Bug#1103839: marked as done (gdal: CVE-2025-29480)

[Debian Bug Tracking System]

Your message dated Wed, 14 May 2025 17:40:05 +0200
with message-id <2edb333f-191c-4137-b744-99af83c1b...@xs4all.nl>
and subject line Re: Bug#1103839: gdal: CVE-2025-29480
has caused the Debian Bug report #1103839,
regarding gdal: CVE-2025-29480
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103839
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: gdal
Version: 3.10.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/OSGeo/gdal/issues/12188
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gdal.

CVE-2025-29480[0]:
| Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker
| to cause a denial of service via the OGRSpatialReference::Release
| function.

There was a report at [1] but it is unclear if it was reported
upstream and if newer version fix the issue, maybe you have some
additional information? if so might you please add it to [2] as well?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-29480
    https://www.cve.org/CVERecord?id=CVE-2025-29480
[1] https://github.com/lmarch2/poc/blob/main/gdal/gdal.md
[2] https://github.com/OSGeo/gdal/issues/12188

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

notfound 1103839 gdal/3.10.2+dfsg-1
thanks

On 4/22/25 5:16 AM, Sebastiaan Couwenberg wrote:

On 4/21/25 9:35 PM, Salvatore Bonaccorso wrote:

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

[...]
[2] https://github.com/OSGeo/gdal/issues/12188

There is nothing I can do as long as there is no fix available.

Upstream closed the issue as they cannot reproduce it and the reporter is 
unresponsive.

Closing this is as well.

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

--- End Message ---