mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
c96f578f10
According to [1], A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Backport patch [2] from upstream to fix CVE-2025-2310 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2310 [2] https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4 Signed-off-by: Libo Chen <libo.chen.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From 89a4466d72f688f4da6521e82a466c183ebe1d08 Mon Sep 17 00:00:00 2001
|
|
From: Libo Chen <libo.chen.cn@windriver.com>
|
|
Date: Fri, 30 Jan 2026 14:05:54 +0800
|
|
Subject: [PATCH] Fix CVE-2025-2310
|
|
|
|
Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.
|
|
|
|
Check that name length is not too small in addition to checking for an overflow directly.
|
|
|
|
CVE: CVE-2025-2310
|
|
|
|
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4]
|
|
|
|
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
|
|
---
|
|
src/H5Oattr.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
|
|
index 6d1d237..7b7ebb0 100644
|
|
--- a/src/H5Oattr.c
|
|
+++ b/src/H5Oattr.c
|
|
@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
|
|
if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
|
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
|
UINT16DECODE(p, name_len); /* Including null */
|
|
+
|
|
+ /* Verify that retrieved name length (including null byte) is valid */
|
|
+ if (name_len <= 1)
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
|
|
+
|
|
if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
|
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
|
UINT16DECODE(p, attr->shared->dt_size);
|
|
--
|
|
2.34.1
|
|
|