[postgis-devel] Fwd: [rttopo-dev] Empty geometry bug in PostGIS [DoS vulnerability]

Regina Obe lr at pcorp.us
Mon Jan 3 14:38:32 PST 2022


Thanks Jeff,

I'll take a look at it later this week and patch.

Thanks,
Regina

> -----Original Message-----
> From: postgis-devel [mailto:postgis-devel-bounces at lists.osgeo.org] On
> Behalf Of Jeff McKenna
> Sent: Thursday, December 30, 2021 7:58 AM
> To: PostGIS Development Discussion <postgis-devel at lists.osgeo.org>
> Subject: [postgis-devel] Fwd: [rttopo-dev] Empty geometry bug in PostGIS
> [DoS vulnerability]
> 
> Forwarding, as I am not sure how many follow the librttopo list....
> 
> -------- Forwarded Message --------
> 
> Hello list,
> 
> I am a security engineer from the SUSE Linux security team.
> 
> During an investigation of CVE-2017-18359 [0], I noticed that librttopo seems
> to share the affected code in PostGIS. After looking at PostGIS'
> bug issue [1] and the related changeset [2], I noticed that the affected
> function, `lwgeom_to_x3d3` [3], matches `rtgeom_to_x3d3` in librttopo [4],
> and the latter lacks the appropriate check for empty geometries.
> This is considered a remote DoS vulnerability. Could you please confirm if
> librttopo is vulnerable, and if so, patch accordingly? Thanks in advance.
> 
> Best regards,
> 
> Carlos
> 
> [0] https://nvd.nist.gov/vuln/detail/CVE-2017-18359
> [1] https://trac.osgeo.org/postgis/ticket/3704
> [2] https://trac.osgeo.org/postgis/changeset/15444
> [3] https://trac.osgeo.org/postgis/browser/trunk/liblwgeom/lwout_x3d.c?rev=15444#L60
> [4] https://git.osgeo.org/gitea/rttopo/librttopo/src/branch/master/src/rtout_x3d.c#L62
> 
> --
> Carlos López
> Jr. Security Engineer
> SUSE Software Solutions
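As an added illustration, not code from librttopo or PostGIS: a toy C model of the failure mode the report describes, a writer that turns a geometry into an X3D coordinate element and that carries the empty-geometry guard the report says `rtgeom_to_x3d3` lacks. The `toy_geom` struct and the function names are constructed for this example; in the toy model an empty geometry has no coordinate buffer at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy geometry (not librttopo's rtgeom_t): an empty geometry
 * has npoints == 0 and no coordinate buffer (coords == NULL). */
typedef struct {
    int npoints;
    const double *coords; /* npoints * 2 doubles, x then y */
} toy_geom;

/* The check the report says is missing: treat "no points" and "no buffer"
 * both as empty, so neither case reaches the coordinate loop below. */
int toy_geom_is_empty(const toy_geom *g)
{
    return g == NULL || g->npoints == 0 || g->coords == NULL;
}

/* Hardened writer: emits an X3D-style <Coordinate point='...'/> element.
 * Without the guard at the top, an empty input would read coords[0] through
 * a NULL pointer and crash the server process that called it (the DoS). */
char *toy_geom_to_x3d(const toy_geom *g)
{
    if (toy_geom_is_empty(g)) {
        char *empty = malloc(1); /* empty, caller-freed string for empties */
        if (empty) empty[0] = '\0';
        return empty;
    }
    size_t cap = 32 + (size_t)g->npoints * 64;
    char *out = malloc(cap);
    if (!out) return NULL;
    size_t len = (size_t)snprintf(out, cap, "<Coordinate point='");
    for (int i = 0; i < g->npoints; i++) {
        len += (size_t)snprintf(out + len, cap - len, "%s%g %g",
                                i ? " " : "", g->coords[2 * i], g->coords[2 * i + 1]);
    }
    snprintf(out + len, cap - len, "'/>");
    return out;
}

int main(void)
{
    const double xy[] = {1.0, 2.0, 3.5, 4.0};           /* constructed sample line */
    toy_geom line = {2, xy};
    toy_geom empty = {0, NULL};                          /* e.g. LINESTRING EMPTY */
    char *a = toy_geom_to_x3d(&line), *b = toy_geom_to_x3d(&empty);
    printf("%s\n[%s]\n", a, b);
    free(a); free(b); return 0;
}
```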
