[Git][security-tracker-team/security-tracker][master] All the hdf5 issues are DoS class vulnerabilities and marked as no-dsa for...

Ola Lundqvist opal at debian.org
Thu Oct 24 14:42:05 BST 2019



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e821dc95 by Ola Lundqvist at 2019-10-24T13:41:42Z
All the hdf5 issues are DoS class vulnerabilities and marked as no-dsa for buster and stretch. There is no need to fix them for jessie in this case and historically it has not been done for this package either. Marking the CVEs as ignored and removing from dla-needed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28453,12 +28453,14 @@ CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is
 	- hdf5 <unfixed>
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8
 	NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10719
 CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...)
 	- hdf5 <unfixed>
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
 	NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10718
 CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to import  ...)
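Review bot: the "(Minor issue)" rationale on the new [jessie] lines for CVE-2019-9152 and CVE-2019-9151 is copied from the buster/stretch no-dsa lines, but the DoS-class assessment that justifies <ignored> lives only in the commit message; the CVE descriptions visible here are truncated ("There is an ou ..."), so a reader of data/CVE/list cannot recover that reasoning. Consider adding a NOTE line to each entry (for example `NOTE: DoS only (crash on crafted file), no DLA planned`) so the triage decision is recorded next to the PoC links at https://github.com/magicSwordsMan/PAAFS.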
@@ -30500,6 +30502,7 @@ CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is
 	- hdf5 <unfixed>
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
 	NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711
 CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...)
@@ -58635,6 +58638,7 @@ CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587
 	NOTE: fix in develop branch: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f
@@ -58643,6 +58647,7 @@ CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtyp
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10588
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
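Review bot: the NOTE on CVE-2018-17437 says "fixed in 1.10.5" while the top line of the entry still reads `- hdf5 <unfixed> (low)`; if the unstable package has reached 1.10.5 or later, the unstable line should carry the fixed version instead of <unfixed>, otherwise the entry reports the issue as open everywhere even though a fixed upstream release is identified. The same mismatch appears on CVE-2018-17434 and CVE-2018-17233 below. Not introduced by this change, but worth settling while the entries are being touched.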
@@ -58659,6 +58664,7 @@ CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5r
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10586
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
@@ -58671,6 +58677,7 @@ CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace
 	- hdf5 <unfixed>
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode
 	NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590
 	NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)
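Review bot: marking CVE-2018-17432 as <ignored> for jessie sits oddly next to the NOTE that the fix is "planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)"; if jessie ships a package from the 1.8 series, that backport would be directly applicable and the entry could be revisited once it lands. Suggest extending the jessie line or the NOTE to say the issue may be reconsidered when the 1.8 backport is published, so the <ignored> state is not read as final.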
@@ -59096,6 +59103,7 @@ CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_re
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10571 (not public)
 	NOTE: does not appear in 1.10.5 release notes, but fixed in
@@ -59114,6 +59122,7 @@ CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10578 (not public)
 	NOTE: does not appear in 1.10.5 release notes, but fixed in
@@ -59123,6 +59132,7 @@ CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file
 	- hdf5 <unfixed> (low)
 	[buster] - hdf5 <no-dsa> (Minor issue)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
+	[jessie] - hdf5 <ignored> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10577
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt


=====================================
data/dla-needed.txt
=====================================
@@ -28,11 +28,6 @@ freeimage (Hugo Lefeuvre)
 --
 gdal (Utkarsh Gupta)
 --
-hdf5
-  NOTE: 20191015: Upstream is aware of currently open issues. Progress is slow,
-  NOTE: wait for the next HDF5 point release and either do full package upgrade
-  NOTE: or cherry pick fixes (hle)
---
 ibus
   NOTE: 20191020: Fix for regression in KDE apps still not available (apo)
 --
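Review bot: removing the whole hdf5 block from dla-needed.txt also drops the 20191015 note about upstream progress and the plan to wait for the next point release or cherry-pick fixes; since every affected entry in data/CVE/list still reads `- hdf5 <unfixed>`, that context is now lost from both files. Consider moving the gist of it into a NOTE on one of the CVE entries (or a short tracker comment) so the next person looking at hdf5 knows why jessie was set to <ignored> rather than fixed.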



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e821dc95d183520d41bc461606626d3813d7aac7




