Link to GDAL security thread #50

Open
rsbivand opened this issue Jul 29, 2021 · 2 comments
Comments

rsbivand (Member) commented Jul 29, 2021

This thread https://lists.osgeo.org/pipermail/gdal-dev/2021-July/054470.html (based on https://lists.osgeo.org/pipermail/gdal-dev/2021-July/054466.html) has implications for packagers of GDAL, including packages with GDAL as a system requirement.

This particular case is for JSON, but Bob Rudis' @hrbrmstr blog remains relevant: https://rud.is/b/2018/02/16/pym-js-library-vulnerability-in-widgetframe-package/. When something upstream needs fixing, it is potentially important to know their policies, and GDAL's looks like being caveat emptor unless funding is forthcoming for alternatives.

Strictly, this is an "included source" problem, where the geojson OGR driver bundles an old version of json-c source, and uses it if libjson-c is not available (configure.ac line 4777). Defensively, the Windows and MacOS binary builds might need to provide the patched binaries of libjson-c (current F34 0.14-8), 0.15 latest. But this may mean that driver-specific tweaks are lost (see thread). Ideas?
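The comment above describes a build that silently falls back to the bundled json-c when no system libjson-c is found. The following is an added example, not code from the issue or from GDAL, that classifies a GDAL shared library from its dynamic-dependency listing so a packager can confirm the distro-patched libjson-c is actually the one in use; the libgdal path in the usage comment and the sample listings are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the issue or the GDAL project).
# Given ldd-style output for libgdal, report whether it links the system
# libjson-c ("system <path>"), lists it but cannot resolve it
# ("unresolved"), or shows no libjson-c at all ("bundled": the driver's
# embedded json-c copy is in use and distro patches do not apply).

jsonc_link_status() {
  # $1: text of `ldd <libgdal.so>` (or a similar "name => path" listing)
  listing=$1
  line=$(printf '%s\n' "$listing" | grep -E 'libjson-c\.so' | head -n 1)
  if [ -z "$line" ]; then
    echo bundled
    return 0
  fi
  case $line in
    *"not found"*) echo unresolved; return 0 ;;
  esac
  # Extract the resolved path after "=>"
  path=$(printf '%s\n' "$line" | sed -n 's/.*=> *\([^ ]*\) .*/\1/p')
  echo "system $path"
  return 0
}

# Constructed sample listings (not captured from a real host).
SAMPLE_SYSTEM='  linux-vdso.so.1 (0x00007ffd00000000)
  libjson-c.so.5 => /lib64/libjson-c.so.5 (0x00007f1a00000000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f1b00000000)'
SAMPLE_BUNDLED='  linux-vdso.so.1 (0x00007ffd00000000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f1b00000000)'

# Real use on a Linux host (library path is an assumption):
#   jsonc_link_status "$(ldd /usr/lib64/libgdal.so)"
```

On macOS, feed the output of `otool -L` instead; a "bundled" result means the build must be rebuilt against an external json-c before any distro security update for libjson-c has effect.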

rsbivand (Member, Author) commented Aug 2, 2021

See also the start of a mailing list here:

https://github.com/geopython/pygeoapi/blob/master/SECURITY.md
