mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

hdf5: patch CVE-2025-2914

Browse Source 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2914

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
Ankur Tyagi
2025-10-29 00:32:42 +13:00
committed by Anuj Mittal
parent b42e6eb3e5
commit 7d1b63f0af
2 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/hdf5/files/CVE-2025-2914.patch
+47
View File
@@ -0,0 +1,47 @@
From 20a34d68dd837f83d90df45ead054bbeda999830 Mon Sep 17 00:00:00 2001
From: bmribler <39579120+bmribler@users.noreply.github.com>
Date: Wed, 13 Aug 2025 14:45:41 -0400
Subject: [PATCH] Refix of the attempts in PR-5209 (#5722)
This PR addresses the root cause of the issue by adding a sanity-check immediately
after reading the file space page size from the file.
The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability
had occurred and that an error indicating a corrupted file space page size replaced it.
CVE: CVE-2025-2914
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/804f3bace997e416917b235dbd3beac3652a8a05]
(cherry picked from commit 804f3bace997e416917b235dbd3beac3652a8a05)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/H5Fsuper.c | 2 ++
src/H5Ofsinfo.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
index 3e5bc9a3a2..4de4c1feb0 100644
--- a/src/H5Fsuper.c
+++ b/src/H5Fsuper.c
@@ -756,6 +756,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) {
H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */
+ memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));
+
/* f->shared->null_fsm_addr: Whether to drop free-space to the floor */
/* The h5clear tool uses this property to tell the library
* to drop free-space to the floor
diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c
index 5b692357fc..2bb6ea6119 100644
--- a/src/H5Ofsinfo.c
+++ b/src/H5Ofsinfo.c
@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */
+ /* Basic sanity check */
+ if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info");
if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+1
View File
@@ -16,6 +16,7 @@ SRC_URI = " \
file://0002-Remove-suffix-shared-from-shared-library-name.patch \
file://0001-cmake-remove-build-flags.patch \
file://CVE-2025-2913.patch \
file://CVE-2025-2914.patch \
"
SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"