According to the RedHat summary: The vulnerability exists due to the library allocating space for the array using a value from the file, and then within the loop for initializing said array allowing a value within the file to modify the loop’s terminator. Due to this, an aggressor can cause the loop’s index to point outside the bounds of the array when initializing it. This is a heap-based buffer overflow, and can lead to code execution under the context of the application using the library. Upstream fix: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/73640612aad91d3f04e4d8f1ea71d42acbc85f6e Reproducible: Always
CVE-2016-4333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4333): The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it.
Created attachment 454950 [details, diff] hdf5-1.8.17-CVE-2016-4333.patch Attached is a patch that applies to 1.8.17 with an additional check. This should be combined with the fix for #601408.
This issue was resolved and addressed in GLSA 201701-13 at https://security.gentoo.org/glsa/201701-13 by GLSA coordinator Thomas Deutschmann (whissi).
