Is it possible to remove the libtiff dependency in GDAL, to eliminate a security vulnerability?


We have an application which uses the vector data capabilities of the ogr/gdal libraries. During a security scan, we found that libtiff - used by GDAL - has the following vulnerability:

Vulnerability Details : CVE-2022-3970 A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

Since we have no use for the raster capabilities of GDAL (and we are highly unlikely to actually invoke libtiff), I was looking for a way to recompile GDAL without this dependency.

I was looking here:

https://gdal.org/development/building_from_source.html

Specifically at the section for enabling/disabling drivers:

https://gdal.org/development/building_from_source.html#cmake-package-dependent-options

And there is a way to disable the TIFF driver:

https://gdal.org/development/building_from_source.html#tiff

However, it appears that GDAL has an internal copy of libtiff, and that TIFF support is needed for GTiff support, which cannot be disabled:

"Note: The following GDAL drivers cannot be disabled: VRT, DERIVED, GTiff, COG, HFA, MEM. The following OGR drivers cannot be disabled: “ESRI Shapefile”, “MapInfo File”, OGR_VRT, Memory, KML, GeoJSON, GeoJSONSeq, ESRIJSON, TopoJSON."

Note that the tools we use from GDAL are limited to ogr2ogr and ogrinfo; no raster usage; we are really only using the OGR portion of GDAL, I believe.

SO: can I get rid of the libtiff dependency, to get rid of the security scan warning? Or is this a fundamental part of GDAL that can't be simply dropped?

The fully built version of GDAL has the libtiff dependency, and failed our security scan. I was looking for insight into how to get a version that doesn't have this dependency. We are using Ubuntu Linux.

[EDIT] Furthermore, we are just using ogr2ogr, which is a vector data tool that is part of the GDAL package; I suspect it doesn't depend on libtiff. Would there be a way to get a package with only ogr2ogr with minimal dependencies?


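The question above hinges on whether the ogr2ogr binary actually depends on libtiff. The shell script below is an added example, not from the question or from the GDAL project, that checks what a dependency scanner normally looks at: whether the binary loads libtiff at run time (ldd reports transitive dependencies, so a libtiff pulled in through libgdal.so shows up even if ogr2ogr never calls a TIFF function) and whether that libtiff's version is at or above an assumed minimum fixed version. The ldd output format, the use of `pkg-config --modversion libtiff-4` to obtain the version, the sample ldd listings, and the 4.5.0 threshold are assumptions of the example, not facts stated on the page.

```shell
#!/bin/sh
# Added example, not from the question or from GDAL: decide whether a built
# ogr2ogr/ogrinfo binary loads libtiff at run time (what a dependency scanner
# sees, whether or not the raster code paths are ever exercised) and whether
# the loaded libtiff is at least an assumed minimum fixed version.
#
# Assumptions (not stated on the page):
#   - ldd output in the usual glibc layout: "libtiff.so.N => /path (0x...)".
#   - the libtiff version comes from `pkg-config --modversion libtiff-4`.
#   - MIN_FIXED_VERSION=4.5.0 is assumed to be the first upstream release
#     carrying the CVE-2022-3970 patch; distributions may backport the fix
#     under an older version number, so this is a first-pass check only.

MIN_FIXED_VERSION="4.5.0"

# links_libtiff: read ldd-style output on stdin, print the resolved path of
# every libtiff shared object found and exit 0; exit 1 when none is listed.
links_libtiff() {
    awk '/libtiff\.so/ { print $3; found = 1 } END { exit(found ? 0 : 1) }'
}

# version_ge A B: exit 0 when dotted version A is >= B, else exit 1.
# Done in awk so it does not depend on GNU "sort -V".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# assess LDD_OUTPUT LIBTIFF_VERSION: print one of
#   no-libtiff  - the binary does not load libtiff; nothing for a scanner to flag
#   patched     - libtiff is loaded and its version is >= MIN_FIXED_VERSION
#   vulnerable  - libtiff is loaded and its version is below MIN_FIXED_VERSION
assess() {
    ldd_output="$1"; tiff_version="$2"
    if ! printf '%s\n' "$ldd_output" | links_libtiff >/dev/null; then
        echo "no-libtiff"
    elif version_ge "$tiff_version" "$MIN_FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# On a real Ubuntu host the two inputs would be gathered as:
#   assess "$(ldd "$(command -v ogr2ogr)")" "$(pkg-config --modversion libtiff-4)"
# Below, constructed sample ldd listings stand in so the script runs offline.
SAMPLE_LDD_WITH_TIFF='	linux-vdso.so.1 (0x00007ffc)
	libgdal.so.30 => /usr/lib/x86_64-linux-gnu/libgdal.so.30 (0x00007f10)
	libtiff.so.5 => /usr/lib/x86_64-linux-gnu/libtiff.so.5 (0x00007f0f)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0e)'
SAMPLE_LDD_NO_TIFF='	linux-vdso.so.1 (0x00007ffc)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0e)'

echo "default build, libtiff 4.4.0:  $(assess "$SAMPLE_LDD_WITH_TIFF" 4.4.0)"
echo "default build, libtiff 4.5.0:  $(assess "$SAMPLE_LDD_WITH_TIFF" 4.5.0)"
echo "build without libtiff:         $(assess "$SAMPLE_LDD_NO_TIFF" 4.4.0)"
```

Two practical caveats. First, "vulnerable" here means only that the scanner's version match will fire; whether the vulnerable function is reachable from ogr2ogr's vector paths is a separate question that the linkage check cannot answer. Second, Debian and Ubuntu routinely backport security fixes without changing the upstream version number, so a version below the threshold is a prompt to check the distribution package changelog for the CVE identifier, not proof that the installed libtiff is unpatched.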