Debian Package Tracker

gdal


general
  • source: gdal (main)
  • version: 3.13.1+dfsg-1
  • maintainer: Debian GIS Project (archive) (DMD)
  • uploaders: Francesco Paolo Lovergine [DMD] – Bas Couwenberg [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.2.2+dfsg-2+deb11u2
  • o-o-sec: 3.2.2+dfsg-2+deb11u2
  • oldstable: 3.6.2+dfsg-1
  • stable: 3.10.3+dfsg-1
  • testing: 3.13.1+dfsg-1
  • unstable: 3.13.1+dfsg-1
versioned links
  • 3.2.2+dfsg-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.6.2+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.10.3+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.13.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • gdal-bin
  • gdal-data
  • gdal-plugins
  • libgdal-dev
  • libgdal39
  • python3-gdal
action needed
8 security issues in bullseye (high)

There are 8 open security issues in bullseye.

8 important issues:
  • CVE-2026-4738: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.C. This issue affects gdal: before 3.11.0.
  • CVE-2026-8084: A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
  • CVE-2026-8086: A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.
  • CVE-2026-8087: A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.
  • CVE-2026-8088: A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
  • CVE-2026-8212: A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
  • CVE-2026-8213: A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
  • CVE-2026-49014: In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.
Created: 2026-04-12 Last update: 2026-06-10 05:00
lintian reports 4 warnings (normal)
Lintian reports 4 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-03-21 Last update: 2026-03-21 05:01
8 low-priority security issues in trixie (low)

There are 8 open security issues in trixie.

8 issues left for the package maintainer to handle:
  • CVE-2026-4738: (needs triaging) Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.C. This issue affects gdal: before 3.11.0.
  • CVE-2026-8084: (needs triaging) A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
  • CVE-2026-8086: (needs triaging) A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.
  • CVE-2026-8087: (needs triaging) A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.
  • CVE-2026-8088: (needs triaging) A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
  • CVE-2026-8212: (needs triaging) A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
  • CVE-2026-8213: (needs triaging) A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
  • CVE-2026-49014: (needs triaging) In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-12 Last update: 2026-06-10 05:00
8 low-priority security issues in bookworm (low)

There are 8 open security issues in bookworm.

8 issues left for the package maintainer to handle:
  • CVE-2026-4738: (needs triaging) Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal (frmts/zlib/contrib/infback9 modules). This vulnerability is associated with program files inftree9.C. This issue affects gdal: before 3.11.0.
  • CVE-2026-8084: (needs triaging) A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
  • CVE-2026-8086: (needs triaging) A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.
  • CVE-2026-8087: (needs triaging) A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.
  • CVE-2026-8088: (needs triaging) A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
  • CVE-2026-8212: (needs triaging) A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
  • CVE-2026-8213: (needs triaging) A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
  • CVE-2026-49014: (needs triaging) In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-12 Last update: 2026-06-10 05:00
testing migrations
  • This package will soon be part of the auto-hdf5 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-xerces-c transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2026-06-10] gdal 3.13.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-05] Accepted gdal 3.13.1+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-06-01] Accepted gdal 3.13.1~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-05-28] gdal 3.13.0+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-23] Accepted gdal 3.13.0+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-05-08] Accepted gdal 3.13.0+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-05-05] Accepted gdal 3.13.0~rc2+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-05-04] Accepted gdal 3.13.0~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-04-22] Accepted gdal 3.13.0~beta2+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-04-16] Accepted gdal 3.13.0~beta1+dfsg-1~exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
  • [2026-03-29] gdal 3.12.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-20] Accepted gdal 3.12.3+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-03-18] Accepted gdal 3.12.3~rc2+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-03-17] Accepted gdal 3.12.3~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-02-20] gdal 3.12.2+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-09] Accepted gdal 3.12.2+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2026-02-03] Accepted gdal 3.12.2~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-12-24] gdal 3.12.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-18] Accepted gdal 3.12.1+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-12-12] Accepted gdal 3.12.1~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-11-15] gdal 3.12.0+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-11-10] Accepted gdal 3.12.0+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-11-08] Accepted gdal 3.12.0+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-11-03] Accepted gdal 3.12.0~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-10-21] Accepted gdal 3.12.0~beta1+dfsg-1~exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
  • [2025-09-17] gdal 3.11.4+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-11] Accepted gdal 3.11.4+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-09-04] Accepted gdal 3.11.4~rc1+dfsg-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
  • [2025-08-29] gdal 3.11.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-08-22] Accepted gdal 3.11.3+dfsg-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 4)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 3.12.2+dfsg-1build2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.