
Bug 678264 (CVE-2019-8396, CVE-2019-8397, CVE-2019-8398)

Summary: <sci-libs/hdf5-1.10.5: multiple vulnerabilities
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: sci, waebbl-gentoo
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list: sci-libs/hdf5-1.10.5
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2019-02-18 03:00:24 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-8396):

"H5O__pline_decode_invalid-read-memory-access"

A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."

Reference: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4


(https://nvd.nist.gov/vuln/detail/CVE-2019-8397):

"H5T_close_real_invalid-read-memory-access"

An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c.

Reference: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5


(https://nvd.nist.gov/vuln/detail/CVE-2019-8398):

"H5T_get_size_invalid-read-memory-access"

An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.

Reference: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6

Gentoo Security Padawan (domhnall)
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-05-18 19:46:16 UTC
@arches, please stabilize.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-19 18:07:21 UTC
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-19 20:33:57 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-22 08:13:09 UTC
ia64 stable
Comment 5 Larry the Git Cow gentoo-dev 2019-06-04 07:53:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfbe154ccb9626e3e4fe12077e932062e9cc2446

commit bfbe154ccb9626e3e4fe12077e932062e9cc2446
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-06-04 07:52:21 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-06-04 07:52:36 +0000

    sci-libs/hdf5-1.10.5-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/678264
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 sci-libs/hdf5/hdf5-1.10.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Agostino Sarubbo gentoo-dev 2019-06-04 10:59:41 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-06-05 07:13:24 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-06-08 18:16:03 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Andreas Sturmlechner gentoo-dev 2019-06-16 05:45:58 UTC
Incidental cleanup in commit df2c62a10c80eb73d5c12bf143ae1c2c2321d980.