Bugzilla – Bug 1201215
VUL-0: CVE-2017-18359: librttopo: denial of service in rtgeom_to_x3d3()
Last modified: 2022-07-06 13:17:25 UTC
PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attackers to cause a denial of service via crafted ST_AsX3D function input, as demonstrated by an abnormal server termination for "SELECT ST_AsX3D('LINESTRING EMPTY');" because empty geometries are mishandled.
This CVE was assigned to an issue in PostGIS, but librttopo shares the same code. I asked MITRE for a new CVE but they ignored the request.
Don't we have postgis 3.2.1 ?
2.3.3 is such an oldies I hope nobody is still using it.
(In reply to Bruno Friedmann from comment #2)
> Don't we have postgis 3.2.1 ?
> 2.3.3 is such an oldies I hope nobody is still using it.
The code in librttopo has the same bug, even in the newer versions:
$ osc co openSUSE:Factory librttopo
$ cd openSUSE:Factory/librttopo
$ quilt setup librttopo.spec
$ grep -FA8 "rtgeom_to_x3d3(" librttopo/src/rtout_x3d.c
rtgeom_to_x3d3(const RTCTX *ctx, const RTGEOM *geom, char *srs, int precision, int opts, const char *defid)
int type = geom->type;
return asx3d3_point(ctx, (RTPOINT*)geom, srs, precision, opts, defid);
The code above is missing the check added in the patch in comment #1.
Sorry for the confusion, you shouldn't have talk about postgis :-)
Ok the proposed patch is not enough alone it also need additionnal fixes
Fixes will goes first to Application:Geo then Factory.
Once in they will be proposed to Backport.
SR to Factory done
SR to Maintenance done
openSUSE-SU-2022:10042-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1201215
CVE References: CVE-2017-18359
openSUSE Backports SLE-15-SP4 (src): librttopo-1.1.0-bp22.214.171.124