Bug 601420 (CVE-2016-4333)

Summary: <sci-libs/hdf5-1.8.18: H5T_COMPOUND heap buffer overflow (CVE-2016-4333)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sci
Priority: Normal
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 601404    
Bug Blocks:    
Attachments: hdf5-1.8.17-CVE-2016-4333.patch (Flags: none)

Description Ian Zimmerman 2016-12-02 00:44:55 UTC
According to the Red Hat summary:

The vulnerability exists due to the library allocating space for the array using a value from the file, and then within the loop for initializing said array allowing a value within the file to modify the loop’s terminator. Due to this, an aggressor can cause the loop’s index to point outside the bounds of the array when initializing it. This is a heap-based buffer overflow, and can lead to code execution under the context of the application using the library.

Upstream fix:
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/73640612aad91d3f04e4d8f1ea71d42acbc85f6e
Reproducible: Always
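The allocate-then-initialize pattern described in the Red Hat summary, shown as an added example (constructed for this bug page; it is not HDF5's datatype decoder, not the upstream commit, and not the attached patch). The record layout, the function names `decode_compound_vuln` and `decode_compound_fixed`, and the canary-filled guard slots are assumptions of the example: a toy compound-type record whose member count both sizes the heap array and terminates the fill loop, while the loop body can overwrite that count from file data. The guard slots exist only so the out-of-bounds writes land in memory the demo owns and can count instead of in neighbouring heap metadata. The hardened variant shows the general remedy (bound the loop by the value that sized the allocation and reject in-file values that disagree with it), not the exact upstream diff.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout (NOT the HDF5 on-disk datatype message):
 *   byte 0          : nmembs, the member count
 *   then nmembs two-byte records:
 *     byte 0        : kind  (arbitrary member attribute)
 *     byte 1        : total (redundant copy of the member count)
 * The vulnerable decoder "refreshes" the header count from each record, which
 * is the "value within the file modifies the loop's terminator" pattern. */
struct member { uint8_t kind; uint8_t total; };

struct compound {
    unsigned       nmembs;   /* member count as read from the file */
    unsigned       nalloc;   /* slots actually allocated (recorded for the demo check) */
    struct member *members;
};

/* Demo-only allocation wrapper: GUARD canary-filled slots follow the n real
 * slots so out-of-bounds writes are observable. A real library allocates
 * exactly n slots; the same writes would then hit whatever the heap placed next. */
#define GUARD  8
#define CANARY 0xAA
static struct member *alloc_members(unsigned n) {
    struct member *m = calloc((size_t)n + GUARD, sizeof *m);
    if (m) memset(m + n, CANARY, GUARD * sizeof *m);
    return m;
}
static int guard_slots_clobbered(const struct member *m, unsigned nalloc) {
    int hit = 0;
    for (unsigned i = 0; i < GUARD; i++)
        if (m[nalloc + i].kind != CANARY || m[nalloc + i].total != CANARY) hit++;
    return hit;
}

/* Vulnerable: array sized from the file, loop bound re-read on every
 * iteration, and the loop body overwrites that bound from the file. */
static int decode_compound_vuln(const uint8_t *buf, size_t len, struct compound *c) {
    const uint8_t *p = buf, *end = buf + len;
    if (len < 1) return -1;
    c->nmembs = *p++;
    c->nalloc = c->nmembs;
    if (!(c->members = alloc_members(c->nalloc))) return -1;
    for (unsigned i = 0; i < c->nmembs; i++) {   /* terminator is writable below */
        if (end - p < 2) return -1;                /* input exhausted */
        c->members[i].kind  = p[0];                /* heap OOB write once i >= nalloc */
        c->members[i].total = p[1];
        c->nmembs = p[1];                          /* attacker now chooses the bound */
        p += 2;
    }
    return 0;
}

/* Hardened: snapshot the count that sized the allocation into a local, loop
 * on that, and treat any in-file value that disagrees with it as malformed. */
static int decode_compound_fixed(const uint8_t *buf, size_t len, struct compound *c) {
    const uint8_t *p = buf, *end = buf + len;
    if (len < 1) return -1;
    const unsigned n = *p++;
    if (n == 0) return -1;                         /* a compound with no members is malformed */
    c->nmembs = n;
    c->nalloc = n;
    if (!(c->members = alloc_members(n))) return -1;
    for (unsigned i = 0; i < n; i++) {             /* n cannot change inside the loop */
        if (end - p < 2) return -1;
        if (p[1] != n) return -1;                  /* redundant count disagrees with allocation */
        c->members[i].kind  = p[0];
        c->members[i].total = p[1];
        p += 2;
    }
    return p == end ? 0 : -1;                      /* trailing bytes are malformed too */
}

/* Constructed inputs. The malicious file declares 2 members (so 2 slots are
 * allocated) but its first record claims 6, and it carries 6 records. */
static const uint8_t benign[]    = { 2, 0, 2, 1, 2 };
static const uint8_t malicious[] = { 2, 0, 6, 0, 6, 0, 6, 0, 6, 0, 6, 0, 6 };

/* Guard slots the vulnerable decoder overwrites on the malicious file
 * (indices 2..5 of a 2-slot array), or -1 if it did not even report success. */
int vuln_overflow_slots(void) {
    struct compound c = {0, 0, NULL};
    int hit = -1;
    if (decode_compound_vuln(malicious, sizeof malicious, &c) == 0)
        hit = guard_slots_clobbered(c.members, c.nalloc);
    free(c.members);
    return hit;
}
/* 1 if the chosen decoder accepts the benign file without touching the guard. */
int decoder_ok_on_benign(int use_fixed) {
    struct compound c = {0, 0, NULL};
    int rc = use_fixed ? decode_compound_fixed(benign, sizeof benign, &c)
                       : decode_compound_vuln(benign, sizeof benign, &c);
    int ok = rc == 0 && c.nmembs == 2 && guard_slots_clobbered(c.members, c.nalloc) == 0;
    free(c.members);
    return ok;
}
/* 1 if the hardened decoder rejects the malicious file. */
int fixed_rejects_malicious(void) {
    struct compound c = {0, 0, NULL};
    int rejected = decode_compound_fixed(malicious, sizeof malicious, &c) != 0;
    free(c.members);
    return rejected;
}

int main(void) {
    printf("vulnerable decoder overwrote %d slots past the allocation\n", vuln_overflow_slots());
    printf("hardened decoder rejects malicious file: %d\n", fixed_rejects_malicious());
    printf("benign file accepted by vulnerable/hardened: %d/%d\n",
           decoder_ok_on_benign(0), decoder_ok_on_benign(1));
    return 0;
}
```

Note that the vulnerable decoder returns success on the malicious file: nothing in the control flow notices that the loop ran past the two slots it allocated, which is why the summary above rates this as potential code execution rather than a crash. The local snapshot `n` is the whole fix in spirit; rejecting a redundant in-file count that disagrees with it is the extra consistency check a reviewer would ask for on top.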
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-12-02 08:35:20 UTC
CVE-2016-4333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4333):
  The HDF5 1.8.16 library allocating space for the array using a value from
  the file has an impact within the loop for initializing said array allowing
  a value within the file to modify the loop's terminator. Due to this, an
  aggressor can cause the loop's index to point outside the bounds of the
  array when initializing it.
Comment 2 Chris White 2016-12-03 08:29:38 UTC
Created attachment 454950 [details, diff]
hdf5-1.8.17-CVE-2016-4333.patch

Attached is a patch that applies to 1.8.17 with an additional check. This should be combined with the fix for #601408.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-02 14:55:41 UTC
This issue was resolved and addressed in
 GLSA 201701-13 at https://security.gentoo.org/glsa/201701-13
by GLSA coordinator Thomas Deutschmann (whissi).