Bug#884365: hdf5: CVE-2017-17505 CVE-2017-17506 CVE-2017-17507 CVE-2017-17508 CVE-2017-17509

Salvatore Bonaccorso carnil at debian.org
Thu Dec 6 22:38:51 GMT 2018


Control: clone 884365 -1
Control: retitle 884365 hdf5: CVE-2017-17505 CVE-2017-17506 CVE-2017-17508 CVE-2017-17509
Control: retitle -1 hdf5: CVE-2017-17507
Control: fixed 884365 1.10.2+repack-1~exp1

Hi Gilles!

On Thu, Dec 06, 2018 at 11:02:17PM +0100, Gilles Filippini wrote:
> On Thu, 14 Dec 2017 16:17:51 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: hdf5
> > Version: 1.8.13+docs-1
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for hdf5, the POCs are
> > found at [5]. Apart from CVE-2017-17509, all are confirmed back to
> > 1.8.13+decs-15+deb8u1, still decided to collect that CVE as well in
> > this bug, but we can split up by affected version. Not sure as well if
> > the issues have been reported to upstream.
> > 
> > CVE-2017-17505[0]:
> > | In HDF5 1.10.1, there is a NULL pointer dereference in the function
> > | H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example,
> > | h5dump would crash when someone opens a crafted hdf5 file.
> > 
> > CVE-2017-17506[1]:
> > | In HDF5 1.10.1, there is an out of bounds read vulnerability in the
> > | function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example,
> > | h5dump would crash when someone opens a crafted hdf5 file.
> > 
> > CVE-2017-17507[2]:
> > | In HDF5 1.10.1, there is an out of bounds read vulnerability in the
> > | function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example,
> > | h5dump would crash when someone opens a crafted hdf5 file.
> > 
> > CVE-2017-17508[3]:
> > | In HDF5 1.10.1, there is a divide-by-zero vulnerability in the function
> > | H5T_set_loc in the H5T.c file in libhdf5.a. For example, h5dump would
> > | crash when someone opens a crafted hdf5 file.
> > 
> > CVE-2017-17509[4]:
> > | In HDF5 1.10.1, there is an out of bounds write vulnerability in the
> > | function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example,
> > | h5dump would crash or possibly have unspecified other impact when someone
> > | opens a crafted hdf5 file.
> 
> CVE-2017-17505, CVE-2017-17506, CVE-2017-17508 and CVE-2017-17509 are
> fixed in upstream release 1.10.2 [1].
> 
> Regarding CVE-2017-17507, upstream release notes for release 1.10.2
> state [1]:
> > NOTE: The HDF5 C library cannot produce such a file. This condition
> >       should only occur in a corrupt (or deliberately altered) file
> >       or a file created by third-party software.
> >
> > THE HDF GROUP WILL NOT FIX THIS BUG AT THIS TIME
> >
> > Fixing this problem would involve updating the publicly visible
> > H5T_conv_t function pointer typedef and versioning the API calls
> > which use it. We normally only modify the public API during
> > major releases, so this bug will not be fixed at this time.
> >
> > (DER - 2018/02/26, HDFFV-10356)

Ack, thanks for this update. So let's split the bug into two, to track
CVE-2017-17507 separately for when upstream will fix it (which
involves an ABI change if I understood correctly).

Regards,
Salvatore


