Bug 30256 - gdal new security issue CVE-2021-45943
Summary: gdal new security issue CVE-2021-45943
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-04-07 18:22 CEST by David Walser
Modified: 2022-04-09 23:21 CEST (History)
5 users (show)

See Also:
Source RPM: gdal-3.1.3-7.1.mga8.src.rpm
CVE: CVE-2021-45943
Status comment:


Attachments

Description David Walser 2022-04-07 18:22:22 CEST
Fedora has issued an advisory on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P23E4DEHY5FJCR5VJ46I6TO32DT7Y3T4/

The issue is fixed upstream in 3.4.1.

The issue description in the RedHat bug makes it sound like the issue was introduced in 3.3.0, but Fedora patched 3.2.2 in this update, so 3.1.3 may also be affected.
Comment 1 Lewis Smith 2022-04-07 20:37:50 CEST
Updates to this SRPM have been done by various people, so assigning this one globally.

We have the following versions since 3.1.3 in Cauldron:
3.2.2, 3.3.0, 3.3.1, 3.3.3, 3.4.0, 3.4.1, 3.4.2.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-04-08 11:39:29 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment). (CVE-2021-45943)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45943
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P23E4DEHY5FJCR5VJ46I6TO32DT7Y3T4/
========================

Updated packages in core/updates_testing:
========================
gdal-3.1.3-7.2.mga8
lib(64)gdal27-3.1.3-7.2.mga8
lib(64)gdal-devel-3.1.3-7.2.mga8
python3-gdal-3.1.3-7.2.mga8

from SRPM:
gdal-3.1.3-7.2.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-45943

Comment 3 Herman Viaene 2022-04-08 14:54:53 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25809 Comment 9 for testing:
Created smal navigation file meierhoek.mdc by drawing some waypoints in merkaartor and saved the file, reopened it to be sure all was there: OK
further commands:
$ gdalinfo --version
GDAL 3.1.3, released 2020/09/01

$ gdalsrsinfo meierhoek.mdc

PROJ.4 : +proj=longlat +datum=WGS84 +no_defs

OGC WKT2:2018 :
GEOGCRS["WGS 84",
    DATUM["World Geodetic System 1984",
        ELLIPSOID["WGS 84",6378137,298.257223563,
            LENGTHUNIT["metre",1]]],
    PRIMEM["Greenwich",0,
        ANGLEUNIT["degree",0.0174532925199433]],
    CS[ellipsoidal,2],
        AXIS["latitude",north,
            ORDER[1],
            ANGLEUNIT["degree",0.0174532925199433]],
        AXIS["longitude",east,
            ORDER[2],
            ANGLEUNIT["degree",0.0174532925199433]],
    ID["EPSG",4326]]

$ ogrinfo meierhoek.mdc
INFO: Open of `meierhoek.mdc'
      using driver `OSM' successful.
1: points (Point)
2: lines (Line String)
3: multilinestrings (Multi Line String)
4: multipolygons (Multi Polygon)
5: other_relations (Geometry Collection)
Looks all good to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-04-09 00:20:33 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-04-09 20:02:06 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-04-09 23:21:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0137.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.