Fluid Attacks Database

Description

netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and netCDFDataset::~netCDFDataset).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	gdal	>=0 <3.1.0+dfsg-1	3.1.0+dfsg-1
debian 12	gdal	>=0 <3.1.0+dfsg-1	3.1.0+dfsg-1
pypi	gdal	=2.4.2 \|\| =2.4.3 \|\| =2.4.4 \|\| =3.0.0 \|\| =3.0.1 \|\| =3.0.2 \|\| =3.0.3 \|\| =3.0.4 \|\| >=2.4.2 <3.1.0	3.1.0
debian 13	gdal	>=0 <3.1.0+dfsg-1	3.1.0+dfsg-1
debian 14	gdal	>=0 <3.1.0+dfsg-1	3.1.0+dfsg-1

Aliases

1. CVE-2019-250502. NVD-2019-250503. OSV-DEBIAN-2019-250504. OSV-2019-250505. OSV-PYSEC-2021-8886. GCVE-2019-250507. SECURITY-TRACKER-CVE-2019-25050

References

1. https://github.com/OSGeo/gdal/commit/767e3a56144f676ca738ef8f700e0e56035bd05a2. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-420.yaml3. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=151434. https://github.com/OSGeo/gdal/commit/27b9bf644bcf1208f7d6594bdd104cc8a8bb06465. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=151566. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-392.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.