Added CVE info to RELEASE.txt (#4367)
derobins authored and lrknox committed Apr 10, 2024
1 parent be6a979 commit 2f2ce7c
Showing 1 changed file with 219 additions and 0 deletions.
219 changes: 219 additions & 0 deletions release_docs/RELEASE.txt
Expand Up @@ -499,6 +499,225 @@ Bug Fixes since HDF5-1.14.3 release

Library
-------
- Fixed many (future) CVE issues

A partner organization corrected many potential security issues, which
were fixed and reported to us before submission to MITRE. These do
not have formal CVE issues assigned to them yet, so the numbers assigned
here are just placeholders. We will update the HDF5 1.14 CVE list (link
below) when official MITRE CVE tracking numbers are assigned.

These CVE issues are generally of the same form as other reported HDF5
CVE issues, and rely on the library failing while attempting to read
a malformed file. Most of them cause the library to segfault and will
probably be assigned "medium (~5/10)" scores by NIST, like the other
HDF5 CVE issues.

The issues that were reported to us have all been fixed in this release,
so HDF5 will continue to have no unfixed public CVE issues.

NOTE: HDF5 versions earlier than 1.14.4 should be considered vulnerable
to these issues and users should upgrade to 1.14.4 as soon as
possible. Note that it's possible to build the 1.14 library with
HDF5 1.8, 1.10, etc. API bindings for people who wish to enjoy
the benefits of a more secure library but don't want to upgrade
to the latest API. We will not be bringing the CVE fixes to earlier
versions of the library (they are no longer supported).

LIST OF CVE ISSUES FIXED IN THIS RELEASE:

* CVE-2024-0116-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5D__scatter_mem resulting in causing denial of service or potential
code execution

* CVE-2024-0112-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5S__point_deserialize resulting in the corruption of the
instruction pointer and causing denial of service or potential code
execution

* CVE-2024-0111-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5T__conv_struct_opt resulting in causing denial of service or
potential code execution

* CVE-2023-1208-002
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5O__mtime_new_encode resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1208-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5O__layout_encode resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1207-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5O__dtype_encode_helper causing denial of service or potential
code execution

* CVE-2023-1205-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5VM_array_fill resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1202-002
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5T__get_native_type resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1202-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5T__ref_mem_setnull resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1130-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5T_copy_reopen resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1125-001
HDF5 versions <= 1.14.3 contain a heap buffer overflow in
H5Z__nbit_decompress_one_byte caused by the earlier use of an
initialized pointer. This may result in Denial of Service or
potential code execution

* CVE-2023-1114-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5HG_read resulting in the corruption of the instruction pointer
and causing denial of service or potential code execution

* CVE-2023-1113-002
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5F_addr_decode_len resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1113-001
HDF5 versions <= 1.14.3 contain a heap buffer overflow caused by
the unsafe use of strdup in H5MM_xstrdup, resulting in denial of
service or potential code execution

* CVE-2023-1108-001
HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in
H5FL_arr_malloc resulting in denial of service or potential code
execution

* CVE-2023-1104-004
HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in
H5T_close_real resulting in denial of service or potential code
execution

* CVE-2023-1104-003
HDF5 library versions <=1.14.3 contain a heap buffer overflow flaw
in the function H5HL__fl_deserialize resulting in denial of service
or potential code execution

* CVE-2023-1104-002
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5HL__fl_deserialize resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1104-001
HDF5 library versions <=1.14.3 contains a stack overflow in the
function H5E_printf_stack resulting in denial of service or
potential code execution

* CVE-2023-1023-001
HDF5 library versions <=1.14.3 heap buffer overflow in
H5VM_memcpyvv which may result in denial of service or code
execution

* CVE-2023-1019-001
HDF5 library versions <=1.14.3 contain a stack buffer overflow in
H5VM_memcpyvv resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1018-001
HDF5 library versions <=1.14.3 contain a memory corruption in
H5A__close resulting in the corruption of the instruction pointer
and causing denial of service or potential code execution

* CVE-2023-1017-002
HDF5 library versions <=1.14.3 may use an uninitialized value
H5A__attr_release_table resulting in denial of service

* CVE-2023-1017-001
HDF5 library versions <=1.14.3 may attempt to dereference
uninitialized values in h5tools_str_sprint, which will lead to
denial of service

* CVE-2023-1013-004
HDF5 versions <= 1.13.3 contain a stack buffer overflow in
H5HG_read resulting in denial of service or potential code
execution

* CVE-2023-1013-003
HDF5 library versions <=1.14.3 contain a buffer overrun in
H5Z__filter_fletcher32 resulting in the corruption of the
instruction pointer and causing denial of service or potential
code execution

* CVE-2023-1013-002
HDF5 library versions <=1.14.3 contain a buffer overrun in
H5O__linfo_decode resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1013-001
HDF5 library versions <=1.14.3 contain a buffer overrun in
H5Z__filter_scaleoffset resulting in the corruption of the
instruction pointer and causing denial of service or potential
code execution

* CVE-2023-1012-001
HDF5 library versions <=1.14.3 contain a stack buffer overflow in
H5R__decode_heap resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1010-001
HDF5 library versions <=1.14.3 contain a stack buffer overflow in
H5FL_arr_malloc resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1009-001
HDF5 library versions <=1.14.3 contain a stack buffer overflow in
H5FL_arr_malloc resulting in the corruption of the instruction
pointer and causing denial of service or potential code execution

* CVE-2023-1006-004
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5A__attr_release_table resulting in the corruption of the
instruction pointer and causing denial of service or potential code
execution

* CVE-2023-1006-003
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5T__bit_find resulting in the corruption of the instruction pointer
and causing denial of service or potential code execution.

* CVE-2023-1006-002
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5HG_read resulting in the corruption of the instruction pointer
and causing denial of service or potential code execution

* CVE-2023-1006-001
HDF5 library versions <=1.14.3 contain a heap buffer overflow in
H5HG__cache_heap_deserialize resulting in the corruption of the
instruction pointer and causing denial of service or potential code
execution

FULL OFFICIAL HDF5 CVE list (from mitre.org):

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=HDF5

1.14.x CVE tracking list:

https://github.com/HDFGroup/hdf5/blob/hdf5_1_14/CVE_list_1_14.md

HDF5 CVE regression test suite (includes proof-of-concept files):

https://github.com/HDFGroup/cve_hdf5

- Fixed a divide-by-zero issue when a corrupt file sets the page size to 0

If a corrupt file sets the page buffer size in the superblock to zero,
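Review bot: several entries in the new CVE list are inconsistent with each other, which will cause confusion once readers cross-reference them against the tracking list linked at the end. CVE-2023-1013-004 gives the affected range as "<= 1.13.3" where every other entry says "<=1.14.3"; CVE-2023-1125-001 describes an overflow "caused by the earlier use of an initialized pointer", which reads as though "uninitialized" was intended; and CVE-2023-1009-001 and CVE-2023-1010-001 have word-for-word identical descriptions (a stack buffer overflow in H5FL_arr_malloc), as do CVE-2023-1104-002 and CVE-2023-1104-003 (a heap buffer overflow in H5HL__fl_deserialize) apart from the words "flaw in the function", so it is worth confirming these are distinct issues rather than duplicated entries before the text ships. Smaller wording fixes: "contain a out-of-bounds read" should be "an out-of-bounds read" (CVE-2023-1108-001, CVE-2023-1104-004); "versions <=1.14.3 contains a stack overflow" should be "contain" (CVE-2023-1104-001); CVE-2023-1023-001 is missing "contain a" before "heap buffer overflow"; and "resulting in causing denial of service" (CVE-2024-0116-001, CVE-2024-0111-001) can be shortened to "causing denial of service". Finally, since the paragraph above the list already says these numbers are placeholders and the CVE-YYYY-MMDD-NNN shape is not valid CVE identifier syntax, consider saying so in the "LIST OF CVE ISSUES FIXED IN THIS RELEASE" heading itself, so that readers or tooling scanning RELEASE.txt do not treat them as assigned CVE IDs.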

0 comments on commit 2f2ce7c