mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2025-10-23 07:23:19 +02:00
hdf5: patch CVE-2025-2310
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2310 Pick the patch that mentions the CVE in its description. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
parent
a66568152a
commit
5961c0dc6e
|
@ -0,0 +1,41 @@
|
||||||
|
From 7cc3c76f681fb4ca739457950352654aecd647a9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt L <124107509+mattjala@users.noreply.github.com>
|
||||||
|
Date: Thu, 9 Oct 2025 16:10:23 -0500
|
||||||
|
Subject: [PATCH] Fix CVE-2025-2310 (#5872)
|
||||||
|
|
||||||
|
Malformed files can have a zero name-length, which when subtracted lead to an overflow and an out-of-bounds read.
|
||||||
|
|
||||||
|
Check that name length is not too small in addition to checking for an overflow directly.
|
||||||
|
|
||||||
|
CVE: CVE-2025-2310
|
||||||
|
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/6c86f97e03c6dc7d7bd2bae9acc422bdc3438ff4]
|
||||||
|
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
src/H5Oattr.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
|
||||||
|
index 6d1d237..2f8c259 100644
|
||||||
|
--- a/src/H5Oattr.c
|
||||||
|
+++ b/src/H5Oattr.c
|
||||||
|
@@ -167,6 +167,11 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
|
||||||
|
if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
|
||||||
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
||||||
|
UINT16DECODE(p, name_len); /* Including null */
|
||||||
|
+
|
||||||
|
+ /* Verify that retrieved name length (including null byte) is valid */
|
||||||
|
+ if (name_len <= 1)
|
||||||
|
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "decoded name length is invalid");
|
||||||
|
+
|
||||||
|
if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
|
||||||
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
||||||
|
UINT16DECODE(p, attr->shared->dt_size);
|
||||||
|
@@ -190,6 +195,7 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
|
||||||
|
*/
|
||||||
|
if (H5_IS_BUFFER_OVERFLOW(p, name_len, p_end))
|
||||||
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
||||||
|
+
|
||||||
|
if (NULL == (attr->shared->name = H5MM_strndup((const char *)p, name_len - 1)))
|
||||||
|
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed");
|
||||||
|
|
|
@ -15,6 +15,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
|
||||||
file://0002-Remove-suffix-shared-from-shared-library-name.patch \
|
file://0002-Remove-suffix-shared-from-shared-library-name.patch \
|
||||||
file://0001-cmake-remove-build-flags.patch \
|
file://0001-cmake-remove-build-flags.patch \
|
||||||
file://0001-Fix-CVE-2025-2153-5795.patch \
|
file://0001-Fix-CVE-2025-2153-5795.patch \
|
||||||
|
file://0001-Fix-CVE-2025-2310-5872.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
|
SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user