661158 – (CVE-2018-11202, CVE-2018-11203, CVE-2018-11204, CVE-2018-11205, CVE-2018-11206, CVE-2018-11207) sci-libs/hdf5: Multiple vulnerabilities

Bug 661158 (CVE-2018-11202, CVE-2018-11203, CVE-2018-11204, CVE-2018-11205, CVE-2018-11206, CVE-2018-11207) - sci-libs/hdf5: Multiple vulnerabilities

Summary: sci-libs/hdf5: Multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2018-11202, CVE-2018-11203, CVE-2018-11204, CVE-2018-11205, CVE-2018-11206, CVE-2018-11207

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~3 [upstream cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-07-14 16:29 UTC by GLSAMaker/CVETool Bot
Modified:	2022-04-05 22:20 UTC (History)
CC List:	3 users (show)

See Also:	CVE-2020-10809, CVE-2020-10810, CVE-2020-10811, CVE-2020-10812, CVE-2021-45829, CVE-2021-45830, CVE-2021-45832, CVE-2021-45833, CVE-2021-46242, CVE-2021-46243, CVE-2021-46244
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-14 16:29:32 UTC

CVE-2018-11207 (https://nvd.nist.gov/vuln/detail/CVE-2018-11207):
  A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in the
  HDF HDF5 1.10.2 library. It could allow a remote denial of service attack.

CVE-2018-11206 (https://nvd.nist.gov/vuln/detail/CVE-2018-11206):
  A out of bounds read was discovered in H5O_fill_new_decode and
  H5O_fill_old_decode in H5Ofill.c in the HDF HDF5 1.10.2 library. It could
  allow a remote denial of service or information disclosure attack.

CVE-2018-11205 (https://nvd.nist.gov/vuln/detail/CVE-2018-11205):
  A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF
  HDF5 1.10.2 library. It could allow a remote denial of service or
  information disclosure attack.

CVE-2018-11204 (https://nvd.nist.gov/vuln/detail/CVE-2018-11204):
  A NULL pointer dereference was discovered in H5O__chunk_deserialize in
  H5Ocache.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of
  service attack.

CVE-2018-11203 (https://nvd.nist.gov/vuln/detail/CVE-2018-11203):
  A division by zero was discovered in H5D__btree_decode_key in H5Dbtree.c in
  the HDF HDF5 1.10.2 library. It could allow a remote denial of service
  attack.

CVE-2018-11202 (https://nvd.nist.gov/vuln/detail/CVE-2018-11202):
  A NULL pointer dereference was discovered in H5S_hyper_make_spans in
  H5Shyper.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of
  service attack.

Comment 1 Larry the Git Cow gentoo-dev

2019-03-31 03:35:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49aa89d2a6c9ebc6c939a985b271e30724e68815

commit 49aa89d2a6c9ebc6c939a985b271e30724e68815
Author:     Benda Xu <heroxbd@gentoo.org>
AuthorDate: 2019-03-31 03:24:21 +0000
Commit:     Benda Xu <heroxbd@gentoo.org>
CommitDate: 2019-03-31 03:24:21 +0000

    sci-libs/hdf5: bump to 1.10.5 and EAPI 7.
    
    Suggested-By: Fabio Rossi, Bernd
    Bug: https://bugs.gentoo.org/661158
    Closes: https://bugs.gentoo.org/674998
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Benda Xu <heroxbd@gentoo.org>

 sci-libs/hdf5/Manifest           |  1 +
 sci-libs/hdf5/hdf5-1.10.5.ebuild | 93 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-04-03 01:20:52 UTC

Upstream release notes don't mention these CVE's.

@Benda, any reports elsewhere you are aware of?

Comment 3 Benda Xu gentoo-dev

2019-04-03 02:14:04 UTC

(In reply to Aaron Bauman from comment #2)
> Upstream release notes don't mention these CVE's.
> 
> @Benda, any reports elsewhere you are aware of?

No, I am not aware of any of those.  I am not sure whether hdf5-1.10.5 has fixed the bugs.