Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1nNG00LTlxNGMtbWZ3Ns4AA98D

Fiona affected by CVE-2020-14152 related to madler-zlib

Summary

Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).

Details

In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

Impact

fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.

Permalink: https://github.com/advisories/GHSA-g4m4-9q4c-mfw6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNG00LTlxNGMtbWZ3Ns4AA98D
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: 17 days ago

CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Identifiers: GHSA-g4m4-9q4c-mfw6
References:

• https://github.com/Toblerity/Fiona/security/advisories/GHSA-g4m4-9q4c-mfw6
• https://nvd.nist.gov/vuln/detail/CVE-2020-14152
• https://github.com/libjpeg-turbo/libjpeg-turbo/issues/500
• https://github.com/OSGeo/gdal/commit/075480a3cba13c9dd2ab4e39e92d6147a6c98eca
• https://github.com/Toblerity/Fiona/commit/07708211726e276e22dedb9cd567b4f6a7b8c809
• https://github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933
• https://github.com/advisories/GHSA-g4m4-9q4c-mfw6

Repository: https://github.com/Toblerity/Fiona
Blast Radius: 23.3

Affected Packages