CVE-2024-3094 (aka "xz backdoor") and GDAL and pyogrio's wheels #382
Looks like we need to wait for at least GDAL 3.8.5 to land in vcpkg to update wheels because 3.8.4 coincides with the compromised version of According to the logs, it is indeed pulling in (wheels are building again against the older
The GitHub repo of xz was enabled again last night, so in general the vcpkg builds should work again. vcpkg already reverted the liblzma port back to a non-compromised version, so using a recent vcpkg version should be fine for us. Although given GDAL just released 3.8.5, it would indeed be nice to wait until that is included in vcpkg and update our wheel build to have the latest GDAL.
Updating to GDAL 3.8.5 in #392
Also see GDAL's message about it: https://lists.osgeo.org/pipermail/gdal-dev/2024-March/058792.html
liblzma is included in our binary wheels through the vcpkg build of GDAL (although it should typically not be used through pyogrio usage, given GDAL only uses it for raster drivers AFAIK). But to be very explicit here: our wheels don't include the compromised versions.
Our last GDAL / vcpkg update was e6e6e42, and so that is from before the affected versions were released (the wheels currently being built from main contain liblzma 5.4.4).
One consequence though is that our wheel build is failing right now, because GitHub has taken down the repos, and so the vcpkg build script that tries to fetch those sources fails (microsoft/vcpkg#37839).
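The check the issue body makes by hand (which liblzma a built wheel bundles, and whether it is one of the CVE-2024-3094 releases) as an added example; this is not pyogrio's own code. It assumes the auditwheel-style member names such as `pyogrio.libs/liblzma-<hash>.so.5.4.4`, uses the real `lzma_version_string()` export when the library can be loaded, and takes the affected versions 5.6.0 and 5.6.1 from the CVE record rather than from the issue.

```python
from __future__ import annotations

import ctypes
import io
import os
import re
import tempfile
import zipfile

# xz-utils releases carrying the CVE-2024-3094 backdoor (from the CVE, not from the issue).
COMPROMISED_VERSIONS = {"5.6.0", "5.6.1"}

# Bundled liblzma names: liblzma-<hash>.so.5.4.4 (auditwheel), liblzma.5.dylib (delocate),
# liblzma.dll (Windows). Group 1/2 hold a version suffix when the file name carries one.
LIB_RE = re.compile(r"liblzma[^/]*?\.(?:so\.([0-9.]+)|([0-9.]+)\.dylib|dll)$")


def version_from_library(data: bytes) -> str | None:
    """Load the shared object and ask liblzma itself; None if it cannot be loaded here."""
    with tempfile.NamedTemporaryFile(suffix=".so", delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        lib = ctypes.CDLL(path)
        lib.lzma_version_string.restype = ctypes.c_char_p
        return lib.lzma_version_string().decode()
    except (OSError, AttributeError):
        return None
    finally:
        os.unlink(path)


def audit_wheel(wheel_bytes: bytes) -> dict[str, tuple[str | None, bool]]:
    """Map each bundled liblzma member of a wheel to (version, is_compromised)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            m = LIB_RE.search(name)
            if not m:
                continue
            version = version_from_library(zf.read(name))
            if version is None:  # fall back to the version suffix in the file name
                version = m.group(1) or m.group(2)
            findings[name] = (version, version in COMPROMISED_VERSIONS)
    return findings


def build_fake_wheel(lib_name: str) -> bytes:
    """Constructed stand-in for a wheel: one bogus library under pyogrio.libs/ (not loadable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pyogrio/__init__.py", "")
        zf.writestr(f"pyogrio.libs/{lib_name}", b"constructed placeholder, not a real ELF")
    return buf.getvalue()
```

Run `audit_wheel(open("pyogrio-x.y.z-cp311-...whl", "rb").read())` against a real wheel; a macOS `liblzma.5.dylib` only yields its major version from the name, so there the ctypes path is what gives the full answer.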