Bug 1201215 - (CVE-2017-18359) VUL-0: CVE-2017-18359: librttopo: denial of service in rtgeom_to_x3d3()
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Bruno Friedmann
Security Team bot
Reported: 2022-07-05 07:41 UTC by Carlos López
Modified: 2022-07-06 13:17 UTC (History)
Found By: Security Response Team
Comment 1 Carlos López 2022-07-05 07:43:26 UTC
This CVE was assigned to an issue in PostGIS, but librttopo shares the same code. I asked MITRE for a new CVE but they ignored the request.

Comment 2 Bruno Friedmann 2022-07-05 12:39:56 UTC
Hello Carlos,

Don't we have postgis 3.2.1?

2.3.3 is such an oldie, I hope nobody is still using it.
Comment 3 Carlos López 2022-07-05 12:45:52 UTC
(In reply to Bruno Friedmann from comment #2)
> Don't we have postgis 3.2.1?
> 2.3.3 is such an oldie, I hope nobody is still using it.

The code in librttopo has the same bug, even in the newer versions:

$ osc co openSUSE:Factory librttopo
$ cd openSUSE:Factory/librttopo
$ quilt setup librttopo.spec
$ grep -FA8 "rtgeom_to_x3d3(" librttopo/src/rtout_x3d.c
rtgeom_to_x3d3(const RTCTX *ctx, const RTGEOM *geom, char *srs, int precision, int opts, const char *defid)
  int type = geom->type;

  switch (type)
    return asx3d3_point(ctx, (RTPOINT*)geom, srs, precision, opts, defid);

The code above is missing the check added in the patch in comment #1.
Comment 5 Bruno Friedmann 2022-07-05 13:21:41 UTC
Sorry for the confusion, you shouldn't have talked about postgis :-)
Ok, the proposed patch is not enough alone; it also needs additional fixes
present in 

Fixes will go first to Application:Geo, then Factory.
Once in, they will be proposed to Backport.
Comment 6 Bruno Friedmann 2022-07-05 14:03:18 UTC
SR to Factory done
SR to Maintenance done
Comment 7 Swamp Workflow Management 2022-07-06 13:17:25 UTC
openSUSE-SU-2022:10042-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201215
CVE References: CVE-2017-18359
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    librttopo-1.1.0-bp154.2.3.1