A flaw was found in the HDF HDF5 1.10.2 library. A NULL pointer dereference was discovered in H5S_hyper_make_spans in H5Shyper.c. It could allow a remote denial of service attack. References: https://github.com/Twi1ight/fuzzing-pocs/tree/master/hdf5
Created hdf5 tracking bugs for this issue:
Affects: epel-all [bug 1579947]
Affects: fedora-all [bug 1579949]
Created attachment 1439597: a plausible fix
This affects the hdf5 versions delivered by RHOS. However, there is very low likelihood that an attacker would be able to exploit this in a meaningful way through gnocchi.

Dependency trail: gnocchi -> python-pandas -> python-tables -> hdf5

By default RHOS: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/logging_monitoring_and_troubleshooting_guide/configuring_the_time_series_database_gnocchi_for_telemetry#time_series_database_components
"To store the aggregated measures, Gnocchi relies on either Swift or Ceph (Object Storage). Gnocchi also leverages MySQL to store the index of resources and metrics."

HDF5 is a loose requirement.