Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 661158 (CVE-2018-11202, CVE-2018-11203, CVE-2018-11204, CVE-2018-11205, CVE-2018-11206, CVE-2018-11207)

Summary: sci-libs/hdf5: Multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: trivial CC: kripton, sci, waebbl-gentoo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=714024
Whiteboard: ~3 [upstream cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-14 16:29:32 UTC 
CVE-2018-11207 (https://nvd.nist.gov/vuln/detail/CVE-2018-11207):
  A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in the
  HDF HDF5 1.10.2 library. It could allow a remote denial of service attack.

CVE-2018-11206 (https://nvd.nist.gov/vuln/detail/CVE-2018-11206):
  A out of bounds read was discovered in H5O_fill_new_decode and
  H5O_fill_old_decode in H5Ofill.c in the HDF HDF5 1.10.2 library. It could
  allow a remote denial of service or information disclosure attack.

CVE-2018-11205 (https://nvd.nist.gov/vuln/detail/CVE-2018-11205):
  A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF
  HDF5 1.10.2 library. It could allow a remote denial of service or
  information disclosure attack.

CVE-2018-11204 (https://nvd.nist.gov/vuln/detail/CVE-2018-11204):
  A NULL pointer dereference was discovered in H5O__chunk_deserialize in
  H5Ocache.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of
  service attack.

CVE-2018-11203 (https://nvd.nist.gov/vuln/detail/CVE-2018-11203):
  A division by zero was discovered in H5D__btree_decode_key in H5Dbtree.c in
  the HDF HDF5 1.10.2 library. It could allow a remote denial of service
  attack.

CVE-2018-11202 (https://nvd.nist.gov/vuln/detail/CVE-2018-11202):
  A NULL pointer dereference was discovered in H5S_hyper_make_spans in
  H5Shyper.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of
  service attack.
Comment 1 Larry the Git Cow gentoo-dev 2019-03-31 03:35:57 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49aa89d2a6c9ebc6c939a985b271e30724e68815

commit 49aa89d2a6c9ebc6c939a985b271e30724e68815
Author:     Benda Xu <heroxbd@gentoo.org>
AuthorDate: 2019-03-31 03:24:21 +0000
Commit:     Benda Xu <heroxbd@gentoo.org>
CommitDate: 2019-03-31 03:24:21 +0000

    sci-libs/hdf5: bump to 1.10.5 and EAPI 7.
    
    Suggested-By: Fabio Rossi, Bernd
    Bug: https://bugs.gentoo.org/661158
    Closes: https://bugs.gentoo.org/674998
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Benda Xu <heroxbd@gentoo.org>

 sci-libs/hdf5/Manifest           |  1 +
 sci-libs/hdf5/hdf5-1.10.5.ebuild | 93 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-04-03 01:20:52 UTC 
Upstream release notes don't mention these CVE's.

@Benda, any reports elsewhere you are aware of?
Comment 3 Benda Xu gentoo-dev 2019-04-03 02:14:04 UTC 
(In reply to Aaron Bauman from comment #2)
> Upstream release notes don't mention these CVE's.
> 
> @Benda, any reports elsewhere you are aware of?

No, I am not aware of any of those.  I am not sure whether hdf5-1.10.5 has fixed the bugs.