Summary: <sci-libs/hdf5-1.8.18: H5T_COMPOUND heap buffer overflow (CVE-2016-4333)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 601404
Description Ian Zimmerman 2016-12-02 00:44:55 UTC
According to the RedHat summary: The vulnerability exists due to the library allocating space for the array using a value from the file, and then within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it. This is a heap-based buffer overflow, and can lead to code execution under the context of the application using the library.

Upstream fix: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/73640612aad91d3f04e4d8f1ea71d42acbc85f6e

Reproducible: Always
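The bug class the description names (array sized from a file value, loop terminator then changed by file data inside the initialization loop) is easier to reason about with a small decoder in hand. The following is an added illustration, not HDF5's code and not the upstream fix: it uses a constructed toy message format (byte 0 = member count, then 3-byte member records) that is unrelated to HDF5's real H5T_COMPOUND encoding. `simulate_vulnerable_overrun` walks the control flow of the buggy pattern without writing memory and reports how many writes would land past the allocation; `decode_compound_hardened` shows the mitigations a reviewer would ask for (length validated up front, terminator frozen in a local before the loop, every write bounds-checked, count-changing records rejected).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy encoding constructed for this example (NOT HDF5's real H5T_COMPOUND
 * layout): byte 0 = member count; then 3-byte member records:
 *   [0] member id  [1] member size  [2] "extra members" value that the buggy
 *   decoder adds to its loop terminator while still inside the loop. */
#define REC_SIZE 3

typedef struct { uint8_t id; uint8_t size; } member_t;

typedef struct {
    size_t    nmembs;  /* members decoded */
    size_t    nalloc;  /* slots allocated for memb[] */
    member_t *memb;
} compound_t;

/* Walks the control flow of the vulnerable pattern without writing memory:
 * the array is sized from a file value and a per-record file value moves the
 * terminator mid-loop.  Returns the number of memb[i] writes that would land
 * past the allocation (0 means no overflow for this input). */
size_t simulate_vulnerable_overrun(const uint8_t *buf, size_t len)
{
    if (len < 1) return 0;
    size_t nmembs  = buf[0];    /* terminator taken from the file */
    size_t nalloc  = nmembs;    /* heap array sized from the same value */
    size_t overrun = 0;
    for (size_t i = 0; i < nmembs; i++) {
        size_t off = 1 + i * REC_SIZE;
        if (off + REC_SIZE > len) break;    /* input exhausted */
        if (i >= nalloc) overrun++;         /* memb[i] is out of bounds here */
        nmembs += buf[off + 2];             /* file data grows the terminator */
    }
    return overrun;
}

void compound_free(compound_t *c)
{
    free(c->memb);
    c->memb = NULL;
    c->nmembs = c->nalloc = 0;
}

/* Hardened decoder: input length validated up front, terminator fixed in a
 * local before the loop, every write checked against nalloc, and a record
 * that tries to change the member count is rejected.  0 = ok, -1 = malformed. */
int decode_compound_hardened(const uint8_t *buf, size_t len, compound_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    size_t nmembs = buf[0];
    if (nmembs == 0 || len < 1 + nmembs * REC_SIZE) return -1;
    out->memb = calloc(nmembs, sizeof(member_t));
    if (!out->memb) return -1;
    out->nalloc = nmembs;
    for (size_t i = 0; i < nmembs; i++) {          /* nmembs never re-read */
        const uint8_t *rec = buf + 1 + i * REC_SIZE;
        if (rec[2] != 0 || i >= out->nalloc) {     /* count is frozen */
            compound_free(out);
            return -1;
        }
        out->memb[i].id   = rec[0];
        out->memb[i].size = rec[1];
        out->nmembs = i + 1;
    }
    return 0;
}

/* Decode and return the member count, or -1 if the input was rejected. */
int hardened_member_count(const uint8_t *buf, size_t len)
{
    compound_t c;
    if (decode_compound_hardened(buf, len, &c) != 0) return -1;
    int n = (int)c.nmembs;
    compound_free(&c);
    return n;
}

/* Constructed sample messages: a well-formed two-member type, and one whose
 * first record declares three "extra" members after only one slot was sized. */
static const uint8_t BENIGN_MSG[]  = { 2, 0x01, 4, 0, 0x02, 8, 0 };
static const uint8_t CRAFTED_MSG[] = { 1, 0x01, 4, 3, 0x02, 8, 0, 0x03, 8, 0, 0x04, 8, 0 };
#define BENIGN_LEN  sizeof BENIGN_MSG
#define CRAFTED_LEN sizeof CRAFTED_MSG

int main(void)
{
    printf("benign : would-overrun=%zu  hardened members=%d\n",
           simulate_vulnerable_overrun(BENIGN_MSG, BENIGN_LEN),
           hardened_member_count(BENIGN_MSG, BENIGN_LEN));
    printf("crafted: would-overrun=%zu  hardened members=%d\n",
           simulate_vulnerable_overrun(CRAFTED_MSG, CRAFTED_LEN),
           hardened_member_count(CRAFTED_MSG, CRAFTED_LEN));
    return 0;
}
```

The point to take from the two functions is the invariant the original pattern lost: the value that sized the heap allocation and the value that terminates the initialization loop must be the same frozen quantity, and nothing read from the file after the allocation may change either. When reviewing a patch such as the attached one, checking that the loop bound is a local (or otherwise immutable for the loop's lifetime) is a faster test than tracing every write into the array.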
Comment 1 GLSAMaker/CVETool Bot 2016-12-02 08:35:20 UTC
CVE-2016-4333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4333): The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it.
Comment 2 Chris White 2016-12-03 08:29:38 UTC
Created attachment 454950: hdf5-1.8.17-CVE-2016-4333.patch

Attached is a patch that applies to 1.8.17 with an additional check. This should be combined with the fix for #601408.