hdf5: patch CVE-2025-6750

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-6750 Pick the patch that is marked to resolve the issue linked in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-14 14:25:53 +01:00 · 2025-10-14 16:55:29 +02:00 · 2025-10-14 16:55:29 +02:00 · 9f8f3279be
commit 9f8f3279be
parent 131218e8ad
2 changed files with 88 additions and 0 deletions
--- a/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fixes-CVE-2025-6750-5856.patch
@ -0,0 +1,87 @@
+From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
+From: bmribler <39579120+bmribler@users.noreply.github.com>
+Date: Fri, 26 Sep 2025 11:46:50 -0400
+Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
+
+* Fixes CVE-2025-6750
+
+A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
+
+This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
+
+Fixes #5549
+
+CVE: CVE-2025-6750
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..e6095a7 100644
+--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
+@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+         if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+             HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
+ 
+        if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
+            HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
+
+         /* Message flags */
+         if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
+             HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+             }
+         }
+ 
+-        /* Try to detect invalidly formatted object header message that
+-         *  extends past end of chunk.
+-         */
+-        if (chunk_image + mesg_size > eom_ptr)
+-            HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
+-
+         /* Increment count of null messages */
+         if (H5O_NULL_ID == id)
+             nullcnt++;
+@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+                     HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
+                 oh->nlink = *refcount;
+             }
+            /* Check if message is an old mtime message */
+            else if (H5O_MTIME_ID == id) {
+                time_t *mtime = NULL;
+
+                /* Decode mtime message */
+                mtime =
+                    (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
+
+                /* Save the decoded old format mtime */
+                if (!mtime)
+                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
+
+                /* Save 'native' form of mtime message and its value */
+                mesg->native = mtime;
+                oh->ctime    = *mtime;
+            }
+            /* Check if message is an new mtime message */
+            else if (H5O_MTIME_NEW_ID == id) {
+                time_t *mtime = NULL;
+
+                /* Decode mtime message */
+                mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
+                                                              mesg->raw);
+
+                /* Save the decoded new format mtime */
+                if (!mtime)
+                    HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
+
+                /* Save 'native' form of mtime message and its value */
+                mesg->native = mtime;
+                oh->ctime    = *mtime;
+            }
+             /* Check if message is a link message */
+             else if (H5O_LINK_ID == id) {
+                 /* Increment the count of link messages */
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@ -19,6 +19,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
           file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
           file://0001-Fix-CVE-2025-2924-5814.patch \
           file://0001-Fix-CVE-2025-2925-5739.patch \
+           file://0001-Fixes-CVE-2025-6750-5856.patch \
           "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"