Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gdal_2: add patch for CVE-2019-17546 #111308

Closed
wants to merge 1 commit into from
Closed

gdal_2: add patch for CVE-2019-17546 #111308

wants to merge 1 commit into from

Conversation

dotlambda
Copy link
Member

Motivation for this change

fixes #90807
https://nvd.nist.gov/vuln/detail/CVE-2019-17546

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@dotlambda dotlambda added 1.severity: security 9.needs: port to stable A PR needs a backport to the stable release. labels Jan 30, 2021
@dotlambda dotlambda mentioned this pull request Jan 30, 2021
Merged
10 tasks
@ofborg ofborg bot requested a review from MarcWeber January 30, 2021 13:05
@risicle
Copy link
Contributor

risicle commented Jan 30, 2021

gdal 2.4.4 is available - should we just be bumping in master?

@dotlambda
Copy link
Member Author

gdal 2.4.4 is available - should we just be bumping in master?

Okay, what do we do on 20.09?

@dotlambda
Copy link
Member Author

dotlambda commented Jan 30, 2021
edited

@risicle Can you do the update to 2.4.4? I don't know anything about the patches that are applied in postPatch.

@dotlambda dotlambda closed this Jan 30, 2021
@dotlambda dotlambda deleted the CVE-2019-17546 branch January 30, 2021 13:23
@risicle
Copy link
Contributor

risicle commented Jan 30, 2021

Okay, what do we do on 20.09?

Patch.

Can you do the update to 2.4.4?

Perhaps. I'm a little limited in compute power at the moment and gdal is a beast to compile.

I don't know anything about the patches that are applied in postPatch.

Me neither but I'm sure they will complain loudly enough if they break.

@dotlambda
Copy link
Member Author

Me neither but I'm sure they will complain loudly enough if they break.

They do break. Otherwise I would just do the update.

@TredwellGit TredwellGit removed the 9.needs: port to stable A PR needs a backport to the stable release. label Aug 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@risicle risicle Awaiting requested review from risicle

@MarcWeber MarcWeber Awaiting requested review from MarcWeber

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability roundup 85: gdal-2.4.0: 1 advisory [8.8]
3 participants
@dotlambda @risicle @TredwellGit