<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Salvatore Bonaccorso pushed to branch master
at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/security-tracker-team/security-tracker/commit/8dcdd070dcff5d9a79cdb7b0cecb712326c25620">8dcdd070</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2018-12-06T22:31:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Four CVEs for hdf5 issues fixed in unstable
CVE-2017-17505, CVE-2017-17506, CVE-2017-17508 and CVE-2017-17509 are
fixed in upstream release 1.10.2.
https://confluence.hdfgroup.org/display/support/HDF5+1.10.2
And thus included in the 1.10.4+repack-1 upload to unstable.
For CVE-2017-17507 upstream does not plan to fix the bug:
- If an HDF5 file contains a malformed compound datatype with a
suitably large offset, the type conversion code can run off
the end of the type conversion buffer, causing a segmentation
fault.
This issue was reported to The HDF Group as issue #CVE-2017-17507.
https://security-tracker.debian.org/tracker/CVE-2017-17506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506
NOTE: The HDF5 C library cannot produce such a file. This condition
should only occur in a corrupt (or deliberately altered) file
or a file created by third-party software.
THE HDF GROUP WILL NOT FIX THIS BUG AT THIS TIME
Fixing this problem would involve updating the publicly visible
H5T_conv_t function pointer typedef and versioning the API calls
which use it. We normally only modify the public API during
major releases, so this bug will not be fixed at this time.
(DER - 2018/02/26, HDFFV-10356)
</pre>
</li>
</ul>
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/commit/8dcdd070dcff5d9a79cdb7b0cecb712326c25620#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong>data/CVE/list</strong></a>
<hr>
No preview for this file type
<br>
</li>
</div>
</body>
</html>