diff --git a/.gitignore b/.gitignore index 87ed4c9..37ebc64 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ gdalautotest-1.7.0.tar.gz /gdalautotest-3.3.1.tar.gz /gdal-3.3.2-fedora.tar.xz /gdalautotest-3.3.2.tar.gz +/gdalautotest-3.3.3.tar.gz +/gdal-3.3.3-fedora.tar.xz diff --git a/CVE-2021-45943.patch b/CVE-2021-45943.patch new file mode 100644 index 0000000..2b68da2 --- /dev/null +++ b/CVE-2021-45943.patch @@ -0,0 +1,25 @@ +diff -rupN gdal-3.3.2-fedora/frmts/pcidsk/sdk/segment/cpcidskbinarysegment.cpp gdal-3.3.2-fedora-new/frmts/pcidsk/sdk/segment/cpcidskbinarysegment.cpp +--- gdal-3.3.2-fedora/frmts/pcidsk/sdk/segment/cpcidskbinarysegment.cpp 2021-09-01 11:51:01.000000000 +0200 ++++ gdal-3.3.2-fedora-new/frmts/pcidsk/sdk/segment/cpcidskbinarysegment.cpp 2022-02-04 18:57:11.761058218 +0100 +@@ -31,6 +31,7 @@ + #include "pcidsk_exception.h" + #include "core/pcidsk_utils.h" + ++#include + #include + #include + #include +@@ -73,8 +74,12 @@ void CPCIDSKBinarySegment::Load() + if (loaded_) { + return; + } ++ if( data_size - 1024 > static_cast(std::numeric_limits::max()) ) ++ { ++ return ThrowPCIDSKException("too large data_size"); ++ } + +- seg_data.SetSize((int)data_size - 1024); ++ seg_data.SetSize((int)(data_size - 1024)); + + ReadFromFile(seg_data.buffer, 0, data_size - 1024); + diff --git a/gdal.spec b/gdal.spec index 01df4a2..830e08c 100644 --- a/gdal.spec +++ b/gdal.spec @@ -8,7 +8,7 @@ #TODO: Consider doxy patch from Suse, setting EXTRACT_LOCAL_CLASSES = NO # Tests can be of a different version -%global testversion 3.3.2 +%global testversion 3.3.3 %global run_tests 1 %global bashcompletiondir %(pkg-config --variable=compatdir bash-completion) @@ -43,7 +43,7 @@ %endif Name: gdal -Version: 3.3.2 +Version: 3.3.3 Release: 1%{?dist}%{?bootstrap:.%{bootstrap}.bootstrap} Summary: GIS file format library License: MIT @@ -78,6 +78,9 @@ Patch8: %{name}-gcc11.patch Patch9: gdal_no-diag-disable.patch # Fix build with autoconf 2.70 Patch10: gdal_autoconf270.patch +# Backport patch for CVE-2021-45943 +# https://github.com/OSGeo/gdal/pull/4944 +Patch11: CVE-2021-45943.patch BuildRequires: gcc @@ -641,6 +644,12 @@ popd #Or as before, using ldconfig %changelog +* Fri Feb 04 2022 Sandro Mani - 3.3.3-1 +- Update to 3.3.3 + +* Fri Feb 04 2022 Sandro Mani - 3.3.2-2 +- Backport patch for CVE-2021-45943 + * Tue Sep 07 2021 Sandro Mani - 3.3.2-1 - Update to 3.3.2 diff --git a/sources b/sources index 3305558..94b9643 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (gdal-3.3.2-fedora.tar.xz) = 7fd49081d2ee03603083d51357a615386b53ddc2c15592001c560b060d3b7162f0594b6c2a5b82654617877a4e960b9462d4fcb9fbda9d3e7d4b7c63361d34ca -SHA512 (gdalautotest-3.3.2.tar.gz) = e82f95ba3214bfcdb4d38f87d7ec57931bc44da96b0cf58e81dd90ef60adf0ef700d8f3bcef17a706afdbd87feb01c201cc7d43ea8832daecdc98d9f2880ddda +SHA512 (gdalautotest-3.3.3.tar.gz) = 942cc4a87653602e718f335bbdd80727475655e1e2a1993fda51df73a8ba5492c8fa365e0c3b61ee4a88d5044922065bf07247597798231d7e11a84249ed52b6 +SHA512 (gdal-3.3.3-fedora.tar.xz) = baed4740df4dc113c42041d71ab2857b567988cac2a0fade546931c3b2eff307685a14d07e39dc12cd1ef37faf4286a5ed1cf835ab201f3546c8963fcc57b261