Summary
Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).
Details
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Impact
fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.
References
Summary
Vulnerability scan of fiona shows CVE-2020-14152. The vulnerability is in libjpeg, a transitive dependency of fiona (via GDAL and PROJ).
Details
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Impact
fiona will not open JPEG files and is not vulnerable to attack in that way. fiona might be vulnerable to malformed PROJ grid files using JPEG compression. No such vulnerability or compromise has been demonstrated.
References