Bug 601404 (CVE-2016-4330) - <sci-libs/hdf5-1.8.18: H5T_ARRAY heap buffer overflow (CVE-2016-4330)
Summary: <sci-libs/hdf5-1.8.18: H5T_ARRAY heap buffer overflow (CVE-2016-4330)
Status: RESOLVED FIXED
Alias: CVE-2016-4330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
Reported: 2016-12-01 23:48 UTC by Ian Zimmerman
Modified: 2017-01-02 22:42 UTC (History)

See Also:
Package list:
=sci-libs/hdf5-1.8.18
Runtime testing required: ---
kensington: sanity-check+
Description Ian Zimmerman 2016-12-01 23:48:55 UTC
According to the RedHat summary:

The vulnerability exists due to the library’s failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.

Upstream fix:
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/2e7e1899d3d7131bcbad65233ba713f6b79e2d69


Reproducible: Always
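The defect class in the description above (a dimension count read from the file, used to fill a fixed-size dimension buffer without first checking it against that buffer's capacity) in a small self-contained parser, with the check in place. This is an added illustration, not HDF5's code or the upstream fix; the on-disk layout, the MAX_RANK constant, the struct and the function names are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the in-memory dimension buffer. HDF5 has its own rank limit;
 * this value is an assumption made for the illustration. */
#define MAX_RANK 32

/* Hypothetical in-memory array type descriptor with a fixed-size dims buffer. */
typedef struct {
    unsigned ndims;
    uint32_t dims[MAX_RANK];
} array_type_t;

/* Hypothetical on-disk layout (constructed for this example):
 *   byte 0    : number of dimensions (ndims)
 *   bytes 1.. : ndims little-endian uint32 dimension sizes */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an array type descriptor from an untrusted buffer.
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_array_type(const uint8_t *buf, size_t len, array_type_t *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return -1;

    unsigned ndims = buf[0];

    /* The bounds check whose absence the bug describes: the rank read from
     * the file must fit the space allocated for the dimension list, or the
     * copy loop below would write past the end of out->dims. */
    if (ndims > MAX_RANK)
        return -1;

    /* The input must also actually contain ndims dimension values, or the
     * loop would read past the end of the buffer. */
    if (len - 1 < (size_t)ndims * 4)
        return -1;

    memset(out, 0, sizeof *out);
    out->ndims = ndims;
    for (unsigned i = 0; i < ndims; i++)
        out->dims[i] = read_u32le(buf + 1 + 4 * i);
    return 0;
}

/* Constructed sample: rank 2, dims 10 x 20. Must parse. */
int demo_well_formed(void)
{
    static const uint8_t msg[] = { 2, 10, 0, 0, 0, 20, 0, 0, 0 };
    array_type_t t;
    return parse_array_type(msg, sizeof msg, &t) == 0 &&
           t.ndims == 2 && t.dims[0] == 10 && t.dims[1] == 20;
}

/* Constructed sample: rank byte claims 255 dims (more than MAX_RANK) and
 * enough bytes follow for an unchecked loop to copy them all. Must be rejected. */
int demo_oversized_rank(void)
{
    uint8_t msg[1 + 4 * 255];
    memset(msg, 0, sizeof msg);
    msg[0] = 255;
    array_type_t t;
    return parse_array_type(msg, sizeof msg, &t) == -1;
}

/* Constructed sample: rank byte says 3 but only two dims follow. Must be rejected. */
int demo_truncated(void)
{
    static const uint8_t msg[] = { 3, 1, 0, 0, 0, 2, 0, 0, 0 };
    array_type_t t;
    return parse_array_type(msg, sizeof msg, &t) == -1;
}

int main(void)
{
    printf("well-formed parsed: %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized rank rejected: %s\n", demo_oversized_rank() ? "yes" : "no");
    printf("truncated input rejected: %s\n", demo_truncated() ? "yes" : "no");
    return 0;
}
```

The two checks are deliberately separate: the first protects the destination (heap or stack buffer capacity), the second protects the source (input length). A parser that validates only one of them is still exploitable from the other side, and fuzzing a file reader with both oversized and truncated rank fields is the quickest way to confirm both are present.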
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-12-02 08:34:26 UTC
CVE-2016-4330 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4330):
  In the HDF5 1.8.16 library's failure to check if the number of dimensions
  for an array read from the file is within the bounds of the space allocated
  for it, a heap-based buffer overflow will occur, potentially leading to
  arbitrary code execution.
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-12-03 22:15:03 UTC
commit 9b4464259353a242d2c68276203bcb955a307fd6
Author: Kacper Kowalik <xarthisius@gentoo.org>
Date:   Sat Dec 3 16:12:00 2016 -0600

    sci-libs/hdf5: version bump
    
    Fixes security bugs: #601404, #601408, #601414, #601420
    
    Package-Manager: portage-2.3.2
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-12-03 22:17:14 UTC
Arches please stabilize:

=sci-libs/hdf5-1.8.18 alpha amd64 ia64 ppc ppc64 sparc x86

As usual, some tests may fail; please file separate bugs for them, but it's unlikely it's gonna be a regression wrt the current stable. TIA!
Comment 4 Tobias Klausmann gentoo-dev 2016-12-05 15:49:00 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-06 11:51:46 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-06 11:54:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 14:41:38 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-19 15:17:46 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-20 09:50:52 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-22 09:39:18 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-02 14:55:14 UTC
This issue was resolved and addressed in
GLSA 201701-13 at https://security.gentoo.org/glsa/201701-13
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-01-02 14:57:35 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop <sci-libs/hdf5-1.8.18.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2017-01-02 22:20:25 UTC
commit 5be3396bbda2c7e75d6cc7fb85e359f9576b4e45
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Jan 2 22:19:54 2017 +0000

    sci-libs/hdf5: Drop vulnerable versions for CVE-2016-4330

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=604386

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5be3396bbda2c7e75d6cc7fb85e359f9576b4e45