CVE-2022-0699 A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases
The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release.

CVE-2017-9832 - Double-free in shp_setup() in shp.c of shapelib 1.5.0 and older releases allows an attacker to cause a denial of service or have other unspecified impact via control over shp_setup(). The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release.

CVE-2017-9833 - An issue was discovered with the handling of the XSLT functions in contrib/shxsl/shpsort.c in shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over shp_setup() in shp.c. The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release.

CVE-2017-9834 - An issue was discovered with the handling of the XSLT functions in contrib/shxsl/shpsort.c in shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over shp_setup() in shp.c. The vendor has confirmed that there are no active attacks against this issue. Users are
FAQ
Q: Why should I upgrade to 1.5.0?
A: The vendor has confirmed that there are no active attacks against this issue. Users are advised to upgrade to the latest release.
Products and versions affected
This advisory covers the following versions of shapelib:
1.5.0 - 1.5.4
1.6.0 - 1.6.5
1.8.0 - 1.8.3
1.9.0
XXE: XML External Entity Attachment
An XXE vulnerability allows an attacker to make the XML parser resolve an external entity that is not part of the XML document itself; in particular, the location from which the external entity is fetched is not specified by the document's author and is therefore under the attacker's control.
If the XXE vulnerability is triggered while processing a request, this may result in a denial of service or allow the attacker to access information outside of what should be accessible.
Timeline
Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 05:16:00 UTC