Bug 2280037 (CVE-2024-29158, CVE-2024-29159, CVE-2024-29160, CVE-2024-29161, CVE-2024-29162, CVE-2024-29163, CVE-2024-29164, CVE-2024-29165, CVE-2024-29166, CVE-2024-32605, CVE-2024-32606, CVE-2024-32607, CVE-2024-32608, CVE-2024-32609, CVE-2024-32610, CVE-2024-32611, CVE-2024-32612, CVE-2024-32613, CVE-2024-32614, CVE-2024-32615, CVE-2024-32616, CVE-2024-32617, CVE-2024-32618, CVE-2024-32619, CVE-2024-32620, CVE-2024-32621, CVE-2024-32622, CVE-2024-32623, CVE-2024-32624, CVE-2024-33873, CVE-2024-33874, CVE-2024-33875, CVE-2024-33876, CVE-2024-33877)

Summary: CVE-2024-29157 CVE-2024-29158 CVE-2024-29159 CVE-2024-29160 CVE-2024-29161 CVE-2024-29162 CVE-2024-29163 CVE-2024-29164 CVE-2024-29165 CVE-2024-29166 CVE-2024-32605 CVE-2024-32606 CVE-2024-32607 CVE-2024-32608 CVE-2024-32609 ... hdf5: multiple CVEs
Product: [Other] Security Response Reporter: Zack Miele <zmiele>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, eglynn, hbrock, jjoyce, jschluet, jslagle, lhh, lsvaty, mburns, mgarciac, pgrist, rhos-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hdf5 1.14.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2280040, 2280038, 2280039, 2280041, 2280042    
Bug Blocks:    

Description Zack Miele 2024-05-10 19:56:59 UTC 
The following 35 vulnerabilities were published for hdf5:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

CVE-2024-33877
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5T__conv_struct_opt in H5Tconv.c.

CVE-2024-33876
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5S__point_deserialize in H5Spoint.c.

CVE-2024-33875
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5O__layout_encode in H5Olayout.c, resulting in the corruption of
| the instruction pointer.

CVE-2024-33874
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5O__mtime_new_encode in H5Omtime.c.

CVE-2024-33873
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5D__scatter_mem in H5Dscatgath.c.

CVE-2024-32624
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in
| H5Tconv.c), resulting in the corruption of the instruction pointer.

CVE-2024-32623
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5VM_array_fill in H5VM.c (called from H5S_select_elements in
| H5Spoint.c).

CVE-2024-32622
| HDF5 Library through 1.14.3 contains a out-of-bounds read operation
| in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in
| H5S.c).

CVE-2024-32621
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5HG_read in H5HG.c (called from H5VL__native_blob_get in
| H5VLnative_blob.c), resulting in the corruption of the instruction
| pointer.

CVE-2024-32620
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of
| the instruction pointer.

CVE-2024-32619
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T_copy_reopen in H5T.c, resulting in the corruption of the
| instruction pointer.

CVE-2024-32618
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__get_native_type in H5Tnative.c, resulting in the corruption of
| the instruction pointer.

CVE-2024-32617
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called
| from H5G__ent_to_link in H5Glink.c).

CVE-2024-32616
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5O__dtype_encode_helper in H5Odtype.c.

CVE-2024-32615
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier
| use of an initialized pointer.

CVE-2024-32614
| HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.

CVE-2024-32613
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in the function H5HL__fl_deserialize in H5HLcache.c, a different
| vulnerability than CVE-2024-32612.

CVE-2024-32612
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption
| of the instruction pointer, a different vulnerability than
| CVE-2024-32613.

CVE-2024-32611
| HDF5 Library through 1.14.3 may use an uninitialized value in
| H5A__attr_release_table in H5Aint.c.

CVE-2024-32610
| HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c,
| resulting in a corrupted instruction pointer.

CVE-2024-32609
| HDF5 Library through 1.14.3 allows stack consumption in the function
| H5E_printf_stack in H5Eint.c.

CVE-2024-32608
| HDF5 library versions <=1.14.3 contain a memory corruption in 
| H5A__close resulting in the corruption of the instruction pointer 
| and causing denial of service or potential code execution.

CVE-2024-32607
| HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c,
| resulting in the corruption of the instruction pointer.

CVE-2024-32606
| HDF5 Library through 1.14.3 may attempt to dereference uninitialized
| values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from
| h5tools_dump_simple_data in tools/lib/h5tools_dump.c).

CVE-2024-32605
| HDF5 Library through 1.14.3 has a heap-based buffer over-read in
| H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in
| H5Dcompact.c).

CVE-2024-29166
| HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.

CVE-2024-29165
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_fletcher32, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.

CVE-2024-29164
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5R__decode_heap, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.

CVE-2024-29163
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5T__bit_find, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.

CVE-2024-29162
| HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow
| in H5HG_read, resulting in denial of service or potential code
| execution.

CVE-2024-29161
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5A__attr_release_table, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.

CVE-2024-29160
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5HG__cache_heap_deserialize, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.

CVE-2024-29159
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_scaleoffset, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.

CVE-2024-29158
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5FL_arr_malloc, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.

CVE-2024-29157
| HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.
Comment 1 Zack Miele 2024-05-10 19:59:17 UTC 
Created hdf5 tracking bugs for this issue:

Affects: epel-7 [bug 2280039]
Affects: epel-8 [bug 2280040]
Affects: fedora-38 [bug 2280038]
Affects: fedora-39 [bug 2280041]
Affects: fedora-40 [bug 2280042]
Comment 2 Salvatore Bonaccorso 2024-05-17 05:41:29 UTC 
Hi

The list of CVEs in the Bugzilla Alias and the Subject does not seem to contain all the valid CVEs, or for instance such which are not listed on hdf5 release page, I assume they are typos? E.g. CVE-2024-326052.

Can you have a look and if so adjust the metadata?
Comment 3 Zack Miele 2024-05-17 12:31:47 UTC 
In reply to comment #2:
> Hi
> 
> The list of CVEs in the Bugzilla Alias and the Subject does not seem to
> contain all the valid CVEs, or for instance such which are not listed on
> hdf5 release page, I assume they are typos? E.g. CVE-2024-326052.
> 
> Can you have a look and if so adjust the metadata?

Didn't catch that while creating this, thanks for pointing that out. Should be unmangled now and have the correct CVEs. Although the subject may be truncated.

I can certainly break these out if this still causes some issues, but I had hoped this would be a bit easier for folks to consume in one place.