Skip to content

fix(deps): upgrade GDAL 3.9.2 → 3.13.x — CVE-2026-8087 (HIGH 7.8), CVE-2026-8088, CVE-2026-8212 #58

Description

@mgmachado

Current State: Dependency exception

Description

Alerts: Dependabot alerts 33, 34, 38
Severity: HIGH 7.8 (NIST NVD, CVE-2026-8087) / Medium for others — Dependabot rates all three LOW, but NIST disagrees on CVE-2026-8087
Component: hastelib/pyproject.toml, docker/imageryprep/requirements.txt

Vulnerabilities

Three memory-safety bugs in GDAL 3.9.2:

Alert CVE NIST Severity Description
34 CVE-2026-8087 HIGH 7.8 Heap-based buffer overflow in HDF4/EOS GDnentries
33 CVE-2026-8088 Medium 5.5 Out-of-bounds read in GDfieldinfo
38 CVE-2026-8212 Medium 5.5 Out-of-bounds read in SWSDfldsrch

All three are file-parsing vulnerabilities. HASTE uses GDAL throughout hastelib to read satellite imagery (GeoTIFF, COG, HDF4-EOS) sourced from external providers. A malicious file delivered via imagery provider API could trigger these in the imageryprep pipeline or Azure Functions.

Fix

Upgrade GDAL from 3.9.2 to 3.13.x.

⚠️ HASTE uses a custom-built manylinux wheel

GDAL is not installable from PyPI — HASTE builds and hosts its own wheel at an Azure Blob URL. This is not a simple version bump.

Required steps:

  • Build GDAL-3.13.x-cp311-cp311-manylinux_2_17_x86_64.whl (see existing build process)
  • Upload new wheel to the HASTE binaries blob container (researchlabwuopendata.blob.core.windows.net/haste-binaries/)
  • Update the wheel URL in docker/imageryprep/requirements.txt
  • Update the pin in hastelib/pyproject.toml
  • Run full geospatial regression tests (imagery read/write, COG generation, reprojection, damage assessment pipeline)
  • Author an ADR in spec/architecture/decisions/ documenting the wheel build process

Owner: GIS Agent + Backend Dev Agent

Interim mitigations (until upgrade is complete)

  • Ensure all imagery input is received from authenticated, known-good provider APIs only
  • Consider adding magic-byte pre-validation before passing files to GDAL

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions