[hdf5] 01/01: Fix CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
Gilles Filippini
pini at debian.org
Tue Nov 29 09:25:02 UTC 2016
pini pushed a commit to branch jessie
in repository hdf5.
commit f29ea1b4f89d3fe035c84c41783be662872b533b
Author: Gilles Filippini <pini at debian.org>
Date: Fri Nov 25 18:17:06 2016 +0100
Fix CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
Backport patches CVE-2016-433*.patch from master-1.10 branch.
---
debian/changelog | 8 ++
debian/patches/CVE-2016-4330.patch | 20 +++
debian/patches/CVE-2016-4331-1.patch | 229 +++++++++++++++++++++++++++++++++++
debian/patches/CVE-2016-4331-2.patch | 19 +++
debian/patches/CVE-2016-4332.patch | 37 ++++++
debian/patches/CVE-2016-4333.patch | 23 ++++
debian/patches/series | 5 +
7 files changed, 341 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 98e9952..9789b3f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+hdf5 (1.8.13+docs-15+deb8u1) jessie-security; urgency=high
+
+ * New patches CVE-2016-433*.patch from upstream develop branch
+ to fix four vulnerabilities unveiled by TALOS (closes: #845301,
+ CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333)
+
+ -- Gilles Filippini <pini at debian.org> Fri, 25 Nov 2016 00:59:06 +0100
+
hdf5 (1.8.13+docs-15) unstable; urgency=medium
* New patch HDFFV-8917.patch from upstream to fix a resource
diff --git a/debian/patches/CVE-2016-4330.patch b/debian/patches/CVE-2016-4330.patch
new file mode 100644
index 0000000..8a49ae9
--- /dev/null
+++ b/debian/patches/CVE-2016-4330.patch
@@ -0,0 +1,20 @@
+commit b1eb1b3ee8693e2a56b074315b521c66255acca1
+Author: Neil Fortner <nfortne2 at hdfgroup.org>
+Date: Thu Sep 1 17:24:24 2016 -0500
+
+ Replace assertion in H5O_dtype_decode_helper for number of array dimensions with a check and error. The assertion was inappropriate because it is operating on data read from the file, which the library does not always have direct control of.
+
+Index: hdf5/src/H5Odtype.c
+===================================================================
+--- hdf5.orig/src/H5Odtype.c
++++ hdf5/src/H5Odtype.c
+@@ -518,7 +518,8 @@ H5O_dtype_decode_helper(H5F_t *f, unsign
+ dt->shared->u.array.ndims = *(*pp)++;
+
+ /* Double-check the number of dimensions */
+- HDassert(dt->shared->u.array.ndims <= H5S_MAX_RANK);
++ if(dt->shared->u.array.ndims > H5S_MAX_RANK)
++ HGOTO_ERROR(H5E_DATATYPE, H5E_CANTLOAD, FAIL, "too many dimensions for array datatype")
+
+ /* Skip reserved bytes, if version has them */
+ if(version < H5O_DTYPE_VERSION_3)
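Review bot: The replaced assertion now rejects `ndims > H5S_MAX_RANK`, but the byte it validates is read by `*(*pp)++` on the line above with no check that the decoder is still inside the message buffer; if H5O_dtype_decode_helper has (or can be given) an end pointer for the message, a bound check before that read would close the remaining unchecked access, and the same presumably applies to the dimension sizes decoded after this point. The HGOTO_ERROR jump leaves `dt->shared->u.array` partially filled; whether the `done:` path releases the half-decoded datatype is outside the hunk and is worth confirming. The enclosing function starts and ends outside the hunk.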
diff --git a/debian/patches/CVE-2016-4331-1.patch b/debian/patches/CVE-2016-4331-1.patch
new file mode 100644
index 0000000..9d5f487
--- /dev/null
+++ b/debian/patches/CVE-2016-4331-1.patch
@@ -0,0 +1,229 @@
+commit 2409f991667283f8fa1dacc66f245950693495aa
+Author: Neil Fortner <nfortne2 at hdfgroup.org>
+Date: Thu Sep 8 10:48:54 2016 -0500
+
+ Fix issues in H5Znbit.c where the decompression algorithm would not check the compressed data for validity, potentially causing a buffer overflow.
+
+Index: hdf5/src/H5Znbit.c
+===================================================================
+--- hdf5.orig/src/H5Znbit.c
++++ hdf5/src/H5Znbit.c
+@@ -62,11 +62,11 @@ static void H5Z_nbit_decompress_one_noop
+ unsigned char *buffer, size_t *j, int *buf_len, unsigned size);
+ static void H5Z_nbit_decompress_one_atomic(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p);
+-static void H5Z_nbit_decompress_one_array(unsigned char *data, size_t data_offset,
++static herr_t H5Z__nbit_decompress_one_array(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[]);
+-static void H5Z_nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
++static herr_t H5Z__nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[]);
+-static void H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
++static herr_t H5Z__nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+ const unsigned parms[]);
+ static void H5Z_nbit_compress_one_nooptype(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, unsigned size);
+@@ -899,7 +899,8 @@ H5Z_filter_nbit(unsigned flags, size_t c
+ HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, "memory allocation failed for nbit decompression")
+
+ /* decompress the buffer */
+- H5Z_nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values);
++ if(H5Z__nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, 0, "can't decompress buffer")
+ } /* end if */
+ /* output; compress */
+ else {
+@@ -1048,12 +1049,15 @@ H5Z_nbit_decompress_one_atomic(unsigned
+ }
+ }
+
+-static void
+-H5Z_nbit_decompress_one_array(unsigned char *data, size_t data_offset,
++static herr_t
++H5Z__nbit_decompress_one_array(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[])
+ {
+ unsigned i, total_size, base_class, base_size, n, begin_index;
+ parms_atomic p;
++ herr_t ret_value = SUCCEED; /* Return value */
++
++ FUNC_ENTER_STATIC
+
+ total_size = parms[parms_index++];
+ base_class = parms[parms_index++];
+@@ -1064,6 +1068,11 @@ H5Z_nbit_decompress_one_array(unsigned c
+ p.order = parms[parms_index++];
+ p.precision = parms[parms_index++];
+ p.offset = parms[parms_index++];
++
++ /* Check values of precision and offset */
++ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
++
+ n = total_size/p.size;
+ for(i = 0; i < n; i++)
+ H5Z_nbit_decompress_one_atomic(data, data_offset + i*p.size,
+@@ -1074,8 +1083,9 @@ H5Z_nbit_decompress_one_array(unsigned c
+ n = total_size/base_size; /* number of base_type elements inside the array datatype */
+ begin_index = parms_index;
+ for(i = 0; i < n; i++) {
+- H5Z_nbit_decompress_one_array(data, data_offset + i*base_size,
+- buffer, j, buf_len, parms);
++ if(H5Z__nbit_decompress_one_array(data, data_offset + i * base_size,
++ buffer, j, buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
+ parms_index = begin_index;
+ }
+ break;
+@@ -1084,8 +1094,9 @@ H5Z_nbit_decompress_one_array(unsigned c
+ n = total_size/base_size; /* number of base_type elements inside the array datatype */
+ begin_index = parms_index;
+ for(i = 0; i < n; i++) {
+- H5Z_nbit_decompress_one_compound(data, data_offset + i*base_size,
+- buffer, j, buf_len, parms);
++ if(H5Z__nbit_decompress_one_compound(data, data_offset + i * base_size,
++ buffer, j, buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
+ parms_index = begin_index;
+ }
+ break;
+@@ -1096,40 +1107,62 @@ H5Z_nbit_decompress_one_array(unsigned c
+ default:
+ HDassert(0 && "This Should never be executed!");
+ } /* end switch */
++
++done:
++ FUNC_LEAVE_NOAPI(ret_value)
+ }
+
+-static void
+-H5Z_nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
++static herr_t
++H5Z__nbit_decompress_one_compound(unsigned char *data, size_t data_offset,
+ unsigned char *buffer, size_t *j, int *buf_len, const unsigned parms[])
+ {
+- unsigned i, nmembers, member_offset, member_class, size;
++ unsigned i, nmembers, member_offset, member_class, member_size, used_size = 0, size;
+ parms_atomic p;
++ herr_t ret_value = SUCCEED; /* Return value */
++
++ FUNC_ENTER_STATIC
+
+- parms_index++; /* skip total size of compound datatype */
++ size = parms[parms_index++];
+ nmembers = parms[parms_index++];
+
+ for(i = 0; i < nmembers; i++) {
+ member_offset = parms[parms_index++];
+ member_class = parms[parms_index++];
++
++ /* Check for overflow */
++ member_size = parms[parms_index];
++ used_size += member_size;
++ if(used_size > size)
++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "compound member offset overflowed compound size")
+ switch(member_class) {
+ case H5Z_NBIT_ATOMIC:
+- p.size = parms[parms_index++];
++ p.size = member_size;
++ /* Advance past member size */
++ parms_index++;
+ p.order = parms[parms_index++];
+ p.precision = parms[parms_index++];
+ p.offset = parms[parms_index++];
++
++ /* Check values of precision and offset */
++ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
++
+ H5Z_nbit_decompress_one_atomic(data, data_offset + member_offset,
+ buffer, j, buf_len, p);
+ break;
+ case H5Z_NBIT_ARRAY:
+- H5Z_nbit_decompress_one_array(data, data_offset + member_offset,
+- buffer, j, buf_len, parms);
++ if(H5Z__nbit_decompress_one_array(data, data_offset + member_offset,
++ buffer, j, buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
+ break;
+ case H5Z_NBIT_COMPOUND:
+- H5Z_nbit_decompress_one_compound(data, data_offset+member_offset,
+- buffer, j, buf_len, parms);
++ if(H5Z__nbit_decompress_one_compound(data, data_offset+member_offset,
++ buffer, j, buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
+ break;
+ case H5Z_NBIT_NOOPTYPE:
+- size = parms[parms_index++];
++ /* Advance past member size */
++ parms_index++;
+ H5Z_nbit_decompress_one_nooptype(data, data_offset+member_offset,
+ buffer, j, buf_len, size);
+ break;
+@@ -1137,10 +1170,13 @@ H5Z_nbit_decompress_one_compound(unsigne
+ HDassert(0 && "This Should never be executed!");
+ } /* end switch */
+ }
++
++done:
++ FUNC_LEAVE_NOAPI(ret_value)
+ }
+
+-static void
+-H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
++static herr_t
++H5Z__nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+ const unsigned parms[])
+ {
+ /* i: index of data, j: index of buffer,
+@@ -1148,6 +1184,9 @@ H5Z_nbit_decompress(unsigned char *data,
+ size_t i, j, size;
+ int buf_len;
+ parms_atomic p;
++ herr_t ret_value = SUCCEED; /* Return value */
++
++ FUNC_ENTER_STATIC
+
+ /* may not have to initialize to zeros */
+ for(i = 0; i < d_nelmts*parms[4]; i++) data[i] = 0;
+@@ -1163,6 +1202,11 @@ H5Z_nbit_decompress(unsigned char *data,
+ p.order = parms[5];
+ p.precision = parms[6];
+ p.offset = parms[7];
++
++ /* Check values of precision and offset */
++ if(p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)
++ HGOTO_ERROR(H5E_PLINE, H5E_BADTYPE, FAIL, "invalid datatype precision/offset")
++
+ for(i = 0; i < d_nelmts; i++) {
+ H5Z_nbit_decompress_one_atomic(data, i*p.size, buffer, &j, &buf_len, p);
+ }
+@@ -1171,7 +1215,8 @@ H5Z_nbit_decompress(unsigned char *data,
+ size = parms[4];
+ parms_index = 4;
+ for(i = 0; i < d_nelmts; i++) {
+- H5Z_nbit_decompress_one_array(data, i*size, buffer, &j, &buf_len, parms);
++ if(H5Z__nbit_decompress_one_array(data, i * size, buffer, &j, &buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress array")
+ parms_index = 4;
+ }
+ break;
+@@ -1179,13 +1224,17 @@ H5Z_nbit_decompress(unsigned char *data,
+ size = parms[4];
+ parms_index = 4;
+ for(i = 0; i < d_nelmts; i++) {
+- H5Z_nbit_decompress_one_compound(data, i*size, buffer, &j, &buf_len, parms);
++ if(H5Z__nbit_decompress_one_compound(data, i * size, buffer, &j, &buf_len, parms) < 0)
++ HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, FAIL, "can't decompress compound")
+ parms_index = 4;
+ }
+ break;
+ default:
+ HDassert(0 && "This Should never be executed!");
+ } /* end switch */
++
++done:
++ FUNC_LEAVE_NOAPI(ret_value)
+ }
+
+ static void H5Z_nbit_compress_one_byte(unsigned char *data, size_t data_offset, int k, int begin_i,
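Review bot: The new precision/offset check in H5Z__nbit_decompress_one_array (and the identical checks in the compound and top-level decompressors) does not reject `p.size == 0`: with precision and offset both zero the condition passes and the next line `n = total_size/p.size;` divides by zero, and `p.size * 8` is an unchecked multiplication on values taken from the filter's cd_values. Extending the guard to `if(p.size == 0 || p.precision > p.size * 8 || (p.precision + p.offset) > p.size * 8)` closes the first hole, and `base_size` deserves the same treatment before `total_size/base_size`. In H5Z__nbit_decompress_one_compound the new check accumulates member sizes into `used_size` while its message speaks of the member offset; `member_offset` itself is never compared with `size`, so the position `data_offset + member_offset` passed to the per-member decoders is still unvalidated against the compound size, and the unsigned accumulation can wrap for large member sizes. Whether `parms_index` can run past the end of `parms` is not visible from this hunk; if the element count of cd_values is available to these helpers, bounding those reads would be worth considering.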
diff --git a/debian/patches/CVE-2016-4331-2.patch b/debian/patches/CVE-2016-4331-2.patch
new file mode 100644
index 0000000..9df361f
--- /dev/null
+++ b/debian/patches/CVE-2016-4331-2.patch
@@ -0,0 +1,19 @@
+commit 391a231b76c1200ecda5d74636213e9e479fa51a
+Author: Neil Fortner <nfortne2 at hdfgroup.org>
+Date: Fri Sep 9 12:08:30 2016 -0500
+
+ Fix bug in "nooptype" decode in fix for TALOS-0177.
+
+Index: hdf5/src/H5Znbit.c
+===================================================================
+--- hdf5.orig/src/H5Znbit.c
++++ hdf5/src/H5Znbit.c
+@@ -1164,7 +1164,7 @@ H5Z__nbit_decompress_one_compound(unsign
+ /* Advance past member size */
+ parms_index++;
+ H5Z_nbit_decompress_one_nooptype(data, data_offset+member_offset,
+- buffer, j, buf_len, size);
++ buffer, j, buf_len, member_size);
+ break;
+ default:
+ HDassert(0 && "This Should never be executed!");
diff --git a/debian/patches/CVE-2016-4332.patch b/debian/patches/CVE-2016-4332.patch
new file mode 100644
index 0000000..70a7cf7
--- /dev/null
+++ b/debian/patches/CVE-2016-4332.patch
@@ -0,0 +1,37 @@
+commit bfae878d8f2f65bc5f22f0d4bb314f326278ba7b
+Author: Neil Fortner <nfortne2 at hdfgroup.org>
+Date: Fri Jul 1 10:31:44 2016 -0500
+
+ [svn-r30131] Fix bug reported by Cisco Talos TALOS-CAN-0178. Added check for a message that
+ should not be sharable being marked as sharable on disk, returns failure in
+ this case. Needs testing.
+
+ Tested: ummon
+
+Index: hdf5/src/H5Ocache.c
+===================================================================
+--- hdf5.orig/src/H5Ocache.c
++++ hdf5/src/H5Ocache.c
+@@ -1134,6 +1134,10 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
+ if((flags & H5O_MSG_FLAG_WAS_UNKNOWN) && !(flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN))
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
++ if((flags & H5O_MSG_FLAG_SHAREABLE)
++ && H5O_msg_class_g[id]
++ && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
++ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unsharable class flagged as sharable")
+
+ /* Reserved bytes/creation index */
+ if(oh->version == H5O_VERSION_1)
+Index: hdf5/src/H5Opkg.h
+===================================================================
+--- hdf5.orig/src/H5Opkg.h
++++ hdf5/src/H5Opkg.h
+@@ -201,6 +201,7 @@
+ \
+ /* Set the message's "shared info", if it's shareable */ \
+ if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \
++ HDassert(msg_type->share_flags & H5O_SHARE_IS_SHARABLE); \
+ H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE, (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \
+ } /* end if */ \
+ \
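Review bot: The new condition indexes `H5O_msg_class_g[id]` before the null test, so it relies on `id` already having been bounded by the table size earlier in H5O_chunk_deserialize; that check is outside the hunk and should be confirmed, since `id` comes from the object header on disk and the pointer test alone guards only a NULL table slot, not an out-of-range index. A short comment above the check, such as `/* A message class that can never be shared must not arrive flagged as sharable on disk */`, would make the intent clear and also documents why the matching HDassert added in H5Opkg.h is now safe to keep as an assertion. The enclosing function starts and ends outside the hunk.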
diff --git a/debian/patches/CVE-2016-4333.patch b/debian/patches/CVE-2016-4333.patch
new file mode 100644
index 0000000..adf95a4
--- /dev/null
+++ b/debian/patches/CVE-2016-4333.patch
@@ -0,0 +1,23 @@
+commit bc10fd219e60fc4b9df7d80567ecb1e39ae5b6e3
+Author: Neil Fortner <nfortne2 at hdfgroup.org>
+Date: Thu Sep 8 13:47:22 2016 -0500
+
+ Change check for number of dimensions for old-style arrays in datatype decoding routine from an assertion to an if/HGOTO_ERROR check, since it is inappropriate to assert the contents of a file will be what we expect.
+
+Index: hdf5/src/H5Odtype.c
+===================================================================
+--- hdf5.orig/src/H5Odtype.c
++++ hdf5/src/H5Odtype.c
+@@ -310,7 +310,11 @@ H5O_dtype_decode_helper(H5F_t *f, unsign
+ if(version == H5O_DTYPE_VERSION_1) {
+ /* Decode the number of dimensions */
+ ndims = *(*pp)++;
+- HDassert(ndims <= 4);
++
++ /* Check that ndims is valid */
++ if(ndims > 4)
++ HGOTO_ERROR(H5E_DATATYPE, H5E_BADTYPE, FAIL, "invalid number of dimensions for array")
++
+ *pp += 3; /*reserved bytes */
+
+ /* Skip dimension permutation */
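Review bot: The new check keeps the bare literal `4` from the old assertion, and nothing in the hunk says whether it is the on-disk limit for version-1 array datatypes or an arbitrary cap. A named constant or a comment such as `/* Version 1 datatypes encode at most 4 array dimensions */` would make the bound explicit; the exact reason is not visible here, so the wording should be confirmed against the format specification. As in the other decode hunks, the byte read by `*(*pp)++` and the `*pp += 3` skip that follows are not checked against the end of the message buffer; whether such a bound is available to this function is outside the hunk. The enclosing function starts and ends outside the hunk.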
diff --git a/debian/patches/series b/debian/patches/series
index 8f6a91f..4385f55 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,8 @@ relax-version-check.patch
#skip_cxx_inclusion.diff
soname.diff
HDFFV-8917.patch
+CVE-2016-4330.patch
+CVE-2016-4331-1.patch
+CVE-2016-4331-2.patch
+CVE-2016-4332.patch
+CVE-2016-4333.patch
--