CVE-2019-25050

Name of the Vulnerable Software and Affected Versions GDAL versions 2.4.2 through 3.0.4

Description The issue is related to a stack-based buffer overflow in the netCDF component of the GDAL library, which can be exploited to gain access to confidential data, compromise data integrity, and cause a denial of service. The overflow occurs in the nc4 get att function, which is called from nc4 get att tc and nc get att text, as well as in the uffd cleanup function, called from netCDFDataset::~netCDFDataset.

Recommendations For GDAL versions 2.4.2 through 3.0.4, consider updating to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the nc4 get att and uffd cleanup functions until a patch is available. Avoid using the netCDFDataset class in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.