Bug#884365: hdf5: CVE-2017-17505 CVE-2017-17506 CVE-2017-17507 CVE-2017-17508 CVE-2017-17509

Gilles Filippini pini at debian.org
Thu Dec 6 22:02:17 GMT 2018


On Thu, 14 Dec 2017 16:17:51 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: hdf5
> Version: 1.8.13+docs-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerabilities were published for hdf5, the POCs are
> found at [5]. Apart from CVE-2017-17509, all are confirmed back to
> 1.8.13+decs-15+deb8u1, still decided to collect that CVE as well in
> this bug, but we can split up by affected version. Not sure as well if
> the issues have been reported to upstream.
> 
> CVE-2017-17505[0]:
> | In HDF5 1.10.1, there is a NULL pointer dereference in the function
> | H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example,
> | h5dump would crash when someone opens a crafted hdf5 file.
> 
> CVE-2017-17506[1]:
> | In HDF5 1.10.1, there is an out of bounds read vulnerability in the
> | function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example,
> | h5dump would crash when someone opens a crafted hdf5 file.
> 
> CVE-2017-17507[2]:
> | In HDF5 1.10.1, there is an out of bounds read vulnerability in the
> | function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example,
> | h5dump would crash when someone opens a crafted hdf5 file.
> 
> CVE-2017-17508[3]:
> | In HDF5 1.10.1, there is a divide-by-zero vulnerability in the function
> | H5T_set_loc in the H5T.c file in libhdf5.a. For example, h5dump would
> | crash when someone opens a crafted hdf5 file.
> 
> CVE-2017-17509[4]:
> | In HDF5 1.10.1, there is an out of bounds write vulnerability in the
> | function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example,
> | h5dump would crash or possibly have unspecified other impact when someone
> | opens a crafted hdf5 file.

CVE-2017-17505, CVE-2017-17506, CVE-2017-17508 and CVE-2017-17509 are
fixed in upstream release 1.10.2 [1].

Regarding CVE-2017-17507, upstream release notes for release 1.10.2
state [1]:
> NOTE: The HDF5 C library cannot produce such a file. This condition
>       should only occur in a corrupt (or deliberately altered) file
>       or a file created by third-party software.
>
> THE HDF GROUP WILL NOT FIX THIS BUG AT THIS TIME
>
> Fixing this problem would involve updating the publicly visible
> H5T_conv_t function pointer typedef and versioning the API calls
> which use it. We normally only modify the public API during
> major releases, so this bug will not be fixed at this time.
>
> (DER - 2018/02/26, HDFFV-10356)

[1] https://confluence.hdfgroup.org/display/support/HDF5+1.10.2

Thanks,

_g.
