Fluid Attacks Database

Description

GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	gdal	>=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
debian 11	gdal	=3.2.2+dfsg-2 \|\| =3.2.2+dfsg-2+deb11u1 \|\| >=0 <3.2.2+dfsg-2+deb11u2	3.2.2+dfsg-2+deb11u2
debian 12	gdal	>=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
debian 14	gdal	>=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
pypi	gdal	=3.3.0 \|\| =3.3.1 \|\| =3.3.2 \|\| =3.3.3 \|\| =3.4.0 \|\| >=3.3.0 <3.4.1	3.4.1

Aliases

1. CVE-2021-459432. NVD-2021-459433. OSV-DEBIAN-2021-459434. OSV-2021-459435. OSV-PYSEC-2022-430656. GCVE-2021-459437. SECURITY-TRACKER-CVE-2021-459438. lists.debian.org9. DEBIAN-dsa-523910. lists.debian.org11. security.gentoo.org

References

1. https://github.com/OSGeo/gdal/pull/49442. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml3. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=419934. https://github.com/OSGeo/gdal/commit/1ca6a3e5168c200763fa46d8aa7e698d0b757e7e5. https://www.oracle.com/security-alerts/cpujul2022.html6. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBPJGXY7IYY65NVJBLP3RONXE7ZBVCNU/7. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P23E4DEHY5FJCR5VJ46I6TO32DT7Y3T4/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.