Bug#1123960: netcdf: CVE-2025-14932 CVE-2025-14933 CVE-2025-14934 CVE-2025-14935 CVE-2025-14936

Salvatore Bonaccorso carnil at debian.org
Thu Dec 25 06:43:42 GMT 2025 

Source: netcdf
Version: 1:4.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:netcdf-parallel 1:4.9.3-2 
Control: retitle -2 netcdf-parallel: CVE-2025-14932 CVE-2025-14933 CVE-2025-14934 CVE-2025-14935 CVE-2025-14936

Hi,

The following vulnerabilities were published for netcdf.

The set of reports oginate from ZDI reports and it not very clear if
the issues will get fixed and have not found public upstream
references where they track those. So this might be a first step at
all to track these properly as well for us downstream. For now the CVE
entries just refernce to the published ZDI reports.

CVE-2025-14932[0]:
| NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of NSF
| Unidata NetCDF-C. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file.  The specific flaw exists within the parsing of
| time units. The issue results from the lack of proper validation of
| the length of user-supplied data prior to copying it to a fixed-
| length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27273.


CVE-2025-14933[1]:
| NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of NSF Unidata
| NetCDF-C. User interaction is required to exploit this vulnerability
| in that the target must visit a malicious page or open a malicious
| file.  The specific flaw exists within the parsing of NC variables.
| The issue results from the lack of proper validation of user-
| supplied data, which can result in an integer overflow before
| allocating a buffer. An attacker can leverage this vulnerability to
| execute code in the context of the current user. Was ZDI-CAN-27266.


CVE-2025-14934[2]:
| NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file.  The specific flaw exists within the parsing
| of variable names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27267.


CVE-2025-14935[3]:
| NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file.  The specific flaw exists within the parsing
| of dimension names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27168.


CVE-2025-14936[4]:
| NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file.  The specific flaw exists within the parsing
| of attribute names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27269.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-14932
    https://www.cve.org/CVERecord?id=CVE-2025-14932
[1] https://security-tracker.debian.org/tracker/CVE-2025-14933
    https://www.cve.org/CVERecord?id=CVE-2025-14933
[2] https://security-tracker.debian.org/tracker/CVE-2025-14934
    https://www.cve.org/CVERecord?id=CVE-2025-14934
[3] https://security-tracker.debian.org/tracker/CVE-2025-14935
    https://www.cve.org/CVERecord?id=CVE-2025-14935
[4] https://security-tracker.debian.org/tracker/CVE-2025-14936
    https://www.cve.org/CVERecord?id=CVE-2025-14936

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the Pkg-grass-devel mailing list