From 2f2ce7c93b304ed65edb98abaf9f0927838ad827 Mon Sep 17 00:00:00 2001 From: Dana Robinson <43805+derobins@users.noreply.github.com> Date: Wed, 10 Apr 2024 06:32:24 -0700 Subject: [PATCH] Added CVE info to RELEASE.txt (#4367) --- release_docs/RELEASE.txt | 219 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 219 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 5a1b7d6072a..7f31626229f 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt 
@@ -499,6 +499,225 @@ Bug Fixes since HDF5-1.14.3 release Library ------- + - Fixed many (future) CVE issues + + A partner organization corrected many potential security issues, which + were fixed and reported to us before submission to MITRE. These do + not have formal CVE issues assigned to them yet, so the numbers assigned + here are just placeholders. We will update the HDF5 1.14 CVE list (link + below) when official MITRE CVE tracking numbers are assigned. + + These CVE issues are generally of the same form as other reported HDF5 + CVE issues, and rely on the library failing while attempting to read + a malformed file. Most of them cause the library to segfault and will + probably be assigned "medium (~5/10)" scores by NIST, like the other + HDF5 CVE issues. + + The issues that were reported to us have all been fixed in this release, + so HDF5 will continue to have no unfixed public CVE issues. + + NOTE: HDF5 versions earlier than 1.14.4 should be considered vulnerable + to these issues and users should upgrade to 1.14.4 as soon as + possible. Note that it's possible to build the 1.14 library with + HDF5 1.8, 1.10, etc. API bindings for people who wish to enjoy + the benefits of a more secure library but don't want to upgrade + to the latest API. We will not be bringing the CVE fixes to earlier + versions of the library (they are no longer supported). 
+ + LIST OF CVE ISSUES FIXED IN THIS RELEASE: + + * CVE-2024-0116-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5D__scatter_mem resulting in causing denial of service or potential + code execution + + * CVE-2024-0112-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5S__point_deserialize resulting in the corruption of the + instruction pointer and causing denial of service or potential code + execution + + * CVE-2024-0111-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5T__conv_struct_opt resulting in causing denial of service or + potential code execution + + * CVE-2023-1208-002 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5O__mtime_new_encode resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1208-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5O__layout_encode resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1207-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5O__dtype_encode_helper causing denial of service or potential + code execution + + * CVE-2023-1205-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5VM_array_fill resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1202-002 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5T__get_native_type resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1202-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5T__ref_mem_setnull resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1130-001 + HDF5 library 
versions <=1.14.3 contain a heap buffer overflow in + H5T_copy_reopen resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1125-001 + HDF5 versions <= 1.14.3 contain a heap buffer overflow in + H5Z__nbit_decompress_one_byte caused by the earlier use of an + initialized pointer. This may result in Denial of Service or + potential code execution + + * CVE-2023-1114-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5HG_read resulting in the corruption of the instruction pointer + and causing denial of service or potential code execution + + * CVE-2023-1113-002 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5F_addr_decode_len resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1113-001 + HDF5 versions <= 1.14.3 contain a heap buffer overflow caused by + the unsafe use of strdup in H5MM_xstrdup, resulting in denial of + service or potential code execution + + * CVE-2023-1108-001 + HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in + H5FL_arr_malloc resulting in denial of service or potential code + execution + + * CVE-2023-1104-004 + HDF5 versions <= 1.14.3 contain a out-of-bounds read operation in + H5T_close_real resulting in denial of service or potential code + execution + + * CVE-2023-1104-003 + HDF5 library versions <=1.14.3 contain a heap buffer overflow flaw + in the function H5HL__fl_deserialize resulting in denial of service + or potential code execution + + * CVE-2023-1104-002 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5HL__fl_deserialize resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1104-001 + HDF5 library versions <=1.14.3 contains a stack overflow in the + function H5E_printf_stack resulting in denial of service or + potential code 
execution + + * CVE-2023-1023-001 + HDF5 library versions <=1.14.3 heap buffer overflow in + H5VM_memcpyvv which may result in denial of service or code + execution + + * CVE-2023-1019-001 + HDF5 library versions <=1.14.3 contain a stack buffer overflow in + H5VM_memcpyvv resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1018-001 + HDF5 library versions <=1.14.3 contain a memory corruption in + H5A__close resulting in the corruption of the instruction pointer + and causing denial of service or potential code execution + + * CVE-2023-1017-002 + HDF5 library versions <=1.14.3 may use an uninitialized value + H5A__attr_release_table resulting in denial of service + + * CVE-2023-1017-001 + HDF5 library versions <=1.14.3 may attempt to dereference + uninitialized values in h5tools_str_sprint, which will lead to + denial of service + + * CVE-2023-1013-004 + HDF5 versions <= 1.13.3 contain a stack buffer overflow in + H5HG_read resulting in denial of service or potential code + execution + + * CVE-2023-1013-003 + HDF5 library versions <=1.14.3 contain a buffer overrun in + H5Z__filter_fletcher32 resulting in the corruption of the + instruction pointer and causing denial of service or potential + code execution + + * CVE-2023-1013-002 + HDF5 library versions <=1.14.3 contain a buffer overrun in + H5O__linfo_decode resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1013-001 + HDF5 library versions <=1.14.3 contain a buffer overrun in + H5Z__filter_scaleoffset resulting in the corruption of the + instruction pointer and causing denial of service or potential + code execution + + * CVE-2023-1012-001 + HDF5 library versions <=1.14.3 contain a stack buffer overflow in + H5R__decode_heap resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * 
CVE-2023-1010-001 + HDF5 library versions <=1.14.3 contain a stack buffer overflow in + H5FL_arr_malloc resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1009-001 + HDF5 library versions <=1.14.3 contain a stack buffer overflow in + H5FL_arr_malloc resulting in the corruption of the instruction + pointer and causing denial of service or potential code execution + + * CVE-2023-1006-004 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5A__attr_release_table resulting in the corruption of the + instruction pointer and causing denial of service or potential code + execution + + * CVE-2023-1006-003 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5T__bit_find resulting in the corruption of the instruction pointer + and causing denial of service or potential code execution. + + * CVE-2023-1006-002 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5HG_read resulting in the corruption of the instruction pointer + and causing denial of service or potential code execution + + * CVE-2023-1006-001 + HDF5 library versions <=1.14.3 contain a heap buffer overflow in + H5HG__cache_heap_deserialize resulting in the corruption of the + instruction pointer and causing denial of service or potential code + execution + + FULL OFFICIAL HDF5 CVE list (from mitre.org): + + https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=HDF5 + + 1.14.x CVE tracking list: + + https://github.com/HDFGroup/hdf5/blob/hdf5_1_14/CVE_list_1_14.md + + HDF5 CVE regression test suite (includes proof-of-concept files): + + https://github.com/HDFGroup/cve_hdf5 + - Fixed a divide-by-zero issue when a corrupt file sets the page size to 0 If a corrupt file sets the page buffer size in the superblock to zero,
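Review bot: the placeholder identifiers in this hunk (CVE-2024-0116-001, CVE-2023-1013-004 and the rest) are formatted like real CVE IDs, so scanners and readers will treat them as assigned numbers even though the preceding paragraph says they are placeholders; an obviously non-CVE scheme (an internal tracking ID) until MITRE assigns numbers would avoid that, as would a short note beside each entry. Several entries also need a second look before release: CVE-2023-1013-004 says "HDF5 versions <= 1.13.3" while every other entry says "<=1.14.3"; CVE-2023-1125-001 says "caused by the earlier use of an initialized pointer", where "uninitialized" is presumably meant; CVE-2023-1017-002 is missing a word in "may use an uninitialized value H5A__attr_release_table"; and CVE-2023-1010-001 and CVE-2023-1009-001 carry word-for-word identical descriptions (stack buffer overflow in H5FL_arr_malloc), as do CVE-2023-1104-003 and CVE-2023-1104-002 apart from wording (H5HL__fl_deserialize), so it is unclear from the text whether these are distinct bugs or duplicate reports. Minor wording: "A partner organization corrected many potential security issues, which were fixed" reads as though the partner fixed them; "reported" or "discovered" is probably intended; and "a out-of-bounds read" should be "an out-of-bounds read" in the H5FL_arr_malloc and H5T_close_real entries.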