GHSA-q5fm-55c2-v6j9 – fiona

Package

Manager: pip
Name: fiona
Vulnerable Version: >=0 <1.10b1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib ### Summary Vulnerability scan of fiona shows [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853). The vulnerability is in GDAL, a dependency of fiona. ### Details Fiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. The GDAL project has addressed the CVE in version 3.8.0. See https://lists.osgeo.org/pipermail/gdal-dev/2023-November/057881.html. The Fiona version 1.9.6 wheels on PyPI include GDAL version 3.6.4 and thus could be vulnerable. All of the Fiona 1.10 pre-release wheels in PyPI include GDAL version 3.8.4 and are not vulnerable. ### Impact Systems which use GDAL versions prior to 3.8.0 to open unchecked zip files, whether in combination with fiona or not, could be susceptible to buffer overflows.

Metadata

Created: 2024-07-16T19:32:45Z
Modified: 2024-08-21T22:30:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-q5fm-55c2-v6j9/GHSA-q5fm-55c2-v6j9.json
CWE IDs: ["CWE-1395", "CWE-190"]
Alternative ID: N/A
Finding: F111
Auto approve: 1