
Bug 601404 (CVE-2016-4330)

Summary: <sci-libs/hdf5-1.8.18: H5T_ARRAY heap buffer overflow (CVE-2016-4330)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sci
Priority: Normal
Flags: kensington: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list: =sci-libs/hdf5-1.8.18
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 601408, 601414, 601420

Description Ian Zimmerman 2016-12-01 23:48:55 UTC
According to the RedHat summary:

The vulnerability exists due to the library’s failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.

Upstream fix:
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/2e7e1899d3d7131bcbad65233ba713f6b79e2d69

Reproducible: Always
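The bug class in the description, illustrated as an added example that is not part of this bug report and not HDF5's own parser: a reader for a made-up on-disk "array type" record (layout, `MAX_RANK`, the `parse_array_*` functions and the status codes are all constructed for this example). The unchecked variant trusts the dimension count from the file and only verifies that enough input bytes exist, so a record declaring more dimensions than the destination holds makes the copy loop run past the end of the struct; the hardened variant rejects the record against the destination's capacity before any dimension is copied.

```c
/*
 * Added illustration (not HDF5 code). Constructed record layout:
 *   byte 0       : ndims (number of dimensions, read from the file)
 *   bytes 1..4n  : ndims little-endian uint32 dimension sizes
 * The destination struct has room for MAX_RANK dimensions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RANK 4   /* assumed capacity for this example; not HDF5's limit */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_RANK_TOO_LARGE = 2 };

struct array_type {
    uint8_t  ndims;
    uint32_t dims[MAX_RANK];
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: ndims is checked against the input length only, never
 * against the capacity of out->dims. A record with ndims > MAX_RANK makes the
 * loop write past the end of *out (a heap overflow when *out is heap-allocated).
 * Kept for comparison; never called here with a record larger than MAX_RANK. */
static enum parse_status parse_array_unchecked(const uint8_t *buf, size_t len,
                                               struct array_type *out)
{
    if (len < 1) return PARSE_TRUNCATED;
    uint8_t ndims = buf[0];
    if (len < 1 + (size_t)ndims * 4) return PARSE_TRUNCATED;
    out->ndims = ndims;
    for (size_t i = 0; i < ndims; i++)          /* no bound on i vs MAX_RANK */
        out->dims[i] = read_le32(buf + 1 + 4 * i);
    return PARSE_OK;
}

/* Hardened shape: the rank is validated against the destination's capacity
 * before anything is copied, so an oversized record is refused outright. */
static enum parse_status parse_array_checked(const uint8_t *buf, size_t len,
                                             struct array_type *out)
{
    if (len < 1) return PARSE_TRUNCATED;
    uint8_t ndims = buf[0];
    if (ndims > MAX_RANK) return PARSE_RANK_TOO_LARGE;   /* the missing check */
    if (len < 1 + (size_t)ndims * 4) return PARSE_TRUNCATED;
    out->ndims = ndims;
    for (size_t i = 0; i < ndims; i++)
        out->dims[i] = read_le32(buf + 1 + 4 * i);
    return PARSE_OK;
}

/* Builds a constructed record with the given rank and all dimensions = 2 + i.
 * buf must hold at least 1 + 4 * ndims bytes. Returns the record length. */
static size_t build_record(uint8_t ndims, uint8_t *buf)
{
    buf[0] = ndims;
    for (size_t i = 0; i < ndims; i++) {
        uint32_t d = 2 + (uint32_t)i;
        buf[1 + 4 * i]     = (uint8_t)(d & 0xff);
        buf[1 + 4 * i + 1] = (uint8_t)((d >> 8) & 0xff);
        buf[1 + 4 * i + 2] = (uint8_t)((d >> 16) & 0xff);
        buf[1 + 4 * i + 3] = (uint8_t)((d >> 24) & 0xff);
    }
    return 1 + 4 * (size_t)ndims;
}

/* Status the hardened parser returns for a well-formed record of the given rank. */
static int checked_status_for_rank(uint8_t ndims)
{
    uint8_t buf[1 + 4 * 255];
    struct array_type t;
    size_t n = build_record(ndims, buf);
    return (int)parse_array_checked(buf, n, &t);
}

/* Second dimension the hardened parser stored for a rank-3 record (expects 3). */
static uint32_t checked_dim1_of_rank3(void)
{
    uint8_t buf[1 + 4 * 3];
    struct array_type t = {0};
    size_t n = build_record(3, buf);
    if (parse_array_checked(buf, n, &t) != PARSE_OK) return 0;
    return t.dims[1];
}

int main(void)
{
    uint8_t buf[1 + 4 * 3];
    struct array_type t;
    size_t n = build_record(3, buf);
    /* Both parsers accept a record that fits; only the checked one refuses
     * a rank of 9 instead of writing past dims[MAX_RANK - 1]. */
    printf("unchecked rank 3: %d\n", (int)parse_array_unchecked(buf, n, &t));
    printf("checked   rank 3: %d\n", checked_status_for_rank(3));
    printf("checked   rank 9: %d\n", checked_status_for_rank(9));
    return 0;
}
```

The ordering matters: the capacity check sits before the length check and before the copy loop, so a hostile rank byte is rejected regardless of how many dimension bytes follow it.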
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-12-02 08:34:26 UTC
CVE-2016-4330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4330):
  In the HDF5 1.8.16 library's failure to check if the number of dimensions
  for an array read from the file is within the bounds of the space allocated
  for it, a heap-based buffer overflow will occur, potentially leading to
  arbitrary code execution.
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-12-03 22:15:03 UTC
commit 9b4464259353a242d2c68276203bcb955a307fd6
Author: Kacper Kowalik <xarthisius@gentoo.org>
Date:   Sat Dec 3 16:12:00 2016 -0600

    sci-libs/hdf5: version bump
    
    Fixes security bugs: #601404, #601408, #601414, #601420
    
    Package-Manager: portage-2.3.2
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-12-03 22:17:14 UTC
Arches please stabilize:

=sci-libs/hdf5-1.8.18 alpha amd64 ia64 ppc ppc64 sparc x86

As usual some tests may fail; please file separate bugs for them, but it's unlikely it's gonna be a regression wrt current stable. TIA!
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-05 15:49:00 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-06 11:51:46 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-06 11:54:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 14:41:38 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 15:17:46 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-20 09:50:52 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-22 09:39:18 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-02 14:55:14 UTC
This issue was resolved and addressed in
 GLSA 201701-13 at https://security.gentoo.org/glsa/201701-13
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-02 14:57:35 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop <sci-libs/hdf5-1.8.18.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2017-01-02 22:20:25 UTC
commit 5be3396bbda2c7e75d6cc7fb85e359f9576b4e45
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Jan 2 22:19:54 2017 +0000

    sci-libs/hdf5: Drop vulnerable versions for CVE-2016-4330

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=604386

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5be3396bbda2c7e75d6cc7fb85e359f9576b4e45