Published: 16 Jul 2024
Source: github
Github: review passed
CVSS4: 8.7
CVSS3: 7.1
Description
Fiona affected by CVE-2020-14152 related to madler-zlib
Summary
Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).
Details
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Impact
fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.
References
- https://github.com/Toblerity/Fiona/security/advisories/GHSA-g4m4-9q4c-mfw6
- https://nvd.nist.gov/vuln/detail/CVE-2020-14152
- https://github.com/libjpeg-turbo/libjpeg-turbo/issues/500
- https://github.com/OSGeo/gdal/commit/075480a3cba13c9dd2ab4e39e92d6147a6c98eca
- https://github.com/Toblerity/Fiona/commit/07708211726e276e22dedb9cd567b4f6a7b8c809
- https://github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933
Packages
Name: fiona
Ecosystem: pip
Affected versions: < 1.10b2
Fix version: 1.10b2
8.7 High
CVSS4
7.1 High
CVSS3
Weaknesses
CWE-400