geopandas / pyogrio

Vectorized vector I/O using OGR
https://pyogrio.readthedocs.io
MIT License

Security Address #311

Closed SCH227 closed 11 months ago

SCH227 commented 11 months ago

Hello!

I may have found a security issue in the latest version of pyogrio. Following responsible disclosure, is there an email or other private channel where I could share the details? Thank you

brendan-ward commented 11 months ago

Is this related to Fiona #1298 and originating from a vulnerability in libwebp as described in rasterio #2924?

We should probably provide instructions for reporting security issues; I don't see anything listed in the broader GeoPandas documentation. For now you can report it directly to me (bcward@astutespruce.com).

SCH227 commented 11 months ago

No, I sent it by email. I recommend adding a SECURITY.md file in your repo so reporters have clear instructions on how to handle disclosures. Thank you for your awesome project!

brendan-ward commented 11 months ago

This is related to libcurl, linked in via GDAL as part of our wheel-building infrastructure. Cross-reference curl #12026; details forthcoming on 10/11/2023. Since the pre-notification of the vulnerability is public, there is no issue with publicly disclosing that much here.
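The last comment makes a point that matters for anyone consuming binary wheels: the affected library is not pyogrio's own code but a transitive native dependency (libcurl, pulled in through GDAL) that the wheel-building process bundles alongside the extension module. The script below is an added example written for this thread, not code from the pyogrio or GeoPandas projects. It locates a libcurl shared object bundled next to an installed pyogrio (assumed directory names `pyogrio.libs/` on Linux and `pyogrio/.dylibs/` on macOS, which is where auditwheel and delocate normally place vendored libraries), asks that library for its own version via the public `curl_version()` C API, and compares it with a threshold. The threshold `MINIMUM_OK_VERSION` is a placeholder: the curl advisory referenced above had not yet published a fixed version when this thread was written, so fill it in from the advisory once known.

```python
import ctypes
import glob
import importlib.util
import os
import re

# Directories (relative to site-packages) where wheel repair tools typically
# place vendored shared libraries. Assumption: the bundled libcurl's file name
# starts with "libcurl"; adjust the globs if your wheel layout differs.
BUNDLED_LIB_GLOBS = ["pyogrio.libs/libcurl*", "pyogrio/.dylibs/libcurl*"]

# Placeholder: the first libcurl release that carries the fix. The thread does
# not state it; take the value from the published curl advisory (curl #12026).
MINIMUM_OK_VERSION = (0, 0, 0)

# curl_version() returns e.g. "libcurl/8.3.0 OpenSSL/3.1.2 zlib/1.2.13 ..."
VERSION_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(version_string):
    """Extract (major, minor, patch) from a curl_version() string.

    Returns None when no 'libcurl/X.Y.Z' token is present, so callers can
    distinguish 'unknown' from 'old'.
    """
    match = VERSION_RE.search(version_string)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_older_than(version, minimum):
    """Tuple comparison: (8, 3, 0) < (8, 10, 0) is True, unlike string compare."""
    return version < minimum


def find_bundled_libcurl():
    """Return paths of libcurl shared objects vendored next to pyogrio.

    Returns an empty list when pyogrio is not installed or nothing is bundled
    (e.g. a conda build that links against a system-wide libcurl instead).
    """
    spec = importlib.util.find_spec("pyogrio")
    if spec is None or not spec.submodule_search_locations:
        return []
    site_packages = os.path.dirname(list(spec.submodule_search_locations)[0])
    hits = []
    for pattern in BUNDLED_LIB_GLOBS:
        hits.extend(glob.glob(os.path.join(site_packages, pattern)))
    return sorted(hits)


def libcurl_version_string(path):
    """Load a libcurl shared object and ask it for its own version string.

    curl_version() is part of libcurl's stable public API; it takes no
    arguments and returns a NUL-terminated C string owned by the library.
    """
    lib = ctypes.CDLL(path)
    lib.curl_version.restype = ctypes.c_char_p
    lib.curl_version.argtypes = []
    return lib.curl_version().decode("ascii", "replace")


def audit(minimum=MINIMUM_OK_VERSION):
    """Report each bundled libcurl as (path, version tuple or None, outdated?)."""
    report = []
    for path in find_bundled_libcurl():
        version = parse_curl_version(libcurl_version_string(path))
        outdated = version is None or is_older_than(version, minimum)
        report.append((path, version, outdated))
    return report


if __name__ == "__main__":
    results = audit()
    if not results:
        print("no bundled libcurl found next to pyogrio (not installed, or "
              "linked against a system libcurl instead)")
    for path, version, outdated in results:
        label = "OUTDATED" if outdated else "ok"
        print(f"{label}: {path} -> libcurl {version}")
```

Running it against a freshly built wheel before publishing, or against the environments you deploy, turns "which libcurl did GDAL pull in?" into a one-line answer, and the same pattern (glob the vendored library directory, load it, call its version function) applies to the other native libraries a wheel carries.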