* Drivers depending on third-party libraries whose code has been embedded in GDAL. Binary builds might rely on the internal version, or the external version. If using the internal version, they might use an obsolete version of the third-party library that might contain known vulnerabilities. Potentially concerned drivers are GTiff (libtiff, libgeotiff), PNG (libpng), GIF (giflib), JPEG (libjpeg), PCRaster (libcsf), GeoJSON (libjson-c), MapInfo File (MITAB lib), AVCBin/AVCE00 (AVCE00 lib). An internal version of ZLib is also contained in GDAL sources. Packagers of GDAL are recommended to use the external version of the libraries when possible (might be impractical with libtiff due to the libtiff 4.X vs libtiff 3.X issue), so that security upgrades of those dependencies benefit GDAL.
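A packager or operator can get a first answer to "internal or external copy?" by looking at which of these libraries the GDAL shared object links dynamically: a library that is missing from the dynamic dependencies while its driver is still available is most likely the embedded copy, which distro security updates will not reach. The following check is an added example, not GDAL project code; it assumes a Linux `ldd`, that the soname patterns listed match the distribution's packaging of those libraries, and the `ldd` output used for the demonstration is constructed.

```python
"""Spot embedded third-party libraries in a libgdal binary from its `ldd` output.

Added example (not GDAL project code). The soname regexes below are
assumptions about common Linux packaging; adjust them for your distribution.
"""
import re
import subprocess

# Embeddable library -> regex on the soname, plus the driver from the page that uses it.
EMBEDDABLE_LIBS = {
    "libtiff": (r"^libtiff\.so", "GTiff"),
    "libgeotiff": (r"^libgeotiff\.so", "GTiff"),
    "libpng": (r"^libpng\d*\.so", "PNG"),      # Debian ships libpng16.so.16
    "libgif": (r"^libgif\.so", "GIF"),
    "libjpeg": (r"^libjpeg\.so", "JPEG"),
    "libcsf": (r"^libcsf\.so", "PCRaster"),
    "libjson-c": (r"^libjson-c\.so", "GeoJSON"),
    "libz": (r"^libz\.so", "(zlib, used throughout)"),
}

# Matches "libfoo.so.1 => /path/libfoo.so.1 (0x00007f...)"; "not found" lines do not match.
_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-f]+\)\s*$")


def parse_ldd(output: str) -> dict:
    """Return {soname: resolved path} for every dynamically resolved dependency."""
    deps = {}
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def classify_embedded(deps: dict) -> dict:
    """For each embeddable library: the driver using it and the external path it
    resolves to, or None when no dynamic dependency exists (likely the internal copy,
    or the driver was not built at all)."""
    result = {}
    for lib, (pattern, driver) in EMBEDDABLE_LIBS.items():
        rx = re.compile(pattern)
        path = next((p for soname, p in deps.items() if rx.match(soname)), None)
        result[lib] = {"driver": driver, "external": path}
    return result


def probably_internal(deps: dict) -> list:
    """Sorted names of embeddable libraries with no external dynamic dependency."""
    return sorted(lib for lib, info in classify_embedded(deps).items() if info["external"] is None)


def check_gdal_library(path: str) -> list:
    """Run ldd on a libgdal.so and report libraries that look embedded."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout
    return probably_internal(parse_ldd(out))


# Constructed sample ldd output (not from a real system); geotiff, gif, csf and
# json-c are deliberately absent.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibtiff.so.6 => /lib/x86_64-linux-gnu/libtiff.so.6 (0x00007f1a2c000000)
\tlibpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f1a2bf00000)
\tlibjpeg.so.8 => /lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f1a2be00000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2bd00000)
\tlibzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f1a2bc00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2ba00000)
"""

if __name__ == "__main__":
    for lib in probably_internal(parse_ldd(SAMPLE_LDD)):
        print(f"{lib}: no external dependency, driver {EMBEDDABLE_LIBS[lib][1]} may use the embedded copy")
```

Treat a hit as a prompt to inspect the build configuration rather than as proof: a driver can also be missing because it was not compiled in, and static linking of an external library would look the same to `ldd`.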
* Drivers using GDALOpen() or OGROpen() internally cause other drivers to be used (and their possible flaws exploited), without it being obvious at first sight. VRT, MBTiles, KMLSuperOverlay, RasterLite, PDF, RPFTOC, RS2, WMS, WCS, WFS, ... are such drivers.
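The practical consequence for anyone feeding untrusted files to GDAL is that an allow-list given only to the top-level open (the `allowed_drivers` argument of `gdal.OpenEx`) does not cover the nested `GDALOpen()` calls made by drivers such as VRT or PDF; a restriction has to apply to the whole process, which the `GDAL_SKIP` configuration option and driver deregistration do. The following is an added example, not GDAL project code; it assumes the `osgeo` Python bindings, that `GDAL_SKIP` takes a space-separated list of driver short names, and that `Driver.Deregister()` is available. The pure helpers are what the usage at the bottom and any test exercise; `restrict_gdal()` is only called where the bindings are installed.

```python
"""Process-wide GDAL driver allow-list for handling untrusted input.

Added example (not GDAL project code). Assumes the osgeo bindings and that
GDAL_SKIP is a space-separated list of driver short names.
"""

# Drivers the page names as opening other datasets internally (not an exhaustive list).
NESTED_OPEN_DRIVERS = ["VRT", "MBTiles", "KMLSuperOverlay", "RasterLite", "PDF",
                       "RPFTOC", "RS2", "WMS", "WCS", "WFS"]


def drivers_to_skip(registered, allowed):
    """Every registered driver that is not on the allow-list.
    Driver short names are compared case-insensitively, as GDAL does."""
    allow = {name.lower() for name in allowed}
    return [name for name in registered if name.lower() not in allow]


def gdal_skip_value(drivers):
    """Value for the GDAL_SKIP configuration option (space-separated short names)."""
    return " ".join(drivers)


def nested_openers_left_enabled(allowed):
    """Nested-opening drivers from the page that an allow-list still permits; each one
    re-exposes every other driver through its internal GDALOpen()/OGROpen() calls."""
    allow = {name.lower() for name in allowed}
    return [name for name in NESTED_OPEN_DRIVERS if name.lower() in allow]


def restrict_gdal(allowed):
    """Disable every driver not in `allowed`, for this process and for any later
    GDALAllRegister() call. Returns the list of driver names that were disabled."""
    from osgeo import gdal  # assumption: osgeo bindings installed
    gdal.UseExceptions()
    registered = [gdal.GetDriver(i).ShortName for i in range(gdal.GetDriverCount())]
    skip = drivers_to_skip(registered, allowed)
    # Drivers listed in GDAL_SKIP are not registered by future GDALAllRegister() calls.
    gdal.SetConfigOption("GDAL_SKIP", gdal_skip_value(skip))
    # The bindings already registered everything on import, so remove those too.
    for name in skip:
        drv = gdal.GetDriverByName(name)
        if drv is not None:
            drv.Deregister()
    return skip


if __name__ == "__main__":
    # Allow-list for a service that should only ever read GeoTIFF and PNG (constructed choice).
    allowed = ["GTiff", "PNG"]
    print("nested openers still enabled:", nested_openers_left_enabled(allowed))
    try:
        print("disabled:", len(restrict_gdal(allowed)), "drivers")
    except ImportError:
        print("osgeo bindings not installed; showing the pure helpers only")
        print(gdal_skip_value(drivers_to_skip(["GTiff", "VRT", "PDF", "PNG"], allowed)))
```

Call `restrict_gdal()` once at startup, before any dataset is opened; if the allow-list itself contains one of the nested-opening drivers, `nested_openers_left_enabled()` makes that visible so the decision is deliberate.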