[GHSA-8hmh-mhqv-7638] PartialBufferOutputStream2 in GeoServer before 1.6.1 and... #4585
Conversation
github-actions
bot
changed the base branch from
main
to
jodygarnett/advisory-improvement-4585
|
Many thanks! 👍 |
advisory-database
bot
merged commit 5efff65
into
jodygarnett/advisory-improvement-4585
|
Hi @jodygarnett! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
|
any idea on considering this just as bug rather than a security problem? Really it is a complaint about lack of a useful error message .... |
|
Well.... it actually wasn't in our database until I merged this PR. That said the appropriate way to go about getting it de-listed would be to reach out to the assigning CNA which looks to be mitre in this case They have a web form here https://cveform.mitre.org/ that you can file an issue with. If you'd like to give that a try and let me know how it goes we can either reflect their change (hopefully) or we can reconsider this advisory on our end independently. |
|
Thanks, I filled in the form we will see what happens. |
|
Response:
|
|
Bleh. Ok, so for the benefit of the historical record can you lay out the case for this not having any security impact? Looking at the issue https://osgeo-org.atlassian.net/browse/GEOS-1747 I see
Which I could read as a vector to expose program memory, but also it sounds like the buffer eventually gets fully flushed anyway. Can you expand on the implications here? Also if you have a fix commit or something that could be inspected that would be great. |
|
I will update the GEOS-1747 ticket to be clear there is no security impact; indeed just no information rather than a helpful failure :P The changes you have merged describing the maven package affected and so on to bring this up to modern norms still has value. |
|
Q: As a CNA to follow the policy on historical stuff do you need to revert this PR? |
|
My plan (so long as it does look like there is no security impact) is to withdraw the GHSA we have in our system. We have no control over the CVE itself, but by marking the GHSA as withdrawn will halt dependabot alerts. |
|
Nice, I support your plan. And I learned something :) |
|
Cool. So, I see the ticket is updated. One clarifying question; the buffer which gets flushed only ever has data which is intended to be flushed eventually anyway right? The early flush as described in the bug is only an issue because it's unclear to the caller/receiver that what they're getting is incomplete? |
|
Yes, this setting is part of the low-level “dispatcher” system which predates spring-framework and is unique for this application. For the majority of these geospatial XML protocols it is obvious that something is wrong because the xml stream that they are parsing gets cut off as they are receiving it. But when serving large geospatial datasets stream is required as the content will not all fit into memory at the same time… The service exception for these protocols is a different XML document. So if you have already started producing a document there is no good solutions. The partial buffer solution recommended is a good compromise, often a problem is visible within the first little bit of streaming. It is rare that some invalid data midway through the answer would cause a “service exception”. So the partial document is all information the requester expected to see, and was authorized to see, it is just the result is incomplete. |
|
Gotcha. Many thanks for the clarification. 👍 |
Updates
Comments
Updating the link to the geoserver issue tracker, adding maven ecosystem coordinates reflecting projects current best practices.