[Git][security-tracker-team/security-tracker][master] Reserve DLA-3522-1 for hdf5
Markus Koschany (@apo)
apo at debian.org
Wed Aug 9 07:21:24 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7803b26c by Markus Koschany at 2023-08-09T08:21:04+02:00
Reserve DLA-3522-1 for hdf5
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -336548,7 +336548,6 @@ CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5
NOTE: Negligible security impact
CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in ...)
- hdf5 1.10.6+repack-2 (low)
- [buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper
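Review bot: dropping only the `[buster] - hdf5 <no-dsa> (Minor issue)` line is the right cleanup here, since a leftover buster tag would override the fixed status the tracker derives from the new DLA entry, and leaving the stretch and jessie lines untouched matches a DLA that covers buster alone. The entry's sole NOTE is still the PoC repository; consider adding the upstream fix commit as well, the way the CVE-2018-17234 entry later in this patch carries a bitbucket.hdfgroup.org commit link, so whoever backports next can check which change actually closes the H5O_dtype_decode_helper() leak.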
@@ -336568,7 +336567,6 @@ CVE-2018-17435 (A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c
NOTE: Fixed for 1.10.x in 1.10.7: https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511
CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5repack_ ...)
- hdf5 1.10.6+repack-2 (low)
- [buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
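Review bot: the context line directly above this entry says CVE-2018-17435 (heap over-read in H5O_attr_decode()) is "Fixed for 1.10.x in 1.10.7", yet CVE-2018-17435 is not in the CVE set of DLA-3522-1 and its buster status is not touched by this commit, while the neighbouring CVE-2018-17434 gets its buster no-dsa line removed. Worth confirming whether buster's 1.10.4 is affected by CVE-2018-17435 and, if it was deliberately left out of the update, recording the reason in a NOTE so the next triage does not repeat the question.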
@@ -337011,7 +337009,6 @@ CVE-2018-17238
RESERVED
CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_real() o ...)
- hdf5 1.10.6+repack-2 (low)
- [buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero
@@ -337030,7 +337027,6 @@ CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451
CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in ...)
- hdf5 1.10.6+repack-2 (low)
- [buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak
@@ -337039,7 +337035,6 @@ CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache
NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f4138013dbc6851e968ea3d37b32776538ef306b
CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file_map_h ...)
- hdf5 1.10.6+repack-2 (low)
- [buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[09 Aug 2023] DLA-3522-1 hdf5 - security update
+ {CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437}
+ [buster] - hdf5 1.10.4+repack-10+deb10u1
[08 Aug 2023] DLA-3521-1 thunderbird - security update
{CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
[buster] - thunderbird 1:102.14.0-1~deb10u1
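Review bot: the new entry lists six CVEs, but the data/CVE/list part of this commit removes a `[buster] - hdf5 <no-dsa>` line for only five of them (CVE-2018-17233, -17234, -17237, -17434, -17437); CVE-2018-11206 is not touched anywhere in the diff. Please confirm its entry carries no stale `[buster]` tag (no-dsa or postponed), otherwise the tracker will report a buster status that contradicts this DLA. The fixed version `1.10.4+repack-10+deb10u1` also shows the update stays on buster's 1.10.4 rather than rebasing to 1.10.6, which is consistent with the dla-needed notes being removed below.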
=====================================
data/dla-needed.txt
=====================================
@@ -60,18 +60,6 @@ glib2.0 (santiago)
NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test
NOTE: 20230807: idem.
--
-hdf5 (Markus Koschany)
- NOTE: 20230318: Added by Front-Desk (utkarsh)
- NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)
- NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
- NOTE: 20230318: sync w/ him. (utkarsh)
- NOTE: 20230506: tried to triage… seems to be that only sensible way forward would be to update to a newer version in the 1.10.x
- NOTE: 20230506: line. Still then, state of CVEs are unknown if they have been fixed. 1.10.11 is scheduled for September. (tobi)
- NOTE: 20230520: Tried to backport 1.10.6 to buster, however, it seems that there is a (hidden) SONAME bump,
- NOTE: 20230520: https://salsa.debian.org/debian/hdf5/-/commit/52b5fe589e68361ea840121d8f4a8eb9148bf3da
- NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files,
- NOTE: 20230520: so giving up on the package. (tobi)
---
imagemagick (rouca)
NOTE: 20230622: Added by Front-Desk (Beuc)
NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
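Review bot: removing the hdf5 block discards the 20230520 finding that the 1.10.6 backport hit a hidden SONAME bump (the salsa.debian.org/debian/hdf5 commit 52b5fe58 link) and would not build for buster, which is exactly why the DLA ships fixes on 1.10.4+repack-10 instead; that reference survives nowhere else in this commit, so consider carrying it into a NOTE on one of the hdf5 CVE entries before it is lost. The 20230318 note also asked to "consider fixing all the no-dsa and postponed issues as well"; since the DLA covers six CVEs, a short note stating which postponed hdf5 issues remain open in buster would close the loop for the next person who picks the package up.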
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7803b26ce71d03bd0c7233d1bcd6eaebfe310f36