Bugzilla – Bug 1153918
VUL-1: CVE-2019-17545: gdal: double free in OGRExpatRealloc in ogr/ogr_expat.cpp
Last modified: 2019-11-10 08:42:35 UTC
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in
ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
Hi Alexander, 42.3 is out of maintenance since at least already 6 months. Even 15.0 will be out of maintenance soon.
Now the situation is the following we have already 3.0.1 in the devel repository.
But main oss repo was not updated (I don't know why).
So one of the solution would be to update it with the update-oss channel, but I'm not sure it is the desire way.
I'm adding my fellow maintainer Martn to get its opinion.
Btw I'm traveling in France this week, so can't do that much.
Now 2.4.3 is released we can open update process more easily for 15.0 and 15.1
Who want to make it ?
Maintenance request created
need to be accepted
openSUSE-SU-2019:2466-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1153918
CVE References: CVE-2019-17545
openSUSE Leap 15.1 (src): gdal-2.4.3-lp188.8.131.52
openSUSE Backports SLE-15-SP1 (src): gdal-2.4.3-bp184.108.40.206
15.0 is gdal 2.2 so safe.