According to the RedHat summary:
The vulnerability exists due to the library’s failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.
In the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.
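The pattern the two descriptions above refer to, as an added illustration that is not HDF5's code and not part of this bug: a dimension count is read from the file and used as the loop bound for copying dimension sizes into a fixed-size array. The record layout (one byte ndims, then ndims little-endian u64 sizes), MAX_DIMS, the type and function names and the sample records are all assumptions made for the example. The unchecked parser is kept as the "before" and is only ever called here with an in-bounds record; the checked parser rejects the oversized count before anything is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class described above: a dimension
 * count read from the file is used as the bound for copying dimension sizes
 * into a fixed-size array.  This is NOT HDF5's code; the record layout,
 * MAX_DIMS, and all names are assumptions made for the example. */

#define MAX_DIMS 4               /* assumed capacity of the in-memory array */

typedef struct {
    unsigned ndims;
    uint64_t dims[MAX_DIMS];     /* the "space allocated" for the sizes */
} dataspace_t;

/* Assumed on-disk record: one byte ndims, then ndims little-endian u64 sizes. */
static uint64_t rd_u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Vulnerable pattern ("before"): the count from the file drives the loop
 * without being compared against MAX_DIMS.  The source length is checked,
 * so the read stays inside the record, but with ndims > MAX_DIMS the writes
 * run past the end of ds->dims.  Do not call this with such a record. */
int parse_dataspace_unchecked(const uint8_t *rec, size_t len, dataspace_t *ds)
{
    if (len < 1)
        return -1;
    ds->ndims = rec[0];
    if (len < 1 + (size_t)ds->ndims * 8)
        return -1;                              /* source bounds only */
    for (unsigned i = 0; i < ds->ndims; i++)    /* no destination bound */
        ds->dims[i] = rd_u64le(rec + 1 + i * 8);
    return 0;
}

/* Hardened ("after"): reject any count the allocation cannot hold before a
 * single element is written, and only then commit it to the struct. */
int parse_dataspace_checked(const uint8_t *rec, size_t len, dataspace_t *ds)
{
    if (len < 1)
        return -1;
    unsigned n = rec[0];
    if (n > MAX_DIMS)
        return -2;                              /* destination bound */
    if (len < 1 + (size_t)n * 8)
        return -1;                              /* source bound */
    for (unsigned i = 0; i < n; i++)
        ds->dims[i] = rd_u64le(rec + 1 + i * 8);
    ds->ndims = n;
    return 0;
}

/* How far past dims[] the unchecked loop would write for a given count. */
size_t overrun_bytes(unsigned ndims)
{
    return ndims > MAX_DIMS ? (ndims - MAX_DIMS) * sizeof(uint64_t) : 0;
}

/* Constructed records, not taken from any real file. */
#define U64LE8(v) (uint8_t)(v), 0, 0, 0, 0, 0, 0, 0   /* u64 LE for v < 256 */
static const uint8_t good_rec[] = { 2, U64LE8(16), U64LE8(32) };
static const uint8_t bad_rec[]  = { 6, U64LE8(1), U64LE8(2), U64LE8(3),
                                       U64LE8(4), U64LE8(5), U64LE8(6) };

int main(void)
{
    dataspace_t ds;
    memset(&ds, 0, sizeof ds);
    int rc = parse_dataspace_checked(good_rec, sizeof good_rec, &ds);
    printf("good record: rc=%d ndims=%u dims=%llu x %llu\n", rc, ds.ndims,
           (unsigned long long)ds.dims[0], (unsigned long long)ds.dims[1]);
    rc = parse_dataspace_checked(bad_rec, sizeof bad_rec, &ds);
    printf("bad record (ndims=%u): checked parser rc=%d; the unchecked parser "
           "would write %zu bytes past dims[]\n",
           bad_rec[0], rc, overrun_bytes(bad_rec[0]));
    return 0;
}
```

The point of the hardened version is the order of checks: the count is compared against the capacity of the destination before the loop starts, not merely against the remaining input, and the struct's ndims is updated only after the copy succeeds, so a rejected record leaves the previous state intact.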
Author: Kacper Kowalik <email@example.com>
Date: Sat Dec 3 16:12:00 2016 -0600
sci-libs/hdf5: version bump
Fixes security bugs: #601404, #601408, #601414, #601420
Arches please stabilize:
=sci-libs/hdf5-1.8.18 alpha amd64 ia64 ppc ppc64 sparc x86
As usual, some tests may fail; please file separate bugs for them, but it's unlikely to be a regression wrt the current stable. TIA!
Stable on alpha.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
This issue was resolved and addressed in
GLSA 201701-13 at https://security.gentoo.org/glsa/201701-13
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
@ Maintainer(s): Please drop <sci-libs/hdf5-1.8.18.
Author: Justin Lecher <firstname.lastname@example.org>
Date: Mon Jan 2 22:19:54 2017 +0000
sci-libs/hdf5: Drop vulnerable versions for CVE-2016-4330
Package-Manager: Portage-2.3.3, Repoman-2.3.1
Signed-off-by: Justin Lecher <email@example.com>