (none) => 26122

Comment 8 David Walser 2020-01-24 01:52:31 CET 
Thanks Eric!  Fixed package uploaded by David.

gdal-2.4.3-1.1.mga7
python2-gdal-2.4.3-1.1.mga7
python3-gdal-2.4.3-1.1.mga7
libgdal20-2.4.3-1.1.mga7
libgdal-devel-2.4.3-1.1.mga7
libgdal-static-devel-2.4.3-1.1.mga7

from gdal-2.4.3-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: qa-bugs => (none)
Status comment: Update built but gdalinfo command is broken => (none)

Lewis Smith 2020-01-25 09:41:36 CET

CC: lewyssmith => (none)

Comment 9 Herman Viaene 2020-01-28 14:18:24 CET 
Tested new version with merkaartor: I could loa a map, draw a route on it,save the file, reopen the file and see all is there.
Not very successfull at rasping what all the gdal commands are for, but none of them showed the error as before.Two with some success:
$ gdalinfo --version
GDAL 2.4.3, released 2019/10/28
$ gdalsrsinfo meierhoek.mdc (the ile I created with merkaartor

PROJ.4 : +proj=longlat +datum=WGS84 +no_defs 

OGC WKT :
GEOGCS["WGS 84",
    DATUM["WGS_1984",
        SPHEROID["WGS 84",6378137,298.257223563,
            AUTHORITY["EPSG","7030"]],
        AUTHORITY["EPSG","6326"]],
    PRIMEM["Greenwich",0,
        AUTHORITY["EPSG","8901"]],
    UNIT["degree",0.0174532925199433,
        AUTHORITY["EPSG","9122"]],
    AUTHORITY["EPSG","4326"]]
This might make more sense to someone else as to me, but at least there is no immediate problem cropping up.
And
$ ogrinfo meierhoek.mdc 
INFO: Open of `meierhoek.mdc'
      using driver `OSM' successful.
1: points (Point)
2: lines (Line String)
3: multilinestrings (Multi Line String)
4: multipolygons (Multi Polygon)
5: other_relations (Geometry Collection)

Whiteboard: (none) => MGA7-64-OK

Comment 10 David Walser 2020-01-28 18:28:49 CET 
Advisory:
========================

Updated gdal packages fix security vulnerability:

Double free vulnerability in OGRExpatRealloc (CVE-2019-17545).

Also, the gdalinfo command, which had been built incorrectly, has been fixed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17545
https://lists.opensuse.org/opensuse-updates/2019-11/msg00046.html
https://bugs.mageia.org/show_bug.cgi?id=25809
https://bugs.mageia.org/show_bug.cgi?id=26122
Comment 11 Thomas Andrews 2020-01-29 22:32:50 CET 
Validating this much, anyway. Advisory in Comment 10

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Thomas Backlund 2020-01-30 18:36:51 CET 
in reality this package install is broken by design...

installing stuff in ".libs" under %{_bindir} is just broken...

It should be properly fixed atleast in cauldron...

Keywords: (none) => advisory
CC: (none) => tmb

Comment 13 Mageia Robot 2020-01-30 19:29:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0068.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED