Brilliant - thank you, Even!
On Fri, 3 Nov 2023 at 15:44, Even Rouault <even.roua...@spatialys.com> wrote:
>
> Hi James,
>
> thanks for the notice. GDAL copy has diverged a bit, but I've just managed to apply the upstream fix per https://github.com/OSGeo/gdal/pull/8658
>
> Even
>
> On 03/11/2023 at 16:17, James Addison via gdal-dev wrote:
> > Hi folks,
> >
> > I've arrived at the gdal mailing list after reading the security policy[1] on the GitHub repository, but then decided that this is as much a question as it is a bug, so I'm following the issue template comment advice[2] to post here.
> >
> > The Common Portability Library within gdal includes some code derived from minizip / Info-ZIP, and while investigating Debian bug #1054290 I've been trying to figure out where else code affected by vulnerability CVE-2023-45853 could exist.
> >
> > Could a maintainer confirm whether the affected section of code[3] in gdal/CPL is vulnerable too? If so, there is a fix[4] from the zlib repository (that hosts minizip) that may be straightforward to apply - and I think that'd be license-compatible to cherry-pick but that's probably worth confirming.
> >
> > Thanks,
> > James
> > _______________________________________________
> > gdal-dev mailing list
> > gdal-dev@lists.osgeo.org
> > https://lists.osgeo.org/mailman/listinfo/gdal-dev
>
> --
> http://www.spatialys.com
> My software is free, but my time generally not.