From 43572581cf07864489f7f89c6d29e68bffc76c0b Mon Sep 17 00:00:00 2001 From: Libo Chen Date: Fri, 10 Apr 2026 15:05:01 +0800 Subject: [PATCH] hdf5: fix CVE-2025-2153 According to [1], A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-2153 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2153 [2] https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0 Signed-off-by: Libo Chen Signed-off-by: Jinfeng Wang Signed-off-by: Anuj Mittal --- .../hdf5/files/CVE-2025-2153.patch | 51 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch new file mode 100644 index 0000000000..6f77ad330b --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2153.patch @@ -0,0 +1,51 @@ +From 586f01d74f23dabcd733c82a05cf26bf123a91dc Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 30 Jan 2026 11:42:10 +0800 +Subject: [PATCH] Fix CVE-2025-2153 + +This PR fixes #5329. Previously, the message flags field was able to be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t could be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they indicate they can be shared. + +The bug was first reproduced using the fuzzer and the POC file from #5329. With this change, the heap based buffer overflow no longer occurs. + +CVE: CVE-2025-2153 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0] + +Signed-off-by: Libo Chen +--- + src/H5Ocache.c | 4 ++-- + src/H5Omessage.c | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index 9b82509..7203490 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1422,8 +1422,8 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t + else { + /* Check for message of unshareable class marked as "shareable" + */ +- if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && +- !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) ++ if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && ++ H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) + HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, + "message of unshareable class flagged as shareable"); + +diff --git a/src/H5Omessage.c b/src/H5Omessage.c +index 7190e46..fb9006c 100644 +--- a/src/H5Omessage.c ++++ b/src/H5Omessage.c +@@ -354,6 +354,9 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m + */ + assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); + ++ /* Sanity check to see if the type is not sharable */ ++ assert(type->share_flags & H5O_SHARE_IS_SHARABLE); ++ + /* Remove the old message from the SOHM index */ + /* (It would be more efficient to try to share the message first, then + * delete it (avoiding thrashing the index in the case the ref. +-- +2.34.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index e8432f0d6b..09793b3d74 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -24,6 +24,7 @@ SRC_URI = " \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ file://CVE-2025-2926.patch \ + file://CVE-2025-2153.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"